@sd-jwt/core 0.19.1-next.5 → 0.19.1-next.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sd-jwt/core",
-  "version": "0.19.1-next.5+7e24764",
+  "version": "0.19.1-next.6+2bc47b2",
   "description": "sd-jwt draft 7 implementation in typescript",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -37,13 +37,10 @@
   },
   "license": "Apache-2.0",
   "devDependencies": {
-    "@sd-jwt/crypto-nodejs": "0.19.1-next.5+7e24764"
+    "@owf/crypto": "^0.1.0-alpha-20260312123226"
   },
   "dependencies": {
-    "@sd-jwt/decode": "0.19.1-next.5+7e24764",
-    "@sd-jwt/present": "0.19.1-next.5+7e24764",
-    "@sd-jwt/types": "0.19.1-next.5+7e24764",
-    "@sd-jwt/utils": "0.19.1-next.5+7e24764"
+    "@owf/identity-common": "^0.1.0-alpha-20260312123226"
   },
   "publishConfig": {
     "access": "public"
@@ -61,5 +58,5 @@
       "esm"
     ]
   },
-  "gitHead": "7e2476423c6f51158d98d3cd3b78fa53166e8e81"
+  "gitHead": "2bc47b207fc23ea7ef340d81fac91e84c13ad58b"
 }

package/src/decode/decode.ts

@@ -0,0 +1,366 @@
+import type { HasherAndAlgSync, HasherSync } from '../types';
+import {
+  type Hasher,
+  type HasherAndAlg,
+  SD_DIGEST,
+  SD_LIST_KEY,
+  SD_SEPARATOR,
+} from '../types';
+import { base64urlDecode, Disclosure, SDJWTException } from '../utils';
+
+export const decodeJwt = <
+  H extends Record<string, unknown>,
+  T extends Record<string, unknown>,
+>(
+  jwt: string,
+): { header: H; payload: T; signature: string } => {
+  const { 0: header, 1: payload, 2: signature, length } = jwt.split('.');
+  if (length !== 3) {
+    throw new SDJWTException('Invalid JWT as input');
+  }
+
+  return {
+    header: JSON.parse(base64urlDecode(header)),
+    payload: JSON.parse(base64urlDecode(payload)),
+    signature: signature,
+  };
+};
+
+// Split the sdjwt into 3 parts: jwt, disclosures and keybinding jwt. each part is base64url encoded
+// It's separated by the ~ character
+//
+// If there is no keybinding jwt, the third part will be undefined
+// If there are no disclosures, the second part will be an empty array
+export const splitSdJwt = (
+  sdjwt: string,
+): { jwt: string; disclosures: string[]; kbJwt?: string } => {
+  const [encodedJwt, ...encodedDisclosures] = sdjwt.split(SD_SEPARATOR);
+  if (encodedDisclosures.length === 0) {
+    // if input is just jwt, then return here.
+    // This is for compatibility with jwt
+    return {
+      jwt: encodedJwt,
+      disclosures: [],
+    };
+  }
+
+  const encodedKeyBindingJwt = encodedDisclosures.pop();
+  return {
+    jwt: encodedJwt,
+    disclosures: encodedDisclosures,
+    kbJwt: encodedKeyBindingJwt || undefined,
+  };
+};
+
+// Decode the sdjwt into the jwt, disclosures and keybinding jwt
+// jwt, disclosures and keybinding jwt are also decoded
+export const decodeSdJwt = async (
+  sdjwt: string,
+  hasher: Hasher,
+): Promise<DecodedSDJwt> => {
+  const [encodedJwt, ...encodedDisclosures] = sdjwt.split(SD_SEPARATOR);
+  const jwt = decodeJwt(encodedJwt);
+
+  if (encodedDisclosures.length === 0) {
+    // if input is just jwt, then return here.
+    // This is for compatibility with jwt
+    return {
+      jwt,
+      disclosures: [],
+    };
+  }
+
+  const encodedKeyBindingJwt = encodedDisclosures.pop();
+  const kbJwt = encodedKeyBindingJwt
+    ? decodeJwt(encodedKeyBindingJwt)
+    : undefined;
+
+  const { _sd_alg } = getSDAlgAndPayload(jwt.payload);
+
+  const disclosures = await Promise.all(
+    encodedDisclosures.map((ed) =>
+      Disclosure.fromEncode(ed, { alg: _sd_alg, hasher }),
+    ),
+  );
+
+  return {
+    jwt,
+    disclosures,
+    kbJwt,
+  };
+};
+
+export const decodeSdJwtSync = (
+  sdjwt: string,
+  hasher: HasherSync,
+): DecodedSDJwt => {
+  const [encodedJwt, ...encodedDisclosures] = sdjwt.split(SD_SEPARATOR);
+  const jwt = decodeJwt(encodedJwt);
+
+  if (encodedDisclosures.length === 0) {
+    // if input is just jwt, then return here.
+    // This is for compatibility with jwt
+    return {
+      jwt,
+      disclosures: [],
+    };
+  }
+
+  const encodedKeyBindingJwt = encodedDisclosures.pop();
+  const kbJwt = encodedKeyBindingJwt
+    ? decodeJwt(encodedKeyBindingJwt)
+    : undefined;
+
+  const { _sd_alg } = getSDAlgAndPayload(jwt.payload);
+
+  const disclosures = encodedDisclosures.map((ed) =>
+    Disclosure.fromEncodeSync(ed, { alg: _sd_alg, hasher }),
+  );
+
+  return {
+    jwt,
+    disclosures,
+    kbJwt,
+  };
+};
+
+// Get the claims from jwt and disclosures
+// The digested values are matched with the disclosures and the claims are extracted
+export const getClaims = async <T = Record<string, unknown>>(
+  rawPayload: Record<string, unknown>,
+  disclosures: Array<Disclosure>,
+  hasher: Hasher,
+): Promise<T> => {
+  const { unpackedObj } = await unpack(rawPayload, disclosures, hasher);
+  // The caller supplies T to match their expected shape
+  return unpackedObj as T;
+};
+
+export const getClaimsSync = <T = Record<string, unknown>>(
+  rawPayload: Record<string, unknown>,
+  disclosures: Array<Disclosure>,
+  hasher: HasherSync,
+): T => {
+  const { unpackedObj } = unpackSync(rawPayload, disclosures, hasher);
+  // The caller supplies T to match their expected shape
+  return unpackedObj as T;
+};
+
+const isRecord = (v: unknown): v is Record<string, unknown> =>
+  typeof v === 'object' && v !== null && !Array.isArray(v);
+
+const unpackArray = (
+  arr: Array<unknown>,
+  map: Record<string, Disclosure>,
+  prefix = '',
+  seenDigests?: Set<string>,
+): { unpackedObj: unknown; disclosureKeymap: Record<string, string> } => {
+  const keys: Record<string, string> = {};
+  const unpackedArray: unknown[] = [];
+  arr.forEach((item, idx) => {
+    if (isRecord(item)) {
+      const hash = item[SD_LIST_KEY];
+      if (typeof hash === 'string') {
+        // RFC 9901 Section 7.1 step 4: reject duplicate digests
+        if (seenDigests) {
+          if (seenDigests.has(hash)) {
+            throw new SDJWTException(
+              'Duplicate digest found in SD-JWT payload',
+            );
+          }
+          seenDigests.add(hash);
+        }
+        const disclosed = map[hash];
+        if (disclosed) {
+          const presentKey = prefix ? `${prefix}.${idx}` : `${idx}`;
+          keys[presentKey] = hash;
+
+          const { unpackedObj, disclosureKeymap: disclosureKeys } =
+            unpackObjInternal(disclosed.value, map, presentKey, seenDigests);
+          unpackedArray.push(unpackedObj);
+          Object.assign(keys, disclosureKeys);
+        }
+      } else {
+        const newKey = prefix ? `${prefix}.${idx}` : `${idx}`;
+        const { unpackedObj, disclosureKeymap: disclosureKeys } =
+          unpackObjInternal(item, map, newKey, seenDigests);
+        unpackedArray.push(unpackedObj);
+        Object.assign(keys, disclosureKeys);
+      }
+    } else if (Array.isArray(item)) {
+      const newKey = prefix ? `${prefix}.${idx}` : `${idx}`;
+      const { unpackedObj, disclosureKeymap: disclosureKeys } =
+        unpackObjInternal(item, map, newKey, seenDigests);
+      unpackedArray.push(unpackedObj);
+      Object.assign(keys, disclosureKeys);
+    } else {
+      unpackedArray.push(item);
+    }
+  });
+  return { unpackedObj: unpackedArray, disclosureKeymap: keys };
+};
+
+export const unpackObj = (obj: unknown, map: Record<string, Disclosure>) => {
+  const copiedObj = JSON.parse(JSON.stringify(obj));
+  const seenDigests = new Set<string>();
+  const result = unpackObjInternal(copiedObj, map, '', seenDigests);
+
+  // RFC 9901 Section 7.1 step 5: reject unreferenced disclosures
+  const mapDigests = Object.keys(map);
+  const unusedDigests = mapDigests.filter((d) => !seenDigests.has(d));
+  if (unusedDigests.length > 0) {
+    throw new SDJWTException('Unreferenced disclosure(s) detected in SD-JWT');
+  }
+
+  return result;
+};
+
+const unpackObjInternal = (
+  obj: unknown,
+  map: Record<string, Disclosure>,
+  prefix = '',
+  seenDigests?: Set<string>,
+): { unpackedObj: unknown; disclosureKeymap: Record<string, string> } => {
+  const keys: Record<string, string> = {};
+  if (typeof obj === 'object' && obj !== null) {
+    if (Array.isArray(obj)) {
+      return unpackArray(obj, map, prefix, seenDigests);
+    }
+
+    const record = obj as Record<string, unknown>;
+    for (const key in record) {
+      if (
+        key !== SD_DIGEST &&
+        key !== SD_LIST_KEY &&
+        typeof record[key] === 'object'
+      ) {
+        const newKey = prefix ? `${prefix}.${key}` : key;
+        const { unpackedObj, disclosureKeymap: disclosureKeys } =
+          unpackObjInternal(record[key], map, newKey, seenDigests);
+        record[key] = unpackedObj;
+        Object.assign(keys, disclosureKeys);
+      }
+    }
+
+    const { _sd, ...payload } = record as Record<string, unknown> & {
+      _sd?: Array<string>;
+    };
+    const claims: Record<string, unknown> = {};
+    if (_sd) {
+      for (const hash of _sd) {
+        // RFC 9901 Section 7.1 step 4: reject duplicate digests
+        if (seenDigests) {
+          if (seenDigests.has(hash)) {
+            throw new SDJWTException(
+              'Duplicate digest found in SD-JWT payload',
+            );
+          }
+          seenDigests.add(hash);
+        }
+        const disclosed = map[hash];
+        if (disclosed?.key) {
+          // RFC 9901 Section 7.1 step 3c.ii.3: reject if claim name already exists
+          if (disclosed.key in payload) {
+            throw new SDJWTException(
+              `Disclosed claim name "${disclosed.key}" conflicts with existing payload key`,
+            );
+          }
+
+          const presentKey = prefix
+            ? `${prefix}.${disclosed.key}`
+            : disclosed.key;
+          keys[presentKey] = hash;
+
+          const { unpackedObj, disclosureKeymap: disclosureKeys } =
+            unpackObjInternal(disclosed.value, map, presentKey, seenDigests);
+          claims[disclosed.key] = unpackedObj;
+          Object.assign(keys, disclosureKeys);
+        }
+      }
+    }
+
+    const unpackedObj = Object.assign(payload, claims);
+    return { unpackedObj, disclosureKeymap: keys };
+  }
+  return { unpackedObj: obj, disclosureKeymap: keys };
+};
+
+// Creates a mapping of the digests of the disclosures to the actual disclosures
+export const createHashMapping = async (
+  disclosures: Array<Disclosure>,
+  hash: HasherAndAlg,
+) => {
+  const map: Record<string, Disclosure> = {};
+  for (let i = 0; i < disclosures.length; i++) {
+    const disclosure = disclosures[i];
+    const digest = await disclosure.digest(hash);
+    map[digest] = disclosure;
+  }
+  return map;
+};
+
+export const createHashMappingSync = (
+  disclosures: Array<Disclosure>,
+  hash: HasherAndAlgSync,
+) => {
+  const map: Record<string, Disclosure> = {};
+  for (let i = 0; i < disclosures.length; i++) {
+    const disclosure = disclosures[i];
+    const digest = disclosure.digestSync(hash);
+    map[digest] = disclosure;
+  }
+  return map;
+};
+
+// Extract _sd_alg. If it is not present, it is assumed to be sha-256
+export const getSDAlgAndPayload = (SdJwtPayload: Record<string, unknown>) => {
+  const { _sd_alg, ...payload } = SdJwtPayload;
+  if (typeof _sd_alg !== 'string') {
+    // This is for compatibility
+    return { _sd_alg: 'sha-256', payload };
+  }
+  return { _sd_alg, payload };
+};
+
+// Match the digests of the disclosures with the claims and extract the claims
+// unpack function use unpackObjInternal and unpackArray to recursively unpack the claims
+// Since getSDAlgAndPayload create new object So we don't need to clone it again
+export const unpack = async (
+  SdJwtPayload: Record<string, unknown>,
+  disclosures: Array<Disclosure>,
+  hasher: Hasher,
+) => {
+  const { _sd_alg, payload } = getSDAlgAndPayload(SdJwtPayload);
+  const hash = { hasher, alg: _sd_alg };
+  const map = await createHashMapping(disclosures, hash);
+
+  return unpackObj(payload, map);
+};
+
+export const unpackSync = (
+  SdJwtPayload: Record<string, unknown>,
+  disclosures: Array<Disclosure>,
+  hasher: HasherSync,
+) => {
+  const { _sd_alg, payload } = getSDAlgAndPayload(SdJwtPayload);
+  const hash = { hasher, alg: _sd_alg };
+  const map = createHashMappingSync(disclosures, hash);
+
+  return unpackObj(payload, map);
+};
+
+// This is the type of the object that is returned by the decodeSdJwt function
+// It is a combination of the decoded jwt, the disclosures and the keybinding jwt
+export type DecodedSDJwt = {
+  jwt: {
+    header: Record<string, unknown>;
+    payload: Record<string, unknown>; // raw payload of sd-jwt
+    signature: string;
+  };
+  disclosures: Array<Disclosure>;
+  kbJwt?: {
+    header: Record<string, unknown>;
+    payload: Record<string, unknown>;
+    signature: string;
+  };
+};

package/src/decode/index.ts

@@ -0,0 +1 @@
+export * from './decode';

package/src/decoy.ts

@@ -1,5 +1,5 @@
-import type { HasherAndAlg, SaltGenerator } from '@sd-jwt/types';
-import { uint8ArrayToBase64Url } from '@sd-jwt/utils';
+import type { HasherAndAlg, SaltGenerator } from './types';
+import { uint8ArrayToBase64Url } from './utils';
 
 // This function creates a decoy value that can be used to obscure SD JWT payload.
 // The value is basically a hash of a random salt. So the value is not predictable.

package/src/flattenJSON.ts

@@ -1,6 +1,6 @@
-import { splitSdJwt } from '@sd-jwt/decode';
-import { SD_SEPARATOR } from '@sd-jwt/types';
-import { SDJWTException } from '@sd-jwt/utils';
+import { splitSdJwt } from './decode';
+import { SD_SEPARATOR } from './types';
+import { SDJWTException } from './utils';
 
 export type FlattenJSONData = {
   jwtData: {

package/src/generalJSON.ts

@@ -1,6 +1,6 @@
-import { splitSdJwt } from '@sd-jwt/decode';
-import { SD_SEPARATOR, type Signer } from '@sd-jwt/types';
-import { base64urlEncode, SDJWTException } from '@sd-jwt/utils';
+import { splitSdJwt } from './decode';
+import { SD_SEPARATOR, type Signer } from './types';
+import { base64urlEncode, SDJWTException } from './utils';
 
 export type GeneralJSONData = {
   payload: string;

package/src/index.ts

@@ -1,9 +1,13 @@
-import { getSDAlgAndPayload } from '@sd-jwt/decode';
+import { getSDAlgAndPayload } from './decode';
+import { FlattenJSON } from './flattenJSON';
+import { GeneralJSON } from './generalJSON';
+import { Jwt, type VerifierOptions } from './jwt';
+import { KBJwt } from './kbjwt';
+import { pack, SDJwt } from './sdjwt';
 import {
   type DisclosureFrame,
   type Hasher,
   IANA_HASH_ALGORITHMS,
-  type JwtPayload,
   KB_JWT_TYP,
   type KBOptions,
   type PresentationFrame,
@@ -13,25 +17,26 @@ import {
   type Signer,
   type VerificationError,
   type VerificationErrorCode,
-} from '@sd-jwt/types';
+} from './types';
 import {
   base64urlDecode,
   base64urlEncode,
+  ensureError,
   SDJWTException,
   uint8ArrayToBase64Url,
-} from '@sd-jwt/utils';
-import { FlattenJSON } from './flattenJSON';
-import { GeneralJSON } from './generalJSON';
-import { Jwt, type VerifierOptions } from './jwt';
-import { KBJwt } from './kbjwt';
-import { pack, SDJwt } from './sdjwt';
+} from './utils';
 
+export * from './decode';
 export * from './decoy';
 export * from './flattenJSON';
 export * from './generalJSON';
 export * from './jwt';
 export * from './kbjwt';
+export * from './present';
 export * from './sdjwt';
+// Re-export all types, utils, decode, and present functionality
+export * from './types';
+export * from './utils';
 
 export type SdJwtPayload = Record<string, unknown>;
 
@@ -235,7 +240,7 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
     }
     const kb = await sdjwt.kbJwt.verifyKB({
       verifier: this.userConfig.kbVerifier,
-      payload: payload as JwtPayload,
+      payload,
       nonce: options.keyBindingNonce,
     });
     if (!kb) {
@@ -327,7 +332,12 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
       return { success: false, errors };
     }
 
-    const hasher = this.userConfig.hasher as Hasher;
+    if (!this.userConfig.hasher) {
+      throw new SDJWTException('Hasher not found');
+    }
+
+    // hasher and verifier are guaranteed to be defined here
+    const hasher = this.userConfig.hasher;
 
     // Try to decode and validate the SD-JWT
     let sdjwt: SDJwt | undefined;
@@ -339,10 +349,11 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
       if (!sdjwt.jwt || !sdjwt.jwt.payload) {
         addError('INVALID_SD_JWT', 'Invalid SD JWT: missing JWT or payload');
       }
-    } catch (error) {
+    } catch (e) {
+      const error = ensureError(e);
       addError(
         'INVALID_SD_JWT',
-        `Failed to decode SD-JWT: ${(error as Error).message}`,
+        `Failed to decode SD-JWT: ${error.message}`,
         error,
       );
     }
@@ -354,9 +365,10 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
         header = result.header;
         const claims = await sdjwt.getClaims(hasher);
         payload = claims as ExtendedPayload;
-      } catch (error) {
-        const code = exceptionToCode(error as Error);
-        addError(code, (error as Error).message, error);
+      } catch (e) {
+        const error = ensureError(e);
+        const code = exceptionToCode(error);
+        addError(code, error.message, error);
       }
     }
 
@@ -374,10 +386,11 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
             { missingKeys },
           );
         }
-      } catch (error) {
+      } catch (e) {
+        const error = ensureError(e);
         addError(
           'UNKNOWN_ERROR',
-          `Failed to check required claims: ${(error as Error).message}`,
+          `Failed to check required claims: ${error.message}`,
           error,
         );
       }
@@ -399,7 +412,7 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
         try {
           const kbResult = await sdjwt.kbJwt.verifyKB({
             verifier: this.userConfig.kbVerifier,
-            payload: payload as JwtPayload,
+            payload,
             nonce: options.keyBindingNonce,
           });
           if (!kbResult) {
@@ -433,10 +446,11 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
               );
             }
           }
-        } catch (error) {
+        } catch (e) {
+          const error = ensureError(e);
           addError(
             'KEY_BINDING_SIGNATURE_INVALID',
-            `Key binding verification failed: ${(error as Error).message}`,
+            `Key binding verification failed: ${error.message}`,
             error,
           );
         }
@@ -491,7 +505,7 @@ export class SDJwtInstance<ExtendedPayload extends SdJwtPayload, T = unknown> {
     }
 
     const verifiedPayloads = await this.VerifyJwt(sdjwt.jwt, options);
-    const claims = await sdjwt.getClaims(hasher);
+    const claims = await sdjwt.getClaims<ExtendedPayload>(hasher);
     return { payload: claims, header: verifiedPayloads.header };
   }
 
@@ -758,8 +772,8 @@ export class SDJwtGeneralJSONInstance<ExtendedPayload extends SdJwtPayload> {
     }
     const kb = await sdjwt.kbJwt.verifyKB({
       verifier: this.userConfig.kbVerifier,
-      payload: payload as JwtPayload,
-      nonce: options.keyBindingNonce as string,
+      payload,
+      nonce: options.keyBindingNonce,
     });
     if (!kb) {
       throw new Error('signature is not valid');
@@ -835,7 +849,7 @@ export class SDJwtGeneralJSONInstance<ExtendedPayload extends SdJwtPayload> {
       throw new SDJWTException('Invalid SD JWT');
     }
 
-    const claims = await sdjwt.getClaims(hasher);
+    const claims = await sdjwt.getClaims<ExtendedPayload>(hasher);
     return { payload: claims, headers: results.map((r) => r.header) };
   }
 

package/src/jwt.ts

@@ -1,6 +1,6 @@
-import { decodeJwt } from '@sd-jwt/decode';
-import type { Base64urlString, Signer, Verifier } from '@sd-jwt/types';
-import { base64urlEncode, SDJWTException } from '@sd-jwt/utils';
+import { decodeJwt } from './decode';
+import type { Base64urlString, Signer, Verifier } from './types';
+import { base64urlEncode, SDJWTException } from './utils';
 
 export type JwtData<
   Header extends Record<string, unknown>,
@@ -154,23 +154,18 @@ export class Jwt<
   public async verify<T>(verifier: Verifier<T>, options?: T & VerifierOptions) {
     const skew = options?.skewSeconds ? options.skewSeconds : 0;
     const currentDate = options?.currentDate ?? Math.floor(Date.now() / 1000);
-    if (
-      this.payload?.iat &&
-      (this.payload.iat as number) - skew > currentDate
-    ) {
+    const iat = this.payload?.iat;
+    const nbf = this.payload?.nbf;
+    const exp = this.payload?.exp;
+
+    if (typeof iat === 'number' && iat - skew > currentDate) {
       throw new SDJWTException('Verify Error: JWT is not yet valid');
     }
 
-    if (
-      this.payload?.nbf &&
-      (this.payload.nbf as number) - skew > currentDate
-    ) {
+    if (typeof nbf === 'number' && nbf - skew > currentDate) {
       throw new SDJWTException('Verify Error: JWT is not yet valid');
     }
-    if (
-      this.payload?.exp &&
-      (this.payload.exp as number) + skew < currentDate
-    ) {
+    if (typeof exp === 'number' && exp + skew < currentDate) {
       throw new SDJWTException('Verify Error: JWT is expired');
     }
 

package/src/kbjwt.ts

@@ -1,12 +1,11 @@
+import { Jwt } from './jwt';
 import {
-  type JwtPayload,
   KB_JWT_TYP,
   type KbVerifier,
   type kbHeader,
   type kbPayload,
-} from '@sd-jwt/types';
-import { SDJWTException } from '@sd-jwt/utils';
-import { Jwt } from './jwt';
+} from './types';
+import { SDJWTException } from './utils';
 
 export class KBJwt<
   Header extends kbHeader = kbHeader,
@@ -16,7 +15,7 @@ export class KBJwt<
   // the type unknown is not good, but we don't know at this point how to get the public key of the signer, this is defined in the kbVerifier
   public async verifyKB(values: {
     verifier: KbVerifier;
-    payload: JwtPayload;
+    payload: Record<string, unknown>;
     nonce: string;
   }) {
     if (!this.header || !this.payload || !this.signature) {
@@ -34,7 +33,7 @@ export class KBJwt<
       // this is for backward compatibility with version 06
       !(
         this.payload.sd_hash ||
-        (this.payload as Record<string, unknown> | undefined)?._sd_hash
+        ('_sd_hash' in this.payload && this.payload._sd_hash)
       )
     ) {
       throw new SDJWTException('Invalid Key Binding Jwt');

package/src/present/index.ts

@@ -0,0 +1 @@
+export * from './present';