nmshd · Magnus-Kuhn · Mar 19, 2026 · Mar 17, 2026 · Mar 18, 2026 · Mar 18, 2026
diff --git a/.ci/runChecks.sh b/.ci/runChecks.sh
@@ -6,4 +6,4 @@ npm run lint:eslint
 npm run lint:prettier
 npm run --workspaces cdep
 npx --workspaces license-check
-npx better-npm-audit audit --exclude 1112030
+npx better-npm-audit audit --exclude 1112030,1114592,1114594,1114638,1114640,1114642
diff --git a/package-lock.json b/package-lock.json
diff --git a/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts b/packages/consumption/src/modules/openid4vc/OpenId4VcController.ts
@@ -130,7 +130,7 @@ export class OpenId4VcController extends ConsumptionBaseController {
         return { status: serverResponse.status, message: serverResponse.body };
     }
 
-    public async createPresentationTokenContent(credential: VerifiableCredential): Promise<TokenContentVerifiablePresentation> {
-        return await this.holder.createPresentationTokenContent(credential);
+    public async createPresentationTokenContent(credential: VerifiableCredential, nonce: string): Promise<TokenContentVerifiablePresentation> {
+        return await this.holder.createPresentationTokenContent(credential, nonce);
     }
 }
diff --git a/packages/consumption/src/modules/openid4vc/local/Holder.ts b/packages/consumption/src/modules/openid4vc/local/Holder.ts
@@ -204,7 +204,7 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
 
     // hacky solution because credo doesn't support credentials without key binding
     // TODO: use credentials without key binding once supported
-    public async createPresentationTokenContent(credential: VerifiableCredential): Promise<TokenContentVerifiablePresentation> {
+    public async createPresentationTokenContent(credential: VerifiableCredential, nonce: string): Promise<TokenContentVerifiablePresentation> {
         if (credential.type !== ClaimFormat.SdJwtDc) throw new Error("Only SD-JWT credentials have been tested so far with token presentation");
 
         const sdJwtVcApi = this.agent.dependencyManager.resolve(SdJwtVcApi);
@@ -213,7 +213,7 @@ export class Holder extends BaseAgent<ReturnType<typeof getOpenIdHolderModules>>
             verifierMetadata: {
                 audience: "defaultPresentationAudience",
                 issuedAt: Date.now() / 1000,
-                nonce: "defaultPresentationNonce"
+                nonce
             }
         });
 

diff --git a/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts b/packages/runtime/src/useCases/consumption/openid4vc/CreatePresentationToken.ts
@@ -34,14 +34,17 @@ export class CreatePresentationTokenUseCase extends UseCase<CreatePresentationTo
         const attribute = await this.attributesController.getLocalAttribute(CoreId.from(request.attributeId));
         if (!(attribute?.content.value instanceof VerifiableCredential)) return Result.fail(RuntimeErrors.general.recordNotFound("Attribute with Verifiable Credential"));
 
-        const presentationTokenContent = await this.openId4VcController.createPresentationTokenContent(attribute.content.value);
+        const emptyToken = await this.tokenController.sendEmptyToken({ expiresAt: CoreDate.from(request.expiresAt), ephemeral: request.ephemeral });
 
-        const token = await this.tokenController.sendToken({
-            content: presentationTokenContent.toJSON(),
-            expiresAt: CoreDate.from(request.expiresAt),
-            ephemeral: request.ephemeral
+        const presentationTokenContent = await this.openId4VcController.createPresentationTokenContent(attribute.content.value, emptyToken.id.toString());
+
+        const presentationToken = await this.tokenController.updateTokenContent({
+            id: emptyToken.id,
+            secretKey: emptyToken.secretKey,
+            content: presentationTokenContent,
+            passwordProtection: emptyToken.passwordProtection
         });
 
-        return Result.ok(TokenMapper.toTokenDTO(token, true));
+        return Result.ok(TokenMapper.toTokenDTO(presentationToken, true));
     }
 }