@openid4vc/openid4vp 0.3.0-alpha-20250315153126 → 0.3.0-alpha-20250318163628

package/dist/index.mjs

@@ -1,58 +1,50 @@
-// src/client-identifier-scheme/z-client-id-scheme.ts
-import { z } from "zod";
-var zClientIdScheme = z.enum([
-  "pre-registered",
-  "redirect_uri",
-  "https",
-  "verifier_attestation",
-  "did",
-  "x509_san_dns",
-  "x509_san_uri",
-  "web-origin"
-]);
+// src/client-identifier-scheme/parse-client-identifier-scheme.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2, getGlobalConfig } from "@openid4vc/oauth2";
+import { URL as URL2 } from "@openid4vc/utils";
 
-// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
-import {
-  Oauth2Error as Oauth2Error3,
-  decodeJwt,
-  jwtSignerFromJwt,
-  zCompactJwe,
-  zCompactJwt,
-  zJwtHeader as zJwtHeader2
-} from "@openid4vc/oauth2";
-import z4 from "zod";
+// src/authorization-request/z-authorization-request-dc-api.ts
+import { z as z5 } from "zod";
+
+// src/authorization-request/z-authorization-request.ts
+import { URL, zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
+import { z as z4 } from "zod";
+
+// src/models/z-client-metadata.ts
+import { zJwkSet } from "@openid4vc/oauth2";
+import { zHttpsUrl } from "@openid4vc/utils";
+import { z as z3 } from "zod";
 
 // src/jarm/metadata/z-jarm-client-metadata.ts
 import { Oauth2Error, zAlgValueNotNone } from "@openid4vc/oauth2";
 import { parseWithErrorHandling } from "@openid4vc/utils";
-import { z as z2 } from "zod";
-var zJarmSignOnlyClientMetadata = z2.object({
+import { z } from "zod";
+var zJarmSignOnlyClientMetadata = z.object({
   authorization_signed_response_alg: zAlgValueNotNone,
-  authorization_encrypted_response_alg: z2.optional(z2.never()),
-  authorization_encrypted_response_enc: z2.optional(z2.never())
+  authorization_encrypted_response_alg: z.optional(z.never()),
+  authorization_encrypted_response_enc: z.optional(z.never())
 });
-var zJarmEncryptOnlyClientMetadata = z2.object({
-  authorization_signed_response_alg: z2.optional(z2.never()),
-  authorization_encrypted_response_alg: z2.string(),
-  authorization_encrypted_response_enc: z2.optional(z2.string())
+var zJarmEncryptOnlyClientMetadata = z.object({
+  authorization_signed_response_alg: z.optional(z.never()),
+  authorization_encrypted_response_alg: z.string(),
+  authorization_encrypted_response_enc: z.optional(z.string())
 });
-var zJarmSignEncryptClientMetadata = z2.object({
+var zJarmSignEncryptClientMetadata = z.object({
   authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
   authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
   authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
 });
-var zJarmClientMetadata = z2.object({
-  authorization_signed_response_alg: z2.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
-  authorization_encrypted_response_alg: z2.optional(
+var zJarmClientMetadata = z.object({
+  authorization_signed_response_alg: z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
+  authorization_encrypted_response_alg: z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg
   ),
-  authorization_encrypted_response_enc: z2.optional(
+  authorization_encrypted_response_enc: z.optional(
     zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
   )
 });
 var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
   const parsedClientMeta = parseWithErrorHandling(
-    z2.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
+    z.union([zJarmEncryptOnlyClientMetadata, zJarmSignOnlyClientMetadata, zJarmSignEncryptClientMetadata]),
     client_metadata,
     "Invalid jarm client metadata."
   );
@@ -89,766 +81,799 @@ var zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata)
   throw new Oauth2Error("Invalid jarm client metadata. Failed to parse.");
 });
 
-// src/jarm/jarm-extract-jwks.ts
-function extractJwksFromClientMetadata(clientMetadata) {
-  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
-  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
-  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
-  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
-  clientMetadata.jwks.keys?.[0];
-  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
-  clientMetadata.jwks.keys?.[0];
-  return { encJwk, sigJwk };
-}
-
-// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
-import { Oauth2Error as Oauth2Error2 } from "@openid4vc/oauth2";
-import { dateToSeconds } from "@openid4vc/utils";
+// src/models/z-vp-formats-supported.ts
+import { z as z2 } from "zod";
+var zVpFormatsSupported = z2.record(
+  z2.string(),
+  z2.object({
+    alg_values_supported: z2.optional(z2.array(z2.string()))
+  }).passthrough()
+);
 
-// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
-import { zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
-import { z as z3 } from "zod";
-var zJarmHeader = z3.object({ ...zJwtHeader.shape, apu: z3.string().optional(), apv: z3.string().optional() });
-var zJarmAuthorizationResponse = z3.object({
-  /**
-   * iss: The issuer URL of the authorization server that created the response
-   * aud: The client_id of the client the response is intended for
-   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
-   */
-  ...zJwtPayload.shape,
-  ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
-  state: z3.optional(z3.string())
-}).passthrough();
-var zJarmAuthorizationResponseEncryptedOnly = z3.object({
-  ...zJwtPayload.shape,
-  state: z3.optional(z3.string())
+// src/models/z-client-metadata.ts
+var zClientMetadata = z3.object({
+  jwks: z3.optional(zJwkSet),
+  vp_formats: z3.optional(zVpFormatsSupported),
+  ...zJarmClientMetadata.shape,
+  logo_uri: zHttpsUrl.optional(),
+  client_name: z3.string().optional()
 }).passthrough();
 
-// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
-var jarmAuthorizationResponseValidate = (options) => {
-  const { expectedClientId, authorizationResponse } = options;
-  if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
-    return;
-  }
-  if (expectedClientId !== authorizationResponse.aud) {
-    throw new Oauth2Error2(
-      `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
-    );
-  }
-  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < dateToSeconds()) {
-    throw new Oauth2Error2("Jarm auth response is expired.");
-  }
-};
-
-// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
-var decryptJarmAuthorizationResponseJwt = async (options) => {
-  const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
-  const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks ? extractJwksFromClientMetadata({
-    ...authorizationRequestPayload.client_metadata,
-    jwks: authorizationRequestPayload.client_metadata.jwks
-  }).encJwk : void 0;
-  const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
-  if (!result.decrypted) {
-    throw new Oauth2Error3("Failed to decrypt jarm auth response.");
-  }
-  return result.payload;
-};
-async function verifyJarmAuthorizationResponse(options) {
-  const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
-  const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
-  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
-    jarmAuthorizationResponseJwt,
-    callbacks,
-    authorizationRequestPayload
-  }) : jarmAuthorizationResponseJwt;
-  const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success;
-  if (!requestDataIsEncrypted && !responseIsSigned) {
-    throw new Oauth2Error3("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
-  }
-  let jarmAuthorizationResponse;
-  if (responseIsSigned) {
-    const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({
-      jwt: decryptedRequestData,
-      headerSchema: z4.object({ ...zJwtHeader2.shape, kid: z4.string() })
-    });
-    const response = zJarmAuthorizationResponse.parse(jwsPayload);
-    const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload });
-    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
-      compact: decryptedRequestData,
-      header: jwsProtectedHeader,
-      payload: jwsPayload
+// src/authorization-request/z-authorization-request.ts
+var zStringToJson = z4.string().transform((string, ctx) => {
+  try {
+    return JSON.parse(string);
+  } catch (error) {
+    ctx.addIssue({
+      code: "custom",
+      message: "Expected a JSON string, but could not parse the string to JSON"
     });
-    if (!verificationResult.verified) {
-      throw new Oauth2Error3("Jarm Auth Response is not valid.");
-    }
-    jarmAuthorizationResponse = response;
-  } else {
-    const jsonRequestData = JSON.parse(decryptedRequestData);
-    jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
+    return z4.NEVER;
   }
-  jarmAuthorizationResponseValidate({
-    expectedClientId,
-    authorizationResponse: jarmAuthorizationResponse
-  });
-  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
-  const issuer = jarmAuthorizationResponse.iss;
-  return { jarmAuthorizationResponse, type, issuer };
-}
-
-// src/authorization-request/create-authorization-request.ts
-import { Oauth2Error as Oauth2Error4 } from "@openid4vc/oauth2";
-import { URL, URLSearchParams, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+});
+var zOpenid4vpAuthorizationRequest = z4.object({
+  response_type: z4.literal("vp_token"),
+  client_id: z4.string(),
+  redirect_uri: zHttpsUrl2.optional(),
+  response_uri: zHttpsUrl2.optional(),
+  request_uri: zHttpsUrl2.optional(),
+  request_uri_method: z4.optional(z4.string()),
+  response_mode: z4.enum(["direct_post", "direct_post.jwt"]).optional(),
+  nonce: z4.string(),
+  wallet_nonce: z4.string().optional(),
+  scope: z4.string().optional(),
+  presentation_definition: z4.record(z4.any()).or(zStringToJson).optional(),
+  presentation_definition_uri: zHttpsUrl2.optional(),
+  dcql_query: z4.record(z4.any()).or(zStringToJson).optional(),
+  client_metadata: zClientMetadata.optional(),
+  client_metadata_uri: zHttpsUrl2.optional(),
+  state: z4.string().optional(),
+  transaction_data: z4.array(z4.string().base64url()).optional(),
+  trust_chain: z4.unknown().optional(),
+  client_id_scheme: z4.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
+}).passthrough();
+var zOpenid4vpAuthorizationRequestFromUriParams = z4.string().url().transform((url) => Object.fromEntries(new URL(url).searchParams)).pipe(
+  z4.object({
+    presentation_definition: zStringToJson.optional(),
+    client_metadata: zStringToJson.optional(),
+    dcql_query: zStringToJson.optional(),
+    transaction_data: zStringToJson.optional()
+  }).passthrough()
+);
 
-// src/jar/create-jar-authorization-request.ts
-import {
-  jwtHeaderFromJwtSigner
-} from "@openid4vc/oauth2";
-async function createJarAuthorizationRequest(options) {
-  const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
-  let authorizationRequestJwt;
-  let encryptionJwk;
-  const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
-    header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: "oauth-authz-req+jwt" },
-    payload: { ...options.additionalJwtPayload, ...authorizationRequestPayload }
-  });
-  authorizationRequestJwt = jwt;
-  if (jweEncryptor) {
-    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
-    authorizationRequestJwt = encryptionResult.jwe;
-    encryptionJwk = encryptionResult.encryptionJwk;
-  }
-  const client_id = authorizationRequestPayload.client_id;
-  const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
-  return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
+// src/authorization-request/z-authorization-request-dc-api.ts
+var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
+  client_id: true,
+  response_type: true,
+  response_mode: true,
+  nonce: true,
+  presentation_definition: true,
+  client_metadata: true,
+  transaction_data: true,
+  dcql_query: true,
+  trust_chain: true
+}).extend({
+  client_id: z5.optional(z5.string()),
+  expected_origins: z5.array(z5.string()).optional(),
+  response_mode: z5.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
+  client_id_scheme: z5.enum([
+    "pre-registered",
+    "redirect_uri",
+    "entity_id",
+    "did",
+    "verifier_attestation",
+    "x509_san_dns",
+    "x509_san_uri"
+  ]).optional()
+}).strip();
+function isOpenid4vpAuthorizationRequestDcApi(request) {
+  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
 }
 
-// src/authorization-request/validate-authorization-request.ts
+// src/version.ts
 import { Oauth2ErrorCodes, Oauth2ServerErrorResponseError } from "@openid4vc/oauth2";
-import { zHttpsUrl } from "@openid4vc/utils";
-var validateOpenid4vpAuthorizationRequestPayload = (options) => {
-  const { params, walletVerificationOptions } = options;
-  if (!params.redirect_uri && !params.response_uri) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
-    });
+
+// src/client-identifier-scheme/z-client-id-scheme.ts
+import { z as z6 } from "zod";
+var zClientIdScheme = z6.enum([
+  "pre-registered",
+  "redirect_uri",
+  "https",
+  "verifier_attestation",
+  "did",
+  "x509_san_dns",
+  "x509_san_uri",
+  "web-origin"
+]);
+
+// src/version.ts
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
   }
-  if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
-    });
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
+    requirements.push([">=", 23]);
   }
-  if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
-    Boolean
-  ).length > 1) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
-    });
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
   }
-  if (params.request_uri_method && !params.request_uri) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
-    });
+  if (request.dcql_query) {
+    requirements.push([">=", 22]);
   }
-  if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequestUriMethod,
-      error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
-    });
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
   }
-  if (params.trust_chain && !zHttpsUrl.safeParse(params.client_id).success) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
-    });
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
   }
-  if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
-    });
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdScheme.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
   }
-  if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-    throw new Oauth2ServerErrorResponseError({
-      error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
-    });
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
   }
-  if (params.client_id.startsWith("web-origin:")) {
+  if ("client_metadata_uri" in request) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if ("request_uri_method" in request || "wallet_nonce" in request) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
     throw new Oauth2ServerErrorResponseError({
       error: Oauth2ErrorCodes.InvalidRequest,
-      error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`
+      error_description: "Could not infer openid4vp version from the openid4vp request payload."
     });
   }
-};
+  return highestPossibleVersion;
+}
 
-// src/authorization-request/validate-authorization-request-dc-api.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes2, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError2 } from "@openid4vc/oauth2";
-var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
-  const { params, isJarRequest, disableOriginValidation, origin } = options;
-  if (isJarRequest && !params.expected_origins) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
-      error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
-    });
-  }
-  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-    throw new Oauth2ServerErrorResponseError2({
-      error: Oauth2ErrorCodes2.InvalidRequest,
-      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
-    });
+// src/client-identifier-scheme/parse-client-identifier-scheme.ts
+function getOpenid4vpClientId(options) {
+  const version = parseAuthorizationRequestVersion(options.authorizationRequestPayload);
+  if (version < 22) {
+    return getLegacyClientId(options);
   }
-  if (params.expected_origins && !disableOriginValidation) {
-    if (!origin) {
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
+    if (!options.origin) {
       throw new Oauth2ServerErrorResponseError2({
         error: Oauth2ErrorCodes2.InvalidRequest,
-        error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
+        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
-    if (params.expected_origins && !params.expected_origins.includes(origin)) {
+    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
+    return options.authorizationRequestPayload.client_id;
+  }
+  return options.authorizationRequestPayload.client_id;
+}
+function getLegacyClientId(options) {
+  const legacyClientIdScheme = options.authorizationRequestPayload.client_id_scheme ?? "pre-registered";
+  const clientIdScheme = legacyClientIdScheme === "entity_id" ? "https" : legacyClientIdScheme;
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
+    if (!options.origin) {
       throw new Oauth2ServerErrorResponseError2({
         error: Oauth2ErrorCodes2.InvalidRequest,
-        error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
+        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
       });
     }
+    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
+    return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
   }
-};
-
-// src/authorization-request/z-authorization-request.ts
-import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
-import { z as z7 } from "zod";
-
-// src/models/z-client-metadata.ts
-import { zJwkSet } from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl2 } from "@openid4vc/utils";
-import { z as z6 } from "zod";
-
-// src/models/z-vp-formats-supported.ts
-import { z as z5 } from "zod";
-var zVpFormatsSupported = z5.record(
-  z5.string(),
-  z5.object({
-    alg_values_supported: z5.optional(z5.array(z5.string()))
-  }).passthrough()
-);
-
-// src/models/z-client-metadata.ts
-var zClientMetadata = z6.object({
-  jwks: z6.optional(zJwkSet),
-  vp_formats: z6.optional(zVpFormatsSupported),
-  ...zJarmClientMetadata.shape,
-  logo_uri: zHttpsUrl2.optional(),
-  client_name: z6.string().optional()
-}).passthrough();
-
-// src/authorization-request/z-authorization-request.ts
-var zOpenid4vpAuthorizationRequest = z7.object({
-  response_type: z7.literal("vp_token"),
-  client_id: z7.string(),
-  redirect_uri: zHttpsUrl3.optional(),
-  response_uri: zHttpsUrl3.optional(),
-  request_uri: zHttpsUrl3.optional(),
-  request_uri_method: z7.optional(z7.string()),
-  response_mode: z7.enum(["direct_post", "direct_post.jwt"]).optional(),
-  nonce: z7.string(),
-  wallet_nonce: z7.string().optional(),
-  scope: z7.string().optional(),
-  presentation_definition: z7.record(z7.any()).optional(),
-  presentation_definition_uri: zHttpsUrl3.optional(),
-  dcql_query: z7.record(z7.any()).optional(),
-  client_metadata: zClientMetadata.optional(),
-  client_metadata_uri: zHttpsUrl3.optional(),
-  state: z7.string().optional(),
-  transaction_data: z7.array(z7.string()).optional(),
-  trust_chain: z7.unknown().optional(),
-  client_id_scheme: z7.enum([
-    "pre-registered",
-    "redirect_uri",
-    "entity_id",
-    "did",
-    "verifier_attestation",
-    "x509_san_dns",
-    "x509_san_uri"
-  ]).optional()
-}).passthrough();
-
-// src/authorization-request/z-authorization-request-dc-api.ts
-import { z as z8 } from "zod";
-var zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
-  client_id: true,
-  response_type: true,
-  response_mode: true,
-  nonce: true,
-  presentation_definition: true,
-  client_metadata: true,
-  transaction_data: true,
-  dcql_query: true,
-  trust_chain: true
-}).extend({
-  client_id: z8.optional(z8.string()),
-  expected_origins: z8.array(z8.string()).optional(),
-  response_mode: z8.enum(["dc_api", "dc_api.jwt", "w3c_dc_api.jwt", "w3c_dc_api"]),
-  client_id_scheme: z8.enum([
-    "pre-registered",
-    "redirect_uri",
-    "entity_id",
-    "did",
-    "verifier_attestation",
-    "x509_san_dns",
-    "x509_san_uri"
-  ]).optional()
-}).strip();
-function isOpenid4vpAuthorizationRequestDcApi(request) {
-  return request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt" || request.response_mode === "w3c_dc_api.jwt" || request.response_mode === "w3c_dc_api";
+  if (clientIdScheme === "https" || clientIdScheme === "did") {
+    return options.authorizationRequestPayload.client_id;
+  }
+  if (clientIdScheme === "pre-registered") {
+    return options.authorizationRequestPayload.client_id;
+  }
+  return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
 }
-
-// src/authorization-request/create-authorization-request.ts
-async function createOpenid4vpAuthorizationRequest(options) {
-  const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
-  let additionalJwtPayload;
-  let authorizationRequestPayload;
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    authorizationRequestPayload = parseWithErrorHandling2(
-      zOpenid4vpAuthorizationRequestDcApi,
-      options.authorizationRequestPayload,
-      "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
-    );
-    if (jar && !authorizationRequestPayload.expected_origins) {
-      throw new Oauth2Error4(
-        `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
-      );
-    }
-    validateOpenid4vpAuthorizationRequestDcApiPayload({
-      params: authorizationRequestPayload,
-      isJarRequest: Boolean(jar),
-      disableOriginValidation: true
-    });
-  } else {
-    authorizationRequestPayload = parseWithErrorHandling2(
-      zOpenid4vpAuthorizationRequest,
-      options.authorizationRequestPayload,
-      "Invalid authorization request. Could not parse openid4vp authorization request."
-    );
-    validateOpenid4vpAuthorizationRequestPayload({
-      params: authorizationRequestPayload,
-      walletVerificationOptions: wallet
+function parseClientIdentifier(options, parserConfig) {
+  const { authorizationRequestPayload, jar } = options;
+  const parserConfigWithDefaults = {
+    supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
+  };
+  const clientId = getOpenid4vpClientId(options);
+  const colonIndex = clientId.indexOf(":");
+  if (colonIndex === -1) {
+    return {
+      scheme: "pre-registered",
+      identifier: clientId,
+      originalValue: clientId,
+      clientMetadata: authorizationRequestPayload.client_metadata
+    };
+  }
+  const schemePart = clientId.substring(0, colonIndex);
+  const identifierPart = clientId.substring(colonIndex + 1);
+  if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
+    throw new Oauth2ServerErrorResponseError2({
+      error: Oauth2ErrorCodes2.InvalidRequest,
+      error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
     });
   }
-  if (jar) {
-    if (!jar.additionalJwtPayload?.aud) {
-      additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
+  const scheme = schemePart;
+  if (scheme === "https") {
+    if (!clientId.startsWith("https://") && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith("http://"))) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
+      });
     }
-    const jarResult = await createJarAuthorizationRequest({
-      ...jar,
-      authorizationRequestPayload,
-      additionalJwtPayload,
-      callbacks
-    });
-    const url2 = new URL(scheme);
-    url2.search = `?${new URLSearchParams([
-      ...url2.searchParams.entries(),
-      ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries()
-    ]).toString()}`;
     return {
-      authorizationRequestPayload,
-      authorizationRequestObject: jarResult.jarAuthorizationRequest,
-      authorizationRequest: url2.toString(),
-      jar: { ...jar, ...jarResult }
+      scheme,
+      identifier: clientId,
+      originalValue: clientId,
+      trustChain: authorizationRequestPayload.trust_chain
     };
   }
-  const url = new URL(scheme);
-  url.search = `?${new URLSearchParams([
-    ...url.searchParams.entries(),
-    ...objectToQueryParams(authorizationRequestPayload).entries()
-  ]).toString()}`;
-  return {
-    authorizationRequestPayload,
-    authorizationRequestObject: authorizationRequestPayload,
-    authorizationRequest: url.toString(),
-    jar: void 0
-  };
-}
-
-// src/authorization-request/parse-authorization-request-params.ts
-import { decodeJwt as decodeJwt2 } from "@openid4vc/oauth2";
-import { URL as URL2 } from "@openid4vc/utils";
-import { parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
-import z10 from "zod";
-
-// src/jar/z-jar-authorization-request.ts
-import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
-import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
-import { z as z9 } from "zod";
-var zJarAuthorizationRequest = z9.object({
-  request: z9.optional(z9.string()),
-  request_uri: z9.optional(zHttpsUrl4),
-  request_uri_method: z9.optional(z9.string()),
-  client_id: z9.optional(z9.string())
-}).passthrough();
-function validateJarRequestParams(options) {
-  const { jarRequestParams } = options;
-  if (jarRequestParams.request && jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: "invalid_request_object",
-      error_description: "request and request_uri cannot both be present in a JAR request"
-    });
-  }
-  if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-    throw new Oauth2ServerErrorResponseError3({
-      error: "invalid_request_object",
-      error_description: "request or request_uri must be present"
-    });
+  if (scheme === "redirect_uri") {
+    if (jar) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
+      });
+    }
+    if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
+      });
+    }
+    return {
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
+    };
   }
-  return jarRequestParams;
-}
-function isJarAuthorizationRequest(request) {
-  return "request" in request || "request_uri" in request;
-}
-
-// src/authorization-request/parse-authorization-request-params.ts
-function parseOpenid4vpAuthorizationRequestPayload(options) {
-  const { authorizationRequest } = options;
-  let provided = "params";
-  let params;
-  if (typeof authorizationRequest === "string") {
-    if (authorizationRequest.includes("://")) {
-      const url = new URL2(authorizationRequest);
-      params = Object.fromEntries(url.searchParams);
-      provided = "uri";
-    } else {
-      const decoded = decodeJwt2({ jwt: authorizationRequest });
-      params = decoded.payload;
-      provided = "jwt";
+  if (scheme === "did") {
+    if (!jar) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
+      });
     }
-  } else {
-    params = authorizationRequest;
+    if (!clientId.startsWith("did:")) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: "Invalid client identifier. Client identifier must start with 'did:'"
+      });
+    }
+    if (!jar.signer.publicJwk.kid) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: `Missing required 'kid' for client identifier scheme: did`
+      });
+    }
+    if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
+      });
+    }
+    return {
+      scheme,
+      identifier: clientId,
+      originalValue: clientId,
+      didUrl: jar.signer.publicJwk.kid
+    };
   }
-  const parsedRequest = parseWithErrorHandling3(
-    z10.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
-    params
-  );
-  if (isJarAuthorizationRequest(parsedRequest)) {
+  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
+    if (!jar) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
+      });
+    }
+    if (jar.signer.method !== "x5c") {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
+      });
+    }
+    if (scheme === "x509_san_dns") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new Oauth2ServerErrorResponseError2(
+          {
+            error: Oauth2ErrorCodes2.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
+          }
+        );
+      }
+      const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
+      if (!sanDnsNames.includes(identifierPart)) {
+        throw new Oauth2ServerErrorResponseError2({
+          error: Oauth2ErrorCodes2.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
+        });
+      }
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
+        if (!uri || new URL2(uri).hostname !== identifierPart) {
+          throw new Oauth2ServerErrorResponseError2({
+            error: Oauth2ErrorCodes2.InvalidRequest,
+            error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
+          });
+        }
+      }
+    } else if (scheme === "x509_san_uri") {
+      if (!options.callbacks.getX509CertificateMetadata) {
+        throw new Oauth2ServerErrorResponseError2(
+          {
+            error: Oauth2ErrorCodes2.ServerError
+          },
+          {
+            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
+          }
+        );
+      }
+      const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
+      if (!sanUriNames.includes(identifierPart)) {
+        throw new Oauth2ServerErrorResponseError2({
+          error: Oauth2ErrorCodes2.InvalidRequest,
+          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
+        });
+      }
+      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+        const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
+        if (!uri || uri !== identifierPart) {
+          throw new Oauth2ServerErrorResponseError2({
+            error: Oauth2ErrorCodes2.InvalidRequest,
+            error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
+          });
+        }
+      }
+    }
     return {
-      type: "jar",
-      provided,
-      params: parsedRequest
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      x5c: jar.signer.x5c
     };
   }
-  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
+  if (scheme === "web-origin") {
     return {
-      type: "openid4vp_dc_api",
-      provided,
-      params: parsedRequest
+      scheme,
+      identifier: identifierPart,
+      originalValue: clientId,
+      clientMetadata: authorizationRequestPayload.client_metadata
     };
   }
+  if (scheme === "verifier_attestation") {
+    if (!jar) {
+      throw new Oauth2ServerErrorResponseError2({
+        error: Oauth2ErrorCodes2.InvalidRequest,
+        error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
+      });
+    }
+  }
   return {
-    type: "openid4vp",
-    provided,
-    params: parsedRequest
+    scheme,
+    identifier: identifierPart,
+    originalValue: clientId
   };
 }
 
-// src/authorization-request/resolve-authorization-request.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes9, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
-import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
-import z14 from "zod";
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+import {
+  Oauth2Error as Oauth2Error3,
+  decodeJwt,
+  jwtSignerFromJwt,
+  zCompactJwe,
+  zCompactJwt,
+  zJwtHeader as zJwtHeader2
+} from "@openid4vc/oauth2";
+import z8 from "zod";
 
-// src/client-identifier-scheme/parse-client-identifier-scheme.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5, getGlobalConfig } from "@openid4vc/oauth2";
-import { URL as URL3 } from "@openid4vc/utils";
+// src/jarm/jarm-extract-jwks.ts
+function extractJwksFromClientMetadata(clientMetadata) {
+  const parsed = zJarmClientMetadataParsed.parse(clientMetadata);
+  const encryptionAlg = parsed.client_metadata.authorization_encrypted_response_enc;
+  const signingAlg = parsed.client_metadata.authorization_signed_response_alg;
+  const encJwk = clientMetadata.jwks.keys.find((key) => key.use === "enc" && key.alg === encryptionAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "enc") ?? // fallback, take first key. HAIP does not specify requirement on enc
+  clientMetadata.jwks.keys?.[0];
+  const sigJwk = clientMetadata.jwks.keys.find((key) => key.use === "sig" && key.alg === signingAlg) ?? clientMetadata.jwks.keys.find((key) => key.use === "sig") ?? // falback, take first key
+  clientMetadata.jwks.keys?.[0];
+  return { encJwk, sigJwk };
+}
 
-// src/version.ts
-import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
-function parseAuthorizationRequestVersion(request) {
-  const requirements = [];
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-    requirements.push(["<", 23]);
-    requirements.push([">=", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt") {
-    requirements.push([">=", 23]);
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+import { Oauth2Error as Oauth2Error2 } from "@openid4vc/oauth2";
+import { dateToSeconds } from "@openid4vc/utils";
+
+// src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
+import { zJwtHeader, zJwtPayload } from "@openid4vc/oauth2";
+import { z as z7 } from "zod";
+var zJarmHeader = z7.object({ ...zJwtHeader.shape, apu: z7.string().optional(), apv: z7.string().optional() });
+var zJarmAuthorizationResponse = z7.object({
+  /**
+   * iss: The issuer URL of the authorization server that created the response
+   * aud: The client_id of the client the response is intended for
+   * exp: The expiration time of the JWT. A maximum JWT lifetime of 10 minutes is RECOMMENDED.
+   */
+  ...zJwtPayload.shape,
+  ...zJwtPayload.pick({ iss: true, aud: true, exp: true }).required().shape,
+  state: z7.optional(z7.string())
+}).passthrough();
+var zJarmAuthorizationResponseEncryptedOnly = z7.object({
+  ...zJwtPayload.shape,
+  state: z7.optional(z7.string())
+}).passthrough();
+
+// src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
+var jarmAuthorizationResponseValidate = (options) => {
+  const { expectedClientId, authorizationResponse } = options;
+  if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) {
+    return;
   }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
-    requirements.push([">=", 23]);
+  if (expectedClientId !== authorizationResponse.aud) {
+    throw new Oauth2Error2(
+      `Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`
+    );
   }
-  if (request.dcql_query) {
-    requirements.push([">=", 22]);
+  if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < dateToSeconds()) {
+    throw new Oauth2Error2("Jarm auth response is expired.");
   }
-  if (request.transaction_data) {
-    requirements.push([">=", 22]);
+};
+
+// src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
+var decryptJarmAuthorizationResponseJwt = async (options) => {
+  const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
+  const encryptionJwk = authorizationRequestPayload.client_metadata?.jwks ? extractJwksFromClientMetadata({
+    ...authorizationRequestPayload.client_metadata,
+    jwks: authorizationRequestPayload.client_metadata.jwks
+  }).encJwk : void 0;
+  const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
+  if (!result.decrypted) {
+    throw new Oauth2Error3("Failed to decrypt jarm auth response.");
   }
-  if (request.client_id_scheme) {
-    requirements.push(["<", 22]);
+  return result.payload;
+};
+async function verifyJarmAuthorizationResponse(options) {
+  const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
+  const requestDataIsEncrypted = zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
+  const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
+    jarmAuthorizationResponseJwt,
+    callbacks,
+    authorizationRequestPayload
+  }) : jarmAuthorizationResponseJwt;
+  const responseIsSigned = zCompactJwt.safeParse(decryptedRequestData).success;
+  if (!requestDataIsEncrypted && !responseIsSigned) {
+    throw new Oauth2Error3("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
   }
-  if (request.client_id) {
-    const colonIndex = request.client_id.indexOf(":");
-    const schemePart = request.client_id.substring(0, colonIndex);
-    const parsedScheme = zClientIdScheme.safeParse(schemePart);
-    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
-      requirements.push([">=", 22]);
+  let jarmAuthorizationResponse;
+  if (responseIsSigned) {
+    const { header: jwsProtectedHeader, payload: jwsPayload } = decodeJwt({
+      jwt: decryptedRequestData,
+      headerSchema: z8.object({ ...zJwtHeader2.shape, kid: z8.string() })
+    });
+    const response = zJarmAuthorizationResponse.parse(jwsPayload);
+    const jwtSigner = jwtSignerFromJwt({ header: jwsProtectedHeader, payload: jwsPayload });
+    const verificationResult = await options.callbacks.verifyJwt(jwtSigner, {
+      compact: decryptedRequestData,
+      header: jwsProtectedHeader,
+      payload: jwsPayload
+    });
+    if (!verificationResult.verified) {
+      throw new Oauth2Error3("Jarm Auth Response is not valid.");
     }
+    jarmAuthorizationResponse = response;
+  } else {
+    const jsonRequestData = JSON.parse(decryptedRequestData);
+    jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
   }
-  if (!request.client_id) {
-    requirements.push([">=", 21]);
-  }
-  if ("client_metadata_uri" in request) {
-    requirements.push(["<", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-    requirements.push([">=", 21]);
-  }
-  if ("request_uri_method" in request || "wallet_nonce" in request) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_id_scheme === "verifier_attestation") {
-    requirements.push([">=", 20]);
+  jarmAuthorizationResponseValidate({
+    expectedClientId,
+    authorizationResponse: jarmAuthorizationResponse
+  });
+  const type = requestDataIsEncrypted && responseIsSigned ? "SignedEncrypted" /* SignedEncrypted */ : requestDataIsEncrypted ? "Encrypted" /* Encrypted */ : "Signed" /* Signed */;
+  const issuer = jarmAuthorizationResponse.iss;
+  return { jarmAuthorizationResponse, type, issuer };
+}
+
+// src/authorization-request/create-authorization-request.ts
+import { Oauth2Error as Oauth2Error4 } from "@openid4vc/oauth2";
+import { URL as URL3, URLSearchParams, objectToQueryParams, parseWithErrorHandling as parseWithErrorHandling2 } from "@openid4vc/utils";
+
+// src/jar/create-jar-authorization-request.ts
+import {
+  jwtHeaderFromJwtSigner
+} from "@openid4vc/oauth2";
+async function createJarAuthorizationRequest(options) {
+  const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
+  let authorizationRequestJwt;
+  let encryptionJwk;
+  const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
+    header: { ...jwtHeaderFromJwtSigner(jwtSigner), typ: "oauth-authz-req+jwt" },
+    payload: { ...options.additionalJwtPayload, ...authorizationRequestPayload }
+  });
+  authorizationRequestJwt = jwt;
+  if (jweEncryptor) {
+    const encryptionResult = await callbacks.encryptJwe(jweEncryptor, authorizationRequestJwt);
+    authorizationRequestJwt = encryptionResult.jwe;
+    encryptionJwk = encryptionResult.encryptionJwk;
   }
-  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
-    requirements.push([">=", 19]);
+  const client_id = authorizationRequestPayload.client_id;
+  const jarAuthorizationRequest = requestUri ? { client_id, request_uri: requestUri } : { client_id, request: authorizationRequestJwt };
+  return { jarAuthorizationRequest, signerJwk, encryptionJwk, authorizationRequestJwt };
+}
+
+// src/authorization-request/validate-authorization-request.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes3, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError3 } from "@openid4vc/oauth2";
+import { zHttpsUrl as zHttpsUrl3 } from "@openid4vc/utils";
+var validateOpenid4vpAuthorizationRequestPayload = (options) => {
+  const { params, walletVerificationOptions } = options;
+  if (!params.redirect_uri && !params.response_uri) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
+    });
   }
-  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 24;
-  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-  if (lowestRequiredVersion > highestPossibleVersion) {
-    throw new Oauth2ServerErrorResponseError4({
+  if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
+    throw new Oauth2ServerErrorResponseError3({
       error: Oauth2ErrorCodes3.InvalidRequest,
-      error_description: "Could not infer openid4vp version from the openid4vp request payload."
+      error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
     });
   }
-  return highestPossibleVersion;
-}
-
-// src/client-identifier-scheme/parse-client-identifier-scheme.ts
-function getClientId(options) {
-  const version = parseAuthorizationRequestVersion(options.authorizationRequestPayload);
-  if (version < 22) {
-    return getLegacyClientId(options);
+  if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
+    Boolean
+  ).length > 1) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
+    });
   }
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    if (!options.origin) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
-      });
-    }
-    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
-    return options.authorizationRequestPayload.client_id;
+  if (params.request_uri_method && !params.request_uri) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
+    });
   }
-  return options.authorizationRequestPayload.client_id;
-}
-function getLegacyClientId(options) {
-  const legacyClientIdScheme = options.authorizationRequestPayload.client_id_scheme ?? "pre-registered";
-  const clientIdScheme = legacyClientIdScheme === "entity_id" ? "https" : legacyClientIdScheme;
-  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-    if (!options.origin) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: "Failed to parse client identifier. 'origin' is required for requests with response_mode 'dc_api' and 'dc_api.jwt'"
-      });
-    }
-    if (!options.jar || !options.authorizationRequestPayload.client_id) return `web-origin:${options.origin}`;
-    return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
+  if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequestUriMethod,
+      error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
+    });
   }
-  if (clientIdScheme === "https" || clientIdScheme === "did") {
-    return options.authorizationRequestPayload.client_id;
+  if (params.trust_chain && !zHttpsUrl3.safeParse(params.client_id).success) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
+    });
   }
-  if (clientIdScheme === "pre-registered") {
-    return options.authorizationRequestPayload.client_id;
+  if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
+    });
   }
-  return `${clientIdScheme}:${options.authorizationRequestPayload.client_id}`;
-}
-function parseClientIdentifier(options, parserConfig) {
-  const { authorizationRequestPayload, jar } = options;
-  const parserConfigWithDefaults = {
-    supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdScheme.options)
-  };
-  const clientId = getClientId(options);
-  const colonIndex = clientId.indexOf(":");
-  if (colonIndex === -1) {
-    return {
-      scheme: "pre-registered",
-      identifier: clientId,
-      originalValue: clientId,
-      clientMetadata: authorizationRequestPayload.client_metadata
-    };
+  if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
+    });
   }
-  const schemePart = clientId.substring(0, colonIndex);
-  const identifierPart = clientId.substring(colonIndex + 1);
-  if (!parserConfigWithDefaults.supportedSchemes.includes(schemePart)) {
-    throw new Oauth2ServerErrorResponseError5({
-      error: Oauth2ErrorCodes4.InvalidRequest,
-      error_description: `Unsupported client identifier scheme. ${schemePart} is not supported.`
+  if (params.client_id.startsWith("web-origin:")) {
+    throw new Oauth2ServerErrorResponseError3({
+      error: Oauth2ErrorCodes3.InvalidRequest,
+      error_description: `The 'client_id' parameter MUST NOT use client identifier scheme 'web-origin' when not using the dc_api response mode. Current: ${params.client_id}`
     });
   }
-  const scheme = schemePart;
-  if (scheme === "https") {
-    if (!clientId.startsWith("https://") && !(getGlobalConfig().allowInsecureUrls && clientId.startsWith("http://"))) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: "Invalid client identifier. Client identifier must start with https:// or http:// if allowInsecureUrls is true."
-      });
-    }
-    return {
-      scheme,
-      identifier: clientId,
-      originalValue: clientId,
-      trustChain: authorizationRequestPayload.trust_chain
-    };
+};
+
+// src/authorization-request/validate-authorization-request-dc-api.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes4, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError4 } from "@openid4vc/oauth2";
+var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
+  const { params, isJarRequest, disableOriginValidation, origin } = options;
+  if (isJarRequest && !params.expected_origins) {
+    throw new Oauth2ServerErrorResponseError4({
+      error: Oauth2ErrorCodes4.InvalidRequest,
+      error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
+    });
   }
-  if (scheme === "redirect_uri") {
-    if (jar) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: 'Using client identifier scheme "redirect_uri" the request MUST NOT be signed.'
-      });
-    }
-    if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: `The client identifier scheme 'redirect_uri' is not supported when using the dc_api response mode.`
-      });
-    }
-    return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
-    };
+  if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
+    throw new Oauth2ServerErrorResponseError4({
+      error: Oauth2ErrorCodes4.InvalidRequest,
+      error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
+    });
   }
-  if (scheme === "did") {
-    if (!jar) {
-      throw new Oauth2ServerErrorResponseError5({
+  if (params.expected_origins && !disableOriginValidation) {
+    if (!origin) {
+      throw new Oauth2ServerErrorResponseError4({
         error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: 'Using client identifier scheme "did" requires a signed JAR request.'
+        error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
       });
     }
-    if (!clientId.startsWith("did:")) {
-      throw new Oauth2ServerErrorResponseError5({
+    if (params.expected_origins && !params.expected_origins.includes(origin)) {
+      throw new Oauth2ServerErrorResponseError4({
         error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: "Invalid client identifier. Client identifier must start with 'did:'"
+        error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
       });
     }
-    if (!jar.signer.publicJwk.kid) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: `Missing required 'kid' for client identifier scheme: did`
-      });
+  }
+};
+
+// src/authorization-request/create-authorization-request.ts
+async function createOpenid4vpAuthorizationRequest(options) {
+  const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
+  let additionalJwtPayload;
+  let authorizationRequestPayload;
+  if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
+    authorizationRequestPayload = parseWithErrorHandling2(
+      zOpenid4vpAuthorizationRequestDcApi,
+      options.authorizationRequestPayload,
+      "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
+    );
+    if (jar && !authorizationRequestPayload.expected_origins) {
+      throw new Oauth2Error4(
+        `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
+      );
     }
-    if (!jar.signer.publicJwk.kid?.startsWith(clientId)) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: 'With client identifier scheme "did" the JAR request must be signed by the same DID as the client identifier.'
-      });
+    validateOpenid4vpAuthorizationRequestDcApiPayload({
+      params: authorizationRequestPayload,
+      isJarRequest: Boolean(jar),
+      disableOriginValidation: true
+    });
+  } else {
+    authorizationRequestPayload = parseWithErrorHandling2(
+      zOpenid4vpAuthorizationRequest,
+      options.authorizationRequestPayload,
+      "Invalid authorization request. Could not parse openid4vp authorization request."
+    );
+    validateOpenid4vpAuthorizationRequestPayload({
+      params: authorizationRequestPayload,
+      walletVerificationOptions: wallet
+    });
+  }
+  if (jar) {
+    if (!jar.additionalJwtPayload?.aud) {
+      additionalJwtPayload = { ...jar.additionalJwtPayload, aud: jar.requestUri };
     }
+    const jarResult = await createJarAuthorizationRequest({
+      ...jar,
+      authorizationRequestPayload,
+      additionalJwtPayload,
+      callbacks
+    });
+    const url2 = new URL3(scheme);
+    url2.search = `?${new URLSearchParams([
+      ...url2.searchParams.entries(),
+      ...objectToQueryParams(jarResult.jarAuthorizationRequest).entries()
+    ]).toString()}`;
     return {
-      scheme,
-      identifier: clientId,
-      originalValue: clientId,
-      didUrl: jar.signer.publicJwk.kid
+      authorizationRequestPayload,
+      authorizationRequestObject: jarResult.jarAuthorizationRequest,
+      authorizationRequest: url2.toString(),
+      jar: { ...jar, ...jarResult }
     };
   }
-  if (scheme === "x509_san_dns" || scheme === "x509_san_uri") {
-    if (!jar) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: 'Using client identifier scheme "x509_san_dns" or "x509_san_uri" requires a signed JAR request.'
-      });
-    }
-    if (jar.signer.method !== "x5c") {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: "Something went wrong. The JWT signer method is not x5c but the client identifier scheme is x509_san_dns."
-      });
-    }
-    if (scheme === "x509_san_dns") {
-      if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError5(
-          {
-            error: Oauth2ErrorCodes4.ServerError
-          },
-          {
-            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_dns' client id scheme"
-          }
-        );
-      }
-      const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-      if (!sanDnsNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError5({
-          error: Oauth2ErrorCodes4.InvalidRequest,
-          error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${identifierPart}'. `
-        });
-      }
-      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-        const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
-        if (!uri || new URL3(uri).hostname !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError5({
-            error: Oauth2ErrorCodes4.InvalidRequest,
-            error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
-          });
-        }
-      }
-    } else if (scheme === "x509_san_uri") {
-      if (!options.callbacks.getX509CertificateMetadata) {
-        throw new Oauth2ServerErrorResponseError5(
-          {
-            error: Oauth2ErrorCodes4.ServerError
-          },
-          {
-            internalMessage: "Missing required 'getX509CertificateMetadata' callback for verification of 'x509_san_uri' client id scheme"
-          }
-        );
-      }
-      const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-      if (!sanUriNames.includes(identifierPart)) {
-        throw new Oauth2ServerErrorResponseError5({
-          error: Oauth2ErrorCodes4.InvalidRequest,
-          error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${identifierPart}'.`
-        });
-      }
-      if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-        const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
-        if (!uri || uri !== identifierPart) {
-          throw new Oauth2ServerErrorResponseError5({
-            error: Oauth2ErrorCodes4.InvalidRequest,
-            error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
-          });
-        }
-      }
+  const url = new URL3(scheme);
+  url.search = `?${new URLSearchParams([
+    ...url.searchParams.entries(),
+    ...objectToQueryParams(authorizationRequestPayload).entries()
+  ]).toString()}`;
+  return {
+    authorizationRequestPayload,
+    authorizationRequestObject: authorizationRequestPayload,
+    authorizationRequest: url.toString(),
+    jar: void 0
+  };
+}
+
+// src/authorization-request/parse-authorization-request-params.ts
+import { decodeJwt as decodeJwt2 } from "@openid4vc/oauth2";
+import { parseWithErrorHandling as parseWithErrorHandling3 } from "@openid4vc/utils";
+import z10 from "zod";
+
+// src/jar/z-jar-authorization-request.ts
+import { Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError5 } from "@openid4vc/oauth2";
+import { zHttpsUrl as zHttpsUrl4 } from "@openid4vc/utils";
+import { z as z9 } from "zod";
+var zJarAuthorizationRequest = z9.object({
+  request: z9.optional(z9.string()),
+  request_uri: z9.optional(zHttpsUrl4),
+  request_uri_method: z9.optional(z9.string()),
+  client_id: z9.optional(z9.string())
+}).passthrough();
+function validateJarRequestParams(options) {
+  const { jarRequestParams } = options;
+  if (jarRequestParams.request && jarRequestParams.request_uri) {
+    throw new Oauth2ServerErrorResponseError5({
+      error: "invalid_request_object",
+      error_description: "request and request_uri cannot both be present in a JAR request"
+    });
+  }
+  if (!jarRequestParams.request && !jarRequestParams.request_uri) {
+    throw new Oauth2ServerErrorResponseError5({
+      error: "invalid_request_object",
+      error_description: "request or request_uri must be present"
+    });
+  }
+  return jarRequestParams;
+}
+function isJarAuthorizationRequest(request) {
+  return "request" in request || "request_uri" in request;
+}
+
+// src/authorization-request/parse-authorization-request-params.ts
+function parseOpenid4vpAuthorizationRequest(options) {
+  const { authorizationRequest } = options;
+  let provided = "params";
+  let params;
+  if (typeof authorizationRequest === "string") {
+    if (authorizationRequest.includes("://")) {
+      params = parseWithErrorHandling3(
+        zOpenid4vpAuthorizationRequestFromUriParams,
+        authorizationRequest,
+        "Unable to parse openid4vp authorization request uri to a valid object"
+      );
+      provided = "uri";
+    } else {
+      const decoded = decodeJwt2({ jwt: authorizationRequest });
+      params = decoded.payload;
+      provided = "jwt";
     }
+  } else {
+    params = authorizationRequest;
+  }
+  const parsedRequest = parseWithErrorHandling3(
+    z10.union([zOpenid4vpAuthorizationRequest, zJarAuthorizationRequest, zOpenid4vpAuthorizationRequestDcApi]),
+    params
+  );
+  if (isJarAuthorizationRequest(parsedRequest)) {
     return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      x5c: jar.signer.x5c
+      type: "jar",
+      provided,
+      params: parsedRequest
     };
   }
-  if (scheme === "web-origin") {
+  if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) {
     return {
-      scheme,
-      identifier: identifierPart,
-      originalValue: clientId,
-      clientMetadata: authorizationRequestPayload.client_metadata
+      type: "openid4vp_dc_api",
+      provided,
+      params: parsedRequest
     };
   }
-  if (scheme === "verifier_attestation") {
-    if (!jar) {
-      throw new Oauth2ServerErrorResponseError5({
-        error: Oauth2ErrorCodes4.InvalidRequest,
-        error_description: 'Using client identifier scheme "verifier_attestation" requires a signed JAR request.'
-      });
-    }
-  }
   return {
-    scheme,
-    identifier: identifierPart,
-    originalValue: clientId
+    type: "openid4vp",
+    provided,
+    params: parsedRequest
   };
 }
 
+// src/authorization-request/resolve-authorization-request.ts
+import { Oauth2ErrorCodes as Oauth2ErrorCodes9, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError10 } from "@openid4vc/oauth2";
+import { parseWithErrorHandling as parseWithErrorHandling4 } from "@openid4vc/utils";
+import z14 from "zod";
+
 // src/fetch-client-metadata.ts
 import { Oauth2ErrorCodes as Oauth2ErrorCodes5, Oauth2ServerErrorResponseError as Oauth2ServerErrorResponseError6 } from "@openid4vc/oauth2";
 import { ContentType, createZodFetcher } from "@openid4vc/utils";
@@ -1547,7 +1572,7 @@ async function parseJarmAuthorizationResponse(options) {
 // src/authorization-response/parse-authorization-response.ts
 async function parseOpenid4vpAuthorizationResponse(options) {
   const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
-  const expectedClientId = getClientId({ authorizationRequestPayload, origin });
+  const expectedClientId = getOpenid4vpClientId({ authorizationRequestPayload, origin });
   if (authorizationResponse.response) {
     return parseJarmAuthorizationResponse({
       jarmResponseJwt: authorizationResponse.response,
@@ -1585,8 +1610,8 @@ var Openid4vpClient = class {
   constructor(options) {
     this.options = options;
   }
-  parseOpenid4vpAuthorizationRequestPayload(options) {
-    return parseOpenid4vpAuthorizationRequestPayload(options);
+  parseOpenid4vpAuthorizationRequest(options) {
+    return parseOpenid4vpAuthorizationRequest(options);
   }
   async resolveOpenId4vpAuthorizationRequest(options) {
     return resolveOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
@@ -1677,7 +1702,7 @@ var Openid4vpVerifier = class {
     return createOpenid4vpAuthorizationRequest({ ...options, callbacks: this.options.callbacks });
   }
   parseOpenid4vpAuthorizationRequestPayload(options) {
-    return parseOpenid4vpAuthorizationRequestPayload(options);
+    return parseOpenid4vpAuthorizationRequest(options);
   }
   parseOpenid4vpAuthorizationResponse(options) {
     return parseOpenid4vpAuthorizationResponse(options);
@@ -1695,7 +1720,10 @@ var Openid4vpVerifier = class {
     return parseTransactionData(options);
   }
   verifyTransactionData(options) {
-    return verifyTransactionData(options);
+    return verifyTransactionData({
+      ...options,
+      callbacks: this.options.callbacks
+    });
   }
 };
 
@@ -1722,11 +1750,12 @@ export {
   Openid4vpVerifier,
   createOpenid4vpAuthorizationRequest,
   createOpenid4vpAuthorizationResponse,
+  getOpenid4vpClientId,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
   parseDcqlVpToken,
   parseJarmAuthorizationResponse,
-  parseOpenid4vpAuthorizationRequestPayload,
+  parseOpenid4vpAuthorizationRequest,
   parseOpenid4vpAuthorizationResponse,
   parsePexVpToken,
   parseTransactionData,