@openid4vc/openid4vp 0.4.6-alpha-20260201172333 → 0.5.0-alpha-20260202155954

package/dist/index.mjs

@@ -60,7 +60,7 @@ const validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
 	const { params, isJarRequest, disableOriginValidation, origin } = options;
 	if (isJarRequest && !params.expected_origins) throw new Oauth2ServerErrorResponseError({
 		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combinaction with jar.`
+		error_description: `The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`
 	});
 	if ([params.presentation_definition, params.dcql_query].filter(Boolean).length !== 1) throw new Oauth2ServerErrorResponseError({
 		error: Oauth2ErrorCodes.InvalidRequest,
@@ -71,13 +71,48 @@ const validateOpenid4vpAuthorizationRequestDcApiPayload = (options) => {
 			error: Oauth2ErrorCodes.InvalidRequest,
 			error_description: `Failed to validate the 'origin' of the authorization request. The 'origin' was not provided.`
 		});
-		if (params.expected_origins && !params.expected_origins.includes(origin)) throw new Oauth2ServerErrorResponseError({
+		if (!params.expected_origins.includes(origin)) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
 			error_description: `The 'expected_origins' parameter MUST include the origin of the authorization request. Current: ${params.expected_origins.join(", ")}`
 		});
 	}
 };
 
+//#endregion
+//#region src/authorization-request/validate-authorization-request-iae.ts
+/**
+* Validate the OpenId4Vp Authorization Request parameters for the IAE (Interactive Authorization Endpoint) response mode
+*
+* The IAE flow is part of OpenID4VCI 1.1 and is used when the authorization server needs to
+* interact directly with the wallet during the authorization process.
+*
+* Key validation rules:
+* - For signed requests (JAR), expected_url parameter is validated against the actual endpoint URL
+* - expected_url is used instead of expected_origins to prevent replay attacks
+* - dcql_query must be present
+*/
+const validateOpenid4vpAuthorizationRequestIaePayload = (options) => {
+	const { params, isJarRequest, expectedUrl, disableExpectedUrlValidation } = options;
+	if (isJarRequest && !params.expected_url) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `The 'expected_url' parameter MUST be present when using the iae_post response mode in combination with jar.`
+	});
+	if (!params.dcql_query) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: "dcql_query MUST be present when using iae_post response mode."
+	});
+	if (params.expected_url && !disableExpectedUrlValidation) {
+		if (!expectedUrl) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `Failed to validate the 'expected_url' of the authorization request. The 'expectedUrl' was not provided for validation.`
+		});
+		if (params.expected_url !== expectedUrl) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `The 'expected_url' parameter does not match the follow-up request URL. This prevents replay attacks from malicious verifiers.`
+		});
+	}
+};
+
 //#endregion
 //#region src/jarm/metadata/z-jarm-client-metadata.ts
 const zJarmSignOnlyClientMetadata = z.object({
@@ -255,6 +290,42 @@ function isOpenid4vpAuthorizationRequestDcApi(request) {
 	return isOpenid4vpResponseModeDcApi(request.response_mode);
 }
 
+//#endregion
+//#region src/authorization-request/z-authorization-request-iae.ts
+/**
+* Response modes for Interactive Authorization Endpoint (IAE) flow
+* Part of OpenID4VCI 1.1 specification
+*/
+const zOpenid4vpResponseModeIae = z.enum(["iae_post", "iae_post.jwt"]);
+/**
+* Authorization Request schema for Interactive Authorization Endpoint (IAE) flow
+*
+* IAE is used in OpenID4VCI when the authorization server needs to interact
+* directly with the wallet (e.g., requesting credential presentation) as part
+* of the authorization process.
+*
+* Key differences from DC API:
+* - Uses iae_post/iae_post.jwt response modes
+* - Uses expected_url instead of expected_origins for signed requests
+* - Response is sent back to the Interactive Authorization Endpoint
+*/
+const zOpenid4vpAuthorizationRequestIae = zOpenid4vpAuthorizationRequestDcApi.omit({
+	response_mode: true,
+	expected_origins: true,
+	presentation_definition: true
+}).extend({
+	response_mode: zOpenid4vpResponseModeIae,
+	dcql_query: z.record(z.string(), z.any()),
+	expected_url: z.string().optional(),
+	expected_origins: z.never("The 'expected_origins' parameter MUST NOT be present when using Interactive Authorization response mode. ").optional()
+});
+function isOpenid4vpResponseModeIae(responseMode) {
+	return responseMode !== void 0 && zOpenid4vpResponseModeIae.options.includes(responseMode);
+}
+function isOpenid4vpAuthorizationRequestIae(request) {
+	return isOpenid4vpResponseModeIae(request.response_mode);
+}
+
 //#endregion
 //#region src/authorization-request/create-authorization-request.ts
 /**
@@ -280,12 +351,18 @@ async function createOpenid4vpAuthorizationRequest(options) {
 	let authorizationRequestPayload;
 	if (isOpenid4vpAuthorizationRequestDcApi(options.authorizationRequestPayload)) {
 		authorizationRequestPayload = parseWithErrorHandling(zOpenid4vpAuthorizationRequestDcApi, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp dc_api authorization request.");
-		if (jar && !authorizationRequestPayload.expected_origins) throw new Oauth2Error(`The 'expected_origins' parameter MUST be present when using the dc_api response mode in combination with jar.`);
 		validateOpenid4vpAuthorizationRequestDcApiPayload({
 			params: authorizationRequestPayload,
 			isJarRequest: Boolean(jar),
 			disableOriginValidation: true
 		});
+	} else if (isOpenid4vpAuthorizationRequestIae(options.authorizationRequestPayload)) {
+		authorizationRequestPayload = parseWithErrorHandling(zOpenid4vpAuthorizationRequestIae, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp iae_post authorization request.");
+		validateOpenid4vpAuthorizationRequestIaePayload({
+			params: authorizationRequestPayload,
+			isJarRequest: Boolean(jar),
+			disableExpectedUrlValidation: true
+		});
 	} else {
 		authorizationRequestPayload = parseWithErrorHandling(zOpenid4vpAuthorizationRequest, options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request.");
 		validateOpenid4vpAuthorizationRequestPayload({
@@ -354,7 +431,8 @@ function parseOpenid4vpAuthorizationRequest(options) {
 	const parsedRequest = parseWithErrorHandling(z$1.union([
 		zOpenid4vpAuthorizationRequest,
 		zOpenid4vpJarAuthorizationRequest,
-		zOpenid4vpAuthorizationRequestDcApi
+		zOpenid4vpAuthorizationRequestDcApi,
+		zOpenid4vpAuthorizationRequestIae
 	]), params);
 	if (isJarAuthorizationRequest(parsedRequest)) return {
 		type: "jar",
@@ -366,6 +444,11 @@ function parseOpenid4vpAuthorizationRequest(options) {
 		provided,
 		params: parsedRequest
 	};
+	if (isOpenid4vpAuthorizationRequestIae(parsedRequest)) return {
+		type: "openid4vp_iae",
+		provided,
+		params: parsedRequest
+	};
 	return {
 		type: "openid4vp",
 		provided,
@@ -430,7 +513,7 @@ const zLegacyClientIdSchemeToClientIdPrefix = zLegacyClientIdScheme.optional().d
 */
 function getOpenid4vpClientId(options) {
 	const original = { clientId: options.clientId };
-	const version = options.version ?? 100;
+	const version = options.version ?? 101;
 	if (isOpenid4vpResponseModeDcApi(options.responseMode)) {
 		if (!options.clientId) {
 			if (!options.origin) throw new Oauth2ServerErrorResponseError({
@@ -468,7 +551,7 @@ function getOpenid4vpClientId(options) {
 		error: Oauth2ErrorCodes.InvalidRequest,
 		error_description: `Failed to parse client identifier. Missing required client_id parameter for response_mode '${options.responseMode}'.`
 	});
-	if (options.legacyClientIdScheme) {
+	if (options.legacyClientIdScheme && !isOpenid4vpResponseModeIae(options.responseMode)) {
 		const parsedClientIdPrefix = zLegacyClientIdSchemeToClientIdPrefix.safeParse(options.legacyClientIdScheme);
 		if (!parsedClientIdPrefix.success) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
@@ -517,16 +600,16 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 		responseMode: authorizationRequestPayload.response_mode,
 		origin
 	});
+	if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) throw new Oauth2ServerErrorResponseError({
+		error: Oauth2ErrorCodes.InvalidRequest,
+		error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
+	});
 	if (clientIdPrefix === "pre-registered") return {
 		prefix: "pre-registered",
 		identifier: clientIdIdentifier,
 		effective: effectiveClientId,
 		original
 	};
-	if (!parserConfigWithDefaults.supportedSchemes.includes(clientIdPrefix)) throw new Oauth2ServerErrorResponseError({
-		error: Oauth2ErrorCodes.InvalidRequest,
-		error_description: `Unsupported client identifier prefix. ${clientIdPrefix} is not supported.`
-	});
 	if (clientIdPrefix === "openid_federation") {
 		if (!zHttpsUrl.safeParse(clientIdIdentifier).success) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
@@ -553,9 +636,9 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 			error: Oauth2ErrorCodes.InvalidRequest,
 			error_description: "Using client identifier prefix \"redirect_uri\" the request MUST NOT be signed."
 		});
-		if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) throw new Oauth2ServerErrorResponseError({
+		if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) || isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: `The client identifier prefix 'redirect_uri' is not supported when using the dc_api response mode.`
+			error_description: `The client identifier prefix 'redirect_uri' is not supported when using the ${authorizationRequestPayload.response_mode} response mode.`
 		});
 		if (authorizationRequestPayload.redirect_uri && authorizationRequestPayload.redirect_uri !== clientIdIdentifier) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidClient,
@@ -577,7 +660,7 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 	if (clientIdPrefix === "decentralized_identifier") {
 		if (!jar) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
-			error_description: "Using client identifier prefix \"did\" requires a signed JAR request."
+			error_description: "Using client identifier prefix \"decentralized_identifier\" requires a signed JAR request."
 		});
 		if (jar.signer.method !== "did") throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
@@ -617,7 +700,7 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 				error: Oauth2ErrorCodes.InvalidRequest,
 				error_description: `Invalid client identifier. One of the leaf certificates san dns names [${sanDnsNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'. `
 			});
-			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)) {
 				const uri = authorizationRequestPayload.redirect_uri ?? authorizationRequestPayload.response_uri;
 				if (!uri || new URL(uri).hostname !== clientIdIdentifier) throw new Oauth2ServerErrorResponseError({
 					error: Oauth2ErrorCodes.InvalidRequest,
@@ -630,7 +713,7 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 				error: Oauth2ErrorCodes.InvalidRequest,
 				error_description: `Invalid client identifier. One of the leaf certificates san uri names [${sanUriNames.join(", ")}] must match the client identifier '${clientIdIdentifier}'.`
 			});
-			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+			if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)) {
 				const uri = authorizationRequestPayload.redirect_uri || authorizationRequestPayload.response_uri;
 				if (!uri || uri !== clientIdIdentifier) throw new Oauth2ServerErrorResponseError({
 					error: Oauth2ErrorCodes.InvalidRequest,
@@ -656,13 +739,19 @@ async function validateOpenid4vpClientId(options, parserConfig) {
 			clientMetadata: authorizationRequestPayload.client_metadata
 		};
 	}
-	if (clientIdPrefix === "origin") return {
-		prefix: clientIdPrefix,
-		identifier: clientIdIdentifier,
-		effective: effectiveClientId,
-		original,
-		clientMetadata: authorizationRequestPayload.client_metadata
-	};
+	if (clientIdPrefix === "origin") {
+		if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) throw new Oauth2ServerErrorResponseError({
+			error: Oauth2ErrorCodes.InvalidRequest,
+			error_description: `The client identifier prefix 'origin' is only supported when using a DC API response mode.`
+		});
+		return {
+			prefix: clientIdPrefix,
+			identifier: clientIdIdentifier,
+			effective: effectiveClientId,
+			original,
+			clientMetadata: authorizationRequestPayload.client_metadata
+		};
+	}
 	if (clientIdPrefix === "verifier_attestation") {
 		if (!jar) throw new Oauth2ServerErrorResponseError({
 			error: Oauth2ErrorCodes.InvalidRequest,
@@ -701,9 +790,10 @@ async function fetchClientMetadata(options) {
 //#region src/version.ts
 function parseAuthorizationRequestVersion(request) {
 	const requirements = [];
+	if (isOpenid4vpAuthorizationRequestIae(request)) requirements.push([">=", 101]);
 	if (request.verifier_info) requirements.push([">=", 100]);
 	if (request.verifier_attestations) requirements.push(["<", 100]);
-	if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values) requirements.push([">=", 28]);
+	if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.deviceauth_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuerauth_alg_values) requirements.push([">=", 28]);
 	if (request.client_metadata?.vp_formats_supported?.mso_mdoc?.issuer_signed_alg_values || request.client_metadata?.vp_formats_supported?.mso_mdoc?.device_signed_alg_values) requirements.push(["<", 28]);
 	if (request.client_metadata?.vp_formats_supported) requirements.push([">=", 27]);
 	if (request.client_metadata?.vp_formats) requirements.push(["<", 27]);
@@ -738,7 +828,7 @@ function parseAuthorizationRequestVersion(request) {
 	if (request.client_id_scheme === "x509_san_dns" || request.client_id_scheme === "x509_san_uri") requirements.push([">=", 19]);
 	const lessThanVersions = requirements.filter(([operator]) => operator === "<").map(([_, version]) => version);
 	const greaterThanVersions = requirements.filter(([operator]) => operator === ">=").map(([_, version]) => version);
-	const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 100;
+	const highestPossibleVersion = lessThanVersions.length > 0 ? Math.max(Math.min(...lessThanVersions) - 1, 18) : 101;
 	const lowestRequiredVersion = greaterThanVersions.length > 0 ? Math.max(...greaterThanVersions) : 18;
 	if (lowestRequiredVersion > highestPossibleVersion) throw new Oauth2ServerErrorResponseError({
 		error: Oauth2ErrorCodes.InvalidRequest,
@@ -806,8 +896,8 @@ async function fetchJarRequestObject(options) {
 async function verifyJarRequest(options) {
 	const { callbacks, wallet = {} } = options;
 	const jarRequestParams = {
-		...validateJarRequestParams(options),
-		...options.jarRequestParams
+		...options.jarRequestParams,
+		...validateJarRequestParams(options)
 	};
 	const sendBy = jarRequestParams.request ? "value" : "reference";
 	const clientIdPrefix = jarRequestParams.client_id ? zClientIdPrefix.safeParse(jarRequestParams.client_id.split(":")[0]).data : "origin";
@@ -842,7 +932,7 @@ async function verifyJarRequest(options) {
 		error: Oauth2ErrorCodes.InvalidRequestObject,
 		error_description: "Jar Request Object is missing the required \"client_id\" field."
 	});
-	if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
+	if (!isOpenid4vpResponseModeDcApi(authorizationRequestPayload.response_mode) && !isOpenid4vpResponseModeIae(authorizationRequestPayload.response_mode) && jarRequestParams.client_id !== authorizationRequestPayload.client_id) throw new Oauth2ServerErrorResponseError({
 		error: Oauth2ErrorCodes.InvalidRequest,
 		error_description: "client_id does not match the request object client_id."
 	});
@@ -965,10 +1055,11 @@ function parseTransactionData(options) {
 //#endregion
 //#region src/authorization-request/resolve-authorization-request.ts
 async function resolveOpenid4vpAuthorizationRequest(options) {
-	const { wallet, callbacks, origin, disableOriginValidation } = options;
+	const { wallet, callbacks } = options;
 	let authorizationRequestPayload;
 	const parsed = parseWithErrorHandling(z$1.union([
 		zOpenid4vpAuthorizationRequestDcApi,
+		zOpenid4vpAuthorizationRequestIae,
 		zOpenid4vpAuthorizationRequest,
 		zOpenid4vpJarAuthorizationRequest
 	]), options.authorizationRequestPayload, "Invalid authorization request. Could not parse openid4vp authorization request as openid4vp or jar auth request.");
@@ -977,25 +1068,28 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
 		jar = await verifyJarRequest({
 			jarRequestParams: parsed,
 			callbacks,
-			wallet
+			wallet,
+			allowRequestUri: options.responseMode.type === "direct_post"
 		});
 		authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
-			authorizationRequestPayload: parseWithErrorHandling(z$1.union([zOpenid4vpAuthorizationRequestDcApi, zOpenid4vpAuthorizationRequest]), jar.authorizationRequestPayload, "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."),
+			authorizationRequestPayload: parseWithErrorHandling(z$1.union([
+				zOpenid4vpAuthorizationRequestDcApi,
+				zOpenid4vpAuthorizationRequestIae,
+				zOpenid4vpAuthorizationRequest
+			]), jar.authorizationRequestPayload, "Invalid authorization request. Could not parse jar request payload as openid4vp auth request."),
 			wallet,
 			jar: true,
-			origin,
-			disableOriginValidation
+			responseMode: options.responseMode
 		});
 	} else authorizationRequestPayload = validateOpenId4vpAuthorizationRequestPayload({
 		authorizationRequestPayload: parsed,
 		wallet,
 		jar: false,
-		origin,
-		disableOriginValidation
+		responseMode: options.responseMode
 	});
 	const version = parseAuthorizationRequestVersion(authorizationRequestPayload);
 	let clientMetadata = authorizationRequestPayload.client_metadata;
-	if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
+	if (!isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload) && !isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload) && !clientMetadata && authorizationRequestPayload.client_metadata_uri) clientMetadata = await fetchClientMetadata({ clientMetadataUri: authorizationRequestPayload.client_metadata_uri });
 	const clientMeta = await validateOpenid4vpClientId({
 		authorizationRequestPayload: {
 			...authorizationRequestPayload,
@@ -1003,7 +1097,7 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
 		},
 		jar,
 		callbacks,
-		origin,
+		origin: options.responseMode.type === "dc_api" ? options.responseMode.expectedOrigin : void 0,
 		version
 	});
 	let pex;
@@ -1030,16 +1124,26 @@ async function resolveOpenid4vpAuthorizationRequest(options) {
 	};
 }
 function validateOpenId4vpAuthorizationRequestPayload(options) {
-	const { authorizationRequestPayload, wallet, jar, origin, disableOriginValidation } = options;
+	const { authorizationRequestPayload, wallet, jar, responseMode } = options;
 	if (isOpenid4vpAuthorizationRequestDcApi(authorizationRequestPayload)) {
+		if (responseMode.type !== "dc_api") throw new Oauth2Error(`Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`);
 		validateOpenid4vpAuthorizationRequestDcApiPayload({
 			params: authorizationRequestPayload,
 			isJarRequest: jar,
-			disableOriginValidation,
-			origin
+			origin: responseMode.expectedOrigin
+		});
+		return authorizationRequestPayload;
+	}
+	if (isOpenid4vpAuthorizationRequestIae(authorizationRequestPayload)) {
+		if (responseMode.type !== "iae") throw new Oauth2Error(`Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`);
+		validateOpenid4vpAuthorizationRequestIaePayload({
+			params: authorizationRequestPayload,
+			isJarRequest: jar,
+			expectedUrl: responseMode.expectedUrl
 		});
 		return authorizationRequestPayload;
 	}
+	if (responseMode.type !== "direct_post") throw new Oauth2Error(`Authorization request uses response mode ${authorizationRequestPayload.response_mode}, but expected to use a response mode in the ${responseMode.type} category.`);
 	validateOpenid4vpAuthorizationRequestPayload({
 		params: authorizationRequestPayload,
 		walletVerificationOptions: wallet
@@ -1699,5 +1803,5 @@ var Openid4vpVerifier = class {
 };
 
 //#endregion
-export { JarmMode, Openid4vpClient, Openid4vpVerifier, calculateX509HashClientIdPrefixValue, createOpenid4vpAuthorizationRequest, createOpenid4vpAuthorizationResponse, extractEncryptionJwkFromJwks, getOpenid4vpClientId, isJarmResponseMode, isOpenid4vpAuthorizationRequestDcApi, parseAuthorizationRequestVersion, parseDcqlVpToken, parseJarmAuthorizationResponse, parseOpenid4VpAuthorizationResponsePayload, parseOpenid4vpAuthorizationRequest, parseOpenid4vpAuthorizationResponse, parsePexVpToken, parseTransactionData, resolveOpenid4vpAuthorizationRequest, submitOpenid4vpAuthorizationResponse, validateOpenid4vpAuthorizationRequestPayload, validateOpenid4vpAuthorizationResponsePayload, verifyJarmAuthorizationResponse, zClientIdPrefix, zClientMetadata, zCredentialFormat, zJarmClientMetadata, zOpenid4vpAuthorizationResponse, zProofFormat, zVerifierAttestations, zWalletMetadata };
+export { JarmMode, Openid4vpClient, Openid4vpVerifier, calculateX509HashClientIdPrefixValue, createOpenid4vpAuthorizationRequest, createOpenid4vpAuthorizationResponse, extractEncryptionJwkFromJwks, getOpenid4vpClientId, isJarmResponseMode, isOpenid4vpAuthorizationRequestDcApi, isOpenid4vpAuthorizationRequestIae, parseAuthorizationRequestVersion, parseDcqlVpToken, parseJarmAuthorizationResponse, parseOpenid4VpAuthorizationResponsePayload, parseOpenid4vpAuthorizationRequest, parseOpenid4vpAuthorizationResponse, parsePexVpToken, parseTransactionData, resolveOpenid4vpAuthorizationRequest, submitOpenid4vpAuthorizationResponse, validateOpenid4vpAuthorizationRequestDcApiPayload, validateOpenid4vpAuthorizationRequestIaePayload, validateOpenid4vpAuthorizationRequestPayload, validateOpenid4vpAuthorizationResponsePayload, verifyJarmAuthorizationResponse, zClientIdPrefix, zClientMetadata, zCredentialFormat, zJarmClientMetadata, zOpenid4vpAuthorizationResponse, zProofFormat, zVerifierAttestations, zWalletMetadata };
 //# sourceMappingURL=index.mjs.map