@openid4vc/openid4vp 0.3.1-alpha-20251124151046 → 0.4.0-alpha-20251127093634

package/dist/index.cjs

@@ -1,1761 +0,0 @@
-//#region rolldown:runtime
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __copyProps = (to, from, except, desc) => {
-	if (from && typeof from === "object" || typeof from === "function") {
-		for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
-			key = keys[i];
-			if (!__hasOwnProp.call(to, key) && key !== except) {
-				__defProp(to, key, {
-					get: ((k) => from[k]).bind(null, key),
-					enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-				});
-			}
-		}
-	}
-	return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-
-//#endregion
-let __openid4vc_oauth2 = require("@openid4vc/oauth2");
-let __openid4vc_utils = require("@openid4vc/utils");
-let zod = require("zod");
-zod = __toESM(zod);
-
-//#region src/authorization-request/validate-authorization-request.ts
-/**
-* Validate the OpenId4Vp Authorization Request parameters
-*/
-const validateOpenid4vpAuthorizationRequestPayload = (options) => {
-	const { params, walletVerificationOptions } = options;
-	if (!params.redirect_uri && !params.response_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Missing required 'redirect_uri' or 'response_uri' in openid4vp authorization request.`
-	});
-	if (params.response_uri && !["direct_post", "direct_post.jwt"].find((mode) => mode === params.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `The 'response_mode' parameter MUST be 'direct_post' or 'direct_post.jwt' when 'response_uri' is provided. Current: ${params.response_mode}`
-	});
-	if ([
-		params.presentation_definition_uri,
-		params.presentation_definition,
-		params.dcql_query,
-		params.scope
-	].filter(Boolean).length > 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "Exactly one of the following parameters MUST be present in the authorization request: dcql_query, presentation_definition, presentation_definition_uri, or a scope value representing a Presentation Definition."
-	});
-	if (params.request_uri_method && !params.request_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "The \"request_uri_method\" parameter MUST NOT be present in the authorization request if the \"request_uri\" parameter is not present."
-	});
-	if (params.request_uri_method && !["GET", "POST"].includes(params.request_uri_method)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
-		error_description: `The 'request_uri_method' parameter MUST be 'GET' or 'POST'. Current: ${params.request_uri_method}`
-	});
-	if (params.trust_chain && !__openid4vc_utils.zHttpsUrl.safeParse(params.client_id).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "The \"trust_chain\" parameter MUST NOT be present in the authorization request if the \"client_id\" is not an OpenId Federation Entity Identifier starting with http:// or https://."
-	});
-	if (walletVerificationOptions?.expectedNonce && !params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "The \"wallet_nonce\" parameter MUST be present in the authorization request when the \"expectedNonce\" parameter is provided."
-	});
-	if (walletVerificationOptions?.expectedNonce !== params.wallet_nonce) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "The \"wallet_nonce\" parameter MUST match the \"expectedNonce\" parameter when the \"expectedNonce\" parameter is provided."
-	});
-	if (params.client_id.startsWith("web-origin:") || params.client_id.startsWith("origin:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `The 'client_id' parameter MUST NOT use client identifier scheme '${params.client_id.split(":")[0]}' when not using the dc_api response mode. Current: ${params.client_id}`
-	});
-};
-
-//#endregion
-//#region src/authorization-request/validate-authorization-request-dc-api.ts
-/**
-* Validate the OpenId4Vp Authorization Request parameters for the dc_api response mode
-*/
-const validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
-	const { params, isJarRequest, disableOriginValidation, origin } = options;
-	if (isJarRequest && !params.expected_origins) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
-	});
-	if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "Exactly one of the following parameters MUST be present in the Authorization Request: dcql_query or presentation_definition"
-	});
-	if (params.expected_origins && !disableOriginValidation) {
-		if (!origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
-		});
-		if (params.expected_origins && !params.expected_origins.includes(origin)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
-		});
-	}
-};
-
-//#endregion
-//#region src/jarm/metadata/z-jarm-client-metadata.ts
-const zJarmSignOnlyClientMetadata = zod.z.object({
-	authorization_signed_response_alg: __openid4vc_oauth2.zAlgValueNotNone,
-	authorization_encrypted_response_alg: zod.z.optional(zod.z.never()),
-	authorization_encrypted_response_enc: zod.z.optional(zod.z.never())
-});
-const zJarmEncryptOnlyClientMetadata = zod.z.object({
-	authorization_signed_response_alg: zod.z.optional(zod.z.never()),
-	authorization_encrypted_response_alg: zod.z.string(),
-	authorization_encrypted_response_enc: zod.z.optional(zod.z.string())
-});
-const zJarmSignEncryptClientMetadata = zod.z.object({
-	authorization_signed_response_alg: zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg,
-	authorization_encrypted_response_alg: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg,
-	authorization_encrypted_response_enc: zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc
-});
-/**
-* Clients may register their public encryption keys using the jwks_uri or jwks metadata parameters.
-*/
-const zJarmClientMetadata = zod.z.object({
-	authorization_signed_response_alg: zod.z.optional(zJarmSignOnlyClientMetadata.shape.authorization_signed_response_alg),
-	authorization_encrypted_response_alg: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_alg),
-	authorization_encrypted_response_enc: zod.z.optional(zJarmEncryptOnlyClientMetadata.shape.authorization_encrypted_response_enc)
-});
-const zJarmClientMetadataParsed = zJarmClientMetadata.transform((client_metadata) => {
-	const parsedClientMeta = (0, __openid4vc_utils.parseWithErrorHandling)(zod.z.union([
-		zJarmEncryptOnlyClientMetadata,
-		zJarmSignOnlyClientMetadata,
-		zJarmSignEncryptClientMetadata
-	]), client_metadata, "Invalid jarm client metadata.");
-	const SignEncrypt = zJarmSignEncryptClientMetadata.safeParse(parsedClientMeta);
-	if (SignEncrypt.success) return {
-		type: "sign_encrypt",
-		client_metadata: {
-			...SignEncrypt.data,
-			authorization_encrypted_response_enc: client_metadata.authorization_encrypted_response_enc
-		}
-	};
-	const encryptOnly = zJarmEncryptOnlyClientMetadata.safeParse(parsedClientMeta);
-	if (encryptOnly.success) return {
-		type: "encrypt",
-		client_metadata: {
-			...encryptOnly.data,
-			authorization_encrypted_response_enc: parsedClientMeta.authorization_encrypted_response_enc
-		}
-	};
-	const signOnly = zJarmSignOnlyClientMetadata.safeParse(parsedClientMeta);
-	if (signOnly.success) return {
-		type: "sign",
-		client_metadata: {
-			...signOnly.data,
-			authorization_signed_response_alg: parsedClientMeta.authorization_signed_response_alg
-		}
-	};
-	throw new __openid4vc_oauth2.Oauth2Error("Invalid jarm client metadata. Failed to parse.");
-});
-
-//#endregion
-//#region src/models/z-vp-formats-supported.ts
-const zVpFormatsSupported = zod.z.object({
-	"dc+sd-jwt": zod.z.optional(zod.z.object({
-		"sd-jwt_alg_values": zod.z.optional(zod.z.tuple([zod.z.string()], zod.z.string())),
-		"kb-jwt_alg_values": zod.z.optional(zod.z.tuple([zod.z.string()], zod.z.string()))
-	}).loose()),
-	jwt_vc_json: zod.z.optional(zod.z.object({ alg_values: zod.z.optional(zod.z.tuple([zod.z.string()], zod.z.string())) }).loose()),
-	ldp_vc: zod.z.optional(zod.z.object({
-		proof_type_values: zod.z.optional(zod.z.tuple([zod.z.string()], zod.z.string())),
-		cryptosuite_values: zod.z.optional(zod.z.tuple([zod.z.string()], zod.z.string()))
-	}).loose()),
-	mso_mdoc: zod.z.optional(zod.z.object({
-		issuer_signed_alg_values: zod.z.optional(zod.z.tuple([zod.z.number()], zod.z.number())),
-		device_signed_alg_values: zod.z.optional(zod.z.tuple([zod.z.number()], zod.z.number())),
-		issuerauth_alg_values: zod.z.optional(zod.z.tuple([zod.z.number()], zod.z.number())),
-		deviceauth_alg_values: zod.z.optional(zod.z.tuple([zod.z.number()], zod.z.number()))
-	}).loose())
-}).loose().catchall(zod.z.object({}).loose());
-const zLegacyVpFormats = zod.z.record(zod.z.string(), zod.z.object({ alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())) }).loose());
-
-//#endregion
-//#region src/models/z-client-metadata.ts
-const zClientMetadata = zod.z.object({
-	jwks_uri: zod.z.url().optional(),
-	jwks: zod.z.optional(__openid4vc_oauth2.zJwkSet),
-	vp_formats: zod.z.optional(zLegacyVpFormats),
-	vp_formats_supported: zod.z.optional(zVpFormatsSupported),
-	encrypted_response_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
-	...zJarmClientMetadata.shape,
-	logo_uri: __openid4vc_utils.zHttpsUrl.or(__openid4vc_utils.zDataUrl).optional(),
-	client_name: zod.z.string().optional()
-}).loose();
-
-//#endregion
-//#region src/models/z-verifier-attestations.ts
-const zVerifierAttestation = zod.default.object({
-	format: zod.default.string(),
-	data: zod.default.record(zod.default.string(), zod.default.unknown()).or(zod.default.string()),
-	credential_ids: zod.default.array(zod.default.string()).optional()
-});
-const zVerifierAttestations = zod.default.array(zVerifierAttestation);
-
-//#endregion
-//#region src/authorization-request/z-authorization-request.ts
-const zOpenid4vpAuthorizationRequest = zod.z.object({
-	response_type: zod.z.literal("vp_token"),
-	client_id: zod.z.string(),
-	redirect_uri: __openid4vc_utils.zHttpsUrl.optional(),
-	response_uri: __openid4vc_utils.zHttpsUrl.optional(),
-	request_uri: __openid4vc_utils.zHttpsUrl.optional(),
-	request_uri_method: zod.z.optional(zod.z.string()),
-	response_mode: zod.z.enum(["direct_post", "direct_post.jwt"]).optional(),
-	nonce: zod.z.string(),
-	wallet_nonce: zod.z.string().optional(),
-	scope: zod.z.string().optional(),
-	presentation_definition: zod.z.record(zod.z.string(), zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
-	presentation_definition_uri: __openid4vc_utils.zHttpsUrl.optional(),
-	dcql_query: zod.z.record(zod.z.string(), zod.z.any()).or(__openid4vc_utils.zStringToJson).optional(),
-	client_metadata: zClientMetadata.optional(),
-	client_metadata_uri: __openid4vc_utils.zHttpsUrl.optional(),
-	state: zod.z.string().optional(),
-	transaction_data: zod.z.array(zod.z.base64url()).optional(),
-	trust_chain: zod.z.tuple([zod.z.string()], zod.z.string()).optional(),
-	client_id_scheme: zod.z.enum([
-		"pre-registered",
-		"redirect_uri",
-		"entity_id",
-		"did",
-		"verifier_attestation",
-		"x509_san_dns",
-		"x509_san_uri",
-		"x509_hash"
-	]).optional(),
-	verifier_attestations: zVerifierAttestations.optional(),
-	verifier_info: zVerifierAttestations.optional()
-}).loose();
-const zOpenid4vpAuthorizationRequestFromUriParams = zod.z.url().transform((url) => Object.fromEntries(new __openid4vc_utils.URL(url).searchParams)).pipe(zod.z.object({
-	presentation_definition: __openid4vc_utils.zStringToJson.optional(),
-	client_metadata: __openid4vc_utils.zStringToJson.optional(),
-	dcql_query: __openid4vc_utils.zStringToJson.optional(),
-	transaction_data: __openid4vc_utils.zStringToJson.optional(),
-	verifier_attestations: __openid4vc_utils.zStringToJson.optional(),
-	verifier_info: __openid4vc_utils.zStringToJson.optional()
-}).loose());
-
-//#endregion
-//#region src/authorization-request/z-authorization-request-dc-api.ts
-const zOpenid4vpResponseModeDcApi = zod.z.enum([
-	"dc_api",
-	"dc_api.jwt",
-	"w3c_dc_api.jwt",
-	"w3c_dc_api"
-]);
-const zOpenid4vpAuthorizationRequestDcApi = zOpenid4vpAuthorizationRequest.pick({
-	response_type: true,
-	nonce: true,
-	presentation_definition: true,
-	client_metadata: true,
-	transaction_data: true,
-	dcql_query: true,
-	trust_chain: true,
-	state: true,
-	verifier_attestations: true,
-	verifier_info: true
-}).extend({
-	client_id: zod.z.optional(zod.z.string()),
-	expected_origins: zod.z.array(zod.z.string()).optional(),
-	response_mode: zOpenid4vpResponseModeDcApi,
-	client_id_scheme: zod.z.never().optional(),
-	scope: zod.z.never().optional()
-});
-function isOpenid4vpResponseModeDcApi(responseMode) {
-	return responseMode !== void 0 && zOpenid4vpResponseModeDcApi.options.includes(responseMode);
-}
-function isOpenid4vpAuthorizationRequestDcApi(request) {
-	return isOpenid4vpResponseModeDcApi(request.response_mode);
-}
-
-//#endregion
-//#region src/authorization-request/create-authorization-request.ts
-/**
-* Creates an OpenID4VP authorization request, optionally with a JWT Secured Authorization Request (JAR)
-* If the request is created after receiving wallet metadata via a POST to the request_uri endpoint, the wallet nonce needs to be provided
-*
-* @param options Configuration options for creating the authorization request
-* @param input.scheme Optional URI scheme to use (defaults to 'openid4vp://')
-* @param input.authorizationRequestPayload The OpenID4VP authorization request parameters
-* @param input.jar Optional JWT Secured Authorization Request (JAR) configuration
-* @param input.jar.requestUri The URI where the JAR will be accessible
-* @param input.jar.jwtSigner Function to sign the JAR JWT
-* @param input.jar.jweEncryptor Optional function to encrypt the JAR JWT
-* @param input.jar.additionalJwtPayload Optional additional claims to include in JAR JWT
-* @param input.wallet Optional wallet-specific parameters
-* @param input.wallet.nonce Optional wallet nonce
-* @param input.callbacks Callback functions for JWT operations
-* @returns Object containing the authorization request parameters, URI and optional JAR details
-*/
-async function createOpenid4vpAuthorizationRequest(options) {
-	const { jar, scheme = "openid4vp://", wallet, callbacks } = options;
-	let additionalJwtPayload;
-	let authorizationRequestPayload;
-	if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
-		authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestDcApi, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp dc_api authorization request.");
-		if (jar && !authorizationRequestPayload.expected_origins) throw new __openid4vc_oauth2.Oauth2Error(`The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`);
-		validateOpenid4vpAuthorizationRequestDcApiPayload({
-			params: authorizationRequestPayload,
-			isJarRequest: Boolean(jar),
-			disableOriginValidation: true
-		});
-	} else {
-		authorizationRequestPayload = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequest, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request.");
-		validateOpenid4vpAuthorizationRequestPayload({
-			params: authorizationRequestPayload,
-			walletVerificationOptions: wallet
-		});
-	}
-	if (jar) {
-		if (!jar.additionalJwtPayload?.aud) additionalJwtPayload = {
-			...jar.additionalJwtPayload,
-			aud: jar.requestUri
-		};
-		const jarResult = await (0, __openid4vc_oauth2.createJarAuthorizationRequest)({
-			...jar,
-			authorizationRequestPayload,
-			additionalJwtPayload,
-			callbacks
-		});
-		const url$1 = new __openid4vc_utils.URL(scheme);
-		url$1.search = `?${new __openid4vc_utils.URLSearchParams([
-			...url$1.searchParams.entries(),
-			...(0, __openid4vc_utils.objectToQueryParams)(jarResult.jarAuthorizationRequest).entries(),
-			...authorizationRequestPayload.client_id_scheme ? [["client_id_scheme", authorizationRequestPayload.client_id_scheme]] : []
-		]).toString()}`;
-		return {
-			authorizationRequestPayload,
-			authorizationRequestObject: jarResult.jarAuthorizationRequest,
-			authorizationRequest: url$1.toString(),
-			jar: {
-				...jar,
-				...jarResult
-			}
-		};
-	}
-	const url = new __openid4vc_utils.URL(scheme);
-	url.search = `?${new __openid4vc_utils.URLSearchParams([...url.searchParams.entries(), ...(0, __openid4vc_utils.objectToQueryParams)(authorizationRequestPayload).entries()]).toString()}`;
-	return {
-		authorizationRequestPayload,
-		authorizationRequestObject: authorizationRequestPayload,
-		authorizationRequest: url.toString(),
-		jar: void 0
-	};
-}
-
-//#endregion
-//#region src/jar/z-jar-authorization-request.ts
-const zOpenid4vpJarAuthorizationRequest = __openid4vc_oauth2.zJarAuthorizationRequest.extend({ request_uri_method: zod.z.optional(zod.z.string()) });
-function isJarAuthorizationRequest(request) {
-	return "request" in request || "request_uri" in request;
-}
-
-//#endregion
-//#region src/authorization-request/parse-authorization-request-params.ts
-function parseOpenid4vpAuthorizationRequest(options) {
-	const { authorizationRequest } = options;
-	let provided = "params";
-	let params;
-	if (typeof authorizationRequest === "string") if (authorizationRequest.includes(":")) {
-		params = (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationRequestFromUriParams, authorizationRequest, "Unable to parse openid4vp authorization request uri to a valid object");
-		provided = "uri";
-	} else {
-		params = (0, __openid4vc_oauth2.decodeJwt)({ jwt: authorizationRequest }).payload;
-		provided = "jwt";
-	}
-	else params = authorizationRequest;
-	const parsedRequest = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
-		zOpenid4vpAuthorizationRequest,
-		zOpenid4vpJarAuthorizationRequest,
-		zOpenid4vpAuthorizationRequestDcApi
-	]), params);
-	if (isJarAuthorizationRequest(parsedRequest)) return {
-		type: "jar",
-		provided,
-		params: parsedRequest
-	};
-	if (isOpenid4vpAuthorizationRequestDcApi(parsedRequest)) return {
-		type: "openid4vp_dc_api",
-		provided,
-		params: parsedRequest
-	};
-	return {
-		type: "openid4vp",
-		provided,
-		params: parsedRequest
-	};
-}
-
-//#endregion
-//#region src/client-identifier-prefix/x509-hash.ts
-async function calculateX509HashClientIdPrefixValue({ x509Certificate, hash }) {
-	return (0, __openid4vc_utils.encodeToBase64Url)(await hash(typeof x509Certificate === "string" ? (0, __openid4vc_utils.decodeBase64)(x509Certificate) : x509Certificate, __openid4vc_oauth2.HashAlgorithm.Sha256));
-}
-
-//#endregion
-//#region src/client-identifier-prefix/z-client-id-prefix.ts
-const zClientIdPrefix = zod.z.enum([
-	"pre-registered",
-	"redirect_uri",
-	"verifier_attestation",
-	"https",
-	"openid_federation",
-	"did",
-	"decentralized_identifier",
-	"x509_san_uri",
-	"x509_hash",
-	"x509_san_dns",
-	"origin",
-	"web-origin"
-]);
-const zUniformClientIdPrefix = zClientIdPrefix.exclude([
-	"did",
-	"https",
-	"web-origin"
-]);
-const zClientIdToClientIdPrefixAndIdentifier = zod.z.union([zod.z.string({ message: "client_id MUST be a string" }).includes(":").transform((clientId) => {
-	const colonIndex = clientId.indexOf(":");
-	const clientIdPrefix = clientId.slice(0, colonIndex);
-	const clientIdIdentifier = clientId.slice(colonIndex + 1);
-	if (clientIdPrefix === "http" && (0, __openid4vc_utils.getGlobalConfig)().allowInsecureUrls) return ["https", clientId];
-	if (clientIdPrefix === "did" || clientIdPrefix === "http" || clientIdPrefix === "https") return [clientIdPrefix, clientId];
-	return [clientIdPrefix, clientIdIdentifier];
-}).pipe(zod.z.tuple([zClientIdPrefix.exclude(["pre-registered"]), zod.z.string()])), zod.z.string().refine((clientId) => clientId.includes(":") === false).transform((clientId) => ["pre-registered", clientId])], { message: `client_id must either start with a known prefix followed by ':' or contain no ':'. Known prefixes are ${zClientIdPrefix.exclude(["pre-registered"]).options.join(", ")}` });
-const zClientIdPrefixToUniform = zClientIdPrefix.transform((prefix) => prefix === "did" ? "decentralized_identifier" : prefix === "https" ? "openid_federation" : prefix === "web-origin" ? "origin" : prefix);
-const zLegacyClientIdScheme = zod.z.enum([
-	"pre-registered",
-	"redirect_uri",
-	"entity_id",
-	"did",
-	"verifier_attestation",
-	"x509_san_dns",
-	"x509_san_uri"
-]);
-const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().default("pre-registered").transform((clientIdScheme) => clientIdScheme === "entity_id" ? "openid_federation" : clientIdScheme === "did" ? "decentralized_identifier" : clientIdScheme);
-
-//#endregion
-//#region src/client-identifier-prefix/parse-client-identifier-prefix.ts
-/**
-* Get the client id for an authorization request based on the response_mode, client_id, client_id_scheme and origin values.
-*
-* It will return the client id prefix as used in OpenID4VP v1, and optionally provide the legacyClientId if the
-* client id was provided with a client_id_scheme
-*/
-function getOpenid4vpClientId(options) {
-	const original = { clientId: options.clientId };
-	const version = options.version ?? 100;
-	if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
-		if (!options.clientId) {
-			if (!options.origin) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-				error_description: "Failed to parse client identifier. 'origin' is required for requests without a client_id and response_mode 'dc_api' and 'dc_api.jwt'"
-			});
-			return {
-				clientIdPrefix: "origin",
-				effectiveClientIdPrefix: "origin",
-				clientIdIdentifier: options.origin,
-				effectiveClientId: version >= 25 ? `origin:${options.origin}` : `web-origin:${options.origin}`,
-				original
-			};
-		}
-		const parsedClientIdPrefixAndIdentifier$1 = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
-		if (!parsedClientIdPrefixAndIdentifier$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
-		});
-		const [clientIdScheme$1, clientIdIdentifier$1] = parsedClientIdPrefixAndIdentifier$1.data;
-		const uniformClientIdScheme$1 = zClientIdPrefixToUniform.safeParse(clientIdScheme$1);
-		if (!uniformClientIdScheme$1.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
-		});
-		return {
-			effectiveClientId: options.clientId,
-			effectiveClientIdPrefix: clientIdScheme$1,
-			original,
-			clientIdPrefix: uniformClientIdScheme$1.data,
-			clientIdIdentifier: clientIdIdentifier$1
-		};
-	}
-	if (!options.clientId) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
-	});
-	if (options.legacyClientIdScheme) {
-		const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
-		if (!parsedClientIdPrefix.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Failed to parse client identifier. Unsupported client_id_scheme value '${options.legacyClientIdScheme}'.`
-		});
-		const clientIdPrefix = parsedClientIdPrefix.data;
-		return {
-			effectiveClientId: options.clientId,
-			clientIdIdentifier: options.clientId,
-			clientIdPrefix,
-			effectiveClientIdPrefix: options.legacyClientIdScheme ?? "pre-registered",
-			original: {
-				...original,
-				clientIdScheme: options.legacyClientIdScheme
-			}
-		};
-	}
-	const parsedClientIdPrefixAndIdentifier = zClientIdToClientIdPrefixAndIdentifier.safeParse(options.clientId);
-	if (!parsedClientIdPrefixAndIdentifier.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
-	});
-	const [clientIdScheme, clientIdIdentifier] = parsedClientIdPrefixAndIdentifier.data;
-	const uniformClientIdScheme = zClientIdPrefixToUniform.safeParse(clientIdScheme);
-	if (!uniformClientIdScheme.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Failed to parse client identifier. Unsupported client_id '${options.clientId}'.`
-	});
-	return {
-		effectiveClientId: options.clientId,
-		clientIdPrefix: uniformClientIdScheme.data,
-		effectiveClientIdPrefix: clientIdScheme,
-		clientIdIdentifier,
-		original
-	};
-}
-/**
-* Parse and validate a client identifier
-*/
-async function validateOpenid4vpClientId(options, parserConfig) {
-	const { authorizationRequestPayload, jar, origin } = options;
-	const parserConfigWithDefaults = { supportedSchemes: parserConfig?.supportedSchemes || Object.values(zClientIdPrefix.options) };
-	const { clientIdIdentifier, clientIdPrefix, effectiveClientId, original } = getOpenid4vpClientId({
-		clientId: authorizationRequestPayload.client_id,
-		legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
-		responseMode: authorizationRequestPayload.response_mode,
-		origin
-	});
-	if (clientIdPrefix === "pre-registered") return {
-		prefix: "pre-registered",
-		identifier: clientIdIdentifier,
-		effective: effectiveClientId,
-		original
-	};
-	if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
-	});
-	if (clientIdPrefix === "openid_federation") {
-		if (!__openid4vc_utils.zHttpsUrl.safeParse(clientIdIdentifier).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Invalid client identifier. Client identifier must start with https://"
-		}, { internalMessage: `Insecure http:// urls can be enabled by setting the 'allowInsecureUrls' option using setGlobalConfig` });
-		if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Using client identifier prefix \"https\" requires a signed JAR request."
-		});
-		if (jar.signer.method !== "federation") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Something went wrong. The JWT signer method is not federation but the client identifier prefix is https."
-		});
-		return {
-			prefix: "openid_federation",
-			identifier: clientIdIdentifier,
-			effective: effectiveClientId,
-			original,
-			trustChain: authorizationRequestPayload.trust_chain
-		};
-	}
-	if (clientIdPrefix === "redirect_uri") {
-		if (jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed."
-		});
-		if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
-		});
-		if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
-			error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the redirect_uri.`
-		});
-		if (authorizationRequestPayload.response_uri && authorizationRequestPayload.response_uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidClient,
-			error_description: `When the client identifier prefix is 'redirect_uri', the client id identifier MUST match the response_uri.`
-		});
-		return {
-			prefix: clientIdPrefix,
-			identifier: clientIdIdentifier,
-			effective: effectiveClientId,
-			original,
-			clientMetadata: authorizationRequestPayload.client_metadata,
-			redirectUri: authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri
-		};
-	}
-	if (clientIdPrefix === "decentralized_identifier") {
-		if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Using client identifier prefix \"did\" requires a signed JAR request."
-		});
-		if (jar.signer.method !== "did") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Something went wrong. The JWT signer method is not did but the client identifier prefix is did."
-		});
-		if (!clientIdIdentifier.startsWith("did:")) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Invalid client identifier. Client id identifier must start with 'did:'"
-		});
-		const [did] = jar.signer.didUrl.split("#");
-		if (clientIdIdentifier !== did) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `With client identifier prefix '${clientIdPrefix}' the JAR request must be signed by the same DID as the client identifier.`
-		});
-		return {
-			prefix: "decentralized_identifier",
-			identifier: clientIdIdentifier,
-			effective: effectiveClientId,
-			original,
-			clientMetadata: authorizationRequestPayload.client_metadata,
-			didUrl: jar.signer.didUrl
-		};
-	}
-	if (clientIdPrefix === "x509_san_dns" || clientIdPrefix === "x509_san_uri" || clientIdPrefix === "x509_hash") {
-		if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Using client identifier prefix '${clientIdPrefix}' requires a signed JAR request.`
-		});
-		if (jar.signer.method !== "x5c") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: `Something went wrong. The JWT signer method is not x5c but the client identifier prefix is '${clientIdPrefix}'`
-		});
-		if (!options.callbacks.getX509CertificateMetadata) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({ error: __openid4vc_oauth2.Oauth2ErrorCodes.ServerError }, { internalMessage: `Missing required 'getX509CertificateMetadata' callback for verification of '${clientIdPrefix}' client id prefix` });
-		if (clientIdPrefix === "x509_san_dns") {
-			const { sanDnsNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-			if (!sanDnsNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-				error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
-			});
-			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-				const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
-				if (!uri || new __openid4vc_utils.URL(uri).hostname !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-					error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-					error_description: "Invalid client identifier. The fully qualified domain name of the redirect_uri value MUST match the Client Identifier without the prefix x509_san_dns."
-				});
-			}
-		} else if (clientIdPrefix === "x509_san_uri") {
-			const { sanUriNames } = options.callbacks.getX509CertificateMetadata(jar.signer.x5c[0]);
-			if (!sanUriNames.includes(clientIdIdentifier)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-				error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
-			});
-			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-				const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
-				if (!uri || uri !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-					error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-					error_description: "The redirect_uri value MUST match the Client Identifier without the prefix x509_san_uri"
-				});
-			}
-		} else if (clientIdPrefix === "x509_hash") {
-			const x509Hash = await calculateX509HashClientIdPrefixValue({
-				hash: options.callbacks.hash,
-				x509Certificate: jar.signer.x5c[0]
-			});
-			if (x509Hash !== clientIdIdentifier) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-				error_description: `Invalid client identifier. Expected the base64url encoded sha-256 hash of the leaf x5c certificate ('${x509Hash}') to match the client identifier '${clientIdIdentifier}'.`
-			});
-		}
-		return {
-			prefix: clientIdPrefix,
-			identifier: clientIdIdentifier,
-			effective: effectiveClientId,
-			original,
-			x5c: jar.signer.x5c,
-			clientMetadata: authorizationRequestPayload.client_metadata
-		};
-	}
-	if (clientIdPrefix === "origin") return {
-		prefix: clientIdPrefix,
-		identifier: clientIdIdentifier,
-		effective: effectiveClientId,
-		original,
-		clientMetadata: authorizationRequestPayload.client_metadata
-	};
-	if (clientIdPrefix === "verifier_attestation") {
-		if (!jar) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Using client identifier prefix \"verifier_attestation\" requires a signed JAR request."
-		});
-	}
-	return {
-		prefix: clientIdPrefix,
-		clientMetadata: authorizationRequestPayload.client_metadata,
-		identifier: clientIdIdentifier,
-		effective: effectiveClientId,
-		original
-	};
-}
-
-//#endregion
-//#region src/fetch-client-metadata.ts
-async function fetchClientMetadata(options) {
-	const { fetch, clientMetadataUri } = options;
-	const { result, response } = await (0, __openid4vc_utils.createZodFetcher)(fetch)(zClientMetadata, __openid4vc_utils.ContentType.Json, clientMetadataUri, {
-		method: "GET",
-		headers: { Accept: __openid4vc_utils.ContentType.Json }
-	});
-	if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error_description: `Fetching client metadata from '${clientMetadataUri}' failed with status code '${response.status}'.`,
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
-	});
-	if (!result || !result.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error_description: `Parsing client metadata from '${clientMetadataUri}' failed.`,
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject
-	});
-	return result.data;
-}
-
-//#endregion
-//#region src/version.ts
-function parseAuthorizationRequestVersion(request) {
-	const requirements = [];
-	if (request.verifier_info) requirements.push([">=", 100]);
-	if (request.verifier_attestations) requirements.push(["<", 100]);
-	if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) requirements.push([">=", 28]);
-	if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) requirements.push(["<", 28]);
-	if (request.client_metadata?.vp_formats_supported) requirements.push([">=", 27]);
-	if (request.client_metadata?.vp_formats) requirements.push(["<", 27]);
-	if (request.client_id?.startsWith("openid_federation:") || request.client_id?.startsWith("decentralized_identifier:")) requirements.push([">=", 26]);
-	if (request.client_id?.startsWith("did:")) requirements.push(["<", 26]);
-	if (request.presentation_definition || request.presentation_definition_uri) requirements.push(["<", 26]);
-	if (request.verifier_attestations) requirements.push([">=", 26]);
-	if (request.client_id?.startsWith("x509_san_uri:")) requirements.push(["<", 25]);
-	if (request.client_id?.startsWith("x509_hash:")) requirements.push([">=", 25]);
-	if (request.client_id?.startsWith("web-origin:")) requirements.push(["<", 25]);
-	if (request.client_id?.startsWith("origin:")) requirements.push([">=", 25]);
-	if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "w3c_dc_api" || request.response_mode === "w3c_dc_api.jwt")) {
-		requirements.push(["<", 23]);
-		requirements.push([">=", 21]);
-	}
-	if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.response_mode === "dc_api" || request.response_mode === "dc_api.jwt")) requirements.push([">=", 23]);
-	if (isOpenid4vpAuthorizationRequestDcApi(request) && (request.transaction_data || request.dcql_query)) requirements.push([">=", 23]);
-	if (request.transaction_data) requirements.push([">=", 22]);
-	if (request.client_id_scheme) requirements.push(["<", 22]);
-	if (request.client_id) {
-		const colonIndex = request.client_id.indexOf(":");
-		const schemePart = request.client_id.substring(0, colonIndex);
-		const parsedScheme = zClientIdPrefix.safeParse(schemePart);
-		if (parsedScheme.success && parsedScheme.data !== "did" && parsedScheme.data !== "https") requirements.push([">=", 22]);
-	}
-	if (!request.client_id) requirements.push([">=", 21]);
-	if (request.dcql_query) requirements.push([">=", 21]);
-	if (request.client_metadata_uri) requirements.push(["<", 21]);
-	if (isOpenid4vpAuthorizationRequestDcApi(request)) requirements.push([">=", 21]);
-	if (request.request_uri_method || request.wallet_nonce) requirements.push([">=", 21]);
-	if (request.client_id_scheme === "verifier_attestation") requirements.push([">=", 20]);
-	if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") requirements.push([">=", 19]);
-	const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
-	const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-	const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
-	const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
-	if (lowestRequiredVersion > highestPossibleVersion) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Could not infer openid4vp version from the openid4vp request payload. Based on specification requirements, lowest required version is ${lowestRequiredVersion} and highest possible version is ${highestPossibleVersion}`
-	});
-	return highestPossibleVersion;
-}
-
-//#endregion
-//#region src/jar/jar-request-object/fetch-jar-request-object.ts
-/**
-* Fetch a request object and parse the response.
-* If you want to fetch the request object without providing wallet_metadata or wallet_nonce as defined in jar you can use the `fetchJarRequestObject` function.
-*
-* Returns validated request object if successful response
-* Throws error otherwise
-*
-* @throws {ValidationError} if successful response but validation of response failed
-* @throws {InvalidFetchResponseError} if no successful or 404 response
-* @throws {Error} if parsing json from response fails
-*/
-async function fetchJarRequestObject(options) {
-	const { requestUri, clientIdPrefix, method, wallet, fetch } = options;
-	let requestBody = wallet.metadata ? {
-		wallet_metadata: wallet.metadata,
-		wallet_nonce: wallet.nonce
-	} : void 0;
-	if (requestBody?.wallet_metadata?.request_object_signing_alg_values_supported && clientIdPrefix === "redirect_uri") {
-		const { request_object_signing_alg_values_supported, ...rest } = requestBody.wallet_metadata;
-		requestBody = {
-			...requestBody,
-			wallet_metadata: { ...rest }
-		};
-	}
-	const response = await (0, __openid4vc_utils.createFetcher)(fetch)(requestUri, {
-		method,
-		body: method === "post" ? (0, __openid4vc_utils.objectToQueryParams)(wallet.metadata ?? {}) : void 0,
-		headers: {
-			Accept: `${__openid4vc_utils.ContentType.OAuthAuthorizationRequestJwt}, ${__openid4vc_utils.ContentType.Jwt};q=0.9, text/plain`,
-			"Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded
-		}
-	}).catch(() => {
-		throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error_description: `Fetching request_object from request_uri '${requestUri}' failed`,
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
-		});
-	});
-	if (!response.ok) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error_description: `Fetching request_object from request_uri '${requestUri}' failed with status code '${response.status}'.`,
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUri
-	});
-	return await response.text();
-}
-
-//#endregion
-//#region src/jar/handle-jar-request/verify-jar-request.ts
-/**
-* Verifies a JAR (JWT Secured Authorization Request) request by validating, decrypting, and verifying signatures.
-*
-* @param options - The input parameters
-* @param options.jarRequestParams - The JAR authorization request parameters
-* @param options.callbacks - Context containing the relevant Jose crypto operations
-* @returns The verified authorization request parameters and metadata
-*/
-async function verifyJarRequest(options) {
-	const { callbacks, wallet = {} } = options;
-	const jarRequestParams = {
-		...(0, __openid4vc_oauth2.validateJarRequestParams)(options),
-		...options.jarRequestParams
-	};
-	const sendBy = jarRequestParams.request ? "value" : "reference";
-	const clientIdPrefix = jarRequestParams.client_id ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(":")[0]).data : "origin";
-	const method = jarRequestParams.request_uri_method ?? "get";
-	if (method !== "get" && method !== "post") throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestUriMethod,
-		error_description: `Invalid request_uri_method. Must be 'get' or 'post'.`
-	});
-	const requestObject = jarRequestParams.request ?? await fetchJarRequestObject({
-		requestUri: jarRequestParams.request_uri,
-		clientIdPrefix,
-		method,
-		wallet,
-		fetch: callbacks.fetch
-	});
-	const { decryptionJwk, payload: decryptedRequestObject } = __openid4vc_oauth2.zCompactJwe.safeParse(requestObject).success ? await decryptJarRequest({
-		jwe: requestObject,
-		callbacks
-	}) : {
-		payload: requestObject,
-		decryptionJwk: void 0
-	};
-	if (!__openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestObject).success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "JAR request object is not a valid JWT."
-	});
-	const { authorizationRequestPayload, signer, jwt } = await verifyJarRequestObject({
-		decryptedRequestObject,
-		callbacks
-	});
-	if (!authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Jar Request Object is missing the required \"client_id\" field."
-	});
-	if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "client_id does not match the request object client_id."
-	});
-	if (jarRequestParams.client_id_scheme && jarRequestParams.client_id_scheme !== authorizationRequestPayload.client_id_scheme) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "client_id_scheme does not match the request object client_id_scheme."
-	});
-	return {
-		sendBy,
-		jwt,
-		authorizationRequestPayload,
-		signer,
-		decryptionJwk
-	};
-}
-async function decryptJarRequest(options) {
-	const { jwe, callbacks } = options;
-	const { header } = (0, __openid4vc_oauth2.decodeJwt)({ jwt: jwe });
-	if (!header.kid) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Jar JWE is missing the protected header field \"kid\"."
-	});
-	const decryptionResult = await callbacks.decryptJwe(jwe);
-	if (!decryptionResult.decrypted) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: "Failed to decrypt jar request object."
-	});
-	return decryptionResult;
-}
-async function verifyJarRequestObject(options) {
-	const { decryptedRequestObject, callbacks } = options;
-	const jwt = (0, __openid4vc_oauth2.decodeJwt)({
-		jwt: decryptedRequestObject,
-		payloadSchema: __openid4vc_oauth2.zJarRequestObjectPayload
-	});
-	let jwtSigner;
-	const { clientIdPrefix } = getOpenid4vpClientId({
-		responseMode: jwt.payload.response_mode,
-		clientId: jwt.payload.client_id,
-		legacyClientIdScheme: jwt.payload.client_id_scheme
-	});
-	const clientIdToSignerMethod = {
-		decentralized_identifier: ["did"],
-		"pre-registered": [
-			"custom",
-			"did",
-			"jwk"
-		],
-		origin: [],
-		redirect_uri: [],
-		verifier_attestation: [
-			"did",
-			"federation",
-			"jwk",
-			"x5c",
-			"custom"
-		],
-		x509_san_dns: ["x5c"],
-		x509_san_uri: ["x5c"],
-		x509_hash: ["x5c"],
-		openid_federation: []
-	};
-	if (clientIdPrefix === "openid_federation") {
-		if (!jwt.header.kid) throw new __openid4vc_oauth2.Oauth2Error(`When OpenID Federation is used for signed authorization request, the 'kid' parameter is required.`);
-		jwtSigner = {
-			method: "federation",
-			alg: jwt.header.alg,
-			trustChain: jwt.payload.trust_chain,
-			kid: jwt.header.kid
-		};
-	} else jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
-		...jwt,
-		allowedSignerMethods: clientIdToSignerMethod[clientIdPrefix]
-	});
-	const { signer } = await (0, __openid4vc_oauth2.verifyJwt)({
-		verifyJwtCallback: callbacks.verifyJwt,
-		compact: decryptedRequestObject,
-		header: jwt.header,
-		payload: jwt.payload,
-		signer: jwtSigner
-	});
-	const version = parseAuthorizationRequestVersion(jwt.payload);
-	if (jwt.header.typ !== __openid4vc_oauth2.signedAuthorizationRequestJwtHeaderTyp && version >= 24) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequestObject,
-		error_description: `Invalid Jar Request Object typ header. Expected "oauth-authz-req+jwt", received "${jwt.header.typ}".`
-	});
-	return {
-		signer,
-		jwt,
-		authorizationRequestPayload: jwt.payload
-	};
-}
-
-//#endregion
-//#region src/transaction-data/z-transaction-data.ts
-const zTransactionEntry = zod.z.object({
-	type: zod.z.string(),
-	credential_ids: zod.z.tuple([zod.z.string()], zod.z.string()),
-	transaction_data_hashes_alg: zod.z.tuple([zod.z.string()], zod.z.string()).optional()
-}).loose();
-const zTransactionData = zod.z.array(zTransactionEntry);
-
-//#endregion
-//#region src/transaction-data/parse-transaction-data.ts
-function parseTransactionData(options) {
-	const { transactionData } = options;
-	const decoded = transactionData.map((tdEntry) => (0, __openid4vc_utils.parseIfJson)((0, __openid4vc_utils.encodeToUtf8String)((0, __openid4vc_utils.decodeBase64)(tdEntry))));
-	const parsedResult = zTransactionData.safeParse(decoded);
-	if (!parsedResult.success) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
-		error_description: "Failed to parse transaction data."
-	});
-	return parsedResult.data.map((decoded$1, index) => ({
-		transactionData: decoded$1,
-		encoded: transactionData[index],
-		transactionDataIndex: index
-	}));
-}
-
-//#endregion
-//#region src/authorization-request/resolve-authorization-request.ts
-async function resolveOpenid4vpAuthorizationRequest(options) {
-	const { wallet, callbacks, origin, disableOriginValidation } = options;
-	let authorizationRequestPayload;
-	const parsed = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([
-		zOpenid4vpAuthorizationRequestDcApi,
-		zOpenid4vpAuthorizationRequest,
-		zOpenid4vpJarAuthorizationRequest
-	]), options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.");
-	let jar;
-	if (isJarAuthorizationRequest(parsed)) {
-		jar = await verifyJarRequest({
-			jarRequestParams: parsed,
-			callbacks,
-			wallet
-		});
-		authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
-			authorizationRequestPayload: (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]), jar.authorizationRequestPayload, "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."),
-			wallet,
-			jar: true,
-			origin,
-			disableOriginValidation
-		});
-	} else authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
-		authorizationRequestPayload: parsed,
-		wallet,
-		jar: false,
-		origin,
-		disableOriginValidation
-	});
-	const version = parseAuthorizationRequestVersion(authorizationRequestPayload);
-	let clientMetadata = authorizationRequestPayload.client_metadata;
-	if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
-	const clientMeta = await validateOpenid4vpClientId({
-		authorizationRequestPayload: {
-			...authorizationRequestPayload,
-			client_metadata: clientMetadata
-		},
-		jar,
-		callbacks,
-		origin,
-		version
-	});
-	let pex;
-	let dcql;
-	if (authorizationRequestPayload.presentation_definition || authorizationRequestPayload.presentation_definition_uri) {
-		if (authorizationRequestPayload.presentation_definition_uri) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Cannot fetch presentation definition from URI. Not supported."
-		});
-		pex = {
-			presentation_definition: authorizationRequestPayload.presentation_definition,
-			presentation_definition_uri: authorizationRequestPayload.presentation_definition_uri
-		};
-	}
-	if (authorizationRequestPayload.dcql_query) dcql = { query: authorizationRequestPayload.dcql_query };
-	return {
-		transactionData: authorizationRequestPayload.transaction_data ? parseTransactionData({ transactionData: authorizationRequestPayload.transaction_data }) : void 0,
-		authorizationRequestPayload,
-		jar,
-		client: clientMeta,
-		pex,
-		dcql,
-		version
-	};
-}
-function validateOpenId4vpAuthorizationRequestPayload(options) {
-	const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
-	if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
-		validateOpenid4vpAuthorizationRequestDcApiPayload({
-			params: authorizationRequestPayload,
-			isJarRequest: jar,
-			disableOriginValidation,
-			origin
-		});
-		return authorizationRequestPayload;
-	}
-	validateOpenid4vpAuthorizationRequestPayload({
-		params: authorizationRequestPayload,
-		walletVerificationOptions: wallet
-	});
-	return authorizationRequestPayload;
-}
-
-//#endregion
-//#region ../utils/src/date.ts
-function addSecondsToDate(date, seconds) {
-	return new Date(date.getTime() + seconds * 1e3);
-}
-
-//#endregion
-//#region src/jarm/jarm-authorization-response-create.ts
-async function createJarmAuthorizationResponse(options) {
-	const { jarmAuthorizationResponse, jweEncryptor, jwtSigner, callbacks } = options;
-	if (!jwtSigner && jweEncryptor) {
-		const { jwe } = await callbacks.encryptJwe(jweEncryptor, JSON.stringify(jarmAuthorizationResponse));
-		return { jarmAuthorizationResponseJwt: jwe };
-	}
-	if (jwtSigner && !jweEncryptor) return { jarmAuthorizationResponseJwt: (await callbacks.signJwt(jwtSigner, {
-		header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
-		payload: jarmAuthorizationResponse
-	})).jwt };
-	if (!jwtSigner || !jweEncryptor) throw new __openid4vc_oauth2.Oauth2Error("JWT signer and/or encryptor are required to create a JARM auth response.");
-	const signed = await callbacks.signJwt(jwtSigner, {
-		header: (0, __openid4vc_oauth2.jwtHeaderFromJwtSigner)(jwtSigner),
-		payload: jarmAuthorizationResponse
-	});
-	return { jarmAuthorizationResponseJwt: (await callbacks.encryptJwe(jweEncryptor, signed.jwt)).jwe };
-}
-
-//#endregion
-//#region src/jarm/jarm-extract-jwks.ts
-function extractEncryptionJwkFromJwks(jwks, { kid, supportedAlgValues }) {
-	if (kid) return jwks.keys.find((jwk) => jwk.kid === kid);
-	let algFiltered = jwks.keys.filter((key) => key.alg && supportedAlgValues?.includes(key.alg));
-	if (algFiltered.length === 0) algFiltered = jwks.keys;
-	let encFiltered = algFiltered.filter((key) => key.use === "enc");
-	if (!encFiltered) encFiltered = algFiltered.filter((key) => key.use !== "sig");
-	return encFiltered.length > 0 ? encFiltered[0] : jwks.keys[0];
-}
-
-//#endregion
-//#region src/jarm/jarm-response-mode.ts
-const jarmResponseMode = [
-	"jwt",
-	"query.jwt",
-	"fragment.jwt",
-	"form_post.jwt",
-	"direct_post.jwt",
-	"dc_api.jwt"
-];
-const zJarmResponseMode = zod.z.enum(jarmResponseMode);
-const isJarmResponseMode = (responseMode) => {
-	return jarmResponseMode.includes(responseMode);
-};
-
-//#endregion
-//#region src/jarm/metadata/jarm-assert-metadata-supported.ts
-function assertValueSupported(options) {
-	const { errorMessage, supported, actual } = options;
-	const intersection = supported.find((value) => value === actual);
-	if (!intersection) throw new __openid4vc_oauth2.Oauth2Error(errorMessage);
-	return intersection;
-}
-function jarmAssertMetadataSupported(options) {
-	const { clientMetadata, serverMetadata } = options;
-	const parsedClientMetadata = zJarmClientMetadataParsed.parse(clientMetadata);
-	if (parsedClientMetadata.type === "sign_encrypt" || parsedClientMetadata.type === "encrypt") {
-		if (serverMetadata.authorization_encryption_alg_values_supported) assertValueSupported({
-			supported: serverMetadata.authorization_encryption_alg_values_supported,
-			actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_alg,
-			errorMessage: "Invalid authorization_encryption_alg"
-		});
-		if (serverMetadata.authorization_encryption_enc_values_supported) assertValueSupported({
-			supported: serverMetadata.authorization_encryption_enc_values_supported,
-			actual: parsedClientMetadata.client_metadata.authorization_encrypted_response_enc,
-			errorMessage: "Invalid authorization_encryption_enc"
-		});
-	}
-	if (serverMetadata.authorization_signing_alg_values_supported && (parsedClientMetadata.type === "sign" || parsedClientMetadata.type === "sign_encrypt")) assertValueSupported({
-		supported: serverMetadata.authorization_signing_alg_values_supported,
-		actual: parsedClientMetadata.client_metadata.authorization_signed_response_alg,
-		errorMessage: "Invalid authorization_signed_response_alg"
-	});
-	return parsedClientMetadata;
-}
-
-//#endregion
-//#region src/authorization-response/create-authorization-response.ts
-async function createOpenid4vpAuthorizationResponse(options) {
-	const { authorizationRequestPayload, jarm, callbacks, origin } = options;
-	const authorizationResponsePayload = {
-		...options.authorizationResponsePayload,
-		state: authorizationRequestPayload.state
-	};
-	const { clientIdPrefix } = getOpenid4vpClientId({
-		responseMode: authorizationRequestPayload.response_mode,
-		clientId: authorizationRequestPayload.client_id,
-		legacyClientIdScheme: authorizationRequestPayload.client_id_scheme,
-		origin
-	});
-	if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode) && !jarm) throw new __openid4vc_oauth2.Oauth2Error(`Missing jarm options for creating Jarm response with response mode '${authorizationRequestPayload.response_mode}'`);
-	if (!jarm) return { authorizationResponsePayload };
-	if (clientIdPrefix === "openid_federation" && !options.clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("When OpenID Federation is used as the client id prefix (https/openid_federation), passing externally fetched and verified 'clientMetadata' to the 'createOpenid4vpAuthorizationResponse' is required.");
-	const clientMetadata = options.clientMetadata ?? authorizationRequestPayload.client_metadata;
-	if (!clientMetadata) throw new __openid4vc_oauth2.Oauth2Error("Missing client metadata in the request params to assert Jarm metadata support.");
-	let jwks;
-	if (clientMetadata.jwks) jwks = clientMetadata.jwks;
-	else if (clientMetadata.jwks_uri) jwks = await (0, __openid4vc_oauth2.fetchJwks)(clientMetadata.jwks_uri, options.callbacks.fetch);
-	else throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Missing 'jwks' or 'jwks_uri' in client metadata. Cannot extract encryption JWK.`
-	});
-	if (clientMetadata.authorization_encrypted_response_alg || clientMetadata.authorization_encrypted_response_enc || clientMetadata.authorization_signed_response_alg) jarmAssertMetadataSupported({
-		clientMetadata,
-		serverMetadata: jarm.serverMetadata
-	});
-	const encJwk = jarm?.encryption?.jwk ?? extractEncryptionJwkFromJwks(jwks, { supportedAlgValues: jarm.serverMetadata.authorization_encryption_alg_values_supported ?? (clientMetadata.authorization_encrypted_response_alg ? [clientMetadata.authorization_encrypted_response_alg] : void 0) });
-	if (!encJwk) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-		error_description: "No encryption JWK provided and could not extract encryption JWK from client metadata. Failed to create JARM response."
-	});
-	let enc;
-	if (clientMetadata.encrypted_response_enc_values_supported) enc = jarm.serverMetadata.authorization_encryption_enc_values_supported.find((enc$1) => clientMetadata.encrypted_response_enc_values_supported?.includes(enc$1)) ?? clientMetadata.encrypted_response_enc_values_supported[0];
-	else enc = clientMetadata.authorization_encrypted_response_enc ?? "A128GCM";
-	assertValueSupported({
-		actual: enc,
-		supported: jarm.serverMetadata.authorization_encryption_enc_values_supported,
-		errorMessage: `Invalid 'enc' value ${enc}. Supported values are ${jarm.serverMetadata.authorization_encryption_enc_values_supported.join(", ")}`
-	});
-	const alg = encJwk.alg ?? clientMetadata.authorization_encrypted_response_alg ?? "ECDH-ES";
-	assertValueSupported({
-		actual: alg,
-		supported: jarm.serverMetadata.authorization_encryption_alg_values_supported,
-		errorMessage: `Invalid 'alg' value ${alg}. Supported values are ${jarm.serverMetadata.authorization_encryption_alg_values_supported.join(", ")}`
-	});
-	let additionalJwtPayload;
-	if (jarm?.jwtSigner) {
-		if (!jarm.authorizationServer) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Missing required iss in JARM configuration for creating OpenID4VP authorization response."
-		});
-		if (!jarm.audience) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-			error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Missing required aud in JARM configuration for creating OpenID4VP authorization response."
-		});
-		additionalJwtPayload = {
-			iss: jarm.authorizationServer,
-			aud: jarm.audience,
-			exp: jarm.expiresInSeconds ?? (0, __openid4vc_utils.dateToSeconds)(addSecondsToDate(/* @__PURE__ */ new Date(), 600))
-		};
-	}
-	const jarmResponsePayload = {
-		...authorizationResponsePayload,
-		...additionalJwtPayload
-	};
-	return {
-		authorizationResponsePayload: jarmResponsePayload,
-		jarm: {
-			responseJwt: (await createJarmAuthorizationResponse({
-				jarmAuthorizationResponse: jarmResponsePayload,
-				jwtSigner: jarm?.jwtSigner,
-				jweEncryptor: jarm?.encryption ? {
-					method: "jwk",
-					publicJwk: encJwk,
-					apu: jarm.encryption.nonce ? (0, __openid4vc_utils.encodeToBase64Url)(jarm.encryption.nonce) : void 0,
-					apv: (0, __openid4vc_utils.encodeToBase64Url)(authorizationRequestPayload.nonce),
-					alg,
-					enc
-				} : void 0,
-				callbacks: {
-					signJwt: callbacks.signJwt,
-					encryptJwe: callbacks.encryptJwe
-				}
-			})).jarmAuthorizationResponseJwt,
-			encryptionJwk: encJwk
-		}
-	};
-}
-
-//#endregion
-//#region src/models/z-pex.ts
-const zPexPresentationDefinition = zod.z.record(zod.z.string(), zod.z.any());
-const zPexPresentationSubmission = zod.z.record(zod.z.string(), zod.z.any());
-
-//#endregion
-//#region src/vp-token/z-vp-token.ts
-const zVpTokenPresentationEntry = zod.z.union([zod.z.string(), zod.z.record(zod.z.string(), zod.z.any())], { message: "vp_token presentation entry must be string or object" });
-const zVpTokenPex = zod.z.union([zVpTokenPresentationEntry, zod.z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry, "Must have at least entry in vp_token array")], { message: "pex vp_token must be a string, object or non-empty array of strings and objects" });
-const zVpTokenDcql = zod.z.record(zod.z.string(), zod.z.union([zod.z.tuple([zVpTokenPresentationEntry], zVpTokenPresentationEntry), zVpTokenPresentationEntry]), { message: "dcql vp_token must be an object with keys referencing the dcql credential query id, and values a non-empty array of strings and objects, or string, or object" });
-const zVpToken = zVpTokenDcql.or(zVpTokenPex);
-
-//#endregion
-//#region src/authorization-response/z-authorization-response.ts
-const zOpenid4vpAuthorizationResponse = zod.z.object({
-	state: zod.z.string().optional(),
-	id_token: zod.z.string().optional(),
-	vp_token: zVpToken,
-	presentation_submission: zPexPresentationSubmission.or(__openid4vc_utils.zStringToJson).optional(),
-	refresh_token: zod.z.string().optional(),
-	token_type: zod.z.string().optional(),
-	access_token: zod.z.string().optional(),
-	expires_in: zod.z.coerce.number().optional()
-}).loose();
-
-//#endregion
-//#region src/authorization-response/parse-authorization-response-payload.ts
-function parseOpenid4VpAuthorizationResponsePayload(payload) {
-	return (0, __openid4vc_utils.parseWithErrorHandling)(zOpenid4vpAuthorizationResponse, payload, "Failed to parse openid4vp authorization response.");
-}
-
-//#endregion
-//#region src/jarm/jarm-authorization-response/z-jarm-authorization-response.ts
-const zJarmHeader = zod.z.object({
-	...__openid4vc_oauth2.zJwtHeader.shape,
-	apu: zod.z.string().optional(),
-	apv: zod.z.string().optional()
-});
-const zJarmAuthorizationResponse = zod.z.object({
-	...__openid4vc_oauth2.zJwtPayload.shape,
-	...__openid4vc_oauth2.zJwtPayload.pick({
-		iss: true,
-		aud: true,
-		exp: true
-	}).required().shape,
-	state: zod.z.optional(zod.z.string())
-}).loose();
-const zJarmAuthorizationResponseEncryptedOnly = zod.z.object({
-	...__openid4vc_oauth2.zJwtPayload.shape,
-	state: zod.z.optional(zod.z.string())
-}).loose();
-
-//#endregion
-//#region src/jarm/jarm-authorization-response/jarm-validate-authorization-response.ts
-const jarmAuthorizationResponseValidate = (options) => {
-	const { expectedClientId, authorizationResponse } = options;
-	if (!zJarmAuthorizationResponse.safeParse(authorizationResponse).success) return;
-	if (Array.isArray(authorizationResponse.aud) && !authorizationResponse.aud.includes(expectedClientId) || typeof authorizationResponse.aud === "string" && authorizationResponse.aud !== expectedClientId) throw new __openid4vc_oauth2.Oauth2Error(`Invalid 'aud' claim in JARM authorization response. Expected '${expectedClientId}' received '${JSON.stringify(authorizationResponse.aud)}'.`);
-	if (authorizationResponse.exp !== void 0 && authorizationResponse.exp < (0, __openid4vc_utils.dateToSeconds)()) throw new __openid4vc_oauth2.Oauth2Error("JARM auth response is expired.");
-};
-
-//#endregion
-//#region src/jarm/jarm-authorization-response/verify-jarm-authorization-response.ts
-let JarmMode = /* @__PURE__ */ function(JarmMode$1) {
-	JarmMode$1["Signed"] = "Signed";
-	JarmMode$1["Encrypted"] = "Encrypted";
-	JarmMode$1["SignedEncrypted"] = "SignedEncrypted";
-	return JarmMode$1;
-}({});
-/**
-* The client decrypts the JWT using the default key for the respective issuer or,
-* if applicable, determined by the kid JWT header parameter.
-* The key might be a private key, where the corresponding public key is registered
-* with the expected issuer of the response ("use":"enc" via the client's metadata jwks or jwks_uri)
-* or a key derived from its client secret (see Section 2.2).
-*/
-const decryptJarmAuthorizationResponseJwt = async (options) => {
-	const { jarmAuthorizationResponseJwt, callbacks, authorizationRequestPayload } = options;
-	let encryptionJwk;
-	const { header } = (0, __openid4vc_oauth2.decodeJwtHeader)({ jwt: jarmAuthorizationResponseJwt });
-	if (authorizationRequestPayload.client_metadata?.jwks) encryptionJwk = extractEncryptionJwkFromJwks(authorizationRequestPayload.client_metadata.jwks, {
-		kid: header.kid,
-		supportedAlgValues: authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg ? [authorizationRequestPayload.client_metadata.authorization_encrypted_response_alg] : void 0
-	});
-	const result = await callbacks.decryptJwe(jarmAuthorizationResponseJwt, { jwk: encryptionJwk });
-	if (!result.decrypted) throw new __openid4vc_oauth2.Oauth2Error("Failed to decrypt jarm auth response.");
-	return {
-		decryptionJwk: result.decryptionJwk,
-		payload: result.payload
-	};
-};
-/**
-* Validate a JARM direct_post.jwt compliant authentication response
-* * The decryption key should be resolvable using the the protected header's 'kid' field
-* * The signature verification jwk should be resolvable using the jws protected header's 'kid' field and the payload's 'iss' field.
-*/
-async function verifyJarmAuthorizationResponse(options) {
-	const { jarmAuthorizationResponseJwt, callbacks, expectedClientId, authorizationRequestPayload } = options;
-	const requestDataIsEncrypted = __openid4vc_oauth2.zCompactJwe.safeParse(jarmAuthorizationResponseJwt).success;
-	const decryptedRequestData = requestDataIsEncrypted ? await decryptJarmAuthorizationResponseJwt({
-		jarmAuthorizationResponseJwt,
-		callbacks,
-		authorizationRequestPayload
-	}) : {
-		payload: jarmAuthorizationResponseJwt,
-		decryptionJwk: void 0
-	};
-	const responseIsSigned = __openid4vc_oauth2.zCompactJwt.safeParse(decryptedRequestData.payload).success;
-	if (!requestDataIsEncrypted && !responseIsSigned) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response must be either encrypted, signed, or signed and encrypted.");
-	let jarmAuthorizationResponse;
-	if (responseIsSigned) {
-		const { header: jwsProtectedHeader, payload: jwsPayload } = (0, __openid4vc_oauth2.decodeJwt)({
-			jwt: decryptedRequestData.payload,
-			headerSchema: zod.default.object({
-				...__openid4vc_oauth2.zJwtHeader.shape,
-				kid: zod.default.string()
-			})
-		});
-		const response = zJarmAuthorizationResponse.parse(jwsPayload);
-		const jwtSigner = (0, __openid4vc_oauth2.jwtSignerFromJwt)({
-			header: jwsProtectedHeader,
-			payload: jwsPayload
-		});
-		if (!(await options.callbacks.verifyJwt(jwtSigner, {
-			compact: decryptedRequestData.payload,
-			header: jwsProtectedHeader,
-			payload: jwsPayload
-		})).verified) throw new __openid4vc_oauth2.Oauth2Error("Jarm Auth Response is not valid.");
-		jarmAuthorizationResponse = response;
-	} else {
-		const jsonRequestData = (0, __openid4vc_utils.stringToJsonWithErrorHandling)(decryptedRequestData.payload, "Unable to parse decrypted JARM JWE body to JSON");
-		jarmAuthorizationResponse = zJarmAuthorizationResponseEncryptedOnly.parse(jsonRequestData);
-	}
-	jarmAuthorizationResponseValidate({
-		expectedClientId,
-		authorizationResponse: jarmAuthorizationResponse
-	});
-	const type = requestDataIsEncrypted && responseIsSigned ? JarmMode.SignedEncrypted : requestDataIsEncrypted ? JarmMode.Encrypted : JarmMode.Signed;
-	const issuer = jarmAuthorizationResponse.iss;
-	return {
-		jarmAuthorizationResponse,
-		type,
-		issuer,
-		decryptionJwk: decryptedRequestData.decryptionJwk
-	};
-}
-
-//#endregion
-//#region src/vp-token/parse-vp-token.ts
-function parsePexVpToken(vpToken) {
-	const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenPex, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse presentation exchange vp_token. Expected a string or an array of strings");
-	return Array.isArray(parsedVpToken) ? parsedVpToken : [parsedVpToken];
-}
-function parseDcqlVpToken(vpToken) {
-	const parsedVpToken = (0, __openid4vc_utils.parseWithErrorHandling)(zVpTokenDcql, (0, __openid4vc_utils.parseIfJson)(vpToken), "Could not parse dcql vp_token. Expected an object where the values are encoded presentations");
-	return Object.fromEntries(Object.entries(parsedVpToken).map(([queryId, presentations]) => [queryId, Array.isArray(presentations) ? presentations : [presentations]]));
-}
-
-//#endregion
-//#region src/authorization-response/validate-authorization-response.ts
-/**
-* The following steps need to be performed outside of this library
-* - verifying the presentations
-* - validating the presentations against the presentation definition
-* - checking the revocation status of the presentations
-* - checking the nonce of the presentations matches the nonce of the request (for mdoc's)
-*/
-function validateOpenid4vpAuthorizationResponsePayload(options) {
-	const { authorizationRequestPayload, authorizationResponsePayload } = options;
-	if (authorizationRequestPayload.state && authorizationRequestPayload.state !== authorizationResponsePayload.state) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response state mismatch.");
-	if (authorizationResponsePayload.id_token) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Response id_token is not supported.");
-	if (authorizationResponsePayload.presentation_submission) {
-		if (!authorizationRequestPayload.presentation_definition) throw new __openid4vc_oauth2.Oauth2Error("OpenId4Vp Authorization Request is missing the required presentation_definition.");
-		return {
-			type: "pex",
-			pex: authorizationRequestPayload.scope ? {
-				scope: authorizationRequestPayload.scope,
-				presentationSubmission: authorizationResponsePayload.presentation_submission,
-				presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
-			} : {
-				presentationDefinition: authorizationRequestPayload.presentation_definition,
-				presentationSubmission: authorizationResponsePayload.presentation_submission,
-				presentations: parsePexVpToken(authorizationResponsePayload.vp_token)
-			}
-		};
-	}
-	if (authorizationRequestPayload.dcql_query) {
-		const presentations = parseDcqlVpToken(authorizationResponsePayload.vp_token);
-		return {
-			type: "dcql",
-			dcql: authorizationRequestPayload.scope ? {
-				scope: authorizationRequestPayload.scope,
-				presentations
-			} : {
-				query: authorizationRequestPayload.dcql_query,
-				presentations
-			}
-		};
-	}
-	throw new __openid4vc_oauth2.Oauth2Error("Invalid OpenId4Vp Authorization Response. Response neither contains a presentation_submission nor request contains a dcql_query.");
-}
-
-//#endregion
-//#region src/authorization-response/parse-jarm-authorization-response.ts
-async function parseJarmAuthorizationResponse(options) {
-	const { jarmResponseJwt, callbacks, authorizationRequestPayload, expectedClientId } = options;
-	const jarmAuthorizationResponseJwt = (0, __openid4vc_utils.parseWithErrorHandling)(zod.default.union([__openid4vc_oauth2.zCompactJwt, __openid4vc_oauth2.zCompactJwe]), jarmResponseJwt, "Invalid jarm authorization response jwt.");
-	const verifiedJarmResponse = await verifyJarmAuthorizationResponse({
-		jarmAuthorizationResponseJwt,
-		callbacks,
-		expectedClientId,
-		authorizationRequestPayload
-	});
-	const { header: jarmHeader } = (0, __openid4vc_oauth2.decodeJwtHeader)({
-		jwt: jarmAuthorizationResponseJwt,
-		headerSchema: zJarmHeader
-	});
-	const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(verifiedJarmResponse.jarmAuthorizationResponse);
-	const validateOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
-		authorizationRequestPayload,
-		authorizationResponsePayload
-	});
-	if (!authorizationRequestPayload.response_mode || !isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2Error(`Invalid response mode for jarm response. Response mode: '${authorizationRequestPayload.response_mode ?? "fragment"}'`);
-	return {
-		...validateOpenId4vpResponse,
-		jarm: {
-			...verifiedJarmResponse,
-			jarmHeader
-		},
-		expectedNonce: authorizationRequestPayload.nonce,
-		authorizationResponsePayload
-	};
-}
-
-//#endregion
-//#region src/authorization-response/parse-authorization-response.ts
-async function parseOpenid4vpAuthorizationResponse(options) {
-	const { authorizationResponse, callbacks, authorizationRequestPayload, origin } = options;
-	const expectedClientId = getOpenid4vpClientId({
-		origin,
-		responseMode: authorizationRequestPayload.response_mode,
-		clientId: authorizationRequestPayload.client_id,
-		legacyClientIdScheme: authorizationRequestPayload.client_id_scheme
-	});
-	if (authorizationResponse.response) return parseJarmAuthorizationResponse({
-		jarmResponseJwt: authorizationResponse.response,
-		callbacks,
-		authorizationRequestPayload,
-		expectedClientId: expectedClientId.effectiveClientId
-	});
-	const authorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload(authorizationResponse);
-	const validatedOpenId4vpResponse = validateOpenid4vpAuthorizationResponsePayload({
-		authorizationRequestPayload,
-		authorizationResponsePayload
-	});
-	if (authorizationRequestPayload.response_mode && isJarmResponseMode(authorizationRequestPayload.response_mode)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: "invalid_request",
-		error_description: "Invalid response mode for openid4vp response. Expected jarm response."
-	}, { status: 400 });
-	return {
-		...validatedOpenId4vpResponse,
-		expectedNonce: authorizationRequestPayload.nonce,
-		authorizationResponsePayload,
-		jarm: void 0
-	};
-}
-
-//#endregion
-//#region src/jarm/jarm-authorizatino-response-send.ts
-const jarmAuthorizationResponseSend = (options) => {
-	const { authorizationRequestPayload, jarmAuthorizationResponseJwt, callbacks } = options;
-	const responseEndpoint = authorizationRequestPayload.response_uri ?? authorizationRequestPayload.redirect_uri;
-	if (!responseEndpoint) throw new __openid4vc_oauth2.Oauth2Error(`Either 'response_uri' or 'redirect_uri' MUST  be present in the authorization request`);
-	return handleDirectPostJwt(new __openid4vc_utils.URL(responseEndpoint), jarmAuthorizationResponseJwt, callbacks);
-};
-async function handleDirectPostJwt(responseEndpoint, responseJwt, callbacks) {
-	return {
-		responseMode: "direct_post.jwt",
-		response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(responseEndpoint, {
-			method: "POST",
-			headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded },
-			body: `response=${responseJwt}`
-		})
-	};
-}
-
-//#endregion
-//#region src/authorization-response/submit-authorization-response.ts
-async function submitOpenid4vpAuthorizationResponse(options) {
-	const { authorizationRequestPayload, authorizationResponsePayload, jarm, callbacks } = options;
-	const url = authorizationRequestPayload.response_uri;
-	if (jarm) return jarmAuthorizationResponseSend({
-		authorizationRequestPayload,
-		jarmAuthorizationResponseJwt: jarm.responseJwt,
-		callbacks
-	});
-	if (!url) throw new __openid4vc_oauth2.Oauth2Error("Failed to submit OpenId4Vp Authorization Response. No redirect_uri or response_uri provided.");
-	return {
-		responseMode: "direct_post",
-		response: await (0, __openid4vc_utils.createFetcher)(callbacks.fetch)(url, {
-			method: "POST",
-			body: (0, __openid4vc_utils.objectToQueryParams)(authorizationResponsePayload).toString(),
-			headers: { "Content-Type": __openid4vc_utils.ContentType.XWwwFormUrlencoded }
-		})
-	};
-}
-
-//#endregion
-//#region src/models/z-credential-formats.ts
-const zCredentialFormat = zod.z.enum([
-	"jwt_vc_json",
-	"ldp_vc",
-	"mso_mdoc",
-	"dc+sd-jwt",
-	"vc+sd-jwt"
-]);
-
-//#endregion
-//#region src/models/z-proof-formats.ts
-const zProofFormat = zod.z.enum([
-	"jwt_vp_json",
-	"ldc_vp",
-	"ac_vp",
-	"dc+sd-jwt",
-	"vc+sd-jwt",
-	"mso_mdoc"
-]);
-
-//#endregion
-//#region src/models/z-wallet-metadata.ts
-const zWalletMetadata = zod.z.object({
-	presentation_definition_uri_supported: zod.z.optional(zod.z.boolean()),
-	vp_formats_supported: zod.z.optional(zVpFormatsSupported.or(zLegacyVpFormats)),
-	client_id_schemes_supported: zod.z.optional(zod.z.array(zClientIdPrefix.exclude(["decentralized_identifier", "openid_federation"]))),
-	client_id_prefixes_supported: zod.z.optional(zod.z.array(zUniformClientIdPrefix)),
-	request_object_signing_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
-	authorization_encryption_alg_values_supported: zod.z.optional(zod.z.array(zod.z.string())),
-	authorization_encryption_enc_values_supported: zod.z.optional(zod.z.array(zod.z.string()))
-});
-
-//#endregion
-//#region src/Openid4vpClient.ts
-var Openid4vpClient = class {
-	constructor(options) {
-		this.options = options;
-	}
-	parseOpenid4vpAuthorizationRequest(options) {
-		return parseOpenid4vpAuthorizationRequest(options);
-	}
-	async resolveOpenId4vpAuthorizationRequest(options) {
-		return resolveOpenid4vpAuthorizationRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	async createOpenid4vpAuthorizationResponse(options) {
-		return createOpenid4vpAuthorizationResponse({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	async submitOpenid4vpAuthorizationResponse(options) {
-		return submitOpenid4vpAuthorizationResponse({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-};
-
-//#endregion
-//#region src/transaction-data/verify-transaction-data.ts
-async function verifyTransactionData(options) {
-	const parsedTransactionData = parseTransactionData({ transactionData: options.transactionData });
-	const matchedEntries = [];
-	for (const parsedEntry of parsedTransactionData) {
-		const matchedEntry = await verifyTransactionDataEntry({
-			entry: parsedEntry,
-			callbacks: options.callbacks,
-			credentials: options.credentials
-		});
-		matchedEntries.push(matchedEntry);
-	}
-	return matchedEntries;
-}
-async function verifyTransactionDataEntry({ entry, credentials, callbacks }) {
-	const allowedAlgs = entry.transactionData.transaction_data_hashes_alg ?? ["sha-256"];
-	const supportedAlgs = allowedAlgs.filter((alg) => Object.values(__openid4vc_oauth2.HashAlgorithm).includes(alg));
-	const hashes = {};
-	for (const alg of supportedAlgs) hashes[alg] = (0, __openid4vc_utils.encodeToBase64Url)(await callbacks.hash((0, __openid4vc_utils.decodeUtf8String)(entry.encoded), alg));
-	for (const credentialId of entry.transactionData.credential_ids) {
-		const transactionDataHashesCredentials = credentials[credentialId];
-		if (!transactionDataHashesCredentials) continue;
-		const presentations = [];
-		for (const transactionDataHashesCredential of transactionDataHashesCredentials) {
-			const alg = transactionDataHashesCredential.transaction_data_hashes_alg ?? "sha-256";
-			const hash = hashes[alg];
-			const presentationIndex = transactionDataHashesCredentials.indexOf(transactionDataHashesCredential);
-			if (!allowedAlgs.includes(alg)) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
-				error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using alg '${alg}'. However transaction data only allows alg values ${allowedAlgs.join(", ")}.`
-			});
-			if (!hash) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
-				error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} is hashed using unsupported alg '${alg}'. This library only supports verification of transaction data hashes using alg values ${Object.values(__openid4vc_oauth2.HashAlgorithm).join(", ")}. Either verify the hashes outside of this library, or limit the allowed alg values to the ones supported by this library.`
-			});
-			const credentialHashIndex = transactionDataHashesCredential.transaction_data_hashes.indexOf(hash);
-			if (credentialHashIndex === -1) throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-				error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
-				error_description: `Transaction data entry with index ${entry.transactionDataIndex} for presentation ${credentialId} with index ${presentationIndex} does not have a matching hash in the transaction_data_hashes`
-			});
-			presentations.push({
-				credentialHashIndex,
-				hash,
-				hashAlg: alg,
-				presentationIndex
-			});
-		}
-		return {
-			transactionDataEntry: entry,
-			credentialId,
-			presentations
-		};
-	}
-	throw new __openid4vc_oauth2.Oauth2ServerErrorResponseError({
-		error: __openid4vc_oauth2.Oauth2ErrorCodes.InvalidTransactionData,
-		error_description: `Transaction data entry with index ${entry.transactionDataIndex} does not have a matching hash in any of the submitted credentials`
-	});
-}
-
-//#endregion
-//#region src/Openid4vpVerifier.ts
-var Openid4vpVerifier = class {
-	constructor(options) {
-		this.options = options;
-	}
-	async createOpenId4vpAuthorizationRequest(options) {
-		return createOpenid4vpAuthorizationRequest({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-	parseOpenid4vpAuthorizationRequestPayload(options) {
-		return parseOpenid4vpAuthorizationRequest(options);
-	}
-	parseOpenid4vpAuthorizationResponse(options) {
-		return parseOpenid4vpAuthorizationResponse(options);
-	}
-	validateOpenid4vpAuthorizationResponsePayload(options) {
-		return validateOpenid4vpAuthorizationResponsePayload(options);
-	}
-	parsePexVpToken(vpToken) {
-		return parsePexVpToken(vpToken);
-	}
-	parseDcqlVpToken(vpToken) {
-		return parseDcqlVpToken(vpToken);
-	}
-	parseTransactionData(options) {
-		return parseTransactionData(options);
-	}
-	/**
-	* Verify transaction data against submitted credentials.
-	*
-	* NOTE: this expects transaction data based authorization based on hashes. This is the method defined
-	* for SD-JWT VC, but for mDOCs it's much more generic. If you're using transaction data with mDOCs based
-	* on hashes, you can extract the values from the DeviceResponse, otherwise you must verify the transaction data
-	* manually.
-	*/
-	verifyTransactionData(options) {
-		return verifyTransactionData({
-			...options,
-			callbacks: this.options.callbacks
-		});
-	}
-};
-
-//#endregion
-exports.JarmMode = JarmMode;
-exports.Openid4vpClient = Openid4vpClient;
-exports.Openid4vpVerifier = Openid4vpVerifier;
-exports.calculateX509HashClientIdPrefixValue = calculateX509HashClientIdPrefixValue;
-exports.createOpenid4vpAuthorizationRequest = createOpenid4vpAuthorizationRequest;
-exports.createOpenid4vpAuthorizationResponse = createOpenid4vpAuthorizationResponse;
-exports.extractEncryptionJwkFromJwks = extractEncryptionJwkFromJwks;
-exports.getOpenid4vpClientId = getOpenid4vpClientId;
-exports.isJarmResponseMode = isJarmResponseMode;
-exports.isOpenid4vpAuthorizationRequestDcApi = isOpenid4vpAuthorizationRequestDcApi;
-exports.parseAuthorizationRequestVersion = parseAuthorizationRequestVersion;
-exports.parseDcqlVpToken = parseDcqlVpToken;
-exports.parseJarmAuthorizationResponse = parseJarmAuthorizationResponse;
-exports.parseOpenid4VpAuthorizationResponsePayload = parseOpenid4VpAuthorizationResponsePayload;
-exports.parseOpenid4vpAuthorizationRequest = parseOpenid4vpAuthorizationRequest;
-exports.parseOpenid4vpAuthorizationResponse = parseOpenid4vpAuthorizationResponse;
-exports.parsePexVpToken = parsePexVpToken;
-exports.parseTransactionData = parseTransactionData;
-exports.resolveOpenid4vpAuthorizationRequest = resolveOpenid4vpAuthorizationRequest;
-exports.submitOpenid4vpAuthorizationResponse = submitOpenid4vpAuthorizationResponse;
-exports.validateOpenid4vpAuthorizationRequestPayload = validateOpenid4vpAuthorizationRequestPayload;
-exports.validateOpenid4vpAuthorizationResponsePayload = validateOpenid4vpAuthorizationResponsePayload;
-exports.verifyJarmAuthorizationResponse = verifyJarmAuthorizationResponse;
-exports.zClientIdPrefix = zClientIdPrefix;
-exports.zClientMetadata = zClientMetadata;
-exports.zCredentialFormat = zCredentialFormat;
-exports.zJarmClientMetadata = zJarmClientMetadata;
-exports.zOpenid4vpAuthorizationResponse = zOpenid4vpAuthorizationResponse;
-exports.zProofFormat = zProofFormat;
-exports.zVerifierAttestations = zVerifierAttestations;
-exports.zWalletMetadata = zWalletMetadata;
-//# sourceMappingURL=index.cjs.map