@openid4vc/openid4vp 0.3.0-alpha-20250315153126 → 0.3.0-alpha-20250318163628

package/dist/index.js

@@ -34,11 +34,12 @@ __export(src_exports, {
   Openid4vpVerifier: () => Openid4vpVerifier,
   createOpenid4vpAuthorizationRequest: () => createOpenid4vpAuthorizationRequest,
   createOpenid4vpAuthorizationResponse: () => createOpenid4vpAuthorizationResponse,
+  getOpenid4vpClientId: () => getOpenid4vpClientId,
   isJarmResponseMode: () => isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi: () => isOpenid4vpAuthorizationRequestDcApi,
   parseDcqlVpToken: () => parseDcqlVpToken,
   parseJarmAuthorizationResponse: () => parseJarmAuthorizationResponse,
-  parseOpenid4vpAuthorizationRequestPayload: () => parseOpenid4vpAuthorizationRequestPayload,
+  parseOpenid4vpAuthorizationRequest: () => parseOpenid4vpAuthorizationRequest,
   parseOpenid4vpAuthorizationResponse: () => parseOpenid4vpAuthorizationResponse,
   parsePexVpToken: () => parsePexVpToken,
   parseTransactionData: () => parseTransactionData,
@@ -57,54 +58,53 @@ __export(src_exports, {
 });
 module.exports = __toCommonJS(src_exports);
 
-// src/client-identifier-scheme/z-client-id-scheme.ts
-var import_zod = require("zod");
-var zClientIdScheme = import_zod.z.enum([
-  "pre-registered",
-  "redirect_uri",
-  "https",
-  "verifier_attestation",
-  "did",
-  "x509_san_dns",
-  "x509_san_uri",
-  "web-origin"
-]);
-
-// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+// src/client-identifier-scheme/parse-client-identifier-scheme.ts
 var import_oauth24 = require("@openid4vc/oauth2");
-var import_zod4 = __toESM(require("zod"));
+var import_utils4 = require("@openid4vc/utils");
+
+// src/authorization-request/z-authorization-request-dc-api.ts
+var import_zod5 = require("zod");
+
+// src/authorization-request/z-authorization-request.ts
+var import_utils3 = require("@openid4vc/utils");
+var import_zod4 = require("zod");
+
+// src/models/z-client-metadata.ts
+var import_oauth22 = require("@openid4vc/oauth2");
+var import_utils2 = require("@openid4vc/utils");
+var import_zod3 = require("zod");
 
 // src/jarm/metadata/z-jarm-client-metadata.ts
 var import_oauth2 = require("@openid4vc/oauth2");
 var import_utils = require("@openid4vc/utils");
-var import_zod2 = require("zod");
-var zJarmSignOnlyClientMetadata = import_zod2.z.object({
+var import_zod = require("zod");
+var zJarmSignOnlyClientMetadata = import_zod.z.object({
   authorization_signed_response_alg: import_oauth2.zAlgValueNotNone,
-  authorization_encrypted_response_alg: import_zod2.z.optional(import_zod2.z.never()),
-  authorization_encrypted_response_enc: import_zod2.z.optional(import_zod2.z.never())
+  authorization_encrypted_response_alg: import_zod.z.optional(import_zod.z.never()),
+  authorization_encrypted_response_enc: import_zod.z.optional(import_zod.z.never())
 });
-var zJarmEncryptOnlyClientMetadata = import_zod2.z.object({
-  authorization_signed_response_alg: import_zod2.z.optional(import_zod2.z.never()),
-  authorization_encrypted_response_alg: import_zod2.z.string(),
-  authorization_encrypted_response_enc: import_zod2.z.optional(import_zod2.z.string())
+var zJarmEncryptOnlyClientMetadata = import_zod.z.object({
+  authorization_signed_response_alg: import_zod.z.optional(import_zod.z.never()),
+  authorization_encrypted_response_alg: import_zod.z.string(),
+  authorization_encrypted_response_enc: import_zod.z.optional(import_zod.z.string())
 });
-var zJarmSignEncryptClientMetadata = import_zod2.z.object({
+var zJarmSignEncryptClientMetadata = import_zod.z.object({
   authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
   authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
   authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
 });
-var zJarmClientMetadata = import_zod2.z.object({
-  authorization_signed_response_alg: import_zod2.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
-  authorization_encrypted_response_alg: import_zod2.z.optional(
+var zJarmClientMetadata = import_zod.z.object({
+  authorization_signed_response_alg: import_zod.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
+  authorization_encrypted_response_alg: import_zod.z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg
   ),
-  authorization_encrypted_response_enc: import_zod2.z.optional(
+  authorization_encrypted_response_enc: import_zod.z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
   )
 });
 var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
   const parsedClientMeta = (0, import_utils.parseWithErrorHandling)(
-    import_zod2.z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
+    import_zod.z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
     client_metadata,
     "Invalid jarm client metadata."
   );
@@ -141,280 +141,56 @@ var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata)
   throw new import_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
 });
 
-// src/jarm/jarm-extract-jwks.ts
-function extractJwksFromClientMetadata(clientMetadata) {
-  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
-  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
-  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
-  clientMetadata.jwks.keys?.[0];
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
-  clientMetadata.jwks.keys?.[0];
-  return { encJwk, sigJwk };
-}
-
-// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
-var import_oauth23 = require("@openid4vc/oauth2");
-var import_utils2 = require("@openid4vc/utils");
-
-// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
-var import_oauth22 = require("@openid4vc/oauth2");
-var import_zod3 = require("zod");
-var zJarmHeader = import_zod3.z.object({ ...import_oauth22.zJwtHeader.shape, apu: import_zod3.z.string().optional(), apv: import_zod3.z.string().optional() });
-var zJarmAuthorizationResponse = import_zod3.z.object({
-  /**
-   * iss: The issuer URL of the authorization server that created the response
-   * aud: The client_id of the client the response is intended for
-   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
-   */
-  ...import_oauth22.zJwtPayload.shape,
-  ...import_oauth22.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
-  state: import_zod3.z.optional(import_zod3.z.string())
-}).passthrough();
-var zJarmAuthorizationResponseEncryptedOnly = import_zod3.z.object({
-  ...import_oauth22.zJwtPayload.shape,
-  state: import_zod3.z.optional(import_zod3.z.string())
-}).passthrough();
-
-// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
-var jarmAuthorizationResponseValidate = (options) => {
-  const { expectedClientId, authorizationResponse } = options;
-  if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
-    return;
-  }
-  if (expectedClientId !== authorizationResponse.aud) {
-    throw new import_oauth23.Oauth2Error(
-      `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
-    );
-  }
-  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils2.dateToSeconds)()) {
-    throw new import_oauth23.Oauth2Error("Jarm auth response is expired.");
-  }
-};
-
-// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
-var decryptJarmAuthorizationResponseJwt = async (options) => {
-  const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
-  const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks ? extractJwksFromClientMetadata({
-    ...authorizationRequestPayload.client_metadata,
-    jwks: authorizationRequestPayload.client_metadata.jwks
-  }).encJwk : void 0;
-  const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
-  if (!result.decrypted) {
-    throw new import_oauth24.Oauth2Error("Failed to decrypt jarm auth response.");
-  }
-  return result.payload;
-};
-async function verifyJarmAuthorizationResponse(options) {
-  const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
-  const requestDataIsEncrypted = import_oauth24.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
-  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
-    jarmAuthorizationResponseJwt,
-    callbacks,
-    authorizationRequestPayload
-  }) : jarmAuthorizationResponseJwt;
-  const responseIsSigned = import_oauth24.zCompactJwt.safeParse(decryptedRequestData).success;
-  if (!requestDataIsEncrypted && !responseIsSigned) {
-    throw new import_oauth24.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
-  }
-  let jarmAuthorizationResponse;
-  if (responseIsSigned) {
-    const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth24.decodeJwt)({
-      jwt: decryptedRequestData,
-      headerSchema: import_zod4.default.object({ ...import_oauth24.zJwtHeader.shape, kid: import_zod4.default.string() })
-    });
-    const response = zJarmAuthorizationResponse.parse(jwsPayload);
-    const jwtSigner = (0, import_oauth24.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
-    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
-      compact: decryptedRequestData,
-      header: jwsProtectedHeader,
-      payload: jwsPayload
-    });
-    if (!verificationResult.verified) {
-      throw new import_oauth24.Oauth2Error("Jarm Auth Response is not valid.");
-    }
-    jarmAuthorizationResponse = response;
-  } else {
-    const jsonRequestData = JSON.parse(decryptedRequestData);
-    jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
-  }
-  jarmAuthorizationResponseValidate({
-    expectedClientId,
-    authorizationResponse: jarmAuthorizationResponse
-  });
-  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
-  const issuer = jarmAuthorizationResponse.iss;
-  return { jarmAuthorizationResponse, type, issuer };
-}
-
-// src/authorization-request/create-authorization-request.ts
-var import_oauth29 = require("@openid4vc/oauth2");
-var import_utils6 = require("@openid4vc/utils");
-
-// src/jar/create-jar-authorization-request.ts
-var import_oauth25 = require("@openid4vc/oauth2");
-async function createJarAuthorizationRequest(options) {
-  const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
-  let authorizationRequestJwt;
-  let encryptionJwk;
-  const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
-    header: { ...(0, import_oauth25.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
-    payload: { ...options.additionalJwtPayload, ...authorizationRequestPayload }
-  });
-  authorizationRequestJwt = jwt;
-  if (jweEncryptor) {
-    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
-    authorizationRequestJwt = encryptionResult.jwe;
-    encryptionJwk = encryptionResult.encryptionJwk;
-  }
-  const client_id = authorizationRequestPayload.client_id;
-  const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
-  return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
-}
-
-// src/authorization-request/validate-authorization-request.ts
-var import_oauth26 = require("@openid4vc/oauth2");
-var import_utils3 = require("@openid4vc/utils");
-var validateOpenid4vpAuthorizationRequestPayload = (options) => {
-  const { params, walletVerificationOptions } = options;
-  if (!params.redirect_uri && !params.response_uri) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
-    });
-  }
-  if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
-    });
-  }
-  if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
-    Boolean
-  ).length > 1) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
-    });
-  }
-  if (params.request_uri_method && !params.request_uri) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
-    });
-  }
-  if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequestUriMethod,
-      error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
-    });
-  }
-  if (params.trust_chain && !import_utils3.zHttpsUrl.safeParse(params.client_id).success) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
-    });
-  }
-  if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
-    });
-  }
-  if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
-    });
-  }
-  if (params.client_id.startsWith("web-origin:")) {
-    throw new import_oauth26.Oauth2ServerErrorResponseError({
-      error: import_oauth26.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`
-    });
-  }
-};
-
-// src/authorization-request/validate-authorization-request-dc-api.ts
-var import_oauth27 = require("@openid4vc/oauth2");
-var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
-  const { params, isJarRequest, disableOriginValidation, origin } = options;
-  if (isJarRequest && !params.expected_origins) {
-    throw new import_oauth27.Oauth2ServerErrorResponseError({
-      error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
-      error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
-    });
-  }
-  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-    throw new import_oauth27.Oauth2ServerErrorResponseError({
-      error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
-    });
-  }
-  if (params.expected_origins && !disableOriginValidation) {
-    if (!origin) {
-      throw new import_oauth27.Oauth2ServerErrorResponseError({
-        error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
-      });
-    }
-    if (params.expected_origins && !params.expected_origins.includes(origin)) {
-      throw new import_oauth27.Oauth2ServerErrorResponseError({
-        error: import_oauth27.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
-      });
-    }
-  }
-};
-
-// src/authorization-request/z-authorization-request.ts
-var import_utils5 = require("@openid4vc/utils");
-var import_zod7 = require("zod");
-
-// src/models/z-client-metadata.ts
-var import_oauth28 = require("@openid4vc/oauth2");
-var import_utils4 = require("@openid4vc/utils");
-var import_zod6 = require("zod");
-
 // src/models/z-vp-formats-supported.ts
-var import_zod5 = require("zod");
-var zVpFormatsSupported = import_zod5.z.record(
-  import_zod5.z.string(),
-  import_zod5.z.object({
-    alg_values_supported: import_zod5.z.optional(import_zod5.z.array(import_zod5.z.string()))
+var import_zod2 = require("zod");
+var zVpFormatsSupported = import_zod2.z.record(
+  import_zod2.z.string(),
+  import_zod2.z.object({
+    alg_values_supported: import_zod2.z.optional(import_zod2.z.array(import_zod2.z.string()))
   }).passthrough()
 );
 
 // src/models/z-client-metadata.ts
-var zClientMetadata = import_zod6.z.object({
-  jwks: import_zod6.z.optional(import_oauth28.zJwkSet),
-  vp_formats: import_zod6.z.optional(zVpFormatsSupported),
+var zClientMetadata = import_zod3.z.object({
+  jwks: import_zod3.z.optional(import_oauth22.zJwkSet),
+  vp_formats: import_zod3.z.optional(zVpFormatsSupported),
   ...zJarmClientMetadata.shape,
-  logo_uri: import_utils4.zHttpsUrl.optional(),
-  client_name: import_zod6.z.string().optional()
+  logo_uri: import_utils2.zHttpsUrl.optional(),
+  client_name: import_zod3.z.string().optional()
 }).passthrough();
 
 // src/authorization-request/z-authorization-request.ts
-var zOpenid4vpAuthorizationRequest = import_zod7.z.object({
-  response_type: import_zod7.z.literal("vp_token"),
-  client_id: import_zod7.z.string(),
-  redirect_uri: import_utils5.zHttpsUrl.optional(),
-  response_uri: import_utils5.zHttpsUrl.optional(),
-  request_uri: import_utils5.zHttpsUrl.optional(),
-  request_uri_method: import_zod7.z.optional(import_zod7.z.string()),
-  response_mode: import_zod7.z.enum(["direct_post", "direct_post.jwt"]).optional(),
-  nonce: import_zod7.z.string(),
-  wallet_nonce: import_zod7.z.string().optional(),
-  scope: import_zod7.z.string().optional(),
-  presentation_definition: import_zod7.z.record(import_zod7.z.any()).optional(),
-  presentation_definition_uri: import_utils5.zHttpsUrl.optional(),
-  dcql_query: import_zod7.z.record(import_zod7.z.any()).optional(),
+var zStringToJson = import_zod4.z.string().transform((string, ctx) => {
+  try {
+    return JSON.parse(string);
+  } catch (error) {
+    ctx.addIssue({
+      code: "custom",
+      message: "Expected a JSON string, but could not parse the string to JSON"
+    });
+    return import_zod4.z.NEVER;
+  }
+});
+var zOpenid4vpAuthorizationRequest = import_zod4.z.object({
+  response_type: import_zod4.z.literal("vp_token"),
+  client_id: import_zod4.z.string(),
+  redirect_uri: import_utils3.zHttpsUrl.optional(),
+  response_uri: import_utils3.zHttpsUrl.optional(),
+  request_uri: import_utils3.zHttpsUrl.optional(),
+  request_uri_method: import_zod4.z.optional(import_zod4.z.string()),
+  response_mode: import_zod4.z.enum(["direct_post", "direct_post.jwt"]).optional(),
+  nonce: import_zod4.z.string(),
+  wallet_nonce: import_zod4.z.string().optional(),
+  scope: import_zod4.z.string().optional(),
+  presentation_definition: import_zod4.z.record(import_zod4.z.any()).or(zStringToJson).optional(),
+  presentation_definition_uri: import_utils3.zHttpsUrl.optional(),
+  dcql_query: import_zod4.z.record(import_zod4.z.any()).or(zStringToJson).optional(),
   client_metadata: zClientMetadata.optional(),
-  client_metadata_uri: import_utils5.zHttpsUrl.optional(),
-  state: import_zod7.z.string().optional(),
-  transaction_data: import_zod7.z.array(import_zod7.z.string()).optional(),
-  trust_chain: import_zod7.z.unknown().optional(),
-  client_id_scheme: import_zod7.z.enum([
+  client_metadata_uri: import_utils3.zHttpsUrl.optional(),
+  state: import_zod4.z.string().optional(),
+  transaction_data: import_zod4.z.array(import_zod4.z.string().base64url()).optional(),
+  trust_chain: import_zod4.z.unknown().optional(),
+  client_id_scheme: import_zod4.z.enum([
     "pre-registered",
     "redirect_uri",
     "entity_id",
@@ -424,9 +200,16 @@ var zOpenid4vpAuthorizationRequest = import_zod7.z.object({
     "x509_san_uri"
   ]).optional()
 }).passthrough();
+var zOpenid4vpAuthorizationRequestFromUriParams = import_zod4.z.string().url().transform((url) => Object.fromEntries(new import_utils3.URL(url).searchParams)).pipe(
+  import_zod4.z.object({
+    presentation_definition: zStringToJson.optional(),
+    client_metadata: zStringToJson.optional(),
+    dcql_query: zStringToJson.optional(),
+    transaction_data: zStringToJson.optional()
+  }).passthrough()
+);
 
 // src/authorization-request/z-authorization-request-dc-api.ts
-var import_zod8 = require("zod");
 var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
   client_id: true,
   response_type: true,
@@ -438,10 +221,10 @@ var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
   dcql_query: true,
   trust_chain: true
 }).extend({
-  client_id: import_zod8.z.optional(import_zod8.z.string()),
-  expected_origins: import_zod8.z.array(import_zod8.z.string()).optional(),
-  response_mode: import_zod8.z.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
-  client_id_scheme: import_zod8.z.enum([
+  client_id: import_zod5.z.optional(import_zod5.z.string()),
+  expected_origins: import_zod5.z.array(import_zod5.z.string()).optional(),
+  response_mode: import_zod5.z.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
+  client_id_scheme: import_zod5.z.enum([
     "pre-registered",
     "redirect_uri",
     "entity_id",
@@ -455,163 +238,23 @@ function isOpenid4vpAuthorizationRequestDcApi(request) {
   return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
 }
 
-// src/authorization-request/create-authorization-request.ts
-async function createOpenid4vpAuthorizationRequest(options) {
-  const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
-  let additionalJwtPayload;
-  let authorizationRequestPayload;
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    authorizationRequestPayload = (0, import_utils6.parseWithErrorHandling)(
-      zOpenid4vpAuthorizationRequestDcApi,
-      options.authorizationRequestPayload,
-      "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
-    );
-    if (jar && !authorizationRequestPayload.expected_origins) {
-      throw new import_oauth29.Oauth2Error(
-        `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
-      );
-    }
-    validateOpenid4vpAuthorizationRequestDcApiPayload({
-      params: authorizationRequestPayload,
-      isJarRequest: Boolean(jar),
-      disableOriginValidation: true
-    });
-  } else {
-    authorizationRequestPayload = (0, import_utils6.parseWithErrorHandling)(
-      zOpenid4vpAuthorizationRequest,
-      options.authorizationRequestPayload,
-      "Invalid authorization request. Could not parse openid4vp authorization request."
-    );
-    validateOpenid4vpAuthorizationRequestPayload({
-      params: authorizationRequestPayload,
-      walletVerificationOptions: wallet
-    });
-  }
-  if (jar) {
-    if (!jar.additionalJwtPayload?.aud) {
-      additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
-    }
-    const jarResult = await createJarAuthorizationRequest({
-      ...jar,
-      authorizationRequestPayload,
-      additionalJwtPayload,
-      callbacks
-    });
-    const url2 = new import_utils6.URL(scheme);
-    url2.search = `?${new import_utils6.URLSearchParams([
-      ...url2.searchParams.entries(),
-      ...(0, import_utils6.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries()
-    ]).toString()}`;
-    return {
-      authorizationRequestPayload,
-      authorizationRequestObject: jarResult.jarAuthorizationRequest,
-      authorizationRequest: url2.toString(),
-      jar: { ...jar, ...jarResult }
-    };
-  }
-  const url = new import_utils6.URL(scheme);
-  url.search = `?${new import_utils6.URLSearchParams([
-    ...url.searchParams.entries(),
-    ...(0, import_utils6.objectToQueryParams)(authorizationRequestPayload).entries()
-  ]).toString()}`;
-  return {
-    authorizationRequestPayload,
-    authorizationRequestObject: authorizationRequestPayload,
-    authorizationRequest: url.toString(),
-    jar: void 0
-  };
-}
-
-// src/authorization-request/parse-authorization-request-params.ts
-var import_oauth211 = require("@openid4vc/oauth2");
-var import_utils8 = require("@openid4vc/utils");
-var import_utils9 = require("@openid4vc/utils");
-var import_zod10 = __toESM(require("zod"));
-
-// src/jar/z-jar-authorization-request.ts
-var import_oauth210 = require("@openid4vc/oauth2");
-var import_utils7 = require("@openid4vc/utils");
-var import_zod9 = require("zod");
-var zJarAuthorizationRequest = import_zod9.z.object({
-  request: import_zod9.z.optional(import_zod9.z.string()),
-  request_uri: import_zod9.z.optional(import_utils7.zHttpsUrl),
-  request_uri_method: import_zod9.z.optional(import_zod9.z.string()),
-  client_id: import_zod9.z.optional(import_zod9.z.string())
-}).passthrough();
-function validateJarRequestParams(options) {
-  const { jarRequestParams } = options;
-  if (jarRequestParams.request && jarRequestParams.request_uri) {
-    throw new import_oauth210.Oauth2ServerErrorResponseError({
-      error: "invalid_request_object",
-      error_description: "request and request_uri cannot both be present in a JAR request"
-    });
-  }
-  if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-    throw new import_oauth210.Oauth2ServerErrorResponseError({
-      error: "invalid_request_object",
-      error_description: "request or request_uri must be present"
-    });
-  }
-  return jarRequestParams;
-}
-function isJarAuthorizationRequest(request) {
-  return "request" in request || "request_uri" in request;
-}
-
-// src/authorization-request/parse-authorization-request-params.ts
-function parseOpenid4vpAuthorizationRequestPayload(options) {
-  const { authorizationRequest } = options;
-  let provided = "params";
-  let params;
-  if (typeof authorizationRequest === "string") {
-    if (authorizationRequest.includes("://")) {
-      const url = new import_utils8.URL(authorizationRequest);
-      params = Object.fromEntries(url.searchParams);
-      provided = "uri";
-    } else {
-      const decoded = (0, import_oauth211.decodeJwt)({ jwt: authorizationRequest });
-      params = decoded.payload;
-      provided = "jwt";
-    }
-  } else {
-    params = authorizationRequest;
-  }
-  const parsedRequest = (0, import_utils9.parseWithErrorHandling)(
-    import_zod10.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
-    params
-  );
-  if (isJarAuthorizationRequest(parsedRequest)) {
-    return {
-      type: "jar",
-      provided,
-      params: parsedRequest
-    };
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
-    return {
-      type: "openid4vp_dc_api",
-      provided,
-      params: parsedRequest
-    };
-  }
-  return {
-    type: "openid4vp",
-    provided,
-    params: parsedRequest
-  };
-}
-
-// src/authorization-request/resolve-authorization-request.ts
-var import_oauth219 = require("@openid4vc/oauth2");
-var import_utils14 = require("@openid4vc/utils");
-var import_zod14 = __toESM(require("zod"));
+// src/version.ts
+var import_oauth23 = require("@openid4vc/oauth2");
 
-// src/client-identifier-scheme/parse-client-identifier-scheme.ts
-var import_oauth213 = require("@openid4vc/oauth2");
-var import_utils10 = require("@openid4vc/utils");
+// src/client-identifier-scheme/z-client-id-scheme.ts
+var import_zod6 = require("zod");
+var zClientIdScheme = import_zod6.z.enum([
+  "pre-registered",
+  "redirect_uri",
+  "https",
+  "verifier_attestation",
+  "did",
+  "x509_san_dns",
+  "x509_san_uri",
+  "web-origin"
+]);
 
 // src/version.ts
-var import_oauth212 = require("@openid4vc/oauth2");
 function parseAuthorizationRequestVersion(request) {
   const requirements = [];
   if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
@@ -664,8 +307,8 @@ function parseAuthorizationRequestVersion(request) {
   const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
   const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
   if (lowestRequiredVersion > highestPossibleVersion) {
-    throw new import_oauth212.Oauth2ServerErrorResponseError({
-      error: import_oauth212.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth23.Oauth2ServerErrorResponseError({
+      error: import_oauth23.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Could not infer openid4vp version from the openid4vp request payload."
     });
   }
@@ -673,15 +316,15 @@ function parseAuthorizationRequestVersion(request) {
 }
 
 // src/client-identifier-scheme/parse-client-identifier-scheme.ts
-function getClientId(options) {
+function getOpenid4vpClientId(options) {
   const version = parseAuthorizationRequestVersion(options.authorizationRequestPayload);
   if (version < 22) {
     return getLegacyClientId(options);
   }
   if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
     if (!options.origin) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
@@ -695,8 +338,8 @@ function getLegacyClientId(options) {
   const clientIdScheme = legacyClientIdScheme === "entity_id" ? "https" : legacyClientIdScheme;
   if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
     if (!options.origin) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
@@ -716,7 +359,7 @@ function parseClientIdentifier(options, parserConfig) {
   const parserConfigWithDefaults = {
     supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
   };
-  const clientId = getClientId(options);
+  const clientId = getOpenid4vpClientId(options);
   const colonIndex = clientId.indexOf(":");
   if (colonIndex === -1) {
     return {
@@ -729,16 +372,16 @@ function parseClientIdentifier(options, parserConfig) {
   const schemePart = clientId.substring(0, colonIndex);
   const identifierPart = clientId.substring(colonIndex + 1);
   if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
-    throw new import_oauth213.Oauth2ServerErrorResponseError({
-      error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth24.Oauth2ServerErrorResponseError({
+      error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
       error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
     });
   }
   const scheme = schemePart;
   if (scheme === "https") {
-    if (!clientId.startsWith("https://") && !((0, import_oauth213.getGlobalConfig)().allowInsecureUrls && clientId.startsWith("http://"))) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
+    if (!clientId.startsWith("https://") && !((0, import_oauth24.getGlobalConfig)().allowInsecureUrls && clientId.startsWith("http://"))) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
         error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
       });
     }
@@ -749,166 +392,549 @@ function parseClientIdentifier(options, parserConfig) {
       trustChain: authorizationRequestPayload.trust_chain
     };
   }
-  if (scheme === "redirect_uri") {
-    if (jar) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
-      });
-    }
-    if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
-      });
-    }
-    return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
-    };
+  if (scheme === "redirect_uri") {
+    if (jar) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
+      });
+    }
+    if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
+      });
+    }
+    return {
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
+    };
+  }
+  if (scheme === "did") {
+    if (!jar) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
+      });
+    }
+    if (!clientId.startsWith("did:")) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Invalid client identifier. Client identifier must start with 'did:'"
+      });
+    }
+    if (!jar.signer.publicJwk.kid) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: `Missing required 'kid' for client identifier scheme: did`
+      });
+    }
+    if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
+      });
+    }
+    return {
+      scheme,
+      identifier: clientId,
+      originalValue: clientId,
+      didUrl: jar.signer.publicJwk.kid
+    };
+  }
+  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
+    if (!jar) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
+      });
+    }
+    if (jar.signer.method !== "x5c") {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
+      });
+    }
+    if (scheme === "x509_san_dns") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new import_oauth24.Oauth2ServerErrorResponseError(
+          {
+            error: import_oauth24.Oauth2ErrorCodes.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
+          }
+        );
+      }
+      const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
+      if (!sanDnsNames.includes(identifierPart)) {
+        throw new import_oauth24.Oauth2ServerErrorResponseError({
+          error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
+        });
+      }
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
+        if (!uri || new import_utils4.URL(uri).hostname !== identifierPart) {
+          throw new import_oauth24.Oauth2ServerErrorResponseError({
+            error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+            error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
+          });
+        }
+      }
+    } else if (scheme === "x509_san_uri") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new import_oauth24.Oauth2ServerErrorResponseError(
+          {
+            error: import_oauth24.Oauth2ErrorCodes.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
+          }
+        );
+      }
+      const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
+      if (!sanUriNames.includes(identifierPart)) {
+        throw new import_oauth24.Oauth2ServerErrorResponseError({
+          error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
+        });
+      }
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
+        if (!uri || uri !== identifierPart) {
+          throw new import_oauth24.Oauth2ServerErrorResponseError({
+            error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+            error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
+          });
+        }
+      }
+    }
+    return {
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      x5c: jar.signer.x5c
+    };
+  }
+  if (scheme === "web-origin") {
+    return {
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      clientMetadata: authorizationRequestPayload.client_metadata
+    };
+  }
+  if (scheme === "verifier_attestation") {
+    if (!jar) {
+      throw new import_oauth24.Oauth2ServerErrorResponseError({
+        error: import_oauth24.Oauth2ErrorCodes.InvalidRequest,
+        error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
+      });
+    }
+  }
+  return {
+    scheme,
+    identifier: identifierPart,
+    originalValue: clientId
+  };
+}
+
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+var import_oauth27 = require("@openid4vc/oauth2");
+var import_zod8 = __toESM(require("zod"));
+
+// src/jarm/jarm-extract-jwks.ts
+function extractJwksFromClientMetadata(clientMetadata) {
+  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
+  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
+  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
+  return { encJwk, sigJwk };
+}
+
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+var import_oauth26 = require("@openid4vc/oauth2");
+var import_utils5 = require("@openid4vc/utils");
+
+// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
+var import_oauth25 = require("@openid4vc/oauth2");
+var import_zod7 = require("zod");
+var zJarmHeader = import_zod7.z.object({ ...import_oauth25.zJwtHeader.shape, apu: import_zod7.z.string().optional(), apv: import_zod7.z.string().optional() });
+var zJarmAuthorizationResponse = import_zod7.z.object({
+  /**
+   * iss: The issuer URL of the authorization server that created the response
+   * aud: The client_id of the client the response is intended for
+   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
+   */
+  ...import_oauth25.zJwtPayload.shape,
+  ...import_oauth25.zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
+  state: import_zod7.z.optional(import_zod7.z.string())
+}).passthrough();
+var zJarmAuthorizationResponseEncryptedOnly = import_zod7.z.object({
+  ...import_oauth25.zJwtPayload.shape,
+  state: import_zod7.z.optional(import_zod7.z.string())
+}).passthrough();
+
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+var jarmAuthorizationResponseValidate = (options) => {
+  const { expectedClientId, authorizationResponse } = options;
+  if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
+    return;
+  }
+  if (expectedClientId !== authorizationResponse.aud) {
+    throw new import_oauth26.Oauth2Error(
+      `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
+    );
+  }
+  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, import_utils5.dateToSeconds)()) {
+    throw new import_oauth26.Oauth2Error("Jarm auth response is expired.");
+  }
+};
+
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+var decryptJarmAuthorizationResponseJwt = async (options) => {
+  const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
+  const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks ? extractJwksFromClientMetadata({
+    ...authorizationRequestPayload.client_metadata,
+    jwks: authorizationRequestPayload.client_metadata.jwks
+  }).encJwk : void 0;
+  const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
+  if (!result.decrypted) {
+    throw new import_oauth27.Oauth2Error("Failed to decrypt jarm auth response.");
+  }
+  return result.payload;
+};
+async function verifyJarmAuthorizationResponse(options) {
+  const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
+  const requestDataIsEncrypted = import_oauth27.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
+  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
+    jarmAuthorizationResponseJwt,
+    callbacks,
+    authorizationRequestPayload
+  }) : jarmAuthorizationResponseJwt;
+  const responseIsSigned = import_oauth27.zCompactJwt.safeParse(decryptedRequestData).success;
+  if (!requestDataIsEncrypted && !responseIsSigned) {
+    throw new import_oauth27.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
+  }
+  let jarmAuthorizationResponse;
+  if (responseIsSigned) {
+    const { header: jwsProtectedHeader, payload: jwsPayload } = (0, import_oauth27.decodeJwt)({
+      jwt: decryptedRequestData,
+      headerSchema: import_zod8.default.object({ ...import_oauth27.zJwtHeader.shape, kid: import_zod8.default.string() })
+    });
+    const response = zJarmAuthorizationResponse.parse(jwsPayload);
+    const jwtSigner = (0, import_oauth27.jwtSignerFromJwt)({ header: jwsProtectedHeader, payload: jwsPayload });
+    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
+      compact: decryptedRequestData,
+      header: jwsProtectedHeader,
+      payload: jwsPayload
+    });
+    if (!verificationResult.verified) {
+      throw new import_oauth27.Oauth2Error("Jarm Auth Response is not valid.");
+    }
+    jarmAuthorizationResponse = response;
+  } else {
+    const jsonRequestData = JSON.parse(decryptedRequestData);
+    jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
+  }
+  jarmAuthorizationResponseValidate({
+    expectedClientId,
+    authorizationResponse: jarmAuthorizationResponse
+  });
+  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
+  const issuer = jarmAuthorizationResponse.iss;
+  return { jarmAuthorizationResponse, type, issuer };
+}
+
+// src/authorization-request/create-authorization-request.ts
+var import_oauth211 = require("@openid4vc/oauth2");
+var import_utils7 = require("@openid4vc/utils");
+
+// src/jar/create-jar-authorization-request.ts
+var import_oauth28 = require("@openid4vc/oauth2");
+async function createJarAuthorizationRequest(options) {
+  const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
+  let authorizationRequestJwt;
+  let encryptionJwk;
+  const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
+    header: { ...(0, import_oauth28.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
+    payload: { ...options.additionalJwtPayload, ...authorizationRequestPayload }
+  });
+  authorizationRequestJwt = jwt;
+  if (jweEncryptor) {
+    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
+    authorizationRequestJwt = encryptionResult.jwe;
+    encryptionJwk = encryptionResult.encryptionJwk;
+  }
+  const client_id = authorizationRequestPayload.client_id;
+  const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
+  return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
+}
+
+// src/authorization-request/validate-authorization-request.ts
+var import_oauth29 = require("@openid4vc/oauth2");
+var import_utils6 = require("@openid4vc/utils");
+var validateOpenid4vpAuthorizationRequestPayload = (options) => {
+  const { params, walletVerificationOptions } = options;
+  if (!params.redirect_uri && !params.response_uri) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
+    });
+  }
+  if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
+    });
+  }
+  if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
+    Boolean
+  ).length > 1) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
+    });
+  }
+  if (params.request_uri_method && !params.request_uri) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
+    });
+  }
+  if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequestUriMethod,
+      error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
+    });
+  }
+  if (params.trust_chain && !import_utils6.zHttpsUrl.safeParse(params.client_id).success) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
+    });
+  }
+  if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
+    });
+  }
+  if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
+    });
+  }
+  if (params.client_id.startsWith("web-origin:")) {
+    throw new import_oauth29.Oauth2ServerErrorResponseError({
+      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`
+    });
+  }
+};
+
+// src/authorization-request/validate-authorization-request-dc-api.ts
+var import_oauth210 = require("@openid4vc/oauth2");
+var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
+  const { params, isJarRequest, disableOriginValidation, origin } = options;
+  if (isJarRequest && !params.expected_origins) {
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
+    });
+  }
+  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
+    });
   }
-  if (scheme === "did") {
-    if (!jar) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
+  if (params.expected_origins && !disableOriginValidation) {
+    if (!origin) {
+      throw new import_oauth210.Oauth2ServerErrorResponseError({
+        error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+        error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
       });
     }
-    if (!clientId.startsWith("did:")) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: "Invalid client identifier. Client identifier must start with 'did:'"
+    if (params.expected_origins && !params.expected_origins.includes(origin)) {
+      throw new import_oauth210.Oauth2ServerErrorResponseError({
+        error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+        error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
       });
     }
-    if (!jar.signer.publicJwk.kid) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: `Missing required 'kid' for client identifier scheme: did`
-      });
+  }
+};
+
+// src/authorization-request/create-authorization-request.ts
+async function createOpenid4vpAuthorizationRequest(options) {
+  const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
+  let additionalJwtPayload;
+  let authorizationRequestPayload;
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
+    authorizationRequestPayload = (0, import_utils7.parseWithErrorHandling)(
+      zOpenid4vpAuthorizationRequestDcApi,
+      options.authorizationRequestPayload,
+      "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
+    );
+    if (jar && !authorizationRequestPayload.expected_origins) {
+      throw new import_oauth211.Oauth2Error(
+        `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
+      );
     }
-    if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
-      });
+    validateOpenid4vpAuthorizationRequestDcApiPayload({
+      params: authorizationRequestPayload,
+      isJarRequest: Boolean(jar),
+      disableOriginValidation: true
+    });
+  } else {
+    authorizationRequestPayload = (0, import_utils7.parseWithErrorHandling)(
+      zOpenid4vpAuthorizationRequest,
+      options.authorizationRequestPayload,
+      "Invalid authorization request. Could not parse openid4vp authorization request."
+    );
+    validateOpenid4vpAuthorizationRequestPayload({
+      params: authorizationRequestPayload,
+      walletVerificationOptions: wallet
+    });
+  }
+  if (jar) {
+    if (!jar.additionalJwtPayload?.aud) {
+      additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
     }
+    const jarResult = await createJarAuthorizationRequest({
+      ...jar,
+      authorizationRequestPayload,
+      additionalJwtPayload,
+      callbacks
+    });
+    const url2 = new import_utils7.URL(scheme);
+    url2.search = `?${new import_utils7.URLSearchParams([
+      ...url2.searchParams.entries(),
+      ...(0, import_utils7.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries()
+    ]).toString()}`;
     return {
-      scheme,
-      identifier: clientId,
-      originalValue: clientId,
-      didUrl: jar.signer.publicJwk.kid
+      authorizationRequestPayload,
+      authorizationRequestObject: jarResult.jarAuthorizationRequest,
+      authorizationRequest: url2.toString(),
+      jar: { ...jar, ...jarResult }
     };
   }
-  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
-    if (!jar) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
-      });
-    }
-    if (jar.signer.method !== "x5c") {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
-      });
-    }
-    if (scheme === "x509_san_dns") {
-      if (!options.callbacks.getX509CertificateMetadata) {
-        throw new import_oauth213.Oauth2ServerErrorResponseError(
-          {
-            error: import_oauth213.Oauth2ErrorCodes.ServerError
-          },
-          {
-            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
-          }
-        );
-      }
-      const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-      if (!sanDnsNames.includes(identifierPart)) {
-        throw new import_oauth213.Oauth2ServerErrorResponseError({
-          error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
-        });
-      }
-      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-        const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
-        if (!uri || new import_utils10.URL(uri).hostname !== identifierPart) {
-          throw new import_oauth213.Oauth2ServerErrorResponseError({
-            error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-            error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
-          });
-        }
-      }
-    } else if (scheme === "x509_san_uri") {
-      if (!options.callbacks.getX509CertificateMetadata) {
-        throw new import_oauth213.Oauth2ServerErrorResponseError(
-          {
-            error: import_oauth213.Oauth2ErrorCodes.ServerError
-          },
-          {
-            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
-          }
-        );
-      }
-      const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-      if (!sanUriNames.includes(identifierPart)) {
-        throw new import_oauth213.Oauth2ServerErrorResponseError({
-          error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
-        });
-      }
-      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-        const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
-        if (!uri || uri !== identifierPart) {
-          throw new import_oauth213.Oauth2ServerErrorResponseError({
-            error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-            error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
-          });
-        }
-      }
+  const url = new import_utils7.URL(scheme);
+  url.search = `?${new import_utils7.URLSearchParams([
+    ...url.searchParams.entries(),
+    ...(0, import_utils7.objectToQueryParams)(authorizationRequestPayload).entries()
+  ]).toString()}`;
+  return {
+    authorizationRequestPayload,
+    authorizationRequestObject: authorizationRequestPayload,
+    authorizationRequest: url.toString(),
+    jar: void 0
+  };
+}
+
+// src/authorization-request/parse-authorization-request-params.ts
+var import_oauth213 = require("@openid4vc/oauth2");
+var import_utils9 = require("@openid4vc/utils");
+var import_zod10 = __toESM(require("zod"));
+
+// src/jar/z-jar-authorization-request.ts
+var import_oauth212 = require("@openid4vc/oauth2");
+var import_utils8 = require("@openid4vc/utils");
+var import_zod9 = require("zod");
+var zJarAuthorizationRequest = import_zod9.z.object({
+  request: import_zod9.z.optional(import_zod9.z.string()),
+  request_uri: import_zod9.z.optional(import_utils8.zHttpsUrl),
+  request_uri_method: import_zod9.z.optional(import_zod9.z.string()),
+  client_id: import_zod9.z.optional(import_zod9.z.string())
+}).passthrough();
+function validateJarRequestParams(options) {
+  const { jarRequestParams } = options;
+  if (jarRequestParams.request && jarRequestParams.request_uri) {
+    throw new import_oauth212.Oauth2ServerErrorResponseError({
+      error: "invalid_request_object",
+      error_description: "request and request_uri cannot both be present in a JAR request"
+    });
+  }
+  if (!jarRequestParams.request && !jarRequestParams.request_uri) {
+    throw new import_oauth212.Oauth2ServerErrorResponseError({
+      error: "invalid_request_object",
+      error_description: "request or request_uri must be present"
+    });
+  }
+  return jarRequestParams;
+}
+function isJarAuthorizationRequest(request) {
+  return "request" in request || "request_uri" in request;
+}
+
+// src/authorization-request/parse-authorization-request-params.ts
+function parseOpenid4vpAuthorizationRequest(options) {
+  const { authorizationRequest } = options;
+  let provided = "params";
+  let params;
+  if (typeof authorizationRequest === "string") {
+    if (authorizationRequest.includes("://")) {
+      params = (0, import_utils9.parseWithErrorHandling)(
+        zOpenid4vpAuthorizationRequestFromUriParams,
+        authorizationRequest,
+        "Unable to parse openid4vp authorization request uri to a valid object"
+      );
+      provided = "uri";
+    } else {
+      const decoded = (0, import_oauth213.decodeJwt)({ jwt: authorizationRequest });
+      params = decoded.payload;
+      provided = "jwt";
     }
+  } else {
+    params = authorizationRequest;
+  }
+  const parsedRequest = (0, import_utils9.parseWithErrorHandling)(
+    import_zod10.default.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
+    params
+  );
+  if (isJarAuthorizationRequest(parsedRequest)) {
     return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      x5c: jar.signer.x5c
+      type: "jar",
+      provided,
+      params: parsedRequest
     };
   }
-  if (scheme === "web-origin") {
+  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
     return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      clientMetadata: authorizationRequestPayload.client_metadata
+      type: "openid4vp_dc_api",
+      provided,
+      params: parsedRequest
     };
   }
-  if (scheme === "verifier_attestation") {
-    if (!jar) {
-      throw new import_oauth213.Oauth2ServerErrorResponseError({
-        error: import_oauth213.Oauth2ErrorCodes.InvalidRequest,
-        error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
-      });
-    }
-  }
   return {
-    scheme,
-    identifier: identifierPart,
-    originalValue: clientId
+    type: "openid4vp",
+    provided,
+    params: parsedRequest
   };
 }
 
+// src/authorization-request/resolve-authorization-request.ts
+var import_oauth219 = require("@openid4vc/oauth2");
+var import_utils13 = require("@openid4vc/utils");
+var import_zod14 = __toESM(require("zod"));
+
 // src/fetch-client-metadata.ts
 var import_oauth214 = require("@openid4vc/oauth2");
-var import_utils11 = require("@openid4vc/utils");
+var import_utils10 = require("@openid4vc/utils");
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
-  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
-  const { result, response } = await fetcher(zClientMetadata, import_utils11.ContentType.Json, clientMetadataUri, {
+  const fetcher = (0, import_utils10.createZodFetcher)(fetch);
+  const { result, response } = await fetcher(zClientMetadata, import_utils10.ContentType.Json, clientMetadataUri, {
     method: "GET",
     headers: {
-      Accept: import_utils11.ContentType.Json
+      Accept: import_utils10.ContentType.Json
     }
   });
   if (!response.ok) {
@@ -931,23 +957,23 @@ var import_oauth217 = require("@openid4vc/oauth2");
 
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 var import_oauth215 = require("@openid4vc/oauth2");
-var import_utils12 = require("@openid4vc/utils");
+var import_utils11 = require("@openid4vc/utils");
 var import_zod11 = require("zod");
 async function fetchJarRequestObject(options) {
   const { requestUri, clientIdentifierScheme, method, wallet, fetch } = options;
-  const fetcher = (0, import_utils12.createZodFetcher)(fetch);
+  const fetcher = (0, import_utils11.createZodFetcher)(fetch);
   let requestBody = wallet.metadata ? { wallet_metadata: wallet.metadata, wallet_nonce: wallet.nonce } : void 0;
   if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdentifierScheme === "redirect_uri") {
     const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
     requestBody = { ...requestBody, wallet_metadata: { ...rest } };
   }
-  const { result, response } = await fetcher(import_zod11.z.string(), import_utils12.ContentType.OAuthAuthorizationRequestJwt, requestUri, {
+  const { result, response } = await fetcher(import_zod11.z.string(), import_utils11.ContentType.OAuthAuthorizationRequestJwt, requestUri, {
     method,
     headers: {
-      Accept: `${import_utils12.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils12.ContentType.Jwt};q=0.9`,
-      "Content-Type": import_utils12.ContentType.XWwwFormUrlencoded
+      Accept: `${import_utils11.ContentType.OAuthAuthorizationRequestJwt}, ${import_utils11.ContentType.Jwt};q=0.9`,
+      "Content-Type": import_utils11.ContentType.XWwwFormUrlencoded
     },
-    body: method === "POST" ? (0, import_utils12.objectToQueryParams)(wallet.metadata ?? {}) : void 0
+    body: method === "POST" ? (0, import_utils11.objectToQueryParams)(wallet.metadata ?? {}) : void 0
   });
   if (!response.ok) {
     throw new import_oauth215.Oauth2ServerErrorResponseError({
@@ -1064,7 +1090,7 @@ async function verifyJarRequestObject(options) {
 
 // src/transaction-data/parse-transaction-data.ts
 var import_oauth218 = require("@openid4vc/oauth2");
-var import_utils13 = require("@openid4vc/utils");
+var import_utils12 = require("@openid4vc/utils");
 
 // src/transaction-data/z-transaction-data.ts
 var import_zod13 = require("zod");
@@ -1078,7 +1104,7 @@ var zTransactionData = import_zod13.z.array(zTransactionEntry);
 // src/transaction-data/parse-transaction-data.ts
 function parseTransactionData(options) {
   const { transactionData } = options;
-  const decoded = transactionData.map((tdEntry) => (0, import_utils13.parseIfJson)((0, import_utils13.encodeToUtf8String)((0, import_utils13.decodeBase64)(tdEntry))));
+  const decoded = transactionData.map((tdEntry) => (0, import_utils12.parseIfJson)((0, import_utils12.encodeToUtf8String)((0, import_utils12.decodeBase64)(tdEntry))));
   const parsedResult = zTransactionData.safeParse(decoded);
   if (!parsedResult.success) {
     throw new import_oauth218.Oauth2ServerErrorResponseError({
@@ -1097,7 +1123,7 @@ function parseTransactionData(options) {
 async function resolveOpenid4vpAuthorizationRequest(options) {
   const { wallet, callbacks, origin, disableOriginValidation } = options;
   let authorizationRequestPayload;
-  const parsed = (0, import_utils14.parseWithErrorHandling)(
+  const parsed = (0, import_utils13.parseWithErrorHandling)(
     import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest]),
     options.authorizationRequestPayload,
     "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request."
@@ -1105,7 +1131,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
   let jar;
   if (isJarAuthorizationRequest(parsed)) {
     jar = await verifyJarRequest({ jarRequestParams: parsed, callbacks, wallet });
-    const parsedJarAuthorizationRequestPayload = (0, import_utils14.parseWithErrorHandling)(
+    const parsedJarAuthorizationRequestPayload = (0, import_utils13.parseWithErrorHandling)(
       import_zod14.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]),
       jar.authorizationRequestParams,
       "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."
@@ -1186,7 +1212,7 @@ function validateOpenId4vpAuthorizationRequestPayload(options) {
 
 // src/authorization-response/create-authorization-response.ts
 var import_oauth222 = require("@openid4vc/oauth2");
-var import_utils15 = require("@openid4vc/utils");
+var import_utils14 = require("@openid4vc/utils");
 
 // ../utils/src/date.ts
 function addSecondsToDate(date, seconds) {
@@ -1330,7 +1356,7 @@ async function createOpenid4vpAuthorizationResponse(options) {
     additionalJwtPayload = {
       iss: jarm.authorizationServer,
       aud: jarm.audience,
-      exp: jarm.expiresInSeconds ?? (0, import_utils15.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
+      exp: jarm.expiresInSeconds ?? (0, import_utils14.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 60 * 10))
       // default: 10 minutes
     };
   }
@@ -1362,25 +1388,25 @@ async function createOpenid4vpAuthorizationResponse(options) {
 
 // src/authorization-response/submit-authorization-response.ts
 var import_oauth224 = require("@openid4vc/oauth2");
+var import_utils16 = require("@openid4vc/utils");
 var import_utils17 = require("@openid4vc/utils");
-var import_utils18 = require("@openid4vc/utils");
 
 // src/jarm/jarm-authorizatino-response-send.ts
 var import_oauth223 = require("@openid4vc/oauth2");
-var import_utils16 = require("@openid4vc/utils");
+var import_utils15 = require("@openid4vc/utils");
 var jarmAuthorizationResponseSend = (options) => {
   const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
   const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
   if (!responseEndpoint) {
     throw new import_oauth223.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
   }
-  const responseEndpointUrl = new import_utils16.URL(responseEndpoint);
+  const responseEndpointUrl = new import_utils15.URL(responseEndpoint);
   return handleDirectPostJwt(responseEndpointUrl, jarmAuthorizationResponseJwt, callbacks);
 };
 async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
-  const response = await (callbacks.fetch ?? import_utils16.defaultFetcher)(responseEndpoint, {
+  const response = await (callbacks.fetch ?? import_utils15.defaultFetcher)(responseEndpoint, {
     method: "POST",
-    headers: { "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded },
+    headers: { "Content-Type": import_utils15.ContentType.XWwwFormUrlencoded },
     body: `response=${responseJwt}`
   });
   return {
@@ -1405,13 +1431,13 @@ async function submitOpenid4vpAuthorizationResponse(options) {
       "Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided."
     );
   }
-  const fetch = callbacks.fetch ?? import_utils17.defaultFetcher;
-  const encodedResponse = (0, import_utils18.objectToQueryParams)(authorizationResponsePayload);
+  const fetch = callbacks.fetch ?? import_utils16.defaultFetcher;
+  const encodedResponse = (0, import_utils17.objectToQueryParams)(authorizationResponsePayload);
   const submissionResponse = await fetch(url, {
     method: "POST",
     body: encodedResponse,
     headers: {
-      "Content-Type": import_utils17.ContentType.XWwwFormUrlencoded
+      "Content-Type": import_utils16.ContentType.XWwwFormUrlencoded
     }
   });
   return {
@@ -1424,7 +1450,7 @@ async function submitOpenid4vpAuthorizationResponse(options) {
 var import_oauth225 = require("@openid4vc/oauth2");
 
 // src/vp-token/parse-vp-token.ts
-var import_utils19 = require("@openid4vc/utils");
+var import_utils18 = require("@openid4vc/utils");
 
 // src/vp-token/z-vp-token.ts
 var import_zod16 = require("zod");
@@ -1444,17 +1470,17 @@ var zVpToken = zVpTokenDcql.or(zVpTokenPex);
 
 // src/vp-token/parse-vp-token.ts
 function parsePexVpToken(vpToken) {
-  const parsedVpToken = (0, import_utils19.parseWithErrorHandling)(
+  const parsedVpToken = (0, import_utils18.parseWithErrorHandling)(
     zVpTokenPex,
-    (0, import_utils19.parseIfJson)(vpToken),
+    (0, import_utils18.parseIfJson)(vpToken),
     "Could not parse presentation exchange vp_token. Expected a string or an array of strings"
   );
   return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
 function parseDcqlVpToken(vpToken) {
-  return (0, import_utils19.parseWithErrorHandling)(
+  return (0, import_utils18.parseWithErrorHandling)(
     zVpTokenDcql,
-    (0, import_utils19.parseIfJson)(vpToken),
+    (0, import_utils18.parseIfJson)(vpToken),
     "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
 }
@@ -1507,7 +1533,7 @@ function validateOpenid4vpAuthorizationResponsePayload(options) {
 var import_oauth227 = require("@openid4vc/oauth2");
 
 // src/authorization-response/parse-authorization-response-payload.ts
-var import_utils20 = require("@openid4vc/utils");
+var import_utils19 = require("@openid4vc/utils");
 
 // src/authorization-response/z-authorization-response.ts
 var import_zod18 = require("zod");
@@ -1531,7 +1557,7 @@ var zOpenid4vpAuthorizationResponse = import_zod18.z.object({
 
 // src/authorization-response/parse-authorization-response-payload.ts
 function parseOpenid4VpAuthorizationResponsePayload(payload) {
-  return (0, import_utils20.parseWithErrorHandling)(
+  return (0, import_utils19.parseWithErrorHandling)(
     zOpenid4vpAuthorizationResponse,
     payload,
     "Failed to parse openid4vp authorization response."
@@ -1540,11 +1566,11 @@ function parseOpenid4VpAuthorizationResponsePayload(payload) {
 
 // src/authorization-response/parse-jarm-authorization-response.ts
 var import_oauth226 = require("@openid4vc/oauth2");
-var import_utils21 = require("@openid4vc/utils");
+var import_utils20 = require("@openid4vc/utils");
 var import_zod19 = __toESM(require("zod"));
 async function parseJarmAuthorizationResponse(options) {
   const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
-  const jarmAuthorizationResponseJwt = (0, import_utils21.parseWithErrorHandling)(
+  const jarmAuthorizationResponseJwt = (0, import_utils20.parseWithErrorHandling)(
     import_zod19.default.union([import_oauth226.zCompactJwt, import_oauth226.zCompactJwe]),
     jarmResponseJwt,
     "Invalid jarm authorization response jwt."
@@ -1582,7 +1608,7 @@ async function parseJarmAuthorizationResponse(options) {
 // src/authorization-response/parse-authorization-response.ts
 async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
-  const expectedClientId = getClientId({ authorizationRequestPayload, origin });
+  const expectedClientId = getOpenid4vpClientId({ authorizationRequestPayload, origin });
   if (authorizationResponse.response) {
     return parseJarmAuthorizationResponse({
       jarmResponseJwt: authorizationResponse.response,
@@ -1620,8 +1646,8 @@ var Openid4vpClient = class {
   constructor(options) {
     this.options = options;
   }
-  parseOpenid4vpAuthorizationRequestPayload(options) {
-    return parseOpenid4vpAuthorizationRequestPayload(options);
+  parseOpenid4vpAuthorizationRequest(options) {
+    return parseOpenid4vpAuthorizationRequest(options);
   }
   async resolveOpenId4vpAuthorizationRequest(options) {
     return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
@@ -1636,7 +1662,7 @@ var Openid4vpClient = class {
 
 // src/transaction-data/verify-transaction-data.ts
 var import_oauth228 = require("@openid4vc/oauth2");
-var import_utils22 = require("@openid4vc/utils");
+var import_utils21 = require("@openid4vc/utils");
 async function verifyTransactionData(options) {
   const parsedTransactionData = parseTransactionData({
     transactionData: options.transactionData
@@ -1663,7 +1689,7 @@ async function verifyTransactionDataEntry({
   );
   const hashes = {};
   for (const alg of supportedAlgs) {
-    hashes[alg] = (0, import_utils22.encodeToBase64Url)(await callbacks.hash((0, import_utils22.decodeUtf8String)(entry.encoded), alg));
+    hashes[alg] = (0, import_utils21.encodeToBase64Url)(await callbacks.hash((0, import_utils21.decodeUtf8String)(entry.encoded), alg));
   }
   for (const credentialId of entry.transactionData.credential_ids) {
     const transactionDataHashesCredential = credentials[credentialId];
@@ -1708,7 +1734,7 @@ var Openid4vpVerifier = class {
     return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
   }
   parseOpenid4vpAuthorizationRequestPayload(options) {
-    return parseOpenid4vpAuthorizationRequestPayload(options);
+    return parseOpenid4vpAuthorizationRequest(options);
   }
   parseOpenid4vpAuthorizationResponse(options) {
     return parseOpenid4vpAuthorizationResponse(options);
@@ -1726,7 +1752,10 @@ var Openid4vpVerifier = class {
     return parseTransactionData(options);
   }
   verifyTransactionData(options) {
-    return verifyTransactionData(options);
+    return verifyTransactionData({
+      ...options,
+      callbacks: this.options.callbacks
+    });
   }
 };
 
@@ -1754,11 +1783,12 @@ var zWalletMetadata = import_zod22.z.object({
   Openid4vpVerifier,
   createOpenid4vpAuthorizationRequest,
   createOpenid4vpAuthorizationResponse,
+  getOpenid4vpClientId,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
   parseDcqlVpToken,
   parseJarmAuthorizationResponse,
-  parseOpenid4vpAuthorizationRequestPayload,
+  parseOpenid4vpAuthorizationRequest,
   parseOpenid4vpAuthorizationResponse,
   parsePexVpToken,
   parseTransactionData,