@openid4vc/openid4vp 0.3.0-alpha-20250707121837 → 0.3.0-alpha-20250711140312

package/dist/index.js

@@ -38,6 +38,7 @@ __export(index_exports, {
   getOpenid4vpClientId: () => getOpenid4vpClientId,
   isJarmResponseMode: () => isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi: () => isOpenid4vpAuthorizationRequestDcApi,
+  parseAuthorizationRequestVersion: () => parseAuthorizationRequestVersion,
   parseDcqlVpToken: () => parseDcqlVpToken,
   parseJarmAuthorizationResponse: () => parseJarmAuthorizationResponse,
   parseOpenid4VpAuthorizationResponsePayload: () => parseOpenid4VpAuthorizationResponsePayload,
@@ -783,12 +784,116 @@ async function verifyJarmAuthorizationResponse(options) {
   return { jarmAuthorizationResponse, type, issuer };
 }
 
+// src/version.ts
+var import_oauth28 = require("@openid4vc/oauth2");
+function parseAuthorizationRequestVersion(request) {
+  const requirements = [];
+  if (request.verifier_info) {
+    requirements.push([">=", 100]);
+  }
+  if (request.verifier_attestations) {
+    requirements.push(["<", 100]);
+  }
+  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
+    requirements.push([">=", 28]);
+  }
+  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
+    requirements.push(["<", 28]);
+  }
+  if (request.client_metadata?.vp_formats) {
+    requirements.push([">=", 27]);
+  }
+  if (request.client_metadata?.vp_formats_supported) {
+    requirements.push(["<", 27]);
+  }
+  if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
+    requirements.push([">=", 26]);
+  }
+  if (request.client_id?.startsWith("did:")) {
+    requirements.push(["<", 26]);
+  }
+  if (request.presentation_definition || request.presentation_definition_uri) {
+    requirements.push([">=", 26]);
+  }
+  if (request.verifier_attestations) {
+    requirements.push([">=", 26]);
+  }
+  if (request.client_id?.startsWith("x509_san_uri:")) {
+    requirements.push(["<", 25]);
+  }
+  if (request.client_id?.startsWith("x509_hash:")) {
+    requirements.push([">=", 25]);
+  }
+  if (request.client_id?.startsWith("web-origin:")) {
+    requirements.push(["<", 25]);
+  }
+  if (request.client_id?.startsWith("origin:")) {
+    requirements.push([">=", 25]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
+    requirements.push(["<", 23]);
+    requirements.push([">=", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
+    requirements.push([">=", 23]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
+    requirements.push([">=", 23]);
+  }
+  if (request.transaction_data) {
+    requirements.push([">=", 22]);
+  }
+  if (request.client_id_scheme) {
+    requirements.push(["<", 22]);
+  }
+  if (request.client_id) {
+    const colonIndex = request.client_id.indexOf(":");
+    const schemePart = request.client_id.substring(0, colonIndex);
+    const parsedScheme = zClientIdPrefix.safeParse(schemePart);
+    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
+      requirements.push([">=", 22]);
+    }
+  }
+  if (!request.client_id) {
+    requirements.push([">=", 21]);
+  }
+  if (request.dcql_query) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_metadata_uri) {
+    requirements.push(["<", 21]);
+  }
+  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
+    requirements.push([">=", 21]);
+  }
+  if (request.request_uri_method || request.wallet_nonce) {
+    requirements.push([">=", 21]);
+  }
+  if (request.client_id_scheme === "verifier_attestation") {
+    requirements.push([">=", 20]);
+  }
+  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
+    requirements.push([">=", 19]);
+  }
+  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
+  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
+  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
+  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
+  if (lowestRequiredVersion > highestPossibleVersion) {
+    throw new import_oauth28.Oauth2ServerErrorResponseError({
+      error: import_oauth28.Oauth2ErrorCodes.InvalidRequest,
+      error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
+    });
+  }
+  return highestPossibleVersion;
+}
+
 // src/authorization-request/create-authorization-request.ts
-var import_oauth211 = require("@openid4vc/oauth2");
+var import_oauth212 = require("@openid4vc/oauth2");
 var import_utils9 = require("@openid4vc/utils");
 
 // src/jar/create-jar-authorization-request.ts
-var import_oauth28 = require("@openid4vc/oauth2");
+var import_oauth29 = require("@openid4vc/oauth2");
 var import_utils7 = require("@openid4vc/utils");
 async function createJarAuthorizationRequest(options) {
   const { jwtSigner, jweEncryptor, authorizationRequestPayload, requestUri, callbacks } = options;
@@ -796,7 +901,7 @@ async function createJarAuthorizationRequest(options) {
   let encryptionJwk;
   const now = options.now ?? /* @__PURE__ */ new Date();
   const { jwt, signerJwk } = await callbacks.signJwt(jwtSigner, {
-    header: { ...(0, import_oauth28.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
+    header: { ...(0, import_oauth29.jwtHeaderFromJwtSigner)(jwtSigner), typ: "oauth-authz-req+jwt" },
     payload: {
       iat: (0, import_utils7.dateToSeconds)(now),
       exp: (0, import_utils7.dateToSeconds)((0, import_utils7.addSecondsToDate)(now, options.expiresInSeconds)),
@@ -816,94 +921,94 @@ async function createJarAuthorizationRequest(options) {
 }
 
 // src/authorization-request/validate-authorization-request.ts
-var import_oauth29 = require("@openid4vc/oauth2");
+var import_oauth210 = require("@openid4vc/oauth2");
 var import_utils8 = require("@openid4vc/utils");
 var validateOpenid4vpAuthorizationRequestPayload = (options) => {
   const { params, walletVerificationOptions } = options;
   if (!params.redirect_uri && !params.response_uri) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
     });
   }
   if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
     });
   }
   if ([params.presentation_definition_uri, params.presentation_definition, params.dcql_query, params.scope].filter(
     Boolean
   ).length > 1) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
     });
   }
   if (params.request_uri_method && !params.request_uri) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: 'The "request_uri_method" parameter MUST NOT be present in the authorization request if the "request_uri" parameter is not present.'
     });
   }
   if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequestUriMethod,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequestUriMethod,
       error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
     });
   }
   if (params.trust_chain && !import_utils8.zHttpsUrl.safeParse(params.client_id).success) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: 'The "trust_chain" parameter MUST NOT be present in the authorization request if the "client_id" is not an OpenId Federation Entity Identifier starting with http:// or https://.'
     });
   }
   if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST be present in the authorization request when the "expectedNonce" parameter is provided.'
     });
   }
   if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: 'The "wallet_nonce" parameter MUST match the "expectedNonce" parameter when the "expectedNonce" parameter is provided.'
     });
   }
   if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) {
-    throw new import_oauth29.Oauth2ServerErrorResponseError({
-      error: import_oauth29.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth210.Oauth2ServerErrorResponseError({
+      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
       error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
     });
   }
 };
 
 // src/authorization-request/validate-authorization-request-dc-api.ts
-var import_oauth210 = require("@openid4vc/oauth2");
+var import_oauth211 = require("@openid4vc/oauth2");
 var validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
   const { params, isJarRequest, disableOriginValidation, origin } = options;
   if (isJarRequest && !params.expected_origins) {
-    throw new import_oauth210.Oauth2ServerErrorResponseError({
-      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth211.Oauth2ServerErrorResponseError({
+      error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
       error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
     });
   }
   if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) {
-    throw new import_oauth210.Oauth2ServerErrorResponseError({
-      error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+    throw new import_oauth211.Oauth2ServerErrorResponseError({
+      error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
       error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
     });
   }
   if (params.expected_origins && !disableOriginValidation) {
     if (!origin) {
-      throw new import_oauth210.Oauth2ServerErrorResponseError({
-        error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth211.Oauth2ServerErrorResponseError({
+        error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
         error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
       });
     }
     if (params.expected_origins && !params.expected_origins.includes(origin)) {
-      throw new import_oauth210.Oauth2ServerErrorResponseError({
-        error: import_oauth210.Oauth2ErrorCodes.InvalidRequest,
+      throw new import_oauth211.Oauth2ServerErrorResponseError({
+        error: import_oauth211.Oauth2ErrorCodes.InvalidRequest,
         error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
       });
     }
@@ -922,7 +1027,7 @@ async function createOpenid4vpAuthorizationRequest(options) {
       "Invalid authorization request. Could not parse openid4vp dc_api authorization request."
     );
     if (jar && !authorizationRequestPayload.expected_origins) {
-      throw new import_oauth211.Oauth2Error(
+      throw new import_oauth212.Oauth2Error(
         `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
       );
     }
@@ -980,12 +1085,12 @@ async function createOpenid4vpAuthorizationRequest(options) {
 }
 
 // src/authorization-request/parse-authorization-request-params.ts
-var import_oauth213 = require("@openid4vc/oauth2");
+var import_oauth214 = require("@openid4vc/oauth2");
 var import_utils11 = require("@openid4vc/utils");
 var import_zod11 = __toESM(require("zod"));
 
 // src/jar/z-jar-authorization-request.ts
-var import_oauth212 = require("@openid4vc/oauth2");
+var import_oauth213 = require("@openid4vc/oauth2");
 var import_utils10 = require("@openid4vc/utils");
 var import_zod10 = require("zod");
 var zJarAuthorizationRequest = import_zod10.z.object({
@@ -997,13 +1102,13 @@ var zJarAuthorizationRequest = import_zod10.z.object({
 function validateJarRequestParams(options) {
   const { jarRequestParams } = options;
   if (jarRequestParams.request && jarRequestParams.request_uri) {
-    throw new import_oauth212.Oauth2ServerErrorResponseError({
+    throw new import_oauth213.Oauth2ServerErrorResponseError({
       error: "invalid_request_object",
       error_description: "request and request_uri cannot both be present in a JAR request"
     });
   }
   if (!jarRequestParams.request && !jarRequestParams.request_uri) {
-    throw new import_oauth212.Oauth2ServerErrorResponseError({
+    throw new import_oauth213.Oauth2ServerErrorResponseError({
       error: "invalid_request_object",
       error_description: "request or request_uri must be present"
     });
@@ -1028,7 +1133,7 @@ function parseOpenid4vpAuthorizationRequest(options) {
       );
       provided = "uri";
     } else {
-      const decoded = (0, import_oauth213.decodeJwt)({ jwt: authorizationRequest });
+      const decoded = (0, import_oauth214.decodeJwt)({ jwt: authorizationRequest });
       params = decoded.payload;
       provided = "jwt";
     }
@@ -1066,7 +1171,7 @@ var import_utils15 = require("@openid4vc/utils");
 var import_zod15 = __toESM(require("zod"));
 
 // src/fetch-client-metadata.ts
-var import_oauth214 = require("@openid4vc/oauth2");
+var import_oauth215 = require("@openid4vc/oauth2");
 var import_utils12 = require("@openid4vc/utils");
 async function fetchClientMetadata(options) {
   const { fetch, clientMetadataUri } = options;
@@ -1078,15 +1183,15 @@ async function fetchClientMetadata(options) {
     }
   });
   if (!response.ok) {
-    throw new import_oauth214.Oauth2ServerErrorResponseError({
+    throw new import_oauth215.Oauth2ServerErrorResponseError({
       error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
-      error: import_oauth214.Oauth2ErrorCodes.InvalidRequestUri
+      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestUri
     });
   }
   if (!result || !result.success) {
-    throw new import_oauth214.Oauth2ServerErrorResponseError({
+    throw new import_oauth215.Oauth2ServerErrorResponseError({
       error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
-      error: import_oauth214.Oauth2ErrorCodes.InvalidRequestObject
+      error: import_oauth215.Oauth2ErrorCodes.InvalidRequestObject
     });
   }
   return result.data;
@@ -1096,110 +1201,6 @@ async function fetchClientMetadata(options) {
 var import_oauth218 = require("@openid4vc/oauth2");
 var import_zod13 = __toESM(require("zod"));
 
-// src/version.ts
-var import_oauth215 = require("@openid4vc/oauth2");
-function parseAuthorizationRequestVersion(request) {
-  const requirements = [];
-  if (request.verifier_info) {
-    requirements.push([">=", 29]);
-  }
-  if (request.verifier_attestations) {
-    requirements.push(["<", 29]);
-  }
-  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) {
-    requirements.push([">=", 28]);
-  }
-  if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) {
-    requirements.push(["<", 28]);
-  }
-  if (request.client_metadata?.vp_formats) {
-    requirements.push([">=", 27]);
-  }
-  if (request.client_metadata?.vp_formats_supported) {
-    requirements.push(["<", 27]);
-  }
-  if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) {
-    requirements.push([">=", 26]);
-  }
-  if (request.client_id?.startsWith("did:")) {
-    requirements.push(["<", 26]);
-  }
-  if (request.presentation_definition || request.presentation_definition_uri) {
-    requirements.push([">=", 26]);
-  }
-  if (request.verifier_attestations) {
-    requirements.push([">=", 26]);
-  }
-  if (request.client_id?.startsWith("x509_san_uri:")) {
-    requirements.push(["<", 25]);
-  }
-  if (request.client_id?.startsWith("x509_hash:")) {
-    requirements.push([">=", 25]);
-  }
-  if (request.client_id?.startsWith("web-origin:")) {
-    requirements.push(["<", 25]);
-  }
-  if (request.client_id?.startsWith("origin:")) {
-    requirements.push([">=", 25]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-    requirements.push(["<", 23]);
-    requirements.push([">=", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) {
-    requirements.push([">=", 23]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) {
-    requirements.push([">=", 23]);
-  }
-  if (request.transaction_data) {
-    requirements.push([">=", 22]);
-  }
-  if (request.client_id_scheme) {
-    requirements.push(["<", 22]);
-  }
-  if (request.client_id) {
-    const colonIndex = request.client_id.indexOf(":");
-    const schemePart = request.client_id.substring(0, colonIndex);
-    const parsedScheme = zClientIdPrefix.safeParse(schemePart);
-    if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") {
-      requirements.push([">=", 22]);
-    }
-  }
-  if (!request.client_id) {
-    requirements.push([">=", 21]);
-  }
-  if (request.dcql_query) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_metadata_uri) {
-    requirements.push(["<", 21]);
-  }
-  if (isOpenid4vpAuthorizationRequestDcApi(request)) {
-    requirements.push([">=", 21]);
-  }
-  if (request.request_uri_method || request.wallet_nonce) {
-    requirements.push([">=", 21]);
-  }
-  if (request.client_id_scheme === "verifier_attestation") {
-    requirements.push([">=", 20]);
-  }
-  if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") {
-    requirements.push([">=", 19]);
-  }
-  const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-  const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-  const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 29;
-  const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-  if (lowestRequiredVersion > highestPossibleVersion) {
-    throw new import_oauth215.Oauth2ServerErrorResponseError({
-      error: import_oauth215.Oauth2ErrorCodes.InvalidRequest,
-      error_description: "Could not infer openid4vp version from the openid4vp request payload."
-    });
-  }
-  return highestPossibleVersion;
-}
-
 // src/jar/jar-request-object/fetch-jar-request-object.ts
 var import_oauth216 = require("@openid4vc/oauth2");
 var import_utils13 = require("@openid4vc/utils");
@@ -1783,18 +1784,24 @@ var import_utils20 = require("@openid4vc/utils");
 
 // src/vp-token/z-vp-token.ts
 var import_zod17 = require("zod");
-var zVpTokenPexEntry = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())], {
-  message: "pex vp_token entry must be a string or object"
+var zVpTokenPresentationEntry = import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())], {
+  message: "vp_token presentation entry must be string or object"
 });
 var zVpTokenPex = import_zod17.z.union(
-  [zVpTokenPexEntry, import_zod17.z.array(zVpTokenPexEntry).nonempty("Must have at least entry in vp_token array")],
+  [
+    zVpTokenPresentationEntry,
+    import_zod17.z.array(zVpTokenPresentationEntry).nonempty("Must have at least entry in vp_token array")
+  ],
   {
-    message: "pex vp_token must be a string, object or array of strings and objects"
+    message: "pex vp_token must be a string, object or non-empty array of strings and objects"
+  }
+);
+var zVpTokenDcql = import_zod17.z.record(
+  import_zod17.z.union([import_zod17.z.array(zVpTokenPresentationEntry).nonempty(), zVpTokenPresentationEntry]),
+  {
+    message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object"
   }
 );
-var zVpTokenDcql = import_zod17.z.record(import_zod17.z.union([import_zod17.z.string(), import_zod17.z.record(import_zod17.z.any())]), {
-  message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values the encoded (string or object) presentation"
-});
 var zVpToken = zVpTokenDcql.or(zVpTokenPex);
 
 // src/vp-token/parse-vp-token.ts
@@ -1807,11 +1814,17 @@ function parsePexVpToken(vpToken) {
   return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
 }
 function parseDcqlVpToken(vpToken) {
-  return (0, import_utils20.parseWithErrorHandling)(
+  const parsedVpToken = (0, import_utils20.parseWithErrorHandling)(
     zVpTokenDcql,
     (0, import_utils20.parseIfJson)(vpToken),
     "Could not parse dcql vp_token. Expected an object where the values are encoded presentations"
   );
+  return Object.fromEntries(
+    Object.entries(parsedVpToken).map(([queryId, presentations]) => [
+      queryId,
+      Array.isArray(presentations) ? presentations : [presentations]
+    ])
+  );
 }
 
 // src/authorization-response/validate-authorization-response.ts
@@ -2127,6 +2140,7 @@ var zWalletMetadata = import_zod23.z.object({
   getOpenid4vpClientId,
   isJarmResponseMode,
   isOpenid4vpAuthorizationRequestDcApi,
+  parseAuthorizationRequestVersion,
   parseDcqlVpToken,
   parseJarmAuthorizationResponse,
   parseOpenid4VpAuthorizationResponsePayload,