@sphereon/oid4vci-client 0.17.0 → 0.17.1-feature.esm.cjs.25

package/dist/index.cjs

@@ -0,0 +1,4679 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// lib/index.ts
+var index_exports = {};
+__export(index_exports, {
+  AccessTokenClient: () => AccessTokenClient,
+  AccessTokenClientV1_0_11: () => AccessTokenClientV1_0_11,
+  CredentialOfferClient: () => CredentialOfferClient,
+  CredentialOfferClientV1_0_11: () => CredentialOfferClientV1_0_11,
+  CredentialOfferClientV1_0_13: () => CredentialOfferClientV1_0_13,
+  CredentialRequestClient: () => CredentialRequestClient,
+  CredentialRequestClientBuilder: () => CredentialRequestClientBuilder,
+  CredentialRequestClientBuilderV1_0_11: () => CredentialRequestClientBuilderV1_0_11,
+  CredentialRequestClientBuilderV1_0_13: () => CredentialRequestClientBuilderV1_0_13,
+  CredentialRequestClientV1_0_11: () => CredentialRequestClientV1_0_11,
+  LOG: () => LOG2,
+  MetadataClient: () => MetadataClient,
+  MetadataClientV1_0_11: () => MetadataClientV1_0_11,
+  MetadataClientV1_0_13: () => MetadataClientV1_0_13,
+  OpenID4VCIClient: () => OpenID4VCIClient,
+  OpenID4VCIClientV1_0_11: () => OpenID4VCIClientV1_0_11,
+  OpenID4VCIClientV1_0_13: () => OpenID4VCIClientV1_0_13,
+  ProofOfPossessionBuilder: () => ProofOfPossessionBuilder,
+  acquireAuthorizationChallengeAuthCode: () => acquireAuthorizationChallengeAuthCode,
+  acquireAuthorizationChallengeAuthCodeUsingRequest: () => acquireAuthorizationChallengeAuthCodeUsingRequest,
+  buildProof: () => buildProof,
+  constructBaseResponse: () => constructBaseResponse,
+  createAuthorizationChallengeRequest: () => createAuthorizationChallengeRequest,
+  createAuthorizationRequestUrl: () => createAuthorizationRequestUrl,
+  createAuthorizationRequestUrlV1_0_11: () => createAuthorizationRequestUrlV1_0_11,
+  createJwtBearerClientAssertion: () => createJwtBearerClientAssertion,
+  createSignedAuthRequestWhenNeeded: () => createSignedAuthRequestWhenNeeded,
+  generateMissingPKCEOpts: () => generateMissingPKCEOpts,
+  handleCredentialOfferUri: () => handleCredentialOfferUri,
+  isUriEncoded: () => isUriEncoded,
+  retrieveWellknown: () => retrieveWellknown,
+  sendAuthorizationChallengeRequest: () => sendAuthorizationChallengeRequest,
+  sendNotification: () => sendNotification
+});
+module.exports = __toCommonJS(index_exports);
+var import_oid4vci_common26 = require("@sphereon/oid4vci-common");
+
+// lib/AccessTokenClient.ts
+var import_oid4vc_common3 = require("@sphereon/oid4vc-common");
+var import_oid4vci_common9 = require("@sphereon/oid4vci-common");
+var import_ssi_types2 = require("@sphereon/ssi-types");
+
+// lib/MetadataClientV1_0_13.ts
+var import_oid4vci_common8 = require("@sphereon/oid4vci-common");
+var import_debug2 = __toESM(require("debug"), 1);
+
+// lib/functions/AuthorizationUtil.ts
+var import_oid4vci_common = require("@sphereon/oid4vci-common");
+var generateMissingPKCEOpts = /* @__PURE__ */ __name((pkce) => {
+  if (pkce.disabled) {
+    return pkce;
+  }
+  if (!pkce.codeChallengeMethod) {
+    pkce.codeChallengeMethod = import_oid4vci_common.CodeChallengeMethod.S256;
+  }
+  if (!pkce.codeVerifier) {
+    pkce.codeVerifier = (0, import_oid4vci_common.generateCodeVerifier)();
+  }
+  (0, import_oid4vci_common.assertValidCodeVerifier)(pkce.codeVerifier);
+  if (!pkce.codeChallenge) {
+    pkce.codeChallenge = (0, import_oid4vci_common.createCodeChallenge)(pkce.codeVerifier, pkce.codeChallengeMethod);
+  }
+  return pkce;
+}, "generateMissingPKCEOpts");
+
+// lib/functions/notifications.ts
+var import_oid4vci_common3 = require("@sphereon/oid4vci-common");
+
+// lib/types/index.ts
+var import_oid4vci_common2 = require("@sphereon/oid4vci-common");
+var import_ssi_types = require("@sphereon/ssi-types");
+var LOG = import_oid4vci_common2.VCI_LOGGERS.options("sphereon:oid4vci:client", {
+  methods: [
+    import_ssi_types.LogMethod.EVENT,
+    import_ssi_types.LogMethod.DEBUG_PKG
+  ]
+}).get("sphereon:oid4vci:client");
+
+// lib/functions/notifications.ts
+async function sendNotification(credentialRequestOpts, request, accessToken) {
+  LOG.info(`Sending status notification event '${request.event}' for id ${request.notification_id}`);
+  if (!credentialRequestOpts.notificationEndpoint) {
+    throw Error(`Cannot send notification when no notification endpoint is provided`);
+  }
+  const token = accessToken ?? credentialRequestOpts.token;
+  const response = await (0, import_oid4vci_common3.post)(credentialRequestOpts.notificationEndpoint, JSON.stringify(request), {
+    ...token && {
+      bearerToken: token
+    }
+  });
+  const error = response.errorBody?.error !== void 0;
+  const result = {
+    error,
+    response: error ? response.errorBody : void 0
+  };
+  if (error) {
+    LOG.warning(`Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${response.errorBody}`);
+  } else {
+    LOG.debug(`Notification endpoint returned success for event '${request.event}' and id ${request.notification_id}`);
+  }
+  return result;
+}
+__name(sendNotification, "sendNotification");
+
+// lib/functions/OpenIDUtils.ts
+var import_oid4vci_common4 = require("@sphereon/oid4vci-common");
+var import_debug = __toESM(require("debug"), 1);
+var debug = (0, import_debug.default)("sphereon:openid4vci:openid-utils");
+var retrieveWellknown = /* @__PURE__ */ __name(async (host, endpointType, opts) => {
+  const result = await (0, import_oid4vci_common4.getJson)(`${host.endsWith("/") ? host.slice(0, -1) : host}${endpointType}`, {
+    exceptionOnHttpErrorStatus: opts?.errorOnNotFound
+  });
+  if (result.origResponse.status >= 400) {
+    debug(`host ${host} with endpoint type ${endpointType} status: ${result.origResponse.status}, ${result.origResponse.statusText}`);
+  }
+  return result;
+}, "retrieveWellknown");
+
+// lib/functions/AccessTokenUtil.ts
+var import_oid4vc_common = require("@sphereon/oid4vc-common");
+var import_oid4vci_common6 = require("@sphereon/oid4vci-common");
+
+// lib/ProofOfPossessionBuilder.ts
+var import_oid4vci_common5 = require("@sphereon/oid4vci-common");
+var ProofOfPossessionBuilder = class _ProofOfPossessionBuilder {
+  static {
+    __name(this, "ProofOfPossessionBuilder");
+  }
+  proof;
+  callbacks;
+  version;
+  mode = "pop";
+  kid;
+  jwk;
+  aud;
+  clientId;
+  issuer;
+  jwt;
+  alg;
+  jti;
+  cNonce;
+  typ;
+  constructor({ proof, callbacks, jwt, accessTokenResponse, version, mode = "pop" }) {
+    this.mode = mode;
+    this.proof = proof;
+    this.callbacks = callbacks;
+    this.version = version;
+    if (jwt) {
+      this.withJwt(jwt);
+    } else {
+      this.withTyp(version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || mode === "JWT" ? "JWT" : "openid4vci-proof+jwt");
+    }
+    if (accessTokenResponse) {
+      this.withAccessTokenResponse(accessTokenResponse);
+    }
+  }
+  static manual({ jwt, callbacks, version, mode = "JWT" }) {
+    return new _ProofOfPossessionBuilder({
+      callbacks,
+      jwt,
+      version,
+      mode
+    });
+  }
+  static fromJwt({ jwt, callbacks, version, mode = "pop" }) {
+    return new _ProofOfPossessionBuilder({
+      callbacks,
+      jwt,
+      version,
+      mode
+    });
+  }
+  static fromAccessTokenResponse({ accessTokenResponse, callbacks, version, mode = "pop" }) {
+    return new _ProofOfPossessionBuilder({
+      callbacks,
+      accessTokenResponse,
+      version,
+      mode
+    });
+  }
+  static fromProof(proof, version) {
+    return new _ProofOfPossessionBuilder({
+      proof,
+      version
+    });
+  }
+  withAud(aud) {
+    this.aud = aud;
+    return this;
+  }
+  withClientId(clientId) {
+    this.clientId = clientId;
+    return this;
+  }
+  withKid(kid) {
+    this.kid = kid;
+    return this;
+  }
+  withJWK(jwk) {
+    this.jwk = jwk;
+    return this;
+  }
+  withIssuer(issuer) {
+    this.issuer = issuer;
+    return this;
+  }
+  withAlg(alg) {
+    this.alg = alg;
+    return this;
+  }
+  withJti(jti) {
+    this.jti = jti;
+    return this;
+  }
+  withTyp(typ) {
+    if (this.mode === "pop" && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
+      if (!!typ && typ !== "openid4vci-proof+jwt") {
+        throw Error(`typ must be openid4vci-proof+jwt for version 1.0.11 and up. Provided: ${typ}`);
+      }
+    } else {
+      if (!!typ && typ !== "JWT") {
+        throw Error(`typ must be jwt for version 1.0.10 and below. Provided: ${typ}`);
+      }
+    }
+    this.typ = typ;
+    return this;
+  }
+  withAccessTokenNonce(cNonce) {
+    this.cNonce = cNonce;
+    return this;
+  }
+  withAccessTokenResponse(accessToken) {
+    if (accessToken.c_nonce) {
+      this.withAccessTokenNonce(accessToken.c_nonce);
+    }
+    return this;
+  }
+  withEndpointMetadata(endpointMetadata) {
+    this.withIssuer(endpointMetadata.issuer);
+    return this;
+  }
+  withJwt(jwt) {
+    if (!jwt) {
+      throw new Error(import_oid4vci_common5.NO_JWT_PROVIDED);
+    }
+    this.jwt = jwt;
+    if (!jwt.header) {
+      throw Error(`No JWT header present`);
+    } else if (!jwt.payload) {
+      throw Error(`No JWT payload present`);
+    }
+    if (jwt.header.kid) {
+      this.withKid(jwt.header.kid);
+    }
+    if (jwt.header.typ) {
+      this.withTyp(jwt.header.typ);
+    }
+    if (!this.typ && this.version >= import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11) {
+      this.withTyp("openid4vci-proof+jwt");
+    }
+    this.withAlg(jwt.header.alg);
+    if (Array.isArray(jwt.payload.aud)) {
+      throw Error("We cannot handle multiple aud values currently");
+    }
+    if (jwt.payload) {
+      if (jwt.payload.iss) this.mode === "pop" ? this.withClientId(jwt.payload.iss) : this.withIssuer(jwt.payload.iss);
+      if (jwt.payload.aud) this.mode === "pop" ? this.withIssuer(jwt.payload.aud) : this.withAud(jwt.payload.aud);
+      if (jwt.payload.jti) this.withJti(jwt.payload.jti);
+      if (jwt.payload.nonce) this.withAccessTokenNonce(jwt.payload.nonce);
+    }
+    return this;
+  }
+  async build() {
+    if (this.proof) {
+      return Promise.resolve(this.proof);
+    } else if (this.callbacks) {
+      return await (0, import_oid4vci_common5.createProofOfPossession)(this.mode, this.callbacks, {
+        typ: this.typ ?? (this.version < import_oid4vci_common5.OpenId4VCIVersion.VER_1_0_11 || this.mode === "JWT" ? "JWT" : "openid4vci-proof+jwt"),
+        kid: this.kid,
+        jwk: this.jwk,
+        jti: this.jti,
+        alg: this.alg,
+        aud: this.aud,
+        issuer: this.issuer,
+        clientId: this.clientId,
+        ...this.cNonce && {
+          nonce: this.cNonce
+        }
+      }, this.jwt);
+    }
+    throw new Error(import_oid4vci_common5.PROOF_CANT_BE_CONSTRUCTED);
+  }
+};
+
+// lib/functions/AccessTokenUtil.ts
+var createJwtBearerClientAssertion = /* @__PURE__ */ __name(async (request, opts) => {
+  const { asOpts, credentialIssuer } = opts;
+  if (asOpts?.clientOpts?.clientAssertionType === "urn:ietf:params:oauth:client-assertion-type:jwt-bearer") {
+    const { clientId = request.client_id, signCallbacks, alg } = asOpts.clientOpts;
+    let { kid } = asOpts.clientOpts;
+    if (!clientId) {
+      return Promise.reject(Error(`Not client_id supplied, but client-assertion jwt-bearer requested.`));
+    } else if (!kid) {
+      return Promise.reject(Error(`No kid supplied, but client-assertion jwt-bearer requested.`));
+    } else if (typeof signCallbacks?.signCallback !== "function") {
+      return Promise.reject(Error(`No sign callback supplied, but client-assertion jwt-bearer requested.`));
+    } else if (!credentialIssuer) {
+      return Promise.reject(Error(`No credential issuer supplied, but client-assertion jwt-bearer requested.`));
+    }
+    if (clientId.startsWith("http") && kid.includes("#")) {
+      kid = kid.split("#")[1];
+    }
+    const jwt = {
+      header: {
+        typ: "JWT",
+        kid,
+        alg: alg ?? "ES256"
+      },
+      payload: {
+        iss: clientId,
+        sub: clientId,
+        aud: credentialIssuer,
+        jti: (0, import_oid4vc_common.uuidv4)(),
+        exp: Math.floor(Date.now()) / 1e3 + 60,
+        iat: Math.floor(Date.now()) / 1e3 - 60
+      }
+    };
+    const pop = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: signCallbacks,
+      version: opts.version ?? import_oid4vci_common6.OpenId4VCIVersion.VER_1_0_13,
+      mode: "JWT"
+    }).build();
+    request.client_assertion_type = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
+    request.client_assertion = pop.jwt;
+  }
+}, "createJwtBearerClientAssertion");
+
+// lib/functions/CredentialOfferCommons.ts
+var import_oid4vci_common7 = require("@sphereon/oid4vci-common");
+var import_cross_fetch = require("cross-fetch");
+function isUriEncoded(str) {
+  const pattern = /%[0-9A-F]{2}/i;
+  return pattern.test(str);
+}
+__name(isUriEncoded, "isUriEncoded");
+async function handleCredentialOfferUri(uri) {
+  const uriObj = (0, import_oid4vci_common7.getURIComponentsAsArray)(uri);
+  const credentialOfferUri = decodeURIComponent(uriObj["credential_offer_uri"]);
+  const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri;
+  const response = await (0, import_cross_fetch.fetch)(decodedUri);
+  if (!(response && response.status >= 200 && response.status < 400)) {
+    return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`);
+  }
+  if (response.headers.get("Content-Type")?.startsWith("application/json") === false) {
+    return Promise.reject("the credential offer URI endpoint did not return content type application/json");
+  }
+  return {
+    credential_offer: (0, import_oid4vci_common7.decodeJsonProperties)(await response.json())
+  };
+}
+__name(handleCredentialOfferUri, "handleCredentialOfferUri");
+function constructBaseResponse(request, scheme, baseUrl) {
+  const clientId = (0, import_oid4vci_common7.getClientIdFromCredentialOfferPayload)(request.credential_offer);
+  const grants = request.credential_offer?.grants;
+  return {
+    scheme,
+    baseUrl,
+    ...clientId && {
+      clientId
+    },
+    ...request,
+    ...grants?.authorization_code?.issuer_state && {
+      issuerState: grants.authorization_code.issuer_state
+    },
+    ...grants?.[import_oid4vci_common7.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common7.PRE_AUTH_CODE_LITERAL] && {
+      preAuthorizedCode: grants[import_oid4vci_common7.PRE_AUTH_GRANT_LITERAL][import_oid4vci_common7.PRE_AUTH_CODE_LITERAL]
+    },
+    ...request.credential_offer?.grants?.[import_oid4vci_common7.PRE_AUTH_GRANT_LITERAL]?.tx_code && {
+      txCode: request.credential_offer.grants[import_oid4vci_common7.PRE_AUTH_GRANT_LITERAL].tx_code
+    }
+  };
+}
+__name(constructBaseResponse, "constructBaseResponse");
+
+// lib/MetadataClientV1_0_13.ts
+var debug2 = (0, import_debug2.default)("sphereon:oid4vci:metadata");
+var MetadataClientV1_0_13 = class _MetadataClientV1_0_13 {
+  static {
+    __name(this, "MetadataClientV1_0_13");
+  }
+  /**
+  * Retrieve metadata using the Initiation obtained from a previous step
+  *
+  * @param credentialOffer
+  */
+  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
+    return _MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
+  }
+  /**
+  * Retrieve the metada using the initiation request obtained from a previous step
+  * @param request
+  */
+  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
+    const issuer = (0, import_oid4vci_common8.getIssuerFromCredentialOfferPayload)(request);
+    if (issuer) {
+      return _MetadataClientV1_0_13.retrieveAllMetadata(issuer);
+    }
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
+  }
+  /**
+  * Retrieve all metadata from an issuer
+  * @param issuer The issuer URL
+  * @param opts
+  */
+  static async retrieveAllMetadata(issuer, opts) {
+    let token_endpoint;
+    let credential_endpoint;
+    let deferred_credential_endpoint;
+    let authorization_endpoint;
+    let authorization_challenge_endpoint;
+    let authorizationServerType = "OID4VCI";
+    let authorization_servers = [
+      issuer
+    ];
+    const oid4vciResponse = await _MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, {
+      errorOnNotFound: false
+    });
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      debug2(`Issuer ${issuer} OID4VCI well-known server metadata\r
+${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
+      }
+      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
+      if (credentialIssuerMetadata.authorization_servers) {
+        authorization_servers = credentialIssuerMetadata.authorization_servers;
+      }
+    }
+    let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common8.WellKnownEndpoints.OPENID_CONFIGURATION, {
+      errorOnNotFound: false
+    });
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      debug2(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = "OIDC";
+    } else {
+      response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common8.WellKnownEndpoints.OAUTH_AS, {
+        errorOnNotFound: false
+      });
+      authMetadata = response.successBody;
+    }
+    if (!authMetadata) {
+      if (!authorization_servers.includes(issuer)) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
+      }
+    } else {
+      if (!authorizationServerType) {
+        authorizationServerType = "OAuth 2.0";
+      }
+      debug2(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      if (!authMetadata.authorization_endpoint) {
+        console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
+      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
+        throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
+      }
+      authorization_endpoint = authMetadata.authorization_endpoint;
+      if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
+        throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
+      }
+      authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
+      if (!authMetadata.token_endpoint) {
+        throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
+      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
+        throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
+      }
+      token_endpoint = authMetadata.token_endpoint;
+      if (authMetadata.credential_endpoint) {
+        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
+          debug2(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
+        } else {
+          credential_endpoint = authMetadata.credential_endpoint;
+        }
+      }
+      if (authMetadata.deferred_credential_endpoint) {
+        if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
+          debug2(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
+        } else {
+          deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
+        }
+      }
+    }
+    if (!authorization_endpoint) {
+      debug2(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+    }
+    if (!token_endpoint) {
+      debug2(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
+      } else {
+        token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
+      }
+    }
+    if (!credential_endpoint) {
+      debug2(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
+      } else {
+        credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
+      }
+    }
+    if (!credentialIssuerMetadata && authMetadata) {
+      credentialIssuerMetadata = authMetadata;
+    }
+    debug2(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    return {
+      issuer,
+      token_endpoint,
+      credential_endpoint,
+      deferred_credential_endpoint,
+      authorization_server: authorization_servers[0],
+      authorization_endpoint,
+      authorization_challenge_endpoint,
+      authorizationServerType,
+      credentialIssuerMetadata,
+      authorizationServerMetadata: authMetadata
+    };
+  }
+  /**
+  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
+  *
+  * @param issuerHost The issuer hostname
+  * @param opts
+  */
+  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
+    return retrieveWellknown(issuerHost, import_oid4vci_common8.WellKnownEndpoints.OPENID4VCI_ISSUER, {
+      errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
+    });
+  }
+};
+
+// lib/functions/dpopUtil.ts
+var import_oid4vc_common2 = require("@sphereon/oid4vc-common");
+function shouldRetryTokenRequestWithDPoPNonce(response) {
+  if (!response.errorBody || response.errorBody.error !== import_oid4vc_common2.dpopTokenRequestNonceError) {
+    return {
+      ok: false
+    };
+  }
+  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+  if (!dPoPNonce) {
+    throw new Error("Missing required DPoP-Nonce header.");
+  }
+  return {
+    ok: true,
+    dpopNonce: dPoPNonce
+  };
+}
+__name(shouldRetryTokenRequestWithDPoPNonce, "shouldRetryTokenRequestWithDPoPNonce");
+function shouldRetryResourceRequestWithDPoPNonce(response) {
+  if (!response.errorBody || response.origResponse.status !== 401) {
+    return {
+      ok: false
+    };
+  }
+  const wwwAuthenticateHeader = response.origResponse.headers.get("WWW-Authenticate");
+  if (!wwwAuthenticateHeader?.includes(import_oid4vc_common2.dpopTokenRequestNonceError)) {
+    return {
+      ok: false
+    };
+  }
+  const dPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+  if (!dPoPNonce) {
+    throw new Error("Missing required DPoP-Nonce header.");
+  }
+  return {
+    ok: true,
+    dpopNonce: dPoPNonce
+  };
+}
+__name(shouldRetryResourceRequestWithDPoPNonce, "shouldRetryResourceRequestWithDPoPNonce");
+
+// lib/AccessTokenClient.ts
+var AccessTokenClient = class _AccessTokenClient {
+  static {
+    __name(this, "AccessTokenClient");
+  }
+  async acquireAccessToken(opts) {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
+    const credentialOffer = opts.credentialOffer ? await (0, import_oid4vci_common9.assertedUniformCredentialOffer)(opts.credentialOffer) : void 0;
+    const pinMetadata = credentialOffer && this.getPinMetadata(credentialOffer.credential_offer);
+    const issuer = opts.credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common9.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata?.issuer);
+    if (!issuer) {
+      throw Error("Issuer required at this point");
+    }
+    const issuerOpts = {
+      issuer
+    };
+    return await this.acquireAccessTokenUsingRequest({
+      accessTokenRequest: await this.createAccessTokenRequest({
+        credentialOffer,
+        asOpts,
+        codeVerifier,
+        code,
+        redirectUri,
+        pin,
+        credentialIssuer: issuer,
+        metadata,
+        additionalParams: opts.additionalParams,
+        pinMetadata
+      }),
+      pinMetadata,
+      metadata,
+      asOpts,
+      issuerOpts,
+      createDPoPOpts
+    });
+  }
+  async acquireAccessTokenUsingRequest({ accessTokenRequest, pinMetadata, metadata, asOpts, issuerOpts, createDPoPOpts }) {
+    this.validate(accessTokenRequest, pinMetadata);
+    const requestTokenURL = _AccessTokenClient.determineTokenURL({
+      asOpts,
+      issuerOpts,
+      metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
+        errorOnNotFound: false
+      }) : void 0
+    });
+    const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
+    let dPoP = useDpop ? await (0, import_oid4vc_common3.createDPoP)((0, import_oid4vc_common3.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL)) : void 0;
+    let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
+      headers: {
+        dpop: dPoP
+      }
+    } : void 0);
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await (0, import_oid4vc_common3.createDPoP)((0, import_oid4vc_common3.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL));
+      response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
+        headers: {
+          dpop: dPoP
+        }
+      } : void 0);
+      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+    if (response.successBody && createDPoPOpts && response.successBody.token_type !== "DPoP") {
+      throw new Error("Invalid token type returned. Expected DPoP. Received: " + response.successBody.token_type);
+    }
+    return {
+      ...response,
+      ...nextDPoPNonce && {
+        params: {
+          dpop: {
+            dpopNonce: nextDPoPNonce
+          }
+        }
+      }
+    };
+  }
+  async createAccessTokenRequest(opts) {
+    const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
+    const credentialOfferRequest = opts.credentialOffer ? await (0, import_oid4vci_common9.toUniformCredentialOfferRequest)(opts.credentialOffer) : void 0;
+    const request = {
+      ...opts.additionalParams
+    };
+    if (asOpts?.clientOpts?.clientId) {
+      request.client_id = asOpts.clientOpts.clientId;
+    }
+    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
+    await createJwtBearerClientAssertion(request, {
+      ...opts,
+      credentialIssuer
+    });
+    if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(import_oid4vci_common9.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
+      request.grant_type = import_oid4vci_common9.GrantTypes.AUTHORIZATION_CODE;
+      request.code = code;
+      request.redirect_uri = redirectUri;
+      if (codeVerifier) {
+        request.code_verifier = codeVerifier;
+      }
+      return request;
+    }
+    if (credentialOfferRequest?.supportedFlows.includes(import_oid4vci_common9.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertAlphanumericPin(opts.pinMetadata, pin);
+      request.user_pin = pin;
+      request.tx_code = pin;
+      request.grant_type = import_oid4vci_common9.GrantTypes.PRE_AUTHORIZED_CODE;
+      request[import_oid4vci_common9.PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[import_oid4vci_common9.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common9.PRE_AUTH_CODE_LITERAL];
+      return request;
+    }
+    throw new Error("Credential offer request follows neither pre-authorized code nor authorization code flow requirements.");
+  }
+  assertPreAuthorizedGrantType(grantType) {
+    if (import_oid4vci_common9.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+      throw new Error("grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'");
+    }
+  }
+  assertAuthorizationGrantType(grantType) {
+    if (import_oid4vci_common9.GrantTypes.AUTHORIZATION_CODE !== grantType) {
+      throw new Error("grant type must be 'authorization_code'");
+    }
+  }
+  getPinMetadata(requestPayload) {
+    if (!requestPayload) {
+      throw new Error(import_oid4vci_common9.TokenErrorResponse.invalid_request);
+    }
+    const issuer = (0, import_oid4vci_common9.getIssuerFromCredentialOfferPayload)(requestPayload);
+    const grantDetails = requestPayload.grants?.[import_oid4vci_common9.PRE_AUTH_GRANT_LITERAL];
+    const isPinRequired = !!(grantDetails?.tx_code ?? false);
+    LOG.warning(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    return {
+      txCode: grantDetails?.tx_code,
+      isPinRequired
+    };
+  }
+  assertAlphanumericPin(pinMeta, pin) {
+    if (pinMeta && pinMeta.isPinRequired) {
+      let regex;
+      if (pinMeta.txCode) {
+        const { input_mode, length } = pinMeta.txCode;
+        if (input_mode === "numeric") {
+          regex = length ? new RegExp(`^\\d{1,${length}}$`) : /^\d+$/;
+        } else if (input_mode === "text") {
+          regex = length ? new RegExp(`^[a-zA-Z0-9]{1,${length}}$`) : /^[a-zA-Z0-9]+$/;
+        }
+      }
+      regex = regex || /^[a-zA-Z0-9]+$|^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+$/;
+      if (!pin || !regex.test(pin)) {
+        LOG.warning(`Pin is not valid. Expected format: ${pinMeta?.txCode?.input_mode || "alphanumeric"}, Length: up to ${pinMeta?.txCode?.length || "any number of"} characters`);
+        throw new Error("A valid pin must be present according to the specified transaction code requirements.");
+      }
+    } else if (pin) {
+      LOG.warning("Pin set, whilst not required");
+      throw new Error("Cannot set a pin when the pin is not required.");
+    }
+  }
+  assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
+    if (!accessTokenRequest[import_oid4vci_common9.PRE_AUTH_CODE_LITERAL]) {
+      LOG.warning(`No pre-authorized code present, whilst it is required`, accessTokenRequest);
+      throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
+    }
+  }
+  assertNonEmptyCodeVerifier(accessTokenRequest) {
+    if (!accessTokenRequest.code_verifier) {
+      LOG.warning("No code_verifier present, whilst it is required", accessTokenRequest);
+      throw new Error("Authorization flow requires the code_verifier to be present");
+    }
+  }
+  assertNonEmptyCode(accessTokenRequest) {
+    if (!accessTokenRequest.code) {
+      LOG.warning("No code present, whilst it is required");
+      throw new Error("Authorization flow requires the code to be present");
+    }
+  }
+  validate(accessTokenRequest, pinMeta) {
+    if (accessTokenRequest.grant_type === import_oid4vci_common9.GrantTypes.PRE_AUTHORIZED_CODE) {
+      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+      this.assertAlphanumericPin(pinMeta, accessTokenRequest.tx_code ?? accessTokenRequest.user_pin);
+    } else if (accessTokenRequest.grant_type === import_oid4vci_common9.GrantTypes.AUTHORIZATION_CODE) {
+      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyCodeVerifier(accessTokenRequest);
+      this.assertNonEmptyCode(accessTokenRequest);
+    } else {
+      this.throwNotSupportedFlow();
+    }
+  }
+  async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
+    return await (0, import_oid4vci_common9.formPost)(requestTokenURL, (0, import_oid4vci_common9.convertJsonToURI)(accessTokenRequest, {
+      mode: import_oid4vci_common9.JsonURIMode.X_FORM_WWW_URLENCODED
+    }), {
+      customHeaders: opts?.headers ? opts.headers : void 0
+    });
+  }
+  static determineTokenURL({ asOpts, issuerOpts, metadata }) {
+    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
+      throw new Error("Cannot determine token URL if no issuer, metadata and no Authorization Server values are present");
+    }
+    let url;
+    if (asOpts && asOpts.as) {
+      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
+    } else if (metadata?.token_endpoint) {
+      url = metadata.token_endpoint;
+    } else {
+      if (!issuerOpts?.issuer) {
+        throw Error("Either authorization server options, a token endpoint or issuer options are required at this point");
+      }
+      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+    }
+    if (!url || !import_ssi_types2.ObjectUtils.isString(url)) {
+      throw new Error("No authorization server token URL present. Cannot acquire access token");
+    }
+    LOG.debug(`Token endpoint determined to be ${url}`);
+    return url;
+  }
+  static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
+    if (allowInsecureEndpoints !== true && url.startsWith("http:")) {
+      throw Error(`Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`);
+    }
+    const hostname = url.replace(/https?:\/\//, "").replace(/\/$/, "");
+    const endpoint = tokenEndpoint ? tokenEndpoint.startsWith("/") ? tokenEndpoint : tokenEndpoint.substring(1) : "/token";
+    const scheme = url.split("://")[0];
+    return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
+  }
+  throwNotSupportedFlow() {
+    LOG.warning(`Only pre-authorized or authorization code flows supported.`);
+    throw new Error("Only pre-authorized-code or authorization code flows are supported");
+  }
+};
+
+// lib/AccessTokenClientV1_0_11.ts
+var import_oid4vc_common4 = require("@sphereon/oid4vc-common");
+var import_oid4vci_common10 = require("@sphereon/oid4vci-common");
+var import_ssi_types3 = require("@sphereon/ssi-types");
+var import_debug3 = __toESM(require("debug"), 1);
+var debug3 = (0, import_debug3.default)("sphereon:oid4vci:token");
+var AccessTokenClientV1_0_11 = class _AccessTokenClientV1_0_11 {
+  static {
+    __name(this, "AccessTokenClientV1_0_11");
+  }
+  async acquireAccessToken(opts) {
+    const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts;
+    const credentialOffer = opts.credentialOffer ? await (0, import_oid4vci_common10.assertedUniformCredentialOffer)(opts.credentialOffer) : void 0;
+    const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer);
+    const issuer = opts.credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : metadata?.issuer);
+    if (!issuer) {
+      throw Error("Issuer required at this point");
+    }
+    const issuerOpts = {
+      issuer
+    };
+    return await this.acquireAccessTokenUsingRequest({
+      accessTokenRequest: await this.createAccessTokenRequest({
+        credentialOffer,
+        asOpts,
+        codeVerifier,
+        code,
+        redirectUri,
+        pin,
+        credentialIssuer: issuer,
+        metadata,
+        additionalParams: opts.additionalParams,
+        pinMetadata: opts.pinMetadata
+      }),
+      isPinRequired,
+      metadata,
+      asOpts,
+      issuerOpts,
+      createDPoPOpts
+    });
+  }
+  async acquireAccessTokenUsingRequest({ accessTokenRequest, isPinRequired, metadata, asOpts, createDPoPOpts, issuerOpts }) {
+    this.validate(accessTokenRequest, isPinRequired);
+    const requestTokenURL = _AccessTokenClientV1_0_11.determineTokenURL({
+      asOpts,
+      issuerOpts,
+      metadata: metadata ? metadata : issuerOpts?.fetchMetadata ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, {
+        errorOnNotFound: false
+      }) : void 0
+    });
+    const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0;
+    let dPoP = useDpop ? await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL)) : void 0;
+    let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
+      headers: {
+        dpop: dPoP
+      }
+    } : void 0);
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await (0, import_oid4vc_common4.createDPoP)((0, import_oid4vc_common4.getCreateDPoPOptions)(createDPoPOpts, requestTokenURL));
+      response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? {
+        headers: {
+          dpop: dPoP
+        }
+      } : void 0);
+      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+    if (response.successBody && createDPoPOpts && response.successBody.token_type !== "DPoP") {
+      throw new Error("Invalid token type returned. Expected DPoP. Received: " + response.successBody.token_type);
+    }
+    return {
+      ...response,
+      ...nextDPoPNonce && {
+        params: {
+          dpop: {
+            dpopNonce: nextDPoPNonce
+          }
+        }
+      }
+    };
+  }
+  async createAccessTokenRequest(opts) {
+    const { asOpts, pin, codeVerifier, code, redirectUri } = opts;
+    const credentialOfferRequest = opts.credentialOffer ? await (0, import_oid4vci_common10.toUniformCredentialOfferRequest)(opts.credentialOffer) : void 0;
+    const request = {
+      ...opts.additionalParams
+    };
+    const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer;
+    if (asOpts?.clientOpts?.clientId) {
+      request.client_id = asOpts.clientOpts.clientId;
+    }
+    await createJwtBearerClientAssertion(request, {
+      ...opts,
+      version: import_oid4vci_common10.OpenId4VCIVersion.VER_1_0_11,
+      credentialIssuer
+    });
+    if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {
+      request.grant_type = import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE;
+      request.code = code;
+      request.redirect_uri = redirectUri;
+      if (codeVerifier) {
+        request.code_verifier = codeVerifier;
+      }
+      return request;
+    }
+    if (credentialOfferRequest?.supportedFlows.includes(import_oid4vci_common10.AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {
+      this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin);
+      request.user_pin = pin;
+      request.grant_type = import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE;
+      request[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL];
+      return request;
+    }
+    throw new Error("Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.");
+  }
+  assertPreAuthorizedGrantType(grantType) {
+    if (import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {
+      throw new Error("grant type must be PRE_AUTH_GRANT_LITERAL");
+    }
+  }
+  assertAuthorizationGrantType(grantType) {
+    if (import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE !== grantType) {
+      throw new Error("grant type must be 'authorization_code'");
+    }
+  }
+  isPinRequiredValue(requestPayload) {
+    let isPinRequired = false;
+    if (!requestPayload) {
+      throw new Error(import_oid4vci_common10.TokenErrorResponse.invalid_request);
+    }
+    const issuer = (0, import_oid4vci_common10.getIssuerFromCredentialOfferPayload)(requestPayload);
+    if (requestPayload.grants?.[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]) {
+      isPinRequired = requestPayload.grants[import_oid4vci_common10.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false;
+    }
+    debug3(`Pin required for issuer ${issuer}: ${isPinRequired}`);
+    return isPinRequired;
+  }
+  assertNumericPin(isPinRequired, pin) {
+    if (isPinRequired) {
+      if (!pin || !/^\d{1,8}$/.test(pin)) {
+        debug3(`Pin is not 1 to 8 digits long`);
+        throw new Error("A valid pin consisting of maximal 8 numeric characters must be present.");
+      }
+    } else if (pin) {
+      debug3(`Pin set, whilst not required`);
+      throw new Error("Cannot set a pin, when the pin is not required.");
+    }
+  }
+  assertNonEmptyPreAuthorizedCode(accessTokenRequest) {
+    if (!accessTokenRequest[import_oid4vci_common10.PRE_AUTH_CODE_LITERAL]) {
+      debug3(`No pre-authorized code present, whilst it is required`);
+      throw new Error("Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.");
+    }
+  }
+  assertNonEmptyCodeVerifier(accessTokenRequest) {
+    if (!accessTokenRequest.code_verifier) {
+      debug3("No code_verifier present, whilst it is required");
+      throw new Error("Authorization flow requires the code_verifier to be present");
+    }
+  }
+  assertNonEmptyCode(accessTokenRequest) {
+    if (!accessTokenRequest.code) {
+      debug3("No code present, whilst it is required");
+      throw new Error("Authorization flow requires the code to be present");
+    }
+  }
+  validate(accessTokenRequest, isPinRequired) {
+    if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.PRE_AUTHORIZED_CODE) {
+      this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyPreAuthorizedCode(accessTokenRequest);
+      this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin);
+    } else if (accessTokenRequest.grant_type === import_oid4vci_common10.GrantTypes.AUTHORIZATION_CODE) {
+      this.assertAuthorizationGrantType(accessTokenRequest.grant_type);
+      this.assertNonEmptyCodeVerifier(accessTokenRequest);
+      this.assertNonEmptyCode(accessTokenRequest);
+    } else {
+      this.throwNotSupportedFlow();
+    }
+  }
+  async sendAuthCode(requestTokenURL, accessTokenRequest, opts) {
+    return await (0, import_oid4vci_common10.formPost)(requestTokenURL, (0, import_oid4vci_common10.convertJsonToURI)(accessTokenRequest, {
+      mode: import_oid4vci_common10.JsonURIMode.X_FORM_WWW_URLENCODED
+    }), {
+      customHeaders: opts?.headers ? opts.headers : void 0
+    });
+  }
+  static determineTokenURL({ asOpts, issuerOpts, metadata }) {
+    if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {
+      throw new Error("Cannot determine token URL if no issuer, metadata and no Authorization Server values are present");
+    }
+    let url;
+    if (asOpts && asOpts.as) {
+      url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint);
+    } else if (metadata?.token_endpoint) {
+      url = metadata.token_endpoint;
+    } else {
+      if (!issuerOpts?.issuer) {
+        throw Error("Either authorization server options, a token endpoint or issuer options are required at this point");
+      }
+      url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint);
+    }
+    if (!url || !import_ssi_types3.ObjectUtils.isString(url)) {
+      throw new Error("No authorization server token URL present. Cannot acquire access token");
+    }
+    debug3(`Token endpoint determined to be ${url}`);
+    return url;
+  }
+  static creatTokenURLFromURL(url, allowInsecureEndpoints, tokenEndpoint) {
+    if (allowInsecureEndpoints !== true && url.startsWith("http:")) {
+      throw Error(`Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`);
+    }
+    const hostname = url.replace(/https?:\/\//, "").replace(/\/$/, "");
+    const endpoint = tokenEndpoint ? tokenEndpoint.startsWith("/") ? tokenEndpoint : tokenEndpoint.substring(1) : "/token";
+    const scheme = url.split("://")[0];
+    return `${scheme ? scheme + "://" : "https://"}${hostname}${endpoint}`;
+  }
+  throwNotSupportedFlow() {
+    debug3(`Only pre-authorized or authorization code flows supported.`);
+    throw new Error("Only pre-authorized-code or authorization code flows are supported");
+  }
+};
+
+// lib/AuthorizationCodeClient.ts
+var import_oid4vci_common13 = require("@sphereon/oid4vci-common");
+var import_debug6 = __toESM(require("debug"), 1);
+
+// lib/MetadataClient.ts
+var import_oid4vci_common12 = require("@sphereon/oid4vci-common");
+var import_debug5 = __toESM(require("debug"), 1);
+
+// lib/MetadataClientV1_0_11.ts
+var import_oid4vci_common11 = require("@sphereon/oid4vci-common");
+var import_debug4 = __toESM(require("debug"), 1);
+var debug4 = (0, import_debug4.default)("sphereon:oid4vci:metadata");
+var MetadataClientV1_0_11 = class _MetadataClientV1_0_11 {
+  static {
+    __name(this, "MetadataClientV1_0_11");
+  }
+  /**
+  * Retrieve metadata using the Initiation obtained from a previous step
+  *
+  * @param credentialOffer
+  */
+  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
+    return _MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer);
+  }
+  /**
+  * Retrieve the metada using the initiation request obtained from a previous step
+  * @param request
+  */
+  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
+    const issuer = (0, import_oid4vci_common11.getIssuerFromCredentialOfferPayload)(request);
+    if (issuer) {
+      return _MetadataClientV1_0_11.retrieveAllMetadata(issuer);
+    }
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
+  }
+  /**
+  * Retrieve all metadata from an issuer
+  * @param issuer The issuer URL
+  * @param opts
+  */
+  static async retrieveAllMetadata(issuer, opts) {
+    let token_endpoint;
+    let credential_endpoint;
+    let deferred_credential_endpoint;
+    let authorization_endpoint;
+    let authorization_challenge_endpoint;
+    let authorizationServerType = "OID4VCI";
+    let authorization_server = issuer;
+    const oid4vciResponse = await _MetadataClientV1_0_11.retrieveOpenID4VCIServerMetadata(issuer, {
+      errorOnNotFound: false
+    });
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      debug4(`Issuer ${issuer} OID4VCI well-known server metadata\r
+${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
+      }
+      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
+      if (credentialIssuerMetadata.authorization_server) {
+        authorization_server = credentialIssuerMetadata.authorization_server;
+      }
+      if (credentialIssuerMetadata.authorization_endpoint) {
+        authorization_endpoint = credentialIssuerMetadata.authorization_endpoint;
+      }
+    }
+    let response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OPENID_CONFIGURATION, {
+      errorOnNotFound: false
+    });
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      debug4(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = "OIDC";
+    } else {
+      response = await retrieveWellknown(authorization_server, import_oid4vci_common11.WellKnownEndpoints.OAUTH_AS, {
+        errorOnNotFound: false
+      });
+      authMetadata = response.successBody;
+    }
+    if (!authMetadata) {
+      if (issuer !== authorization_server) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`);
+      }
+    } else {
+      if (!authorizationServerType) {
+        authorizationServerType = "OAuth 2.0";
+      }
+      debug4(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      if (!authMetadata.authorization_endpoint) {
+        console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
+      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
+        throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
+      }
+      authorization_endpoint = authMetadata.authorization_endpoint;
+      if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
+        throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
+      }
+      authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
+      if (!authMetadata.token_endpoint) {
+        throw Error(`Authorization Server ${authorization_server} did not provide a token_endpoint`);
+      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
+        throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
+      }
+      token_endpoint = authMetadata.token_endpoint;
+      if (authMetadata.credential_endpoint) {
+        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
+          debug4(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
+        } else {
+          credential_endpoint = authMetadata.credential_endpoint;
+        }
+      }
+      if (authMetadata.deferred_credential_endpoint) {
+        if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
+          debug4(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
+        } else {
+          deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
+        }
+      }
+    }
+    if (!authorization_endpoint) {
+      debug4(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+    }
+    if (!token_endpoint) {
+      debug4(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
+      } else {
+        token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
+      }
+    }
+    if (!credential_endpoint) {
+      debug4(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
+      } else {
+        credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
+      }
+    }
+    if (!credentialIssuerMetadata && authMetadata) {
+      credentialIssuerMetadata = authMetadata;
+    }
+    debug4(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    return {
+      issuer,
+      token_endpoint,
+      credential_endpoint,
+      deferred_credential_endpoint,
+      authorization_server,
+      authorization_endpoint,
+      authorization_challenge_endpoint,
+      authorizationServerType,
+      credentialIssuerMetadata,
+      authorizationServerMetadata: authMetadata
+    };
+  }
+  /**
+  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
+  *
+  * @param issuerHost The issuer hostname
+  */
+  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
+    return retrieveWellknown(issuerHost, import_oid4vci_common11.WellKnownEndpoints.OPENID4VCI_ISSUER, {
+      errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
+    });
+  }
+};
+
+// lib/MetadataClient.ts
+var debug5 = (0, import_debug5.default)("sphereon:oid4vci:metadata");
+var MetadataClient = class _MetadataClient {
+  static {
+    __name(this, "MetadataClient");
+  }
+  /**
+  * Retrieve metadata using the Initiation obtained from a previous step
+  *
+  * @param credentialOffer
+  */
+  static async retrieveAllMetadataFromCredentialOffer(credentialOffer) {
+    if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(credentialOffer.credential_offer) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
+      return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer);
+    } else {
+      return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer);
+    }
+  }
+  /**
+  * Retrieve the metada using the initiation request obtained from a previous step
+  * @param request
+  */
+  static async retrieveAllMetadataFromCredentialOfferRequest(request) {
+    const issuer = (0, import_oid4vci_common12.getIssuerFromCredentialOfferPayload)(request);
+    if (issuer) {
+      if ((0, import_oid4vci_common12.determineSpecVersionFromOffer)(request) >= import_oid4vci_common12.OpenId4VCIVersion.VER_1_0_13) {
+        return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request);
+      } else {
+        return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request);
+      }
+    }
+    throw new Error("can't retrieve metadata from CredentialOfferRequest. No issuer field is present");
+  }
+  /**
+  * Retrieve all metadata from an issuer
+  * @param issuer The issuer URL
+  * @param opts
+  */
+  static async retrieveAllMetadata(issuer, opts) {
+    let token_endpoint;
+    let credential_endpoint;
+    let deferred_credential_endpoint;
+    let authorization_endpoint;
+    let authorization_challenge_endpoint;
+    let authorizationServerType = "OID4VCI";
+    let authorization_servers = [
+      issuer
+    ];
+    let authorization_server = void 0;
+    const oid4vciResponse = await _MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, {
+      errorOnNotFound: false
+    });
+    let credentialIssuerMetadata = oid4vciResponse?.successBody;
+    if (credentialIssuerMetadata) {
+      debug5(`Issuer ${issuer} OID4VCI well-known server metadata\r
+${JSON.stringify(credentialIssuerMetadata)}`);
+      credential_endpoint = credentialIssuerMetadata.credential_endpoint;
+      deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint ? credentialIssuerMetadata.deferred_credential_endpoint : void 0;
+      if (credentialIssuerMetadata.token_endpoint) {
+        token_endpoint = credentialIssuerMetadata.token_endpoint;
+      }
+      authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint;
+      if (credentialIssuerMetadata.authorization_servers) {
+        authorization_servers = credentialIssuerMetadata.authorization_servers;
+      } else if (credentialIssuerMetadata.authorization_server) {
+        authorization_server = credentialIssuerMetadata.authorization_server;
+        authorization_servers = [
+          authorization_server
+        ];
+      }
+    }
+    let response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OPENID_CONFIGURATION, {
+      errorOnNotFound: false
+    });
+    let authMetadata = response.successBody;
+    if (authMetadata) {
+      debug5(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`);
+      authorizationServerType = "OIDC";
+    } else {
+      response = await retrieveWellknown(authorization_servers[0], import_oid4vci_common12.WellKnownEndpoints.OAUTH_AS, {
+        errorOnNotFound: false
+      });
+      authMetadata = response.successBody;
+    }
+    if (!authMetadata) {
+      if (!authorization_servers.includes(issuer)) {
+        throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`);
+      }
+    } else {
+      if (!authorizationServerType) {
+        authorizationServerType = "OAuth 2.0";
+      }
+      debug5(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`);
+      if (!authMetadata.authorization_endpoint) {
+        console.warn(`Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`);
+      } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {
+        throw Error(`Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`);
+      }
+      authorization_endpoint = authMetadata.authorization_endpoint;
+      if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {
+        throw Error(`Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`);
+      }
+      authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint;
+      if (!authMetadata.token_endpoint) {
+        throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`);
+      } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {
+        throw Error(`Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`);
+      }
+      token_endpoint = authMetadata.token_endpoint;
+      if (authMetadata.credential_endpoint) {
+        if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {
+          debug5(`Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`);
+        } else {
+          credential_endpoint = authMetadata.credential_endpoint;
+        }
+      }
+      if (authMetadata.deferred_credential_endpoint) {
+        if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {
+          debug5(`Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`);
+        } else {
+          deferred_credential_endpoint = authMetadata.deferred_credential_endpoint;
+        }
+      }
+    }
+    if (!authorization_endpoint) {
+      debug5(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`);
+    }
+    if (!token_endpoint) {
+      debug5(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the token_endpoint for ${issuer}`);
+      } else {
+        token_endpoint = `${issuer}${issuer.endsWith("/") ? "token" : "/token"}`;
+      }
+    }
+    if (!credential_endpoint) {
+      debug5(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`);
+      if (opts?.errorOnNotFound) {
+        throw Error(`Could not deduce the credential endpoint for ${issuer}`);
+      } else {
+        credential_endpoint = `${issuer}${issuer.endsWith("/") ? "credential" : "/credential"}`;
+      }
+    }
+    if (!credentialIssuerMetadata && authMetadata) {
+      credentialIssuerMetadata = authorization_server ? authMetadata : authMetadata;
+    }
+    debug5(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`);
+    return {
+      issuer,
+      token_endpoint,
+      credential_endpoint,
+      deferred_credential_endpoint,
+      ...authorization_server ? {
+        authorization_server
+      } : {
+        authorization_servers
+      },
+      authorization_endpoint,
+      authorization_challenge_endpoint,
+      authorizationServerType,
+      credentialIssuerMetadata: authorization_server ? credentialIssuerMetadata : credentialIssuerMetadata,
+      authorizationServerMetadata: authMetadata
+    };
+  }
+  /**
+  * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata
+  *
+  * @param issuerHost The issuer hostname
+  * @param opts
+  */
+  static async retrieveOpenID4VCIServerMetadata(issuerHost, opts) {
+    return retrieveWellknown(issuerHost, import_oid4vci_common12.WellKnownEndpoints.OPENID4VCI_ISSUER, {
+      errorOnNotFound: opts?.errorOnNotFound === void 0 ? true : opts.errorOnNotFound
+    });
+  }
+};
+
+// lib/AuthorizationCodeClient.ts
+var debug6 = (0, import_debug6.default)("sphereon:oid4vci");
+async function createSignedAuthRequestWhenNeeded(requestObject, opts) {
+  if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_URI) {
+    throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`);
+  } else if (opts.requestObjectMode === import_oid4vci_common13.CreateRequestObjectMode.REQUEST_OBJECT) {
+    if (typeof opts.signCallbacks?.signCallback !== "function") {
+      throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`);
+    } else if (!opts.kid) {
+      throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`);
+    }
+    let client_metadata;
+    if (opts.clientMetadata || opts.jwksUri) {
+      client_metadata = opts.clientMetadata ?? {};
+      if (opts.jwksUri) {
+        client_metadata["jwks_uri"] = opts.jwksUri;
+      }
+    }
+    let authorization_details = requestObject["authorization_details"];
+    if (typeof authorization_details === "string") {
+      authorization_details = JSON.parse(requestObject.authorization_details);
+    }
+    if (!requestObject.aud && opts.aud) {
+      requestObject.aud = opts.aud;
+    }
+    const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id;
+    const jwt = {
+      header: {
+        alg: "ES256",
+        kid: opts.kid,
+        typ: "JWT"
+      },
+      payload: {
+        ...requestObject,
+        iss,
+        authorization_details,
+        ...client_metadata && {
+          client_metadata
+        }
+      }
+    };
+    const pop = await ProofOfPossessionBuilder.fromJwt({
+      jwt,
+      callbacks: opts.signCallbacks,
+      version: import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_11,
+      mode: "JWT"
+    }).build();
+    requestObject["request"] = pop.jwt;
+  }
+}
+__name(createSignedAuthRequestWhenNeeded, "createSignedAuthRequestWhenNeeded");
+function filterSupportedCredentials(credentialOffer, credentialsSupported) {
+  if (!credentialOffer.credential_configuration_ids || !credentialsSupported) {
+    return [];
+  }
+  return Object.entries(credentialsSupported).filter((entry) => credentialOffer.credential_configuration_ids?.includes(entry[0])).map((entry) => {
+    return {
+      ...entry[1],
+      configuration_id: entry[0]
+    };
+  });
+}
+__name(filterSupportedCredentials, "filterSupportedCredentials");
+var createAuthorizationRequestUrl = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialConfigurationSupported, clientId, version }) => {
+  function removeDisplayAndValueTypes(obj) {
+    const newObj = {
+      ...obj
+    };
+    for (const prop in newObj) {
+      if ([
+        "display",
+        "value_type"
+      ].includes(prop)) {
+        delete newObj[prop];
+      } else if (typeof newObj[prop] === "object") {
+        newObj[prop] = removeDisplayAndValueTypes(newObj[prop]);
+      }
+    }
+    return newObj;
+  }
+  __name(removeDisplayAndValueTypes, "removeDisplayAndValueTypes");
+  const { redirectUri, requestObjectOpts = {
+    requestObjectMode: import_oid4vci_common13.CreateRequestObjectMode.NONE
+  } } = authorizationRequest;
+  const client_id = clientId ?? authorizationRequest.clientId;
+  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata;
+  let { authorizationDetails } = authorizationRequest;
+  const parMode = authorizationMetadata?.require_pushed_authorization_requests ? import_oid4vci_common13.PARMode.REQUIRE : authorizationRequest.parMode ?? (client_id ? import_oid4vci_common13.PARMode.AUTO : import_oid4vci_common13.PARMode.NEVER);
+  if (!authorizationRequest.scope && !authorizationDetails) {
+    if (!credentialOffer) {
+      throw Error("Please provide a scope or authorization_details if no credential offer is present");
+    }
+    if ("credentials" in credentialOffer.credential_offer) {
+      throw new Error("CredentialOffer format is wrong.");
+    }
+    const ver = version ?? (0, import_oid4vci_common13.determineSpecVersionFromOffer)(credentialOffer.credential_offer) ?? import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13;
+    const creds = ver === import_oid4vci_common13.OpenId4VCIVersion.VER_1_0_13 ? filterSupportedCredentials(credentialOffer.credential_offer, credentialConfigurationSupported) : [];
+    authorizationDetails = creds.flatMap((cred) => {
+      const locations = [
+        credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer
+      ];
+      const credential_configuration_id = cred.configuration_id;
+      const format = credential_configuration_id ? void 0 : cred.format;
+      if (!credential_configuration_id && !cred.format) {
+        throw Error("format is required in authorization details");
+      }
+      const vct = cred.format === "vc+sd-jwt" ? cred.vct : void 0;
+      const doctype = cred.format === "mso_mdoc" ? cred.doctype : void 0;
+      let credential_definition = void 0;
+      if ((0, import_oid4vci_common13.isW3cCredentialSupported)(cred)) {
+        credential_definition = {
+          ...cred.credential_definition,
+          // type: OPTIONAL. Array as defined in Appendix A.1.1.2. This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST be present if the claim format is present in the root of the authorization details object. It MUST not be present otherwise.
+          // It meens we have a config_id, already mapping it to an explicit format and types
+          type: format ? cred.credential_definition.type : void 0,
+          credentialSubject: cred.credential_definition.credentialSubject ? removeDisplayAndValueTypes(cred.credential_definition.credentialSubject) : void 0
+        };
+      }
+      return {
+        type: "openid_credential",
+        locations,
+        ...credential_definition && {
+          credential_definition
+        },
+        ...credential_configuration_id && {
+          credential_configuration_id
+        },
+        ...format && {
+          format
+        },
+        ...vct && {
+          vct,
+          claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : void 0
+        },
+        ...doctype && {
+          doctype,
+          claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : void 0
+        }
+      };
+    });
+    if (!authorizationDetails || authorizationDetails.length === 0) {
+      throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
+    }
+  }
+  if (!endpointMetadata?.authorization_endpoint) {
+    throw Error("Server metadata does not contain authorization endpoint");
+  }
+  const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
+  let queryObj = {
+    response_type: import_oid4vci_common13.ResponseType.AUTH_CODE,
+    ...!pkce.disabled && {
+      code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common13.CodeChallengeMethod.S256,
+      code_challenge: pkce.codeChallenge
+    },
+    authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),
+    ...redirectUri && {
+      redirect_uri: redirectUri
+    },
+    ...client_id && {
+      client_id
+    },
+    ...credentialOffer?.issuerState && {
+      issuer_state: credentialOffer.issuerState
+    },
+    scope: authorizationRequest.scope
+  };
+  if (credentialOffer?.issuerState) {
+    queryObj.state = credentialOffer?.issuerState;
+  }
+  if (!parEndpoint && parMode === import_oid4vci_common13.PARMode.REQUIRE) {
+    throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
+  } else if (parEndpoint && parMode !== import_oid4vci_common13.PARMode.NEVER) {
+    debug6(`USING PAR with endpoint ${parEndpoint}`);
+    const parResponse = await (0, import_oid4vci_common13.formPost)(parEndpoint, (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
+      mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED,
+      uriTypeProperties: [
+        "client_id",
+        "request_uri",
+        "redirect_uri",
+        "scope",
+        "authorization_details",
+        "issuer_state",
+        "state"
+      ]
+    }), {
+      contentType: "application/x-www-form-urlencoded",
+      accept: "application/json"
+    });
+    if (parResponse.errorBody || !parResponse.successBody) {
+      if (parMode === import_oid4vci_common13.PARMode.REQUIRE) {
+        throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
+      }
+      debug6("Falling back to regular request URI, since PAR failed", JSON.stringify(parResponse.errorBody));
+    } else {
+      debug6(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
+      queryObj = {
+        client_id,
+        request_uri: parResponse.successBody.request_uri
+      };
+    }
+  }
+  await createSignedAuthRequestWhenNeeded(queryObj, {
+    ...requestObjectOpts,
+    aud: endpointMetadata.authorization_server
+  });
+  debug6(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
+  const url = (0, import_oid4vci_common13.convertJsonToURI)(queryObj, {
+    baseUrl: endpointMetadata.authorization_endpoint,
+    uriTypeProperties: [
+      "client_id",
+      "request_uri",
+      "redirect_uri",
+      "scope",
+      "authorization_details",
+      "issuer_state",
+      "state"
+    ],
+    // arrayTypeProperties: ['authorization_details'],
+    mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
+  });
+  debug6(`Authorization Request URL: ${url}`);
+  return url;
+}, "createAuthorizationRequestUrl");
+var handleAuthorizationDetails = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
+  if (authorizationDetails) {
+    if (typeof authorizationDetails === "string") {
+      return authorizationDetails;
+    }
+    if (Array.isArray(authorizationDetails)) {
+      return authorizationDetails.filter((value) => typeof value !== "string").map((value) => handleLocations(endpointMetadata, typeof value === "string" ? value : {
+        ...value
+      }));
+    } else {
+      return handleLocations(endpointMetadata, {
+        ...authorizationDetails
+      });
+    }
+  }
+  return authorizationDetails;
+}, "handleAuthorizationDetails");
+var handleLocations = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
+  if (typeof authorizationDetails === "string") {
+    return authorizationDetails;
+  }
+  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
+    if (authorizationDetails.locations) {
+      if (Array.isArray(authorizationDetails.locations)) {
+        authorizationDetails.locations.push(endpointMetadata.issuer);
+      } else {
+        authorizationDetails.locations = [
+          authorizationDetails.locations,
+          endpointMetadata.issuer
+        ];
+      }
+    } else {
+      authorizationDetails.locations = [
+        endpointMetadata.issuer
+      ];
+    }
+  }
+  return authorizationDetails;
+}, "handleLocations");
+var acquireAuthorizationChallengeAuthCode = /* @__PURE__ */ __name(async (opts) => {
+  const { metadata } = opts;
+  const issuer = opts.credentialIssuer ?? opts?.metadata?.issuer;
+  if (!issuer) {
+    throw Error("Issuer required at this point");
+  }
+  const issuerOpts = {
+    issuer
+  };
+  return await acquireAuthorizationChallengeAuthCodeUsingRequest({
+    authorizationChallengeRequest: await createAuthorizationChallengeRequest(opts),
+    metadata,
+    issuerOpts
+  });
+}, "acquireAuthorizationChallengeAuthCode");
+var acquireAuthorizationChallengeAuthCodeUsingRequest = /* @__PURE__ */ __name(async (opts) => {
+  const { authorizationChallengeRequest, issuerOpts } = opts;
+  const metadata = opts?.metadata ? opts?.metadata : issuerOpts?.fetchMetadata ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, {
+    errorOnNotFound: false
+  }) : void 0;
+  const authorizationChallengeCodeUrl = metadata?.authorization_challenge_endpoint;
+  if (!authorizationChallengeCodeUrl) {
+    return Promise.reject(Error("Cannot determine authorization challenge endpoint URL"));
+  }
+  const response = await sendAuthorizationChallengeRequest(authorizationChallengeCodeUrl, authorizationChallengeRequest);
+  return response;
+}, "acquireAuthorizationChallengeAuthCodeUsingRequest");
+var createAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (opts) => {
+  const { clientId, issuerState, authSession, scope, codeChallenge, codeChallengeMethod, presentationDuringIssuanceSession } = opts;
+  const request = {
+    client_id: clientId,
+    issuer_state: issuerState,
+    auth_session: authSession,
+    scope,
+    code_challenge: codeChallenge,
+    code_challenge_method: codeChallengeMethod,
+    presentation_during_issuance_session: presentationDuringIssuanceSession
+  };
+  return request;
+}, "createAuthorizationChallengeRequest");
+var sendAuthorizationChallengeRequest = /* @__PURE__ */ __name(async (authorizationChallengeCodeUrl, authorizationChallengeRequest, opts) => {
+  return await (0, import_oid4vci_common13.formPost)(authorizationChallengeCodeUrl, (0, import_oid4vci_common13.convertJsonToURI)(authorizationChallengeRequest, {
+    mode: import_oid4vci_common13.JsonURIMode.X_FORM_WWW_URLENCODED
+  }), {
+    customHeaders: opts?.headers ? opts.headers : void 0
+  });
+}, "sendAuthorizationChallengeRequest");
+
+// lib/AuthorizationCodeClientV1_0_11.ts
+var import_oid4vci_common14 = require("@sphereon/oid4vci-common");
+var import_debug7 = __toESM(require("debug"), 1);
+var debug7 = (0, import_debug7.default)("sphereon:oid4vci");
+var createAuthorizationRequestUrlV1_0_11 = /* @__PURE__ */ __name(async ({ pkce, endpointMetadata, authorizationRequest, credentialOffer, credentialsSupported }) => {
+  const { redirectUri, clientId, requestObjectOpts = {
+    requestObjectMode: import_oid4vci_common14.CreateRequestObjectMode.NONE
+  } } = authorizationRequest;
+  let { scope, authorizationDetails } = authorizationRequest;
+  const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests ? import_oid4vci_common14.PARMode.REQUIRE : authorizationRequest.parMode ?? import_oid4vci_common14.PARMode.AUTO;
+  if (!scope && !authorizationDetails) {
+    if (!credentialOffer) {
+      throw Error("Please provide a scope or authorization_details if no credential offer is present");
+    }
+    const creds = credentialOffer.credential_offer.credentials;
+    authorizationDetails = creds.flatMap((cred) => typeof cred === "string" ? credentialsSupported : cred).filter((cred) => !!cred).map((cred) => {
+      return {
+        ...cred,
+        type: "openid_credential",
+        locations: [
+          endpointMetadata.issuer
+        ],
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
+        format: cred.format
+      };
+    });
+    if (!authorizationDetails || Array.isArray(authorizationDetails) && authorizationDetails.length === 0) {
+      throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`);
+    }
+  }
+  if (!endpointMetadata?.authorization_endpoint) {
+    throw Error("Server metadata does not contain authorization endpoint");
+  }
+  const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint;
+  if (!scope?.includes("openid")) {
+    scope = [
+      "openid",
+      scope
+    ].filter((s) => !!s).join(" ");
+  }
+  let queryObj = {
+    response_type: import_oid4vci_common14.ResponseType.AUTH_CODE,
+    ...!pkce.disabled && {
+      code_challenge_method: pkce.codeChallengeMethod ?? import_oid4vci_common14.CodeChallengeMethod.S256,
+      code_challenge: pkce.codeChallenge
+    },
+    authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),
+    ...redirectUri && {
+      redirect_uri: redirectUri
+    },
+    ...clientId && {
+      client_id: clientId
+    },
+    ...credentialOffer?.issuerState && {
+      issuer_state: credentialOffer.issuerState
+    },
+    scope
+  };
+  if (!parEndpoint && parMode === import_oid4vci_common14.PARMode.REQUIRE) {
+    throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`);
+  } else if (parEndpoint && parMode !== import_oid4vci_common14.PARMode.NEVER) {
+    debug7(`USING PAR with endpoint ${parEndpoint}`);
+    const parResponse = await (0, import_oid4vci_common14.formPost)(parEndpoint, (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
+      mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED,
+      uriTypeProperties: [
+        "client_id",
+        "request_uri",
+        "redirect_uri",
+        "scope",
+        "authorization_details",
+        "issuer_state"
+      ]
+    }), {
+      contentType: "application/x-www-form-urlencoded",
+      accept: "application/json"
+    });
+    if (parResponse.errorBody || !parResponse.successBody) {
+      console.log(JSON.stringify(parResponse.errorBody));
+      console.log("Falling back to regular request URI, since PAR failed");
+      if (parMode === import_oid4vci_common14.PARMode.REQUIRE) {
+        throw Error(`PAR error: ${parResponse.origResponse.statusText}`);
+      }
+    } else {
+      debug7(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`);
+      queryObj = {
+        request_uri: parResponse.successBody.request_uri
+      };
+    }
+  }
+  await createSignedAuthRequestWhenNeeded(queryObj, {
+    ...requestObjectOpts,
+    aud: endpointMetadata.authorization_server
+  });
+  debug7(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2));
+  const url = (0, import_oid4vci_common14.convertJsonToURI)(queryObj, {
+    baseUrl: endpointMetadata.authorization_endpoint,
+    uriTypeProperties: [
+      "client_id",
+      "request_uri",
+      "redirect_uri",
+      "scope",
+      "authorization_details",
+      "issuer_state"
+    ],
+    // arrayTypeProperties: ['authorization_details'],
+    mode: import_oid4vci_common14.JsonURIMode.X_FORM_WWW_URLENCODED
+  });
+  debug7(`Authorization Request URL: ${url}`);
+  return url;
+}, "createAuthorizationRequestUrlV1_0_11");
+var handleAuthorizationDetailsV1_0_11 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
+  if (authorizationDetails) {
+    if (typeof authorizationDetails === "string") {
+      return authorizationDetails;
+    }
+    if (Array.isArray(authorizationDetails)) {
+      return authorizationDetails.filter((value) => typeof value !== "string").map((value) => handleLocations2(endpointMetadata, typeof value === "string" ? value : {
+        ...value
+      }));
+    } else {
+      return handleLocations2(endpointMetadata, {
+        ...authorizationDetails
+      });
+    }
+  }
+  return authorizationDetails;
+}, "handleAuthorizationDetailsV1_0_11");
+var handleLocations2 = /* @__PURE__ */ __name((endpointMetadata, authorizationDetails) => {
+  if (typeof authorizationDetails === "string") {
+    return authorizationDetails;
+  }
+  if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {
+    if (authorizationDetails.locations) {
+      if (Array.isArray(authorizationDetails.locations)) {
+        authorizationDetails.locations.push(endpointMetadata.issuer);
+      } else {
+        authorizationDetails.locations = [
+          authorizationDetails.locations,
+          endpointMetadata.issuer
+        ];
+      }
+    } else {
+      authorizationDetails.locations = [
+        endpointMetadata.issuer
+      ];
+    }
+  }
+  return authorizationDetails;
+}, "handleLocations");
+
+// lib/CredentialRequestClient.ts
+var import_oid4vc_common5 = require("@sphereon/oid4vc-common");
+var import_oid4vci_common15 = require("@sphereon/oid4vci-common");
+var import_debug8 = __toESM(require("debug"), 1);
+var debug8 = (0, import_debug8.default)("sphereon:oid4vci:credential");
+async function buildProof(proofInput, opts) {
+  if ("proof_type" in proofInput) {
+    if (opts.cNonce) {
+      throw Error(`Cnonce param is only supported when using a Proof of possession builder`);
+    }
+    return await ProofOfPossessionBuilder.fromProof(proofInput, opts.version).build();
+  }
+  if (opts.cNonce) {
+    proofInput.withAccessTokenNonce(opts.cNonce);
+  }
+  return await proofInput.build();
+}
+__name(buildProof, "buildProof");
+var CredentialRequestClient = class {
+  static {
+    __name(this, "CredentialRequestClient");
+  }
+  _credentialRequestOpts;
+  _isDeferred = false;
+  get credentialRequestOpts() {
+    return this._credentialRequestOpts;
+  }
+  isDeferred() {
+    return this._isDeferred;
+  }
+  getCredentialEndpoint() {
+    return this.credentialRequestOpts.credentialEndpoint;
+  }
+  getDeferredCredentialEndpoint() {
+    return this.credentialRequestOpts.deferredCredentialEndpoint;
+  }
+  constructor(builder) {
+    this._credentialRequestOpts = {
+      ...builder
+    };
+  }
+  /**
+  * Typically you should not use this method, as it omits a proof from the request.
+  * There are certain issuers that in specific circumstances can do without this proof, because they have other means of user binding
+  * like using DPoP together with an authorization code flow. These are however rare, so you should be using the acquireCredentialsUsingProof normally
+  * @param opts
+  */
+  async acquireCredentialsWithoutProof(opts) {
+    const { credentialIdentifier, credentialTypes, format, context, subjectIssuance } = opts;
+    const request = await this.createCredentialRequestWithoutProof({
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance
+    });
+    return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts);
+  }
+  async acquireCredentialsUsingProof(opts) {
+    const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts;
+    const request = await this.createCredentialRequest({
+      proofInput,
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance
+    });
+    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
+  }
+  async acquireCredentialsUsingRequestWithoutProof(uniformRequest, createDPoPOpts) {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  }
+  async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
+    return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts);
+  }
+  async acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts) {
+    if (this.version() < import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error("Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.");
+    }
+    const request = (0, import_oid4vci_common15.getCredentialRequestForVersion)(uniformRequest, this.version());
+    const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
+    if (!(0, import_oid4vci_common15.isValidURL)(credentialEndpoint)) {
+      debug8(`Invalid credential endpoint: ${credentialEndpoint}`);
+      throw new Error(import_oid4vci_common15.URL_NOT_VALID);
+    }
+    debug8(`Acquiring credential(s) from: ${credentialEndpoint}`);
+    debug8(`request
+: ${JSON.stringify(request, null, 2)}`);
+    const requestToken = this.credentialRequestOpts.token;
+    let dPoP = createDPoPOpts ? await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
+      accessToken: requestToken
+    })) : void 0;
+    let response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
+      bearerToken: requestToken,
+      ...dPoP && {
+        customHeaders: {
+          dpop: dPoP
+        }
+      }
+    });
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await (0, import_oid4vc_common5.createDPoP)((0, import_oid4vc_common5.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
+        accessToken: requestToken
+      }));
+      response = await (0, import_oid4vci_common15.post)(credentialEndpoint, JSON.stringify(request), {
+        bearerToken: requestToken,
+        ...createDPoPOpts && {
+          customHeaders: {
+            dpop: dPoP
+          }
+        }
+      });
+      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+    this._isDeferred = (0, import_oid4vci_common15.isDeferredCredentialResponse)(response);
+    if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
+      response = await this.acquireDeferredCredential(response.successBody, {
+        bearerToken: this.credentialRequestOpts.token
+      });
+    }
+    response.access_token = requestToken;
+    if (uniformRequest.credential_subject_issuance && response.successBody || response.successBody?.credential_subject_issuance) {
+      if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {
+        throw Error("Subject signing was requested, but issuer did not provide the options in its response");
+      }
+    }
+    debug8(`Credential endpoint ${credentialEndpoint} response:\r
+${JSON.stringify(response, null, 2)}`);
+    return {
+      ...response,
+      ...nextDPoPNonce && {
+        params: {
+          dpop: {
+            dpopNonce: nextDPoPNonce
+          }
+        }
+      }
+    };
+  }
+  async acquireDeferredCredential(response, opts) {
+    const transactionId = response.transaction_id;
+    const bearerToken = response.acceptance_token ?? opts?.bearerToken;
+    const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
+    if (!deferredCredentialEndpoint) {
+      throw Error(`No deferred credential endpoint supplied.`);
+    } else if (!bearerToken) {
+      throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
+    }
+    return await (0, import_oid4vci_common15.acquireDeferredCredential)({
+      bearerToken,
+      transactionId,
+      deferredCredentialEndpoint,
+      deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,
+      deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS
+    });
+  }
+  async createCredentialRequestWithoutProof(opts) {
+    return await this.createCredentialRequestImpl(opts);
+  }
+  async createCredentialRequest(opts) {
+    return await this.createCredentialRequestImpl(opts);
+  }
+  async createCredentialRequestImpl(opts) {
+    const { proofInput, credentialIdentifier: credential_identifier } = opts;
+    let proof = void 0;
+    if (proofInput) {
+      proof = await buildProof(proofInput, opts);
+    }
+    if (credential_identifier) {
+      if (opts.format || opts.credentialTypes || opts.context) {
+        throw Error(`You cannot mix credential_identifier with format, credential types and/or context`);
+      }
+      return {
+        credential_identifier,
+        ...proof && {
+          proof
+        }
+      };
+    }
+    const formatSelection = opts.format ?? this.credentialRequestOpts.format;
+    if (!formatSelection) {
+      throw Error(`Format of credential to be issued is missing`);
+    }
+    const format = (0, import_oid4vci_common15.getUniformFormat)(formatSelection);
+    const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
+    if (!typesSelection) {
+      throw Error(`Credential type(s) need to be provided`);
+    }
+    const types = Array.isArray(typesSelection) ? typesSelection : [
+      typesSelection
+    ];
+    if (types.length === 0) {
+      throw Error(`Credential type(s) need to be provided`);
+    }
+    const issuer_state = this.credentialRequestOpts.issuerState;
+    if (format === "jwt_vc_json" || format === "jwt_vc") {
+      return {
+        credential_definition: {
+          type: types
+        },
+        format,
+        ...issuer_state && {
+          issuer_state
+        },
+        ...proof && {
+          proof
+        },
+        ...opts.subjectIssuance
+      };
+    } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
+      if (this.version() >= import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
+        throw Error("No @context value present, but it is required");
+      }
+      return {
+        format,
+        ...issuer_state && {
+          issuer_state
+        },
+        ...proof && {
+          proof
+        },
+        ...opts.subjectIssuance,
+        credential_definition: {
+          type: types,
+          "@context": opts.context
+        }
+      };
+    } else if (format === "vc+sd-jwt") {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+      return {
+        format,
+        ...issuer_state && {
+          issuer_state
+        },
+        ...proof && {
+          proof
+        },
+        vct: types[0],
+        ...opts.subjectIssuance
+      };
+    } else if (format === "mso_mdoc") {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+      return {
+        format,
+        ...issuer_state && {
+          issuer_state
+        },
+        ...proof && {
+          proof
+        },
+        doctype: types[0],
+        ...opts.subjectIssuance
+      };
+    }
+    throw new Error(`Unsupported credential format: ${format}`);
+  }
+  version() {
+    return this.credentialRequestOpts?.version ?? import_oid4vci_common15.OpenId4VCIVersion.VER_1_0_13;
+  }
+};
+
+// lib/CredentialOfferClient.ts
+var import_oid4vci_common16 = require("@sphereon/oid4vci-common");
+var import_debug9 = __toESM(require("debug"), 1);
+var debug9 = (0, import_debug9.default)("sphereon:oid4vci:offer");
+var CredentialOfferClient = class {
+  static {
+    __name(this, "CredentialOfferClient");
+  }
+  static async fromURI(uri, opts) {
+    debug9(`Credential Offer URI: ${uri}`);
+    if (!uri.includes("?") || !uri.includes("://")) {
+      debug9(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split("://")[0];
+    const baseUrl = uri.split("?")[0];
+    const version = (0, import_oid4vci_common16.determineSpecVersionFromURI)(uri);
+    LOG.log(`Offer URL determined to be of version ${version}`);
+    let credentialOffer;
+    let credentialOfferPayload;
+    if (version < import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11) {
+      credentialOfferPayload = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
+        arrayTypeProperties: [
+          "credential_type"
+        ],
+        requiredProperties: uri.includes("credential_offer=") ? [
+          "credential_offer"
+        ] : [
+          "issuer",
+          "credential_type"
+        ]
+      });
+      credentialOffer = {
+        credential_offer: credentialOfferPayload
+      };
+    } else {
+      if (uri.includes("credential_offer_uri")) {
+        credentialOffer = await handleCredentialOfferUri(uri);
+      } else {
+        credentialOffer = (0, import_oid4vci_common16.convertURIToJsonObject)(uri, {
+          // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+          arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
+            "credential_offer_uri="
+          ] : [
+            "credential_offer="
+          ],
+          requiredProperties: uri.includes("credential_offer_uri=") ? [
+            "credential_offer_uri="
+          ] : [
+            "credential_offer="
+          ]
+        });
+      }
+      if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
+        throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
+      }
+    }
+    const request = await (0, import_oid4vci_common16.toUniformCredentialOfferRequest)(credentialOffer, {
+      ...opts,
+      version
+    });
+    return {
+      ...constructBaseResponse(request, scheme, baseUrl),
+      userPinRequired: request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? !!request.credential_offer?.grants?.[import_oid4vci_common16.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false
+    };
+  }
+  static toURI(requestWithBaseUrl, opts) {
+    debug9(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
+    let param;
+    const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
+    if (version.valueOf() >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      if (!baseUrl.includes("?")) {
+        param = isUri ? "credential_offer_uri" : "credential_offer";
+      } else {
+        const split = baseUrl.split("?");
+        if (split.length > 1 && split[1] !== "") {
+          if (baseUrl.endsWith("&")) {
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          } else if (!baseUrl.endsWith("=")) {
+            baseUrl += `&`;
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          }
+        }
+      }
+    }
+    return (0, import_oid4vci_common16.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : [
+        "credential_type"
+      ],
+      uriTypeProperties: isUri ? [
+        "credential_offer_uri"
+      ] : version >= import_oid4vci_common16.OpenId4VCIVersion.VER_1_0_13 ? [
+        "credential_issuer",
+        "credential_type"
+      ] : [
+        "issuer",
+        "credential_type"
+      ],
+      param,
+      version
+    });
+  }
+};
+
+// lib/CredentialOfferClientV1_0_11.ts
+var import_oid4vci_common17 = require("@sphereon/oid4vci-common");
+var import_debug10 = __toESM(require("debug"), 1);
+var debug10 = (0, import_debug10.default)("sphereon:oid4vci:offer");
+var CredentialOfferClientV1_0_11 = class {
+  static {
+    __name(this, "CredentialOfferClientV1_0_11");
+  }
+  static async fromURI(uri, opts) {
+    debug10(`Credential Offer URI: ${uri}`);
+    if (!uri.includes("?") || !uri.includes("://")) {
+      debug10(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split("://")[0];
+    const baseUrl = uri.split("?")[0];
+    const version = (0, import_oid4vci_common17.determineSpecVersionFromURI)(uri);
+    let credentialOffer;
+    let credentialOfferPayload;
+    if (version < import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11) {
+      credentialOfferPayload = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
+        arrayTypeProperties: [
+          "credential_type"
+        ],
+        requiredProperties: uri.includes("credential_offer_uri=") ? [
+          "credential_offer_uri="
+        ] : [
+          "issuer",
+          "credential_type="
+        ]
+      });
+      credentialOffer = {
+        credential_offer: credentialOfferPayload
+      };
+    } else {
+      credentialOffer = (0, import_oid4vci_common17.convertURIToJsonObject)(uri, {
+        arrayTypeProperties: [
+          "credentials"
+        ],
+        requiredProperties: uri.includes("credential_offer_uri=") ? [
+          "credential_offer_uri="
+        ] : [
+          "credential_offer="
+        ]
+      });
+      if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
+        throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
+      }
+    }
+    const request = await (0, import_oid4vci_common17.toUniformCredentialOfferRequest)(credentialOffer, {
+      ...opts,
+      version
+    });
+    const clientId = (0, import_oid4vci_common17.getClientIdFromCredentialOfferPayload)(request.credential_offer);
+    const grants = request.credential_offer?.grants;
+    return {
+      scheme,
+      baseUrl,
+      ...clientId && {
+        clientId
+      },
+      ...request,
+      ...grants?.authorization_code?.issuer_state && {
+        issuerState: grants.authorization_code.issuer_state
+      },
+      ...grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.[import_oid4vci_common17.PRE_AUTH_CODE_LITERAL] && {
+        preAuthorizedCode: grants[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL][import_oid4vci_common17.PRE_AUTH_CODE_LITERAL]
+      },
+      userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common17.PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false)
+    };
+  }
+  static toURI(requestWithBaseUrl, opts) {
+    debug10(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
+    let param;
+    const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
+    if (version.valueOf() >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      if (!baseUrl.includes("?")) {
+        param = isUri ? "credential_offer_uri" : "credential_offer";
+      } else {
+        const split = baseUrl.split("?");
+        if (split.length > 1 && split[1] !== "") {
+          if (baseUrl.endsWith("&")) {
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          } else if (!baseUrl.endsWith("=")) {
+            baseUrl += `&`;
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          }
+        }
+      }
+    }
+    return (0, import_oid4vci_common17.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : [
+        "credential_type"
+      ],
+      uriTypeProperties: isUri ? [
+        "credential_offer_uri"
+      ] : version >= import_oid4vci_common17.OpenId4VCIVersion.VER_1_0_11 ? [
+        "credential_issuer",
+        "credential_type"
+      ] : [
+        "issuer",
+        "credential_type"
+      ],
+      param,
+      version
+    });
+  }
+};
+
+// lib/CredentialOfferClientV1_0_13.ts
+var import_oid4vci_common18 = require("@sphereon/oid4vci-common");
+var import_debug11 = __toESM(require("debug"), 1);
+var debug11 = (0, import_debug11.default)("sphereon:oid4vci:offer");
+var CredentialOfferClientV1_0_13 = class {
+  static {
+    __name(this, "CredentialOfferClientV1_0_13");
+  }
+  static async fromURI(uri, opts) {
+    debug11(`Credential Offer URI: ${uri}`);
+    if (!uri.includes("?") || !uri.includes("://")) {
+      debug11(`Invalid Credential Offer URI: ${uri}`);
+      throw Error(`Invalid Credential Offer Request`);
+    }
+    const scheme = uri.split("://")[0];
+    const baseUrl = uri.split("?")[0];
+    const version = (0, import_oid4vci_common18.determineSpecVersionFromURI)(uri);
+    let credentialOffer;
+    if (uri.includes("credential_offer_uri")) {
+      credentialOffer = await handleCredentialOfferUri(uri);
+    } else {
+      credentialOffer = (0, import_oid4vci_common18.convertURIToJsonObject)(uri, {
+        // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer
+        arrayTypeProperties: uri.includes("credential_offer_uri=") ? [
+          "credential_configuration_ids",
+          "credential_offer_uri="
+        ] : [
+          "credential_configuration_ids",
+          "credential_offer="
+        ],
+        requiredProperties: uri.includes("credential_offer_uri=") ? [
+          "credential_offer_uri="
+        ] : [
+          "credential_offer="
+        ]
+      });
+    }
+    if (credentialOffer?.credential_offer_uri === void 0 && !credentialOffer?.credential_offer) {
+      throw Error("Either a credential_offer or credential_offer_uri should be present in " + uri);
+    }
+    const request = await (0, import_oid4vci_common18.toUniformCredentialOfferRequest)(credentialOffer, {
+      ...opts,
+      version
+    });
+    return {
+      ...constructBaseResponse(request, scheme, baseUrl),
+      userPinRequired: !!(request.credential_offer?.grants?.[import_oid4vci_common18.PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false)
+    };
+  }
+  static toURI(requestWithBaseUrl, opts) {
+    debug11(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`);
+    const version = opts?.version ?? requestWithBaseUrl.version;
+    let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme) ? requestWithBaseUrl.baseUrl : `${requestWithBaseUrl.scheme.replace("://", "")}://${requestWithBaseUrl.baseUrl}`;
+    let param;
+    const isUri = requestWithBaseUrl.credential_offer_uri !== void 0;
+    if (version.valueOf() >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_11.valueOf()) {
+      if (!baseUrl.includes("?")) {
+        param = isUri ? "credential_offer_uri" : "credential_offer";
+      } else {
+        const split = baseUrl.split("?");
+        if (split.length > 1 && split[1] !== "") {
+          if (baseUrl.endsWith("&")) {
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          } else if (!baseUrl.endsWith("=")) {
+            baseUrl += `&`;
+            param = isUri ? "credential_offer_uri" : "credential_offer";
+          }
+        }
+      }
+    }
+    return (0, import_oid4vci_common18.convertJsonToURI)(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {
+      baseUrl,
+      arrayTypeProperties: isUri ? [] : [
+        "credential_type"
+      ],
+      uriTypeProperties: isUri ? [
+        "credential_offer_uri"
+      ] : version >= import_oid4vci_common18.OpenId4VCIVersion.VER_1_0_13 ? [
+        "credential_issuer",
+        "credential_type"
+      ] : [
+        "issuer",
+        "credential_type"
+      ],
+      param,
+      version
+    });
+  }
+};
+
+// lib/CredentialRequestClientV1_0_11.ts
+var import_oid4vc_common6 = require("@sphereon/oid4vc-common");
+var import_oid4vci_common19 = require("@sphereon/oid4vci-common");
+var import_debug12 = __toESM(require("debug"), 1);
+var debug12 = (0, import_debug12.default)("sphereon:oid4vci:credential");
+var CredentialRequestClientV1_0_11 = class {
+  static {
+    __name(this, "CredentialRequestClientV1_0_11");
+  }
+  _credentialRequestOpts;
+  _isDeferred = false;
+  get credentialRequestOpts() {
+    return this._credentialRequestOpts;
+  }
+  isDeferred() {
+    return this._isDeferred;
+  }
+  getCredentialEndpoint() {
+    return this.credentialRequestOpts.credentialEndpoint;
+  }
+  getDeferredCredentialEndpoint() {
+    return this.credentialRequestOpts.deferredCredentialEndpoint;
+  }
+  constructor(builder) {
+    this._credentialRequestOpts = {
+      ...builder
+    };
+  }
+  async acquireCredentialsUsingProof(opts) {
+    const { credentialTypes, proofInput, format, context } = opts;
+    const request = await this.createCredentialRequest({
+      proofInput,
+      credentialTypes,
+      context,
+      format,
+      version: this.version()
+    });
+    return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts);
+  }
+  async acquireCredentialsUsingRequest(uniformRequest, createDPoPOpts) {
+    const request = (0, import_oid4vci_common19.getCredentialRequestForVersion)(uniformRequest, this.version());
+    const credentialEndpoint = this.credentialRequestOpts.credentialEndpoint;
+    if (!(0, import_oid4vci_common19.isValidURL)(credentialEndpoint)) {
+      debug12(`Invalid credential endpoint: ${credentialEndpoint}`);
+      throw new Error(import_oid4vci_common19.URL_NOT_VALID);
+    }
+    debug12(`Acquiring credential(s) from: ${credentialEndpoint}`);
+    debug12(`request
+: ${JSON.stringify(request, null, 2)}`);
+    const requestToken = this.credentialRequestOpts.token;
+    let dPoP = createDPoPOpts ? await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
+      accessToken: requestToken
+    })) : void 0;
+    let response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
+      bearerToken: requestToken,
+      customHeaders: {
+        ...createDPoPOpts && {
+          dpop: dPoP
+        }
+      }
+    });
+    let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce;
+    const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response);
+    if (retryWithNonce.ok && createDPoPOpts) {
+      createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce;
+      dPoP = await (0, import_oid4vc_common6.createDPoP)((0, import_oid4vc_common6.getCreateDPoPOptions)(createDPoPOpts, credentialEndpoint, {
+        accessToken: requestToken
+      }));
+      response = await (0, import_oid4vci_common19.post)(credentialEndpoint, JSON.stringify(request), {
+        bearerToken: requestToken,
+        customHeaders: {
+          ...createDPoPOpts && {
+            dpop: dPoP
+          }
+        }
+      });
+      const successDPoPNonce = response.origResponse.headers.get("DPoP-Nonce");
+      nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce;
+    }
+    this._isDeferred = (0, import_oid4vci_common19.isDeferredCredentialResponse)(response);
+    if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {
+      response = await this.acquireDeferredCredential(response.successBody, {
+        bearerToken: this.credentialRequestOpts.token
+      });
+    }
+    response.access_token = requestToken;
+    debug12(`Credential endpoint ${credentialEndpoint} response:\r
+${JSON.stringify(response, null, 2)}`);
+    return {
+      ...response,
+      ...nextDPoPNonce && {
+        params: {
+          dpop: {
+            dpopNonce: nextDPoPNonce
+          }
+        }
+      }
+    };
+  }
+  async acquireDeferredCredential(response, opts) {
+    const transactionId = response.transaction_id;
+    const bearerToken = response.acceptance_token ?? opts?.bearerToken;
+    const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint();
+    if (!deferredCredentialEndpoint) {
+      throw Error(`No deferred credential endpoint supplied.`);
+    } else if (!bearerToken) {
+      throw Error(`No bearer token present and refresh for defered endpoint not supported yet`);
+    }
+    return await (0, import_oid4vci_common19.acquireDeferredCredential)({
+      bearerToken,
+      transactionId,
+      deferredCredentialEndpoint,
+      deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,
+      deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS
+    });
+  }
+  async createCredentialRequest(opts) {
+    const { proofInput } = opts;
+    const formatSelection = opts.format ?? this.credentialRequestOpts.format;
+    if (!formatSelection) {
+      throw Error(`Format of credential to be issued is missing`);
+    }
+    const format = (0, import_oid4vci_common19.getUniformFormat)(formatSelection);
+    const typesSelection = opts?.credentialTypes && (typeof opts.credentialTypes === "string" || opts.credentialTypes.length > 0) ? opts.credentialTypes : this.credentialRequestOpts.credentialTypes;
+    const types = Array.isArray(typesSelection) ? typesSelection : [
+      typesSelection
+    ];
+    if (types.length === 0) {
+      throw Error(`Credential type(s) need to be provided`);
+    } else if (!this.isV11OrHigher() && types.length !== 1) {
+      throw Error("Only a single credential type is supported for V8/V9");
+    }
+    const proof = await buildProof(proofInput, opts);
+    if (format === "jwt_vc_json" || format === "jwt_vc") {
+      return {
+        types,
+        format,
+        proof
+      };
+    } else if (format === "jwt_vc_json-ld" || format === "ldp_vc") {
+      if (this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_12 && !opts.context) {
+        throw Error("No @context value present, but it is required");
+      }
+      return {
+        format,
+        proof,
+        // Ignored because v11 does not have the context value, but it is required in v12
+        // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+        // @ts-ignore
+        credential_definition: {
+          types,
+          ...opts.context && {
+            "@context": opts.context
+          }
+        }
+      };
+    } else if (format === "vc+sd-jwt") {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+      return {
+        format,
+        proof,
+        vct: types[0]
+      };
+    } else if (format === "mso_mdoc") {
+      if (types.length > 1) {
+        throw Error(`Only a single credential type is supported for ${format}`);
+      }
+      return {
+        format,
+        proof,
+        doctype: types[0]
+      };
+    }
+    throw new Error(`Unsupported format: ${format}`);
+  }
+  version() {
+    return this.credentialRequestOpts?.version ?? import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
+  }
+  isV11OrHigher() {
+    return this.version() >= import_oid4vci_common19.OpenId4VCIVersion.VER_1_0_11;
+  }
+};
+
+// lib/CredentialRequestClientBuilder.ts
+var import_oid4vci_common22 = require("@sphereon/oid4vci-common");
+
+// lib/CredentialRequestClientBuilderV1_0_11.ts
+var import_oid4vci_common20 = require("@sphereon/oid4vci-common");
+var CredentialRequestClientBuilderV1_0_11 = class _CredentialRequestClientBuilderV1_0_11 {
+  static {
+    __name(this, "CredentialRequestClientBuilderV1_0_11");
+  }
+  credentialEndpoint;
+  deferredCredentialEndpoint;
+  deferredCredentialAwait = false;
+  deferredCredentialIntervalInMS = 5e3;
+  credentialTypes = [];
+  format;
+  token;
+  version;
+  subjectIssuance;
+  issuerState;
+  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialTypes }) {
+    const issuer = credentialIssuer;
+    const builder = new _CredentialRequestClientBuilderV1_0_11();
+    builder.withVersion(version ?? import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    builder.withCredentialType(credentialTypes);
+    return builder;
+  }
+  static async fromURI({ uri, metadata }) {
+    const offer = await CredentialOfferClientV1_0_11.fromURI(uri);
+    return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
+      request: offer,
+      ...offer,
+      metadata,
+      version: offer.version
+    });
+  }
+  static fromCredentialOfferRequest(opts) {
+    const { request, metadata } = opts;
+    const version = opts.version ?? request.version ?? (0, import_oid4vci_common20.determineSpecVersionFromOffer)(request.original_credential_offer);
+    const builder = new _CredentialRequestClientBuilderV1_0_11();
+    const issuer = (0, import_oid4vci_common20.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
+    builder.withVersion(version);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_08) {
+      builder.withCredentialType(request.original_credential_offer.credential_type);
+    } else if (version <= import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11) {
+      builder.withCredentialType((0, import_oid4vci_common20.getTypesFromOfferV1_0_11)(request.credential_offer));
+    }
+    return builder;
+  }
+  static fromCredentialOffer({ credentialOffer, metadata }) {
+    return _CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({
+      request: credentialOffer,
+      metadata,
+      version: credentialOffer.version
+    });
+  }
+  withIssuerState(issuerState) {
+    this.issuerState = issuerState;
+    return this;
+  }
+  withCredentialEndpointFromMetadata(metadata) {
+    this.credentialEndpoint = metadata.credential_endpoint;
+    return this;
+  }
+  withCredentialEndpoint(credentialEndpoint) {
+    this.credentialEndpoint = credentialEndpoint;
+    return this;
+  }
+  withDeferredCredentialEndpointFromMetadata(metadata) {
+    this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
+    return this;
+  }
+  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
+    this.deferredCredentialEndpoint = deferredCredentialEndpoint;
+    return this;
+  }
+  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
+    this.deferredCredentialAwait = deferredCredentialAwait;
+    this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
+    return this;
+  }
+  withCredentialType(credentialTypes) {
+    this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
+      credentialTypes
+    ];
+    return this;
+  }
+  withFormat(format) {
+    this.format = format;
+    return this;
+  }
+  withSubjectIssuance(subjectIssuance) {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+  withToken(accessToken) {
+    this.token = accessToken;
+    return this;
+  }
+  withTokenFromResponse(response) {
+    this.token = response.access_token;
+    return this;
+  }
+  withVersion(version) {
+    this.version = version;
+    return this;
+  }
+  build() {
+    if (!this.version) {
+      this.withVersion(import_oid4vci_common20.OpenId4VCIVersion.VER_1_0_11);
+    }
+    return new CredentialRequestClientV1_0_11(this);
+  }
+};
+
+// lib/CredentialRequestClientBuilderV1_0_13.ts
+var import_oid4vci_common21 = require("@sphereon/oid4vci-common");
+var CredentialRequestClientBuilderV1_0_13 = class _CredentialRequestClientBuilderV1_0_13 {
+  static {
+    __name(this, "CredentialRequestClientBuilderV1_0_13");
+  }
+  credentialEndpoint;
+  deferredCredentialEndpoint;
+  deferredCredentialAwait = false;
+  deferredCredentialIntervalInMS = 5e3;
+  credentialIdentifier;
+  credentialTypes = [];
+  format;
+  token;
+  version;
+  subjectIssuance;
+  issuerState;
+  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
+    const issuer = credentialIssuer;
+    const builder = new _CredentialRequestClientBuilderV1_0_13();
+    builder.withVersion(version ?? import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    if (credentialIdentifier) {
+      builder.withCredentialIdentifier(credentialIdentifier);
+    }
+    if (credentialTypes) {
+      builder.withCredentialType(credentialTypes);
+    }
+    return builder;
+  }
+  static async fromURI({ uri, metadata }) {
+    const offer = await CredentialOfferClient.fromURI(uri);
+    return _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
+      request: offer,
+      ...offer,
+      metadata,
+      version: offer.version
+    });
+  }
+  static fromCredentialOfferRequest(opts) {
+    const { request, metadata } = opts;
+    const version = opts.version ?? request.version ?? (0, import_oid4vci_common21.determineSpecVersionFromOffer)(request.original_credential_offer);
+    if (version < import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error("Versions below v1.0.13 (draft 13) are not supported.");
+    }
+    const builder = new _CredentialRequestClientBuilderV1_0_13();
+    const issuer = (0, import_oid4vci_common21.getIssuerFromCredentialOfferPayload)(request.credential_offer) ?? metadata?.issuer;
+    builder.withVersion(version);
+    builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith("/") ? `${issuer}credential` : `${issuer}/credential`));
+    if (metadata?.deferred_credential_endpoint) {
+      builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint);
+    }
+    const ids = request.credential_offer.credential_configuration_ids;
+    if (ids.length && ids.length === 1) {
+      builder.withCredentialIdentifier(ids[0]);
+    }
+    return builder;
+  }
+  static fromCredentialOffer({ credentialOffer, metadata }) {
+    const builder = _CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({
+      request: credentialOffer,
+      metadata,
+      version: credentialOffer.version
+    });
+    return builder;
+  }
+  withCredentialEndpointFromMetadata(metadata) {
+    this.credentialEndpoint = metadata.credential_endpoint;
+    return this;
+  }
+  withCredentialEndpoint(credentialEndpoint) {
+    this.credentialEndpoint = credentialEndpoint;
+    return this;
+  }
+  withIssuerState(issuerState) {
+    this.issuerState = issuerState;
+    return this;
+  }
+  withDeferredCredentialEndpointFromMetadata(metadata) {
+    this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint;
+    return this;
+  }
+  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
+    this.deferredCredentialEndpoint = deferredCredentialEndpoint;
+    return this;
+  }
+  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
+    this.deferredCredentialAwait = deferredCredentialAwait;
+    this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5e3;
+    return this;
+  }
+  withCredentialIdentifier(credentialIdentifier) {
+    this.credentialIdentifier = credentialIdentifier;
+    return this;
+  }
+  withCredentialType(credentialTypes) {
+    this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [
+      credentialTypes
+    ];
+    return this;
+  }
+  withFormat(format) {
+    this.format = format;
+    return this;
+  }
+  withSubjectIssuance(subjectIssuance) {
+    this.subjectIssuance = subjectIssuance;
+    return this;
+  }
+  withToken(accessToken) {
+    this.token = accessToken;
+    return this;
+  }
+  withTokenFromResponse(response) {
+    this.token = response.access_token;
+    return this;
+  }
+  withVersion(version) {
+    this.version = version;
+    return this;
+  }
+  build() {
+    if (!this.version) {
+      this.withVersion(import_oid4vci_common21.OpenId4VCIVersion.VER_1_0_11);
+    }
+    return new CredentialRequestClient(this);
+  }
+};
+
+// lib/CredentialRequestClientBuilder.ts
+function isV1_0_13(builder) {
+  return builder.withCredentialIdentifier !== void 0;
+}
+__name(isV1_0_13, "isV1_0_13");
+var CredentialRequestClientBuilder = class _CredentialRequestClientBuilder {
+  static {
+    __name(this, "CredentialRequestClientBuilder");
+  }
+  _builder;
+  constructor(builder) {
+    this._builder = builder;
+  }
+  static fromCredentialIssuer({ credentialIssuer, metadata, version, credentialIdentifier, credentialTypes }) {
+    const specVersion = version ?? import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13;
+    let builder;
+    if (specVersion >= import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
+        credentialIssuer,
+        metadata,
+        version,
+        credentialIdentifier,
+        credentialTypes
+      });
+    } else {
+      if (!credentialTypes || credentialTypes.length === 0) {
+        throw new Error("CredentialTypes must be provided for v1_0_11");
+      }
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+        credentialIssuer,
+        metadata,
+        version,
+        credentialTypes
+      });
+    }
+    return new _CredentialRequestClientBuilder(builder);
+  }
+  static async fromURI({ uri, metadata }) {
+    const offer = await CredentialOfferClient.fromURI(uri);
+    return _CredentialRequestClientBuilder.fromCredentialOfferRequest({
+      request: offer,
+      ...offer,
+      metadata,
+      version: offer.version
+    });
+  }
+  static fromCredentialOfferRequest(opts) {
+    const { request } = opts;
+    const version = opts.version ?? request.version ?? (0, import_oid4vci_common22.determineSpecVersionFromOffer)(request.original_credential_offer);
+    let builder;
+    if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts);
+    } else {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts);
+    }
+    return new _CredentialRequestClientBuilder(builder);
+  }
+  static fromCredentialOffer({ credentialOffer, metadata }) {
+    const version = (0, import_oid4vci_common22.determineSpecVersionFromOffer)(credentialOffer.credential_offer);
+    let builder;
+    if (version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
+      builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+        credentialOffer,
+        metadata
+      });
+    } else {
+      builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
+        credentialOffer,
+        metadata
+      });
+    }
+    return new _CredentialRequestClientBuilder(builder);
+  }
+  getVersion() {
+    return this._builder.version;
+  }
+  withCredentialEndpointFromMetadata(metadata) {
+    if (isV1_0_13(this._builder)) {
+      this._builder.withCredentialEndpointFromMetadata(metadata);
+    } else {
+      this._builder.withCredentialEndpointFromMetadata(metadata);
+    }
+    return this;
+  }
+  withCredentialEndpoint(credentialEndpoint) {
+    this._builder.withCredentialEndpoint(credentialEndpoint);
+    return this;
+  }
+  withDeferredCredentialEndpointFromMetadata(metadata) {
+    if (isV1_0_13(this._builder)) {
+      this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
+    } else {
+      this._builder.withDeferredCredentialEndpointFromMetadata(metadata);
+    }
+    return this;
+  }
+  withDeferredCredentialEndpoint(deferredCredentialEndpoint) {
+    this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint);
+    return this;
+  }
+  withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS) {
+    this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS);
+    return this;
+  }
+  withCredentialIdentifier(credentialIdentifier) {
+    if (this._builder.version === void 0 || this._builder.version < import_oid4vci_common22.OpenId4VCIVersion.VER_1_0_13) {
+      throw new Error("Version of spec should be equal or higher than v1_0_13");
+    }
+    this._builder.withCredentialIdentifier(credentialIdentifier);
+    return this;
+  }
+  withIssuerState(issuerState) {
+    this._builder.withIssuerState(issuerState);
+    return this;
+  }
+  withCredentialType(credentialTypes) {
+    this._builder.withCredentialType(credentialTypes);
+    return this;
+  }
+  withFormat(format) {
+    this._builder.withFormat(format);
+    return this;
+  }
+  withSubjectIssuance(subjectIssuance) {
+    this._builder.withSubjectIssuance(subjectIssuance);
+    return this;
+  }
+  withToken(accessToken) {
+    this._builder.withToken(accessToken);
+    return this;
+  }
+  withTokenFromResponse(response) {
+    this._builder.withTokenFromResponse(response);
+    return this;
+  }
+  withVersion(version) {
+    this._builder.withVersion(version);
+    return this;
+  }
+  build() {
+    return this._builder.build();
+  }
+};
+
+// lib/OpenID4VCIClient.ts
+var import_oid4vci_common23 = require("@sphereon/oid4vci-common");
+var import_debug13 = __toESM(require("debug"), 1);
+var debug13 = (0, import_debug13.default)("sphereon:oid4vci");
+var OpenID4VCIClient = class _OpenID4VCIClient {
+  static {
+    __name(this, "OpenID4VCIClient");
+  }
+  _state;
+  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common23.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
+    if (!issuer) {
+      throw Error("No credential issuer supplied or deduced from offer");
+    }
+    this._state = {
+      credentialOffer,
+      credentialIssuer: issuer,
+      kid,
+      alg,
+      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+      clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common23.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
+      pkce: {
+        disabled: false,
+        codeChallengeMethod: import_oid4vci_common23.CodeChallengeMethod.S256,
+        ...pkce
+      },
+      authorizationRequestOpts,
+      authorizationCodeResponse,
+      accessToken,
+      jwk,
+      endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server ? endpointMetadata : endpointMetadata,
+      accessTokenResponse,
+      authorizationURL
+    };
+    if (!this._state.authorizationRequestOpts) {
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+    }
+    debug13(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
+  }
+  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL, endpointMetadata }) {
+    const client = new _OpenID4VCIClient({
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId,
+      credentialIssuer,
+      pkce,
+      authorizationRequest,
+      endpointMetadata
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+    }
+    return client;
+  }
+  static async fromState({ state }) {
+    const clientState = typeof state === "string" ? JSON.parse(state) : state;
+    return new _OpenID4VCIClient(clientState);
+  }
+  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri, endpointMetadata }) {
+    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
+      resolve: resolveOfferUri
+    });
+    const client = new _OpenID4VCIClient({
+      credentialOffer: credentialOfferClient,
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
+      pkce,
+      authorizationRequest,
+      endpointMetadata
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+      debug13(`Authorization Request URL: ${client._state.authorizationURL}`);
+    }
+    return client;
+  }
+  /**
+  * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+  *
+  * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+  * @param opts
+  */
+  async createAuthorizationRequestUrl(opts) {
+    if (!this._state.authorizationURL) {
+      this.calculatePKCEOpts(opts?.pkce);
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
+      if (!this._state.authorizationRequestOpts) {
+        throw Error(`No Authorization Request options present or provided in this call`);
+      }
+      if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
+        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
+      }
+      if (this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
+        this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
+          pkce: this._state.pkce,
+          endpointMetadata: this.endpointMetadata,
+          authorizationRequest: this._state.authorizationRequestOpts,
+          credentialOffer: this.credentialOffer,
+          credentialsSupported: Object.values(this.getCredentialsSupported(true))
+        });
+      } else {
+        this._state.authorizationURL = await createAuthorizationRequestUrl({
+          pkce: this._state.pkce,
+          endpointMetadata: this.endpointMetadata,
+          authorizationRequest: this._state.authorizationRequestOpts,
+          credentialOffer: this.credentialOffer,
+          credentialConfigurationSupported: this.getCredentialsSupported(false)
+        });
+      }
+    }
+    return this._state.authorizationURL;
+  }
+  async retrieveServerMetadata() {
+    this.assertIssuerData();
+    if (!this._state.endpointMetadata) {
+      if (this.credentialOffer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._state.credentialIssuer) {
+        this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer);
+      } else {
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
+      }
+    }
+    return this.endpointMetadata;
+  }
+  calculatePKCEOpts(pkce) {
+    this._state.pkce = generateMissingPKCEOpts({
+      ...this._state.pkce,
+      ...pkce
+    });
+  }
+  async acquireAuthorizationChallengeCode(opts) {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts
+    });
+    if (response.errorBody) {
+      debug13(`Authorization code error:\r
+${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug13(`Authorization code error. No success body`);
+      return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
+    }
+    return {
+      ...response.successBody
+    };
+  }
+  async acquireAccessToken(opts) {
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
+    let { redirectUri } = opts ?? {};
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
+    if (opts?.codeVerifier) {
+      this._state.pkce.codeVerifier = opts.codeVerifier;
+    }
+    this.assertIssuerData();
+    const asOpts = {
+      ...opts?.asOpts
+    };
+    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+    const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
+    if (this.isEBSI() || clientId && kid) {
+      if (!clientId) {
+        throw Error(`Client id expected for EBSI`);
+      }
+      asOpts.clientOpts = {
+        ...asOpts.clientOpts,
+        clientId,
+        ...kid && {
+          kid
+        },
+        ...clientAssertionType && {
+          clientAssertionType
+        },
+        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
+      };
+    }
+    if (clientId) {
+      this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = {
+          clientId
+        };
+      }
+      asOpts.clientOpts.clientId = clientId;
+    }
+    if (!this._state.accessTokenResponse) {
+      const accessTokenClient = this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient();
+      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
+        console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
+      }
+      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
+        redirectUri = this._state.authorizationRequestOpts.redirectUri;
+      }
+      const response = await accessTokenClient.acquireAccessToken({
+        credentialOffer: this.credentialOffer,
+        metadata: this.endpointMetadata,
+        credentialIssuer: this.getIssuer(),
+        pin,
+        ...!this._state.pkce.disabled && {
+          codeVerifier: this._state.pkce.codeVerifier
+        },
+        code,
+        redirectUri,
+        asOpts,
+        ...opts?.createDPoPOpts && {
+          createDPoPOpts: opts.createDPoPOpts
+        },
+        ...opts?.additionalRequestParams && {
+          additionalParams: opts.additionalRequestParams
+        }
+      });
+      if (response.errorBody) {
+        debug13(`Access token error:\r
+${JSON.stringify(response.errorBody)}`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+      } else if (!response.successBody) {
+        debug13(`Access token error. No success body`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+      }
+      this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
+      this._state.accessToken = response.successBody.access_token;
+    }
+    return {
+      ...this.accessTokenResponse,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      }
+    };
+  }
+  async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
+    if ([
+      jwk,
+      kid
+    ].filter((v) => v !== void 0).length > 1) {
+      throw new Error(import_oid4vci_common23.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
+    }
+    if (alg) this._state.alg = alg;
+    if (jwk) this._state.jwk = jwk;
+    if (kid) this._state.kid = kid;
+    let requestBuilder;
+    if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
+      requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+        credentialOffer: this.credentialOffer,
+        metadata: this.endpointMetadata
+      }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+        credentialIssuer: this.getIssuer(),
+        credentialTypes,
+        metadata: this.endpointMetadata,
+        version: this.version()
+      });
+    } else {
+      requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
+        credentialOffer: this.credentialOffer,
+        metadata: this.endpointMetadata
+      }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
+        credentialIssuer: this.getIssuer(),
+        credentialTypes,
+        metadata: this.endpointMetadata,
+        version: this.version()
+      });
+    }
+    const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
+    requestBuilder.withIssuerState(issuerState);
+    requestBuilder.withTokenFromResponse(this.accessTokenResponse);
+    requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
+    let subjectIssuance;
+    if (this.endpointMetadata?.credentialIssuerMetadata) {
+      const metadata = this.endpointMetadata.credentialIssuerMetadata;
+      const types = Array.isArray(credentialTypes) ? credentialTypes : [
+        credentialTypes
+      ];
+      if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
+        let typeSupported = false;
+        metadata.credentials_supported.forEach((supportedCredential) => {
+          const subTypes = (0, import_oid4vci_common23.getTypesFromCredentialSupported)(supportedCredential);
+          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
+            typeSupported = true;
+            if (supportedCredential.credential_subject_issuance) {
+              subjectIssuance = {
+                credential_subject_issuance: supportedCredential.credential_subject_issuance
+              };
+            }
+          }
+        });
+        if (!typeSupported) {
+          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+        }
+      } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
+        const credentialsSupported = metadata.credentials_supported;
+        if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
+          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+        }
+      }
+    }
+    if (subjectIssuance) {
+      requestBuilder.withSubjectIssuance(subjectIssuance);
+    }
+    const credentialRequestClient = requestBuilder.build();
+    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+      accessTokenResponse: this.accessTokenResponse,
+      callbacks: proofCallbacks,
+      version: this.version()
+    }).withIssuer(this.getIssuer()).withAlg(this.alg);
+    if (this._state.jwk) {
+      proofBuilder.withJWK(this._state.jwk);
+    }
+    if (this._state.kid) {
+      proofBuilder.withKid(this._state.kid);
+    }
+    if (this.clientId) {
+      proofBuilder.withClientId(this.clientId);
+    }
+    if (jti) {
+      proofBuilder.withJti(jti);
+    }
+    const response = await credentialRequestClient.acquireCredentialsUsingProof({
+      proofInput: proofBuilder,
+      credentialTypes,
+      context,
+      format,
+      subjectIssuance,
+      createDPoPOpts
+    });
+    this._state.dpopResponseParams = response.params;
+    if (response.errorBody) {
+      debug13(`Credential request error:\r
+${JSON.stringify(response.errorBody)}`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+    } else if (!response.successBody) {
+      debug13(`Credential request error. No success body`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+    }
+    return {
+      ...response.successBody,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      },
+      access_token: response.access_token
+    };
+  }
+  async exportState() {
+    return JSON.stringify(this._state);
+  }
+  getCredentialsSupported(restrictToInitiationTypes, format) {
+    return (0, import_oid4vci_common23.getSupportedCredentials)({
+      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
+      version: this.version(),
+      format,
+      types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
+    });
+  }
+  async sendNotification(credentialRequestOpts, request, accessToken) {
+    return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
+  }
+  getCredentialOfferTypes() {
+    if (!this.credentialOffer) {
+      return [];
+    } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_11) {
+      const orig = this.credentialOffer.original_credential_offer;
+      const types = typeof orig.credential_type === "string" ? [
+        orig.credential_type
+      ] : orig.credential_type;
+      const result = [];
+      result[0] = types;
+      return result;
+    } else if (this.version() < import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13) {
+      return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common23.getTypesFromObject)(c) ?? []);
+    }
+    return void 0;
+  }
+  issuerSupportedFlowTypes() {
+    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server ? [
+      import_oid4vci_common23.AuthzFlowType.AUTHORIZATION_CODE_FLOW
+    ] : []);
+  }
+  isFlowTypeSupported(flowType) {
+    return this.issuerSupportedFlowTypes().includes(flowType);
+  }
+  get authorizationURL() {
+    return this._state.authorizationURL;
+  }
+  hasAuthorizationURL() {
+    return !!this.authorizationURL;
+  }
+  get credentialOffer() {
+    return this._state.credentialOffer;
+  }
+  version() {
+    if (this.credentialOffer?.version && this.credentialOffer.version !== import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN) {
+      return this.credentialOffer.version;
+    }
+    const metadata = this._state.endpointMetadata;
+    if (metadata?.credentialIssuerMetadata) {
+      const versions = (0, import_oid4vci_common23.determineVersionsFromIssuerMetadata)(metadata.credentialIssuerMetadata);
+      if (versions.length > 0 && !versions.includes(import_oid4vci_common23.OpenId4VCIVersion.VER_UNKNOWN)) {
+        return versions[0];
+      }
+    }
+    return import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_13;
+  }
+  get endpointMetadata() {
+    this.assertServerMetadata();
+    return this._state.endpointMetadata;
+  }
+  get kid() {
+    this.assertIssuerData();
+    if (!this._state.kid) {
+      throw new Error("No value for kid is supplied");
+    }
+    return this._state.kid;
+  }
+  get alg() {
+    this.assertIssuerData();
+    if (!this._state.alg) {
+      throw new Error("No value for alg is supplied");
+    }
+    return this._state.alg;
+  }
+  set clientId(value) {
+    this._state.clientId = value;
+  }
+  get clientId() {
+    return this._state.clientId;
+  }
+  hasAccessTokenResponse() {
+    return !!this._state.accessTokenResponse;
+  }
+  get accessTokenResponse() {
+    this.assertAccessToken();
+    return this._state.accessTokenResponse;
+  }
+  get dpopResponseParams() {
+    return this._state.dpopResponseParams;
+  }
+  getIssuer() {
+    this.assertIssuerData();
+    return this._state.credentialIssuer;
+  }
+  getAccessTokenEndpoint() {
+    this.assertIssuerData();
+    if (this.endpointMetadata) {
+      return this.endpointMetadata.token_endpoint;
+    }
+    return this.version() <= import_oid4vci_common23.OpenId4VCIVersion.VER_1_0_12 ? AccessTokenClientV1_0_11.determineTokenURL({
+      issuerOpts: {
+        issuer: this.getIssuer()
+      }
+    }) : AccessTokenClient.determineTokenURL({
+      issuerOpts: {
+        issuer: this.getIssuer()
+      }
+    });
+  }
+  getCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  getAuthorizationChallengeEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata?.authorization_challenge_endpoint;
+  }
+  hasAuthorizationChallengeEndpoint() {
+    return !!this.getAuthorizationChallengeEndpoint();
+  }
+  hasDeferredCredentialEndpoint() {
+    return !!this.getAccessTokenEndpoint();
+  }
+  getDeferredCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  /**
+  * Too bad we need a method like this, but EBSI is not exposing metadata
+  */
+  isEBSI() {
+    if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore
+      typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
+    ))) {
+      return true;
+    }
+    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
+  }
+  assertIssuerData() {
+    if (!this._state.credentialIssuer) {
+      throw Error(`No credential issuer value present`);
+    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
+      throw Error(`No issuance initiation or credential offer present`);
+    }
+  }
+  assertServerMetadata() {
+    if (!this._state.endpointMetadata) {
+      throw Error("No server metadata");
+    }
+  }
+  assertAccessToken() {
+    if (!this._state.accessTokenResponse) {
+      throw Error(`No access token present`);
+    }
+  }
+  syncAuthorizationRequestOpts(opts) {
+    const requestObjectOpts = {
+      ...this._state?.authorizationRequestOpts?.requestObjectOpts,
+      ...opts?.requestObjectOpts
+    };
+    let authorizationRequestOpts = {
+      ...this._state?.authorizationRequestOpts,
+      ...opts,
+      ...requestObjectOpts && {
+        requestObjectOpts
+      }
+    };
+    if (!authorizationRequestOpts) {
+      authorizationRequestOpts = {
+        redirectUri: `${import_oid4vci_common23.DefaultURISchemes.CREDENTIAL_OFFER}://`
+      };
+    }
+    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
+    this._state.clientId = clientId;
+    authorizationRequestOpts.clientId = clientId;
+    return authorizationRequestOpts;
+  }
+  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = {
+        ...(0, import_oid4vci_common23.toAuthorizationResponsePayload)(authorizationResponse)
+      };
+    } else if (code) {
+      this._state.authorizationCodeResponse = {
+        code
+      };
+    }
+    return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
+  }, "getAuthorizationCode");
+};
+
+// lib/OpenID4VCIClientV1_0_13.ts
+var import_oid4vci_common24 = require("@sphereon/oid4vci-common");
+var import_debug14 = __toESM(require("debug"), 1);
+var debug14 = (0, import_debug14.default)("sphereon:oid4vci");
+var OpenID4VCIClientV1_0_13 = class _OpenID4VCIClientV1_0_13 {
+  static {
+    __name(this, "OpenID4VCIClientV1_0_13");
+  }
+  _state;
+  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, accessToken, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common24.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
+    if (!issuer) {
+      throw Error("No credential issuer supplied or deduced from offer");
+    }
+    this._state = {
+      credentialOffer,
+      credentialIssuer: issuer,
+      kid,
+      alg,
+      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+      clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common24.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
+      pkce: {
+        disabled: false,
+        codeChallengeMethod: import_oid4vci_common24.CodeChallengeMethod.S256,
+        ...pkce
+      },
+      authorizationRequestOpts,
+      authorizationCodeResponse,
+      accessToken,
+      jwk,
+      endpointMetadata,
+      accessTokenResponse,
+      authorizationURL
+    };
+    if (!this._state.authorizationRequestOpts) {
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+    }
+    debug14(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
+  }
+  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
+    const client = new _OpenID4VCIClientV1_0_13({
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId,
+      credentialIssuer,
+      pkce,
+      authorizationRequest
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+    }
+    return client;
+  }
+  static async fromState({ state }) {
+    const clientState = typeof state === "string" ? JSON.parse(state) : state;
+    return new _OpenID4VCIClientV1_0_13(clientState);
+  }
+  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
+    const credentialOfferClient = await CredentialOfferClient.fromURI(uri, {
+      resolve: resolveOfferUri
+    });
+    const client = new _OpenID4VCIClientV1_0_13({
+      credentialOffer: credentialOfferClient,
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
+      pkce,
+      authorizationRequest
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+      debug14(`Authorization Request URL: ${client._state.authorizationURL}`);
+    }
+    return client;
+  }
+  /**
+  * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+  *
+  * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+  * @param opts
+  */
+  async createAuthorizationRequestUrl(opts) {
+    if (!this._state.authorizationURL) {
+      this.calculatePKCEOpts(opts?.pkce);
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
+      if (!this._state.authorizationRequestOpts) {
+        throw Error(`No Authorization Request options present or provided in this call`);
+      }
+      if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
+        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
+      }
+      this._state.authorizationURL = await createAuthorizationRequestUrl({
+        pkce: this._state.pkce,
+        endpointMetadata: this.endpointMetadata,
+        authorizationRequest: this._state.authorizationRequestOpts,
+        credentialOffer: this.credentialOffer,
+        credentialConfigurationSupported: this.getCredentialsSupported(),
+        version: this.version()
+      });
+    }
+    return this._state.authorizationURL;
+  }
+  async retrieveServerMetadata() {
+    this.assertIssuerData();
+    if (!this._state.endpointMetadata) {
+      if (this.credentialOffer) {
+        this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._state.credentialIssuer) {
+        this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadata(this._state.credentialIssuer);
+      } else {
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
+      }
+    }
+    return this.endpointMetadata;
+  }
+  calculatePKCEOpts(pkce) {
+    this._state.pkce = generateMissingPKCEOpts({
+      ...this._state.pkce,
+      ...pkce
+    });
+  }
+  async acquireAuthorizationChallengeCode(opts) {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts
+    });
+    if (response.errorBody) {
+      debug14(`Authorization code error:\r
+${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug14(`Authorization code error. No success body`);
+      return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
+    }
+    return {
+      ...response.successBody
+    };
+  }
+  async acquireAccessToken(opts) {
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
+    let { redirectUri } = opts ?? {};
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
+    if (opts?.codeVerifier) {
+      this._state.pkce.codeVerifier = opts.codeVerifier;
+    }
+    this.assertIssuerData();
+    const asOpts = {
+      ...opts?.asOpts
+    };
+    const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+    const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
+    if (this.isEBSI() || clientId && kid) {
+      if (!clientId) {
+        throw Error(`Client id expected for EBSI`);
+      }
+      asOpts.clientOpts = {
+        ...asOpts.clientOpts,
+        clientId,
+        ...kid && {
+          kid
+        },
+        ...clientAssertionType && {
+          clientAssertionType
+        },
+        signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
+      };
+    }
+    if (clientId) {
+      this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = {
+          clientId
+        };
+      }
+      asOpts.clientOpts.clientId = clientId;
+    }
+    if (!this._state.accessTokenResponse) {
+      const accessTokenClient = new AccessTokenClient();
+      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
+        console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
+      }
+      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
+        redirectUri = this._state.authorizationRequestOpts.redirectUri;
+      }
+      const response = await accessTokenClient.acquireAccessToken({
+        credentialOffer: this.credentialOffer,
+        metadata: this.endpointMetadata,
+        credentialIssuer: this.getIssuer(),
+        pin,
+        ...!this._state.pkce.disabled && {
+          codeVerifier: this._state.pkce.codeVerifier
+        },
+        code,
+        redirectUri,
+        asOpts,
+        ...opts?.createDPoPOpts && {
+          createDPoPOpts: opts.createDPoPOpts
+        },
+        ...opts?.additionalRequestParams && {
+          additionalParams: opts.additionalRequestParams
+        }
+      });
+      if (response.errorBody) {
+        debug14(`Access token error:\r
+${JSON.stringify(response.errorBody)}`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+      } else if (!response.successBody) {
+        debug14(`Access token error. No success body`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+      }
+      this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
+      this._state.accessToken = response.successBody.access_token;
+    }
+    return {
+      ...this.accessTokenResponse,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      }
+    };
+  }
+  async acquireCredentialsWithoutProof(args) {
+    return await this.acquireCredentialsImpl(args);
+  }
+  async acquireCredentials(args) {
+    return await this.acquireCredentialsImpl(args);
+  }
+  async acquireCredentialsImpl({ credentialIdentifier, credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
+    if ([
+      jwk,
+      kid
+    ].filter((v) => v !== void 0).length > 1) {
+      throw new Error(import_oid4vci_common24.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
+    }
+    if (alg) this._state.alg = alg;
+    if (jwk) this._state.jwk = jwk;
+    if (kid) this._state.kid = kid;
+    const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({
+      credentialOffer: this.credentialOffer,
+      metadata: this.endpointMetadata
+    }) : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({
+      credentialIssuer: this.getIssuer(),
+      credentialIdentifier,
+      metadata: this.endpointMetadata,
+      version: this.version()
+    });
+    const issuerState = this.issuerSupportedFlowTypes().includes(import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && this._state.authorizationCodeResponse && !this.accessTokenResponse?.c_nonce && this._state.credentialOffer?.issuerState ? this._state.credentialOffer.issuerState : void 0;
+    requestBuilder.withIssuerState(issuerState);
+    requestBuilder.withTokenFromResponse(this.accessTokenResponse);
+    requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
+    let subjectIssuance;
+    if (this.endpointMetadata?.credentialIssuerMetadata) {
+      const metadata = this.endpointMetadata.credentialIssuerMetadata;
+      const types = credentialTypes ? Array.isArray(credentialTypes) ? credentialTypes : [
+        credentialTypes
+      ] : void 0;
+      if (credentialIdentifier) {
+        if (typeof metadata.credential_configurations_supported !== "object") {
+          throw Error(`Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`);
+        }
+        const credentialsSupported = metadata.credential_configurations_supported;
+        if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {
+          throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`);
+        }
+      } else if (!types) {
+        throw Error(`If no credential_identifier is used, we expect types`);
+      } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
+        let typeSupported = false;
+        metadata.credentials_supported.forEach((supportedCredential) => {
+          const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
+          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
+            typeSupported = true;
+            if (supportedCredential.credential_subject_issuance) {
+              subjectIssuance = {
+                credential_subject_issuance: supportedCredential.credential_subject_issuance
+              };
+            }
+          }
+        });
+        if (!typeSupported) {
+          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+        }
+      } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === "object") {
+        let typeSupported = false;
+        Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {
+          const subTypes = (0, import_oid4vci_common24.getTypesFromCredentialSupported)(supportedCredential);
+          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
+            typeSupported = true;
+          }
+        });
+        if (!typeSupported) {
+          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+        }
+      }
+    }
+    if (subjectIssuance) {
+      requestBuilder.withSubjectIssuance(subjectIssuance);
+    }
+    const credentialRequestClient = requestBuilder.build();
+    let proofBuilder;
+    if (proofCallbacks) {
+      proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+        accessTokenResponse: this.accessTokenResponse,
+        callbacks: proofCallbacks,
+        version: this.version()
+      }).withIssuer(this.getIssuer()).withAlg(this.alg);
+      if (this._state.jwk) {
+        proofBuilder.withJWK(this._state.jwk);
+      }
+      if (this._state.kid) {
+        proofBuilder.withKid(this._state.kid);
+      }
+      if (this.clientId) {
+        proofBuilder.withClientId(this.clientId);
+      }
+      if (jti) {
+        proofBuilder.withJti(jti);
+      }
+    }
+    const request = proofBuilder ? await credentialRequestClient.createCredentialRequest({
+      proofInput: proofBuilder,
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance
+    }) : await credentialRequestClient.createCredentialRequestWithoutProof({
+      credentialTypes,
+      context,
+      format,
+      version: this.version(),
+      credentialIdentifier,
+      subjectIssuance
+    });
+    const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts);
+    this._state.dpopResponseParams = response.params;
+    if (response.errorBody) {
+      debug14(`Credential request error:\r
+${JSON.stringify(response.errorBody)}`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+    } else if (!response.successBody) {
+      debug14(`Credential request error. No success body`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+    }
+    return {
+      ...response.successBody,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      },
+      access_token: response.access_token
+    };
+  }
+  async exportState() {
+    return JSON.stringify(this._state);
+  }
+  getCredentialsSupported(format) {
+    return (0, import_oid4vci_common24.getSupportedCredentials)({
+      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
+      version: this.version(),
+      format,
+      types: void 0
+    });
+  }
+  async sendNotification(credentialRequestOpts, request, accessToken) {
+    return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token);
+  }
+  /* getCredentialOfferTypes(): string[][] {
+    if (!this.credentialOffer) {
+      return [];
+    } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {
+      const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;
+      const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;
+      const result: string[][] = [];
+      result[0] = types;
+      return result;
+    } else {
+      return this.credentialOffer.credential_offer.credentials.map((c) => {
+        if (typeof c === 'string') {
+          return [c];
+        } else if ('types' in c) {
+          return c.types;
+        } else if ('vct' in c) {
+          return [c.vct];
+        } else {
+          return c.credential_definition.types;
+        }
+      });
+    }
+  }*/
+  issuerSupportedFlowTypes() {
+    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
+      import_oid4vci_common24.AuthzFlowType.AUTHORIZATION_CODE_FLOW
+    ] : []);
+  }
+  isFlowTypeSupported(flowType) {
+    return this.issuerSupportedFlowTypes().includes(flowType);
+  }
+  hasAuthorizationURL() {
+    return !!this.authorizationURL;
+  }
+  get authorizationURL() {
+    return this._state.authorizationURL;
+  }
+  get credentialOffer() {
+    return this._state.credentialOffer;
+  }
+  version() {
+    return this.credentialOffer?.version ?? import_oid4vci_common24.OpenId4VCIVersion.VER_1_0_13;
+  }
+  get endpointMetadata() {
+    this.assertServerMetadata();
+    return this._state.endpointMetadata;
+  }
+  get kid() {
+    this.assertIssuerData();
+    if (!this._state.kid) {
+      throw new Error("No value for kid is supplied");
+    }
+    return this._state.kid;
+  }
+  get alg() {
+    this.assertIssuerData();
+    if (!this._state.alg) {
+      throw new Error("No value for alg is supplied");
+    }
+    return this._state.alg;
+  }
+  set clientId(value) {
+    this._state.clientId = value;
+  }
+  get clientId() {
+    return this._state.clientId;
+  }
+  hasAccessTokenResponse() {
+    return !!this._state.accessTokenResponse;
+  }
+  get accessTokenResponse() {
+    this.assertAccessToken();
+    return this._state.accessTokenResponse;
+  }
+  get dpopResponseParams() {
+    return this._state.dpopResponseParams;
+  }
+  getIssuer() {
+    this.assertIssuerData();
+    return this._state.credentialIssuer;
+  }
+  getAccessTokenEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClient.determineTokenURL({
+      issuerOpts: {
+        issuer: this.getIssuer()
+      }
+    });
+  }
+  getCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  hasDeferredCredentialEndpoint() {
+    return !!this.getAccessTokenEndpoint();
+  }
+  getDeferredCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  /**
+  * Too bad we need a method like this, but EBSI is not exposing metadata
+  */
+  isEBSI() {
+    const credentialOffer = this.credentialOffer?.credential_offer;
+    if (credentialOffer?.credential_configuration_ids) {
+      const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported;
+      if (credentialConfigurations) {
+        const isEBSITrustFramework = credentialOffer.credential_configuration_ids.map((id) => credentialConfigurations[id]).filter((config) => (
+          // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+          // @ts-ignore
+          config !== void 0 && "trust_framework" in config && "name" in config.trust_framework
+        )).some((config) => config.trust_framework.name.includes("ebsi"));
+        if (isEBSITrustFramework) {
+          return true;
+        }
+      }
+    }
+    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
+  }
+  assertIssuerData() {
+    if (!this._state.credentialIssuer) {
+      throw Error(`No credential issuer value present`);
+    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
+      throw Error(`No issuance initiation or credential offer present`);
+    }
+  }
+  assertServerMetadata() {
+    if (!this._state.endpointMetadata) {
+      throw Error("No server metadata");
+    }
+  }
+  assertAccessToken() {
+    if (!this._state.accessTokenResponse) {
+      throw Error(`No access token present`);
+    }
+  }
+  syncAuthorizationRequestOpts(opts) {
+    let authorizationRequestOpts = {
+      ...this._state?.authorizationRequestOpts,
+      ...opts
+    };
+    if (!authorizationRequestOpts) {
+      authorizationRequestOpts = {
+        redirectUri: `${import_oid4vci_common24.DefaultURISchemes.CREDENTIAL_OFFER}://`
+      };
+    }
+    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
+    this._state.clientId = clientId;
+    authorizationRequestOpts.clientId = clientId;
+    return authorizationRequestOpts;
+  }
+  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = {
+        ...(0, import_oid4vci_common24.toAuthorizationResponsePayload)(authorizationResponse)
+      };
+    } else if (code) {
+      this._state.authorizationCodeResponse = {
+        code
+      };
+    }
+    return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
+  }, "getAuthorizationCode");
+};
+
+// lib/OpenID4VCIClientV1_0_11.ts
+var import_oid4vci_common25 = require("@sphereon/oid4vci-common");
+var import_debug15 = __toESM(require("debug"), 1);
+var debug15 = (0, import_debug15.default)("sphereon:oid4vci");
+var OpenID4VCIClientV1_0_11 = class _OpenID4VCIClientV1_0_11 {
+  static {
+    __name(this, "OpenID4VCIClientV1_0_11");
+  }
+  _state;
+  constructor({ credentialOffer, clientId, kid, alg, credentialIssuer, pkce, authorizationRequest, jwk, endpointMetadata, accessTokenResponse, authorizationRequestOpts, authorizationCodeResponse, authorizationURL }) {
+    const issuer = credentialIssuer ?? (credentialOffer ? (0, import_oid4vci_common25.getIssuerFromCredentialOfferPayload)(credentialOffer.credential_offer) : void 0);
+    if (!issuer) {
+      throw Error("No credential issuer supplied or deduced from offer");
+    }
+    this._state = {
+      credentialOffer,
+      credentialIssuer: issuer,
+      kid,
+      alg,
+      // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id
+      clientId: clientId ?? (credentialOffer && (0, import_oid4vci_common25.getClientIdFromCredentialOfferPayload)(credentialOffer.credential_offer)) ?? kid?.split("#")[0],
+      pkce: {
+        disabled: false,
+        codeChallengeMethod: import_oid4vci_common25.CodeChallengeMethod.S256,
+        ...pkce
+      },
+      authorizationRequestOpts,
+      authorizationCodeResponse,
+      jwk,
+      endpointMetadata,
+      accessTokenResponse,
+      authorizationURL
+    };
+    if (!this._state.authorizationRequestOpts) {
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest);
+    }
+    debug15(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`);
+  }
+  static async fromCredentialIssuer({ kid, alg, retrieveServerMetadata, clientId, credentialIssuer, pkce, authorizationRequest, createAuthorizationRequestURL }) {
+    const client = new _OpenID4VCIClientV1_0_11({
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId,
+      credentialIssuer,
+      pkce,
+      authorizationRequest
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+    }
+    return client;
+  }
+  static async fromState({ state }) {
+    const clientState = typeof state === "string" ? JSON.parse(state) : state;
+    return new _OpenID4VCIClientV1_0_11(clientState);
+  }
+  static async fromURI({ uri, kid, alg, retrieveServerMetadata, clientId, pkce, createAuthorizationRequestURL, authorizationRequest, resolveOfferUri }) {
+    const credentialOfferClient = await CredentialOfferClientV1_0_11.fromURI(uri, {
+      resolve: resolveOfferUri
+    });
+    const client = new _OpenID4VCIClientV1_0_11({
+      credentialOffer: credentialOfferClient,
+      kid,
+      alg,
+      clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,
+      pkce,
+      authorizationRequest
+    });
+    if (retrieveServerMetadata === void 0 || retrieveServerMetadata) {
+      await client.retrieveServerMetadata();
+    }
+    if (credentialOfferClient.supportedFlows.includes(import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW) && (createAuthorizationRequestURL === void 0 || createAuthorizationRequestURL)) {
+      await client.createAuthorizationRequestUrl({
+        authorizationRequest,
+        pkce
+      });
+      debug15(`Authorization Request URL: ${client._state.authorizationURL}`);
+    }
+    return client;
+  }
+  /**
+  * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)
+  *
+  * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device
+  * @param opts
+  */
+  async createAuthorizationRequestUrl(opts) {
+    if (!this._state.authorizationURL) {
+      this.calculatePKCEOpts(opts?.pkce);
+      this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest);
+      if (!this._state.authorizationRequestOpts) {
+        throw Error(`No Authorization Request options present or provided in this call`);
+      }
+      if (this._state.endpointMetadata?.credentialIssuerMetadata && "authorization_endpoint" in this._state.endpointMetadata.credentialIssuerMetadata) {
+        this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint;
+      }
+      this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({
+        pkce: this._state.pkce,
+        endpointMetadata: this.endpointMetadata,
+        authorizationRequest: this._state.authorizationRequestOpts,
+        credentialOffer: this.credentialOffer,
+        credentialsSupported: Object.values(this.getCredentialsSupported())
+      });
+    }
+    return this._state.authorizationURL;
+  }
+  async retrieveServerMetadata() {
+    this.assertIssuerData();
+    if (!this._state.endpointMetadata) {
+      if (this.credentialOffer) {
+        this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(this.credentialOffer);
+      } else if (this._state.credentialIssuer) {
+        this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadata(this._state.credentialIssuer);
+      } else {
+        throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`);
+      }
+    }
+    return this.endpointMetadata;
+  }
+  calculatePKCEOpts(pkce) {
+    this._state.pkce = generateMissingPKCEOpts({
+      ...this._state.pkce,
+      ...pkce
+    });
+  }
+  async acquireAuthorizationChallengeCode(opts) {
+    const response = await acquireAuthorizationChallengeAuthCode({
+      metadata: this.endpointMetadata,
+      credentialIssuer: this.getIssuer(),
+      clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,
+      ...opts
+    });
+    if (response.errorBody) {
+      debug15(`Authorization code error:\r
+${JSON.stringify(response.errorBody)}`);
+      const error = response.errorBody;
+      return Promise.reject(error);
+    } else if (!response.successBody) {
+      debug15(`Authorization code error. No success body`);
+      return Promise.reject(Error(`Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`));
+    }
+    return {
+      ...response.successBody
+    };
+  }
+  async acquireAccessToken(opts) {
+    const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {};
+    let { redirectUri } = opts ?? {};
+    const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code);
+    if (opts?.codeVerifier) {
+      this._state.pkce.codeVerifier = opts.codeVerifier;
+    }
+    this.assertIssuerData();
+    const asOpts = {
+      ...opts?.asOpts
+    };
+    if (clientId) {
+      this._state.clientId = clientId;
+      if (!asOpts.clientOpts) {
+        asOpts.clientOpts = {
+          clientId
+        };
+      }
+      asOpts.clientOpts.clientId = clientId;
+    }
+    if (!this._state.accessTokenResponse) {
+      const accessTokenClient = new AccessTokenClientV1_0_11();
+      if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {
+        console.log(`Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`);
+      }
+      if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {
+        redirectUri = this._state.authorizationRequestOpts.redirectUri;
+      }
+      const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid;
+      const clientAssertionType = asOpts.clientOpts?.clientAssertionType ?? (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === "function" ? "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" : void 0);
+      if (this.isEBSI() || clientId && kid) {
+        if (!clientId) {
+          throw Error(`Client id expected for EBSI`);
+        }
+        asOpts.clientOpts = {
+          ...asOpts.clientOpts,
+          clientId,
+          ...kid && {
+            kid
+          },
+          ...clientAssertionType && {
+            clientAssertionType
+          },
+          signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks
+        };
+      }
+      const response = await accessTokenClient.acquireAccessToken({
+        credentialOffer: this.credentialOffer,
+        metadata: this.endpointMetadata,
+        credentialIssuer: this.getIssuer(),
+        pin,
+        ...!this._state.pkce.disabled && {
+          codeVerifier: this._state.pkce.codeVerifier
+        },
+        code,
+        redirectUri,
+        asOpts,
+        ...opts?.createDPoPOpts && {
+          createDPoPOpts: opts.createDPoPOpts
+        },
+        ...opts?.additionalRequestParams && {
+          additionalParams: opts.additionalRequestParams
+        }
+      });
+      if (response.errorBody) {
+        debug15(`Access token error:\r
+${JSON.stringify(response.errorBody)}`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+      } else if (!response.successBody) {
+        debug15(`Access token error. No success body`);
+        throw Error(`Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+      }
+      this._state.accessTokenResponse = response.successBody;
+      this._state.dpopResponseParams = response.params;
+      this._state.accessToken = response.successBody.access_token;
+    }
+    return {
+      ...this.accessTokenResponse,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      }
+    };
+  }
+  async acquireCredentials({ credentialTypes, context, proofCallbacks, format, kid, jwk, alg, jti, deferredCredentialAwait, deferredCredentialIntervalInMS, createDPoPOpts }) {
+    if ([
+      jwk,
+      kid
+    ].filter((v) => v !== void 0).length > 1) {
+      throw new Error(import_oid4vci_common25.KID_JWK_X5C_ERROR + `. jwk: ${jwk !== void 0}, kid: ${kid !== void 0}`);
+    }
+    if (alg) this._state.alg = alg;
+    if (jwk) this._state.jwk = jwk;
+    if (kid) this._state.kid = kid;
+    const requestBuilder = this.credentialOffer ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({
+      credentialOffer: this.credentialOffer,
+      metadata: this.endpointMetadata
+    }) : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({
+      credentialIssuer: this.getIssuer(),
+      credentialTypes,
+      metadata: this.endpointMetadata,
+      version: this.version()
+    });
+    requestBuilder.withTokenFromResponse(this.accessTokenResponse);
+    requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS);
+    if (this.endpointMetadata?.credentialIssuerMetadata) {
+      const metadata = this.endpointMetadata.credentialIssuerMetadata;
+      const types = Array.isArray(credentialTypes) ? credentialTypes : [
+        credentialTypes
+      ];
+      if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {
+        let typeSupported = false;
+        metadata.credentials_supported.forEach((supportedCredential) => {
+          const subTypes = (0, import_oid4vci_common25.getTypesFromCredentialSupported)(supportedCredential);
+          if (subTypes.every((t, i) => types[i] === t) || types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0]))) {
+            typeSupported = true;
+          }
+        });
+        if (!typeSupported) {
+          console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`);
+        }
+      } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {
+        const credentialsSupported = metadata.credentials_supported;
+        if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {
+          throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);
+        }
+      }
+    }
+    const credentialRequestClient = requestBuilder.build();
+    const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({
+      accessTokenResponse: this.accessTokenResponse,
+      callbacks: proofCallbacks,
+      version: this.version()
+    }).withIssuer(this.getIssuer()).withAlg(this.alg);
+    if (this._state.jwk) {
+      proofBuilder.withJWK(this._state.jwk);
+    }
+    if (this._state.kid) {
+      proofBuilder.withKid(this._state.kid);
+    }
+    if (this.clientId) {
+      proofBuilder.withClientId(this.clientId);
+    }
+    if (jti) {
+      proofBuilder.withJti(jti);
+    }
+    const response = await credentialRequestClient.acquireCredentialsUsingProof({
+      proofInput: proofBuilder,
+      credentialTypes,
+      context,
+      format,
+      createDPoPOpts
+    });
+    this._state.dpopResponseParams = response.params;
+    if (response.errorBody) {
+      debug15(`Credential request error:\r
+${JSON.stringify(response.errorBody)}`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${response.origResponse.status}`);
+    } else if (!response.successBody) {
+      debug15(`Credential request error. No success body`);
+      throw Error(`Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`);
+    }
+    return {
+      ...response.successBody,
+      ...this.dpopResponseParams && {
+        params: this.dpopResponseParams
+      }
+    };
+  }
+  async exportState() {
+    return JSON.stringify(this._state);
+  }
+  // FIXME: We really should convert <v11 to v12 objects first. Right now the logic doesn't map nicely and is brittle.
+  // We should resolve IDs to objects first in case of strings.
+  // When < v11 convert into a v12 object. When v12 object retain it.
+  // Then match the object array on server metadata
+  getCredentialsSupportedV11(restrictToInitiationTypes, format) {
+    return (0, import_oid4vci_common25.getSupportedCredentials)({
+      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
+      version: this.version(),
+      format,
+      types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : void 0
+    });
+  }
+  getCredentialsSupported(format) {
+    return (0, import_oid4vci_common25.getSupportedCredentials)({
+      issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,
+      version: this.version(),
+      format,
+      types: void 0
+    });
+  }
+  getCredentialOfferTypes() {
+    if (!this.credentialOffer) {
+      return [];
+    } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11) {
+      const orig = this.credentialOffer.original_credential_offer;
+      const types = typeof orig.credential_type === "string" ? [
+        orig.credential_type
+      ] : orig.credential_type;
+      const result = [];
+      result[0] = types;
+      return result;
+    } else if (this.credentialOffer.version < import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_13) {
+      return this.credentialOffer.credential_offer.credentials.map((c) => (0, import_oid4vci_common25.getTypesFromObject)(c) ?? []);
+    }
+    throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`);
+  }
+  issuerSupportedFlowTypes() {
+    return this.credentialOffer?.supportedFlows ?? (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [
+      import_oid4vci_common25.AuthzFlowType.AUTHORIZATION_CODE_FLOW
+    ] : []);
+  }
+  isFlowTypeSupported(flowType) {
+    return this.issuerSupportedFlowTypes().includes(flowType);
+  }
+  get authorizationURL() {
+    return this._state.authorizationURL;
+  }
+  hasAuthorizationURL() {
+    return !!this.authorizationURL;
+  }
+  get credentialOffer() {
+    return this._state.credentialOffer;
+  }
+  version() {
+    return this.credentialOffer?.version ?? import_oid4vci_common25.OpenId4VCIVersion.VER_1_0_11;
+  }
+  get endpointMetadata() {
+    this.assertServerMetadata();
+    return this._state.endpointMetadata;
+  }
+  get kid() {
+    this.assertIssuerData();
+    if (!this._state.kid) {
+      throw new Error("No value for kid is supplied");
+    }
+    return this._state.kid;
+  }
+  get alg() {
+    this.assertIssuerData();
+    if (!this._state.alg) {
+      throw new Error("No value for alg is supplied");
+    }
+    return this._state.alg;
+  }
+  set clientId(value) {
+    this._state.clientId = value;
+  }
+  get clientId() {
+    return this._state.clientId;
+  }
+  hasAccessTokenResponse() {
+    return !!this._state.accessTokenResponse;
+  }
+  get accessTokenResponse() {
+    this.assertAccessToken();
+    return this._state.accessTokenResponse;
+  }
+  get dpopResponseParams() {
+    return this._state.dpopResponseParams;
+  }
+  getIssuer() {
+    this.assertIssuerData();
+    return this._state.credentialIssuer;
+  }
+  getAccessTokenEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.token_endpoint : AccessTokenClientV1_0_11.determineTokenURL({
+      issuerOpts: {
+        issuer: this.getIssuer()
+      }
+    });
+  }
+  getCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  hasDeferredCredentialEndpoint() {
+    return !!this.getAccessTokenEndpoint();
+  }
+  getDeferredCredentialEndpoint() {
+    this.assertIssuerData();
+    return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`;
+  }
+  /**
+  * Too bad we need a method like this, but EBSI is not exposing metadata
+  */
+  isEBSI() {
+    if (this.credentialOffer && this.credentialOffer?.credential_offer?.credentials?.find((cred) => (
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore
+      typeof cred !== "string" && "trust_framework" in cred && "name" in cred.trust_framework && cred.trust_framework.name.includes("ebsi")
+    ))) {
+      return true;
+    }
+    return this.clientId?.includes("ebsi") || this._state.kid?.includes("did:ebsi:") || this.getIssuer().includes("ebsi") || this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes("ebsi.eu") || this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes("ebsi.eu");
+  }
+  assertIssuerData() {
+    if (!this._state.credentialIssuer) {
+      throw Error(`No credential issuer value present`);
+    } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {
+      throw Error(`No issuance initiation or credential offer present`);
+    }
+  }
+  assertServerMetadata() {
+    if (!this._state.endpointMetadata) {
+      throw Error("No server metadata");
+    }
+  }
+  assertAccessToken() {
+    if (!this._state.accessTokenResponse) {
+      throw Error(`No access token present`);
+    }
+  }
+  syncAuthorizationRequestOpts(opts) {
+    let authorizationRequestOpts = {
+      ...this._state?.authorizationRequestOpts,
+      ...opts
+    };
+    if (!authorizationRequestOpts) {
+      authorizationRequestOpts = {
+        redirectUri: `${import_oid4vci_common25.DefaultURISchemes.CREDENTIAL_OFFER}://`
+      };
+    }
+    const clientId = authorizationRequestOpts.clientId ?? this._state.clientId;
+    this._state.clientId = clientId;
+    authorizationRequestOpts.clientId = clientId;
+    return authorizationRequestOpts;
+  }
+  getAuthorizationCode = /* @__PURE__ */ __name((authorizationResponse, code) => {
+    if (authorizationResponse) {
+      this._state.authorizationCodeResponse = {
+        ...(0, import_oid4vci_common25.toAuthorizationResponsePayload)(authorizationResponse)
+      };
+    } else if (code) {
+      this._state.authorizationCodeResponse = {
+        code
+      };
+    }
+    return this._state.authorizationCodeResponse?.code ?? this._state.authorizationCodeResponse?.authorization_code;
+  }, "getAuthorizationCode");
+};
+
+// lib/index.ts
+var LOG2 = import_oid4vci_common26.VCI_LOGGERS.get("sphereon:oid4vci:client");
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AccessTokenClient,
+  AccessTokenClientV1_0_11,
+  CredentialOfferClient,
+  CredentialOfferClientV1_0_11,
+  CredentialOfferClientV1_0_13,
+  CredentialRequestClient,
+  CredentialRequestClientBuilder,
+  CredentialRequestClientBuilderV1_0_11,
+  CredentialRequestClientBuilderV1_0_13,
+  CredentialRequestClientV1_0_11,
+  LOG,
+  MetadataClient,
+  MetadataClientV1_0_11,
+  MetadataClientV1_0_13,
+  OpenID4VCIClient,
+  OpenID4VCIClientV1_0_11,
+  OpenID4VCIClientV1_0_13,
+  ProofOfPossessionBuilder,
+  acquireAuthorizationChallengeAuthCode,
+  acquireAuthorizationChallengeAuthCodeUsingRequest,
+  buildProof,
+  constructBaseResponse,
+  createAuthorizationChallengeRequest,
+  createAuthorizationRequestUrl,
+  createAuthorizationRequestUrlV1_0_11,
+  createJwtBearerClientAssertion,
+  createSignedAuthRequestWhenNeeded,
+  generateMissingPKCEOpts,
+  handleCredentialOfferUri,
+  isUriEncoded,
+  retrieveWellknown,
+  sendAuthorizationChallengeRequest,
+  sendNotification
+});
+//# sourceMappingURL=index.cjs.map