From 338b785ac60b6021873d384a916fd405f561915a Mon Sep 17 00:00:00 2001
From: Nader Helmy <creator.nader@gmail.com>
Date: Sun, 28 Jun 2026 18:28:09 -0400
Subject: [PATCH] fix: sync current x401 wire names

---
 README.md                                     | 158 ++--
 package.json                                  |   1 +
 scripts/sync-spec-fixtures.ts                 |  12 +-
 spec/SPEC_SOURCE.json                         |   4 +-
 spec/conformance.md                           | 109 ++-
 spec/fixtures/error-object.json               |   4 +-
 spec/fixtures/payload-1.json                  |   3 +-
 spec/fixtures/payload-2.json                  |  18 +-
 spec/fixtures/payload-3.json                  |  18 +-
 spec/fixtures/payload-4.json                  |  19 +-
 spec/fixtures/payload-5.json                  |  18 +-
 spec/fixtures/request.schema.json             |  72 +-
 ...artifact-1.json => result-artifact-1.json} |   4 +-
 ...artifact-2.json => result-artifact-2.json} |   4 +-
 ...artifact-5.json => result-artifact-3.json} |   2 +-
 ...artifact-4.json => result-artifact-4.json} |   4 +-
 ...artifact-3.json => result-artifact-5.json} |   2 +-
 spec/normative-ledger.json                    |  95 ++-
 spec/spec.md                                  | 805 +++++++++---------
 src/agent.ts                                  |  67 +-
 src/constants.ts                              |  10 +-
 src/index.ts                                  |   7 +-
 src/types.ts                                  |  58 +-
 src/validate.ts                               |  51 +-
 src/verifier.ts                               |  32 +-
 tests/spec-fixtures.test.ts                   |  31 +-
 tests/spec-schema.test.ts                     |  51 +-
 tests/x401.test.ts                            | 137 +--
 28 files changed, 941 insertions(+), 855 deletions(-)
 rename spec/fixtures/{vp-artifact-1.json => result-artifact-1.json} (57%)
 rename spec/fixtures/{vp-artifact-2.json => result-artifact-2.json} (57%)
 rename spec/fixtures/{vp-artifact-5.json => result-artifact-3.json} (52%)
 rename spec/fixtures/{vp-artifact-4.json => result-artifact-4.json} (57%)
 rename spec/fixtures/{vp-artifact-3.json => result-artifact-5.json} (52%)

diff --git a/README.md b/README.md
index 240da65..7c5347a 100644
--- a/README.md
+++ b/README.md
@@ -1,105 +1,106 @@
 # @proof.com/x401-node
 
-Node.js SDK for the [x401 protocol](https://x401.proof.com/spec) (v0.2.0).
-
-x401 gates an HTTP resource behind an identity proof requirement. The server (_verifier_) returns a
-[`PROOF-REQUIRED`](https://x401.proof.com/spec/#proof-header-fields) header carrying a composed
-[Digital Credentials API](https://www.w3.org/TR/digital-credentials/) request; the user _agent_
-obtains a presentation for that request and retries with a
-[`PROOF-PRESENTATION`](https://x401.proof.com/spec/#route-retry-headers) header. This package
-implements the data types and processing rules for both the _verifier_ and the user _agent_.
-
-It does **not** verify credentials — the presentation result is opaque, so pair it with a credential
-library such as [`@proof.com/proof-vc-common`](https://www.npmjs.com/package/@proof.com/proof-vc-common).
-It also does **not** compose or sign the OpenID4VP request, nor invoke the wallet; the verifier
-authors the request (out of scope here) and this package carries it opaque in `presentation_requirements`.
+Node.js SDK for the [x401 protocol](https://x401.proof.com/spec/latest/) (v0.2.0).
+
+x401 gates an HTTP resource behind an identity proof requirement. The server (Verifier) returns a
+[`PROOF-REQUEST`](https://x401.proof.com/spec/latest/#proof-header-fields) header carrying a
+composed [Digital Credentials API](https://www.w3.org/TR/digital-credentials/) request. The user
+Agent obtains a credential result for that request and retries with a
+[`PROOF-RESPONSE`](https://x401.proof.com/spec/latest/#route-retry-headers) header. The Verifier
+reports x401-specific results and errors in
+[`PROOF-RESULT`](https://x401.proof.com/spec/latest/#proof-header-fields).
+
+This package implements data types and wire-object processing rules for both the Verifier and the
+Agent. It does not verify credentials. Pair it with a credential verification library such as
+[`@proof.com/proof-vc-common`](https://www.npmjs.com/package/@proof.com/proof-vc-common). It also
+does not compose or sign the OpenID4VP request, nor invoke a wallet. The Verifier authors the
+request, and this package carries it opaque in `credential_requirements`.
 
 ## Table of Contents
 
 - [Installation](#installation)
 - [Verifier](#verifier)
-  - [Protect a resource (`PROOF-REQUIRED`)](#protect-a-resource-proof-required)
-  - [Verify a Proof (`PROOF-PRESENTATION`)](#verify-a-proof-proof-presentation)
+  - [Protect a resource (`PROOF-REQUEST`)](#protect-a-resource-proof-request)
+  - [Verify a result (`PROOF-RESPONSE`)](#verify-a-result-proof-response)
 - [Agent](#agent)
-  - [Read a Proof requirement (`PROOF-REQUIRED`)](#read-a-proof-requirement-proof-required)
-  - [Present a Proof (`PROOF-PRESENTATION`)](#present-a-proof-proof-presentation)
-  - [Exchange a Proof for a token](#exchange-a-proof-for-a-token)
+  - [Read a proof requirement (`PROOF-REQUEST`)](#read-a-proof-requirement-proof-request)
+  - [Present a result (`PROOF-RESPONSE`)](#present-a-result-proof-response)
+  - [Exchange a result for a token](#exchange-a-result-for-a-token)
 - [Contributing](#contributing)
 
 ## Installation
 
-```
+```sh
 npm install @proof.com/x401-node
 ```
 
 ## Verifier
 
-### Protect a resource (`PROOF-REQUIRED`)
+### Protect a resource (`PROOF-REQUEST`)
 
-The [x401 payload](https://x401.proof.com/spec/#x401-payload) carries the Verifier-composed
-[Digital Credentials request](https://x401.proof.com/spec/#presentation-requirements) and the OAuth
-token endpoint used for [token exchange](#exchange-a-proof-for-a-token). You compose and (for the
-RECOMMENDED signed mode) sign the OpenID4VP request yourself; this package carries it opaque.
+The [x401 payload](https://x401.proof.com/spec/latest/#x401-payload) carries the
+Verifier-composed credential request and the OAuth token endpoint used for
+[token exchange](#exchange-a-result-for-a-token). You compose and, for the recommended signed mode,
+sign the OpenID4VP request yourself. This package carries it opaque.
 
 ```ts
 import { verifier } from "@proof.com/x401-node";
 
 const payload = verifier.buildPayload({
-  presentationRequirements: {
-    requests: [
-      {
-        protocol: "openid4vp-v1-signed",
-        data: { request: signedOpenId4vpRequestJwt },
-      },
-    ],
+  credentialRequirements: {
+    digital: {
+      requests: [
+        {
+          protocol: "openid4vp-v1-signed",
+          data: { request: signedOpenId4vpRequestJwt },
+        },
+      ],
+    },
   },
   oauth: { token_endpoint: "https://research.example.com/oauth/token" },
-  trustEstablishment:
-    "https://research.example.com/.well-known/x401/trust/basic-v1",
   requestId: "proof-template-basic-v1",
   satisfiedRequirements: ["urn:proof:x401:satisfaction:basic:v1"],
 });
 ```
 
-`protocol` is `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`, and its `data`
-carries the request you composed and signed. `trustEstablishment`, `requestId`, and
-`satisfiedRequirements` are optional hints.
+`protocol` is `openid4vp-v1-signed` or `openid4vp-v1-unsigned`, and its `data` carries the request
+you composed and signed. `requestId` and `satisfiedRequirements` are optional hints.
 
 Return it as a header:
 
 ```ts
-response.setHeader("PROOF-REQUIRED", verifier.encodePayload(payload));
+response.setHeader("PROOF-REQUEST", verifier.encodePayload(payload));
 ```
 
 For clients that read the body but not the headers, mirror the requirement as an
-[embedded `<data>` element](https://x401.proof.com/spec/#embedded-proof-requirements-in-html-content)
-(the `$schema` marker is added automatically). The header remains authoritative and must still be set.
+[embedded `<data>` element](https://x401.proof.com/spec/latest/#embedded-proof-requirements-in-html-content).
+The `$schema` marker is added automatically. The header remains authoritative and must still be set.
 
 ```ts
-const html = `<article>…</article>${verifier.embedHtmlData(payload)}`;
+const html = `<article>...</article>${verifier.embedHtmlData(payload)}`;
 ```
 
-### Verify a Proof (`PROOF-PRESENTATION`)
+### Verify a result (`PROOF-RESPONSE`)
 
-Decode the artifact, then validate the presentation against the request you composed (binding,
-`nonce` freshness, credential query) with your credential library and route policy. The artifact may
-carry the result inline (`response`) or by reference (`presentation_uri`, which you dereference). On
-failure, return an [x401 Error Object](https://x401.proof.com/spec/#x401-error-object) in
-`PROOF-RESPONSE`. See the full
-[verifier processing rules](https://x401.proof.com/spec/#verifier-processing-rules).
+Decode the Result Artifact, then validate the credential result against the request you composed
+with your credential library and route policy. The artifact may carry the result inline
+(`credential_result`) or by reference (`credential_result_uri`, which you dereference). On failure,
+return an [x401 Error Object](https://x401.proof.com/spec/latest/#x401-error-object) in
+`PROOF-RESULT`. See the full
+[Verifier processing rules](https://x401.proof.com/spec/latest/#verifier-processing-rules).
 
 ```ts
-const artifact = verifier.decodeVPArtifact(
-  request.headers["proof-presentation"],
+const artifact = verifier.decodeResultArtifact(
+  request.headers["proof-response"],
 );
 
-const result = artifact.response
-  ? artifact.response
-  : await fetchPresentation(artifact.presentation_uri!);
+const result = artifact.credential_result
+  ? artifact.credential_result
+  : await fetchCredentialResult(artifact.credential_result_uri!);
 
-if (!validatePresentation(result)) {
+if (!validateCredentialResult(result)) {
   response.setHeader(
-    "PROOF-RESPONSE",
+    "PROOF-RESULT",
     verifier.encodeErrorObject(
       verifier.buildErrorObject({ error: "invalid_presentation" }),
     ),
@@ -110,13 +111,13 @@ if (!validatePresentation(result)) {
 
 ## Agent
 
-See the full [agent processing rules](https://x401.proof.com/spec/#agent-processing-rules).
+See the full [Agent processing rules](https://x401.proof.com/spec/latest/#agent-processing-rules).
 
-### Read a Proof requirement (`PROOF-REQUIRED`)
+### Read a proof requirement (`PROOF-REQUEST`)
 
 `detectProofRequirement` reads the header, falling back to the embedded `<data>` element.
-`getDigitalCredentialRequest` returns the Verifier-composed request unmodified — pass it straight to
-the Digital Credentials API (or relay it). The agent MUST NOT alter it.
+`getCredentialRequestOptions` returns the Verifier-composed credential request unmodified. Pass it
+straight to the Credential Manager, or relay it. The Agent must not alter it.
 
 ```ts
 import { agent } from "@proof.com/x401-node";
@@ -128,48 +129,49 @@ const requirement = agent.detectProofRequirement({
 });
 
 if (requirement) {
-  const dcRequest = agent.getDigitalCredentialRequest(requirement.payload);
-  const result = await navigator.credentials.get({ digital: dcRequest });
+  const credentialRequest = agent.getCredentialRequestOptions(
+    requirement.payload,
+  );
+  const result = await navigator.credentials.get(credentialRequest);
 }
 ```
 
-If you're an intermediary relaying the request to a **remote handler** (which POSTs the result
-back rather than invoking the DC API itself), add an `https` `return_uri` to the forwarded payload
-with `agent.addReturnUri(payload, returnUri)`. Only a relaying intermediary sets this — never the
-Verifier.
+If you are an intermediary relaying the request to a remote handler, add an `https` `return_uri` to
+the forwarded payload with `agent.addReturnUri(payload, returnUri)`. Only a relaying intermediary
+sets this. The Verifier never sets it.
 
-### Present a Proof (`PROOF-PRESENTATION`)
+### Present a result (`PROOF-RESPONSE`)
 
-Wrap the `{ protocol, data }` presentation result in a
-[VP Artifact](https://x401.proof.com/spec/#vp-artifact) and retry the same route. Use the
-by-reference form for results too large for a header.
+Wrap the `{ protocol, data }` credential result in a
+[Result Artifact](https://x401.proof.com/spec/latest/#result-artifact) and retry the same route. Use
+the by-reference form for results too large for a header.
 
 ```ts
-const artifact = agent.buildVPArtifact({
-  response: result,
+const artifact = agent.buildResultArtifact({
+  credentialResult: result,
   requestId: requirement.payload.request_id,
 });
 
 await fetch(url, {
-  headers: { "PROOF-PRESENTATION": agent.encodeVPArtifact(artifact) },
+  headers: { "PROOF-RESPONSE": agent.encodeResultArtifact(artifact) },
 });
 ```
 
 Or, by reference:
 
 ```ts
-const artifact = agent.buildVPArtifactReference({
-  presentationUri:
-    "https://research.example.com/.well-known/x401/presentations/abc",
+const artifact = agent.buildResultArtifactReference({
+  credentialResultUri:
+    "https://research.example.com/.well-known/x401/results/abc",
   expiresAt: "2026-05-06T18:50:00Z",
 });
 ```
 
-### Exchange a Proof for a token
+### Exchange a result for a token
 
 Exchange the artifact for a reusable Verification Token via
-[OAuth token exchange](https://x401.proof.com/spec/#oauth-token-exchange), then present it as an
-x401 Token Object.
+[OAuth token exchange](https://x401.proof.com/spec/latest/#oauth-token-exchange), then present it as
+an x401 Token Object.
 
 ```ts
 const form = agent.buildTokenExchangeForm(artifact, { resource: url });
@@ -183,7 +185,7 @@ const { access_token } = agent.parseTokenExchangeResponse(await res.json());
 const tokenHeader = agent.encodeTokenObject(
   agent.buildTokenObject(access_token),
 );
-await fetch(url, { headers: { "PROOF-PRESENTATION": tokenHeader } });
+await fetch(url, { headers: { "PROOF-RESPONSE": tokenHeader } });
 ```
 
 ## Contributing
diff --git a/package.json b/package.json
index fd2bf1d..2c003c9 100644
--- a/package.json
+++ b/package.json
@@ -39,6 +39,7 @@
     "format:check": "prettier --check .",
     "lint": "eslint . --fix",
     "lint:check": "eslint .",
+    "prepare": "npm run build",
     "publint": "publint --pack npm",
     "test": "node --test tests/*.test.ts",
     "typecheck": "tsc --noEmit"
diff --git a/scripts/sync-spec-fixtures.ts b/scripts/sync-spec-fixtures.ts
index 0680e6e..2b71d18 100644
--- a/scripts/sync-spec-fixtures.ts
+++ b/scripts/sync-spec-fixtures.ts
@@ -102,7 +102,7 @@ function main(): void {
   });
 
   let payloads = 0;
-  let vpArtifacts = 0;
+  let resultArtifacts = 0;
   let oid4vpRequests = 0;
   let schemaFound = false;
 
@@ -116,7 +116,7 @@ function main(): void {
       write("request.schema.json", obj);
       schemaFound = true;
     } else if (obj["scheme"] === "x401") {
-      if (obj["presentation_requirements"] !== undefined) {
+      if (obj["credential_requirements"] !== undefined) {
         write(`payload-${++payloads}.json`, obj);
       } else if (obj["error"] !== undefined) {
         write("error-object.json", obj);
@@ -124,10 +124,10 @@ function main(): void {
         write("token-object.json", obj);
       }
     } else if (
-      obj["response"] !== undefined ||
-      obj["presentation_uri"] !== undefined
+      obj["credential_result"] !== undefined ||
+      obj["credential_result_uri"] !== undefined
     ) {
-      write(`vp-artifact-${++vpArtifacts}.json`, obj);
+      write(`result-artifact-${++resultArtifacts}.json`, obj);
     } else if (obj["response_type"] === "vp_token") {
       // Informative: the decoded OpenID4VP request the Verifier signs into the JAR.
       write(`openid4vp-request-${++oid4vpRequests}.json`, obj);
@@ -148,7 +148,7 @@ function main(): void {
   };
   writeFileSync(SOURCE_FILE, JSON.stringify(updated, null, 2) + "\n", "utf8");
   console.log(
-    `Done. ${payloads} payload(s), ${vpArtifacts} VP artifact(s), ${oid4vpRequests} OID4VP request(s).`,
+    `Done. ${payloads} payload(s), ${resultArtifacts} result artifact(s), ${oid4vpRequests} OID4VP request(s).`,
   );
 }
 
diff --git a/spec/SPEC_SOURCE.json b/spec/SPEC_SOURCE.json
index 24de614..15e1016 100644
--- a/spec/SPEC_SOURCE.json
+++ b/spec/SPEC_SOURCE.json
@@ -1,9 +1,9 @@
 {
   "repo": "proof/x401",
-  "ref": "4057cacc41e9e20547f6a6949946e9e1115b37d2",
+  "ref": "3f73cf912cd05a40bf8de3fe6c1f4bb720341336",
   "branch": "main",
   "version": "0.2.0",
   "spec_url": "https://x401.proof.com/spec",
   "schema_url": "https://x401.id/spec/schemas/request.json",
-  "fetched_at": "2026-06-24T08:55:14.795Z"
+  "fetched_at": "2026-06-28T22:18:28.884Z"
 }
diff --git a/spec/conformance.md b/spec/conformance.md
index 0502975..a370d9b 100644
--- a/spec/conformance.md
+++ b/spec/conformance.md
@@ -1,70 +1,67 @@
 # x401 conformance map
 
-Maps the spec's RFC 2119 normative statements to where this library enforces them — or
-records why they are out of scope. The goal is to make "did we miss a MUST?" answerable.
+Maps the spec's RFC 2119 normative statements to where this library enforces them, or records why
+they are out of scope. The goal is to make "did we miss a MUST?" answerable.
 
-- **Source of truth:** `spec/spec.md` at the ref in `spec/SPEC_SOURCE.json` (currently
-  x401 **0.2.0**, proof/x401 `main` — PR #15 merged).
-- **Drift detection:** `spec/normative-ledger.json` snapshots every normative statement.
-  After `node scripts/sync-spec-fixtures.ts`, run `node scripts/extract-normative.ts` to see
-  what was **added/removed** since the ledger. Triage new statements here, then
+- **Source of truth:** `spec/spec.md` at the ref in `spec/SPEC_SOURCE.json` (currently x401
+  **0.2.0**, proof/x401 `main`).
+- **Drift detection:** `spec/normative-ledger.json` snapshots every normative statement. After
+  `node scripts/sync-spec-fixtures.ts`, run `node scripts/extract-normative.ts` to see what was
+  added or removed since the ledger. Triage new statements here, then run
   `node scripts/extract-normative.ts --update`.
-- **Scope of this library:** it produces, encodes, decodes, and structurally validates the
-  x401 **wire objects**. It does **not** verify credentials, validate presentation bindings,
-  sign/compose the OpenID4VP request, perform the DC API call, or make HTTP/transport
-  decisions. Those statements are marked out of scope with the responsible layer.
+- **Scope of this library:** it produces, encodes, decodes, and structurally validates the x401 wire
+  objects. It does not verify credentials, validate result bindings, sign or compose the OpenID4VP
+  request, perform the Credential Manager call, or make HTTP transport decisions. Those statements
+  are marked out of scope with the responsible layer.
 
-## In scope — enforced or produced by this library
+## In scope: enforced or produced by this library
 
-| Spec requirement                                                                                                                                                                                                      | Where                                                                                                                                                                                     |
-| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `scheme` MUST be `"x401"` (payload, error, token)                                                                                                                                                                     | `validate.ts` `parseX401Payload` / `parseX401ErrorObject` / `parseX401TokenObject`; builders in `verifier.ts`/`agent.ts` set the constant. Tests: `x401.test.ts`, `spec-fixtures.test.ts` |
-| `version` REQUIRED                                                                                                                                                                                                    | `validate.ts` (all three parsers); `X401_VERSION` constant                                                                                                                                |
-| `presentation_requirements` REQUIRED; `requests` a non-empty array; each `protocol` is `openid4vp-v1-signed`/`openid4vp-v1-unsigned`; each `data` an object                                                           | `validate.ts` `parseX401Payload`, `verifier.ts` `buildPayload`. Tests: `spec-schema.test.ts` (Appendix C schema), `x401.test.ts`                                                          |
-| `oauth` REQUIRED; `oauth.token_endpoint` REQUIRED                                                                                                                                                                     | `validate.ts` `parseX401Payload`. Tests: `spec-schema.test.ts`, `x401.test.ts`                                                                                                            |
-| Payload encoded value MUST be base64url UTF-8 JSON (RFC 4648 §5, no padding); decoded MUST be a single JSON object                                                                                                    | `encoding.ts` (`@owf/identity-common` base64url)                                                                                                                                          |
-| MUST NOT combine multiple objects in one proof header via commas/lists; comma value MUST be treated as invalid                                                                                                        | `encoding.ts` `decodeProofHeader` comma guard. Test: `x401.test.ts`                                                                                                                       |
-| VP Artifact MUST contain exactly one of `response` / `presentation_uri`                                                                                                                                               | `validate.ts` `parseVPArtifact`. Tests: `x401.test.ts` (both/neither), `spec-fixtures.test.ts`                                                                                            |
-| `response` is the `{ protocol, data }` DC API result                                                                                                                                                                  | `validate.ts` `parseVPArtifact`; `agent.ts` `buildVPArtifact`                                                                                                                             |
-| `presentation_uri` MUST be an `https` URL                                                                                                                                                                             | `validate.ts` `parseVPArtifact`. Test: `x401.test.ts` (non-https rejected)                                                                                                                |
-| Token Object `token_type` MUST be `"Bearer"`; `access_token` REQUIRED                                                                                                                                                 | `validate.ts` `parseX401TokenObject`; `agent.ts` `buildTokenObject`                                                                                                                       |
-| Error Object `error` REQUIRED                                                                                                                                                                                         | `validate.ts` `parseX401ErrorObject`                                                                                                                                                      |
-| Token-exchange fixed params (`grant_type`, `subject_token_type`, Bearer) MUST NOT be repeated in the payload                                                                                                          | not present in the payload type; set only on the form by `agent.ts` `buildTokenExchangeForm`; verified by `verifier.ts` `parseTokenExchange`. Test: `x401.test.ts`                        |
-| Embedded `<data>`: tag `data`, `value="application/json;x401=proof-required"`, `hidden`, single JSON object that is a valid payload and MUST include a `$schema` member = `https://x401.id/spec/schemas/request.json` | `verifier.ts` `embedHtmlData`; `agent.ts` `detectProofRequirement` + `parseX401Payload`. Test: `x401.test.ts` (embedded round-trip)                                                       |
-| Embedded object subject to the same structural validation as a header payload                                                                                                                                         | `agent.ts` `detectProofRequirement` runs `parseX401Payload`. Test: `x401.test.ts`                                                                                                         |
-| Agent MUST NOT modify any entry in `presentation_requirements`                                                                                                                                                        | `agent.ts` `getDigitalCredentialRequest` returns it unmodified; library never mutates it                                                                                                  |
-| A relaying intermediary MUST add a `return_uri` member (an `https` URL) to the forwarded payload; the Verifier never sets it                                                                                          | `agent.ts` `addReturnUri` (https-validated; `buildPayload` never emits it); `validate.ts` `parseX401Payload` enforces https. Tests: `x401.test.ts`                                        |
+| Spec requirement                                                                                                                                                                                                        | Where                                                                                                                                                                                     |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `scheme` MUST be `"x401"` (payload, error, token)                                                                                                                                                                       | `validate.ts` `parseX401Payload` / `parseX401ErrorObject` / `parseX401TokenObject`; builders in `verifier.ts`/`agent.ts` set the constant. Tests: `x401.test.ts`, `spec-fixtures.test.ts` |
+| `version` REQUIRED                                                                                                                                                                                                      | `validate.ts` (all three parsers); `X401_VERSION` constant                                                                                                                                |
+| `credential_requirements` REQUIRED; `digital.requests` a non-empty array; each `protocol` is `openid4vp-v1-signed` or `openid4vp-v1-unsigned`; each `data` an object                                                    | `validate.ts` `parseX401Payload`, `verifier.ts` `buildPayload`. Tests: `spec-schema.test.ts`, `x401.test.ts`                                                                              |
+| `oauth` REQUIRED; `oauth.token_endpoint` REQUIRED                                                                                                                                                                       | `validate.ts` `parseX401Payload`. Tests: `spec-schema.test.ts`, `x401.test.ts`                                                                                                            |
+| Payload encoded value MUST be base64url UTF-8 JSON (RFC 4648 section 5, no padding); decoded value MUST be a single JSON object                                                                                         | `encoding.ts` (`@owf/identity-common` base64url)                                                                                                                                          |
+| MUST NOT combine multiple objects in one proof header through commas or lists; comma value MUST be treated as invalid                                                                                                   | `encoding.ts` `decodeProofHeader` comma guard. Test: `x401.test.ts`                                                                                                                       |
+| Result Artifact MUST contain exactly one of `credential_result` or `credential_result_uri`                                                                                                                              | `validate.ts` `parseResultArtifact`. Tests: `x401.test.ts`, `spec-fixtures.test.ts`                                                                                                       |
+| `credential_result` is the `{ protocol, data }` Credential Manager result                                                                                                                                               | `validate.ts` `parseResultArtifact`; `agent.ts` `buildResultArtifact`                                                                                                                     |
+| `credential_result_uri` MUST be an `https` URL                                                                                                                                                                          | `validate.ts` `parseResultArtifact`. Test: `x401.test.ts`                                                                                                                                 |
+| Token Object `token_type` MUST be `"Bearer"`; `access_token` REQUIRED                                                                                                                                                   | `validate.ts` `parseX401TokenObject`; `agent.ts` `buildTokenObject`                                                                                                                       |
+| Error Object `error` REQUIRED                                                                                                                                                                                           | `validate.ts` `parseX401ErrorObject`                                                                                                                                                      |
+| Token-exchange fixed params (`grant_type`, `subject_token_type`, Bearer) MUST NOT be repeated in the payload                                                                                                            | not present in the payload type; set only on the form by `agent.ts` `buildTokenExchangeForm`; verified by `verifier.ts` `parseTokenExchange`. Test: `x401.test.ts`                        |
+| Embedded `<data>`: tag `data`, `value="application/json;x401=proof-required"`, `hidden`, single JSON object that is a valid payload and SHOULD include a `$schema` member = `https://x401.id/spec/schemas/request.json` | `verifier.ts` `embedHtmlData`; `agent.ts` `detectProofRequirement` plus `parseX401Payload`. Test: `x401.test.ts`                                                                          |
+| Embedded object subject to the same structural validation as a header payload                                                                                                                                           | `agent.ts` `detectProofRequirement` runs `parseX401Payload`. Test: `x401.test.ts`                                                                                                         |
+| Agent MUST NOT modify any entry in `credential_requirements`                                                                                                                                                            | `agent.ts` `getCredentialRequestOptions` returns it unmodified; library never mutates it                                                                                                  |
+| A relaying intermediary MUST add a `return_uri` member (an `https` URL) to the forwarded payload; the Verifier never sets it                                                                                            | `agent.ts` `addReturnUri` (https-validated); `buildPayload` never emits it; `validate.ts` `parseX401Payload` enforces https. Tests: `x401.test.ts`                                        |
 
-## Out of scope — responsibility of another layer
+## Out of scope: responsibility of another layer
 
-These normative statements are real but fall outside an encode/decode/validate library.
+These normative statements are real but fall outside an encode, decode, and validate library.
 
-- **Remote handler processing** (matching `requests[]` against held credentials, satisfying
-  `dcql_query` incl. `credential_sets`/`claim_sets`, Holder selection, producing the presentation,
-  POSTing it to `return_uri`): the remote wallet/handler. This SDK only adds and validates the
-  `return_uri` member; it does not act as a handler.
-- **Verifier proof validation & crypto** (the "The Verifier MUST:" list, Verifier Binding,
-  nonce freshness/replay, dereferencing a `presentation_uri`, unique-URI issuance, issuer
-  trust enforcement, `trusted_authorities`): the verifier application. This library does not
-  verify presentations or sign requests (`CLAUDE.md` Hard Rules 1–3).
+- **Remote handler processing** (matching `credential_requirements.digital.requests[]` against held
+  credentials, satisfying `dcql_query` including `credential_sets` and `claim_sets`, holder
+  selection, producing the credential result, posting it to `return_uri`): the remote wallet or
+  handler. This SDK only adds and validates the `return_uri` member; it does not act as a handler.
+- **Verifier proof validation and crypto** (Verifier Binding, nonce freshness and replay,
+  dereferencing a `credential_result_uri`, unique URI issuance, issuer trust enforcement,
+  `trusted_authorities`): the verifier application. This library does not verify credential results
+  or sign requests.
 - **Credential verification** (issuer trust, status, revocation, claim satisfaction):
-  `@proof.com/proof-vc-common`. `vp_token`/`response.data` is opaque here.
-- **Agent runtime / transport** (obtaining a presentation via `navigator.credentials.get`,
-  relaying, remote fulfillment, retrying the route): the Agent application.
-- **OpenID4VP request composition/signing** (the JAR, `client_id`, `expected_origins`,
-  `nonce`, `dcql_query`, `exp`): the verifier; carried opaque in `data`. This includes the
-  "Composing a Request for Both Native and Relayed Fulfillment" rules added when PR #15 merged
-  (self-contained request, `x5c`/resolvable `client_id`, carrying all inputs inside the request
-  object, transport members optional) — all verifier request-authoring concerns, not wire-object
-  structure.
+  `@proof.com/proof-vc-common`. `vp_token` and `credential_result.data` are opaque here.
+- **Agent runtime and transport** (obtaining a credential result through
+  `navigator.credentials.get`, relaying, remote fulfillment, retrying the route): the Agent
+  application.
+- **OpenID4VP request composition and signing** (the JAR, `client_id`, `expected_origins`, `nonce`,
+  `dcql_query`, `exp`): the Verifier; carried opaque in `data`.
 - **HTTP semantics** (status-code independence, `WWW-Authenticate` non-use, `402` payment
-  separation, `Cache-Control`/`Vary`, CORS exposure): the HTTP server/deployment.
-- **Verification Token issuance, scope, binding, holder identity**; **Agent binding**
-  (OPTIONAL): the verifier/deployment.
+  separation, `Cache-Control`/`Vary`, CORS exposure): the HTTP server or deployment.
+- **Verification Token issuance, scope, binding, holder identity**, and **Agent binding**: the
+  verifier or deployment.
 
 ## Known coverage gap
 
-Only the **PROOF-REQUIRED payload** has an official JSON Schema (Appendix C). The VP Artifact,
-Error Object, and Token Object are checked against extracted spec examples + these parsers, not a
-published schema. If the spec later publishes schemas for those objects, add them to
-`spec/fixtures/` via `sync-spec-fixtures.ts` and extend `spec-schema.test.ts`.
+Only the `PROOF-REQUEST` payload has an official JSON Schema. The Result Artifact, Error Object, and
+Token Object are checked against extracted spec examples plus these parsers, not a published schema.
+If the spec later publishes schemas for those objects, add them to `spec/fixtures/` through
+`sync-spec-fixtures.ts` and extend `spec-schema.test.ts`.
diff --git a/spec/fixtures/error-object.json b/spec/fixtures/error-object.json
index ffe5864..a4979b2 100644
--- a/spec/fixtures/error-object.json
+++ b/spec/fixtures/error-object.json
@@ -1,7 +1,7 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "error": "invalid_presentation",
-  "error_description": "The presentation did not satisfy the route proof requirement.",
+  "error": "invalid_result",
+  "error_description": "The credential result did not satisfy the route proof requirement.",
   "request_id": "proof-template-financial-customer-v1"
 }
diff --git a/spec/fixtures/payload-1.json b/spec/fixtures/payload-1.json
index 042b3c6..a80b6b4 100644
--- a/spec/fixtures/payload-1.json
+++ b/spec/fixtures/payload-1.json
@@ -1,9 +1,8 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {},
+  "credential_requirements": {},
   "oauth": {},
-  "trust_establishment": "https://...",
   "request_id": "...",
   "satisfied_requirements": [],
   "payment": {}
diff --git a/spec/fixtures/payload-2.json b/spec/fixtures/payload-2.json
index 6e485a9..43e36d6 100644
--- a/spec/fixtures/payload-2.json
+++ b/spec/fixtures/payload-2.json
@@ -1,15 +1,17 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
diff --git a/spec/fixtures/payload-3.json b/spec/fixtures/payload-3.json
index 058f99c..e72b91b 100644
--- a/spec/fixtures/payload-3.json
+++ b/spec/fixtures/payload-3.json
@@ -1,15 +1,17 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
diff --git a/spec/fixtures/payload-4.json b/spec/fixtures/payload-4.json
index f8caafd..43e36d6 100644
--- a/spec/fixtures/payload-4.json
+++ b/spec/fixtures/payload-4.json
@@ -1,20 +1,21 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
   },
-  "trust_establishment": "https://bank.example.com/.well-known/x401/trust/financial-customer-v1",
   "request_id": "proof-template-financial-customer-v1",
   "satisfied_requirements": [
     "urn:example:x401:satisfaction:financial-customer:v1"
diff --git a/spec/fixtures/payload-5.json b/spec/fixtures/payload-5.json
index 525c7b4..e8cf614 100644
--- a/spec/fixtures/payload-5.json
+++ b/spec/fixtures/payload-5.json
@@ -1,15 +1,17 @@
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
diff --git a/spec/fixtures/request.schema.json b/spec/fixtures/request.schema.json
index 9af2e9b..f5a9823 100644
--- a/spec/fixtures/request.schema.json
+++ b/spec/fixtures/request.schema.json
@@ -7,7 +7,7 @@
   "required": [
     "scheme",
     "version",
-    "presentation_requirements",
+    "credential_requirements",
     "oauth"
   ],
   "properties": {
@@ -25,39 +25,48 @@
       "type": "string",
       "description": "The x401 payload version."
     },
-    "presentation_requirements": {
+    "credential_requirements": {
       "type": "object",
       "required": [
-        "requests"
+        "digital"
       ],
-      "description": "The composed Digital Credentials request (a DigitalCredentialRequestOptions value), usable as the digital member of navigator.credentials.get().",
+      "description": "The Verifier-composed credential request, a CredentialRequestOptions value usable as the argument to navigator.credentials.get(). This version of x401 specifies the digital member; additional navigator.credentials.get() request types (e.g. publicKey) may be specified in future versions.",
       "properties": {
-        "requests": {
-          "type": "array",
-          "minItems": 1,
-          "description": "Digital Credentials request entries. Every entry MUST be a valid OpenID4VP request for the DC API.",
-          "items": {
-            "type": "object",
-            "required": [
-              "protocol",
-              "data"
-            ],
-            "properties": {
-              "protocol": {
-                "type": "string",
-                "enum": [
-                  "openid4vp-v1-signed",
-                  "openid4vp-v1-unsigned"
-                ],
-                "description": "The DC API protocol identifier. openid4vp-v1-signed is RECOMMENDED; openid4vp-v1-unsigned is permitted. See Verifier Binding."
-              },
-              "data": {
+        "digital": {
+          "type": "object",
+          "required": [
+            "requests"
+          ],
+          "description": "The composed Digital Credentials request, a DigitalCredentialRequestOptions value (the value the digital member of navigator.credentials.get() takes).",
+          "properties": {
+            "requests": {
+              "type": "array",
+              "minItems": 1,
+              "description": "Digital Credentials request entries. Every entry MUST be a valid OpenID4VP request for the DC API.",
+              "items": {
                 "type": "object",
-                "description": "Protocol-specific request data. For openid4vp-v1-signed, an object carrying the signed OpenID4VP request (e.g. { \"request\": \"<JWT>\" }); for openid4vp-v1-unsigned, the OpenID4VP request parameters directly.",
+                "required": [
+                  "protocol",
+                  "data"
+                ],
                 "properties": {
-                  "request": {
+                  "protocol": {
                     "type": "string",
-                    "description": "The signed OpenID4VP request (a JWT-Secured Authorization Request); present for openid4vp-v1-signed."
+                    "enum": [
+                      "openid4vp-v1-signed",
+                      "openid4vp-v1-unsigned"
+                    ],
+                    "description": "The DC API protocol identifier. openid4vp-v1-signed is RECOMMENDED; openid4vp-v1-unsigned is permitted. See Verifier Binding."
+                  },
+                  "data": {
+                    "type": "object",
+                    "description": "Protocol-specific request data. For openid4vp-v1-signed, an object carrying the signed OpenID4VP request (e.g. { \"request\": \"<JWT>\" }); for openid4vp-v1-unsigned, the OpenID4VP request parameters directly.",
+                    "properties": {
+                      "request": {
+                        "type": "string",
+                        "description": "The signed OpenID4VP request (a JWT-Secured Authorization Request); present for openid4vp-v1-signed."
+                      }
+                    }
                   }
                 }
               }
@@ -75,7 +84,7 @@
         "token_endpoint": {
           "type": "string",
           "format": "uri",
-          "description": "OAuth 2.0 token endpoint where the Agent can exchange a VP Artifact for a Verification Token."
+          "description": "OAuth 2.0 token endpoint where the Agent can exchange a Result Artifact for a Verification Token."
         },
         "audience": {
           "type": "string",
@@ -89,11 +98,6 @@
       },
       "additionalProperties": false
     },
-    "trust_establishment": {
-      "type": "string",
-      "format": "uri",
-      "description": "Optional acquisition and discovery hint: HTTPS URL for a DIF Credential Trust Establishment document. Issuer enforcement is governed by the signed request (DCQL trusted_authorities), not by this member."
-    },
     "request_id": {
       "type": "string",
       "description": "Optional Agent-visible hint: a stable verifier-defined identifier for the proof template."
@@ -108,7 +112,7 @@
     "return_uri": {
       "type": "string",
       "format": "uri",
-      "description": "Optional. Added by a relaying intermediary (never by the Verifier) to tell a remote handler where to POST the presentation result. See Relayed Delivery to a Remote Handler."
+      "description": "Optional. Added by a relaying intermediary (never by the Verifier) to tell a remote handler where to POST the credential result. See Relayed Delivery to a Remote Handler."
     },
     "payment": {
       "type": "object",
diff --git a/spec/fixtures/vp-artifact-1.json b/spec/fixtures/result-artifact-1.json
similarity index 57%
rename from spec/fixtures/vp-artifact-1.json
rename to spec/fixtures/result-artifact-1.json
index c1e7aed..adb2d1c 100644
--- a/spec/fixtures/vp-artifact-1.json
+++ b/spec/fixtures/result-artifact-1.json
@@ -1,7 +1,7 @@
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
diff --git a/spec/fixtures/vp-artifact-2.json b/spec/fixtures/result-artifact-2.json
similarity index 57%
rename from spec/fixtures/vp-artifact-2.json
rename to spec/fixtures/result-artifact-2.json
index c1e7aed..adb2d1c 100644
--- a/spec/fixtures/vp-artifact-2.json
+++ b/spec/fixtures/result-artifact-2.json
@@ -1,7 +1,7 @@
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
diff --git a/spec/fixtures/vp-artifact-5.json b/spec/fixtures/result-artifact-3.json
similarity index 52%
rename from spec/fixtures/vp-artifact-5.json
rename to spec/fixtures/result-artifact-3.json
index 2e6855e..178006c 100644
--- a/spec/fixtures/vp-artifact-5.json
+++ b/spec/fixtures/result-artifact-3.json
@@ -1,5 +1,5 @@
 {
   "request_id": "proof-template-financial-customer-v1",
-  "presentation_uri": "https://bank.example.com/.well-known/x401/presentations/abc123",
+  "credential_result_uri": "https://bank.example.com/.well-known/x401/results/abc123",
   "expires_at": "2026-05-06T18:50:00Z"
 }
diff --git a/spec/fixtures/vp-artifact-4.json b/spec/fixtures/result-artifact-4.json
similarity index 57%
rename from spec/fixtures/vp-artifact-4.json
rename to spec/fixtures/result-artifact-4.json
index c1e7aed..adb2d1c 100644
--- a/spec/fixtures/vp-artifact-4.json
+++ b/spec/fixtures/result-artifact-4.json
@@ -1,7 +1,7 @@
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
diff --git a/spec/fixtures/vp-artifact-3.json b/spec/fixtures/result-artifact-5.json
similarity index 52%
rename from spec/fixtures/vp-artifact-3.json
rename to spec/fixtures/result-artifact-5.json
index 2e6855e..178006c 100644
--- a/spec/fixtures/vp-artifact-3.json
+++ b/spec/fixtures/result-artifact-5.json
@@ -1,5 +1,5 @@
 {
   "request_id": "proof-template-financial-customer-v1",
-  "presentation_uri": "https://bank.example.com/.well-known/x401/presentations/abc123",
+  "credential_result_uri": "https://bank.example.com/.well-known/x401/results/abc123",
   "expires_at": "2026-05-06T18:50:00Z"
 }
diff --git a/spec/normative-ledger.json b/spec/normative-ledger.json
index 5f9a76b..98da9d3 100644
--- a/spec/normative-ledger.json
+++ b/spec/normative-ledger.json
@@ -1,89 +1,90 @@
 [
   "1. MUST consider the `requests[]` entries whose `protocol` and credential formats it implements, and among those, MUST attempt to satisfy each entry's `dcql_query` — including any `credential_sets` / `claim_sets` alternatives within it — against the credentials available to it, with Holder selection where applicable. Which entry is used is the *outcome* of this matching, not a prior choice; an entry is usable only if a held credential satisfies its query.",
-  "1. MUST include `PROOF-REQUIRED: <base64url-x401-payload>` when proof is required or advertised.",
+  "1. MUST include `PROOF-REQUEST: <base64url-x401-payload>` when proof is required or advertised.",
   "1. MUST make each entry a valid OpenID4VP request for the Digital Credentials API, using `protocol: \"openid4vp-v1-signed\"` (RECOMMENDED) or `protocol: \"openid4vp-v1-unsigned\"`.",
   "1. MUST treat the parsed JSON object as an x401 payload subject to the same structural validation and composed-request processing defined elsewhere in this specification.",
   "1. MUST treat the response as a proof requirement.",
   "1. MUST use the tag name `data`.",
-  "1. The Agent MUST NOT modify any entry in `presentation_requirements`. The request signature binds its contents, so any modification invalidates it.",
-  "1. The `presentation_uri` MUST be an `https` URL.",
+  "1. The Agent MUST NOT modify any entry in `credential_requirements`. The request signature binds its contents, so any modification invalidates it.",
+  "1. The `credential_result_uri` MUST be an `https` URL.",
   "1. when the deployment binds the Agent, MUST be issued to the [[ref: Agent Identifier]] bound during the retry, and MUST NOT rely on the credential subject as the token holder identity unless the credential subject is also the Agent;",
-  "10. MUST evaluate issuer trust, status, revocation, and policy constraints independently of any Agent-side interpretation of the Issuer Trust List.",
+  "10. MUST evaluate issuer trust, status, revocation, and policy constraints independently of any Agent-side interpretation of the request's `trusted_authorities`.",
   "10. MUST retry the same route that produced the x401 proof requirement with one of:",
   "11. MUST NOT replace an existing application `Authorization` credential with an x401 Verification Token unless the deployment explicitly defines the returned token as valid for that route's ordinary authorization processing.",
-  "11. MUST accept a VP Artifact in a `PROOF-PRESENTATION` request header for protected-route retry, in both its inline and by-reference forms.",
-  "12. MUST treat a `PROOF-RESPONSE` carrying an x401 Error Object as an x401 proof failure for the route-scoped proof attempt, regardless of the HTTP status code.",
-  "13. MUST validate Verification Tokens on protected-route retry according to token scope, audience, expiration, any Agent binding, and satisfied requirement metadata, whether the token arrives in `Authorization` or as an x401 Token Object in `PROOF-PRESENTATION`.",
-  "14. MUST bind any Verification Token carried in `PROOF-PRESENTATION` to the existing application caller, credential, client, key, or Agent Identifier required by the protected route when an `Authorization` header is also present.",
+  "11. MUST accept a Result Artifact in a `PROOF-RESPONSE` request header for protected-route retry, in both its inline and by-reference forms.",
+  "12. MUST treat a `PROOF-RESULT` carrying an x401 Error Object as an x401 proof failure for the route-scoped proof attempt, regardless of the HTTP status code.",
+  "13. MUST validate Verification Tokens on protected-route retry according to token scope, audience, expiration, any Agent binding, and satisfied requirement metadata, whether the token arrives in `Authorization` or as an x401 Token Object in `PROOF-RESPONSE`.",
+  "14. MUST bind any Verification Token carried in `PROOF-RESPONSE` to the existing application caller, credential, client, key, or Agent Identifier required by the protected route when an `Authorization` header is also present.",
   "16. MUST use `402 Payment Required` separately if payment is required and remains unsatisfied.",
-  "2. For a satisfiable entry, MUST read the OpenID4VP request from its `data` — the claims of the signed request object for `openid4vp-v1-signed`, or the request parameters directly for `openid4vp-v1-unsigned` — and produce a presentation that satisfies that `dcql_query`, bound to its `nonce`. It honors `client_metadata` for accepted formats and any response-encryption key, and, for a signed request, binds the presentation's audience to the request's `client_id`.",
+  "2. For a satisfiable entry, MUST read the OpenID4VP request from its `data` — the claims of the signed request object for `openid4vp-v1-signed`, or the request parameters directly for `openid4vp-v1-unsigned` — and produce a result that satisfies that `dcql_query`, bound to its `nonce`. It honors `client_metadata` for accepted formats and any response-encryption key, and, for a signed request, binds the result's audience to the request's `client_id`.",
   "2. MUST be scoped to the Verifier audience and to the route, policy, action, resource, or resource class for which proof was accepted;",
-  "2. MUST extract the `PROOF-REQUIRED` field value and base64url-decode it as a UTF-8 JSON [[ref: x401 Payload]].",
-  "2. MUST include a valid base64url-encoded x401 payload in `PROOF-REQUIRED`.",
+  "2. MUST extract the `PROOF-REQUEST` field value and base64url-decode it as a UTF-8 JSON [[ref: x401 Payload]].",
+  "2. MUST include a valid base64url-encoded x401 payload in `PROOF-REQUEST`.",
   "2. MUST make its identity and request-signing key resolvable from the request alone. The Verifier SHOULD embed its signing certificate chain in the request JWS `x5c` header, or use a `client_id` whose key material is publicly resolvable (for example a `did:` or `https:` scheme), so a handler with no prior relationship can verify the signature and confirm it matches `client_id` offline. A Verifier MUST NOT rely on a `client_id` scheme or key whose resolution depends on the invoking Web origin or on prior DC-API interaction, because neither exists on the relayed path.",
   "2. MUST set the `value` attribute to the MIME-type expression `application/json;x401=proof-required`. The `x401` parameter identifies the embedded carrier and signals the role of the element's text content.",
-  "2. The Verifier MUST issue a unique `presentation_uri` for each presentation and MUST NOT reuse a URI value across presentations. Uniqueness per presentation is what lets the Verifier treat the reference as single-use and bind it to one retry.",
+  "2. The Verifier MUST issue a unique `credential_result_uri` for each result and MUST NOT reuse a URI value across results. Uniqueness per result is what lets the Verifier treat the reference as single-use and bind it to one retry.",
   "3. MUST carry every input a fulfiller needs inside the request object: the `nonce`, the `dcql_query` (including any `credential_sets` / `claim_sets` alternatives), the accepted formats and any response-encryption key in `client_metadata`, and the `exp`. A remote handler reads these directly from the request `data` — the signed request object's claims for a signed request — not from any API surface, so a value referenced only through the DC-API or a same-origin session is unavailable to it.",
   "3. MUST expire, and SHOULD be short-lived;",
   "3. MUST set the `hidden` attribute so the element is not visually rendered.",
   "3. MUST treat the Digital Credentials API transport members as not applicable to relayed delivery: it does not return through `response_mode: dc_api`/`dc_api.jwt` (it returns to `return_uri` instead) and does not enforce `expected_origins` (there is no invoking Web origin).",
   "3. MUST use an HTTP status code appropriate for the overall response and MUST NOT rely on the status code alone to convey x401 proof state.",
   "3. MUST validate the decoded payload structure and process the `proof` object.",
-  "3. The Agent MUST arrange to acquire the [[ref: Presentation Result]] returned for the request, whether it invokes the request itself, relays it, or acquires a remotely generated result.",
-  "4. MUST NOT weaken or alter the `dcql_query` or `nonce`, and MUST deliver the resulting [[ref: Presentation Result]] to `return_uri`. If it can satisfy no entry, it returns no presentation and SHOULD signal that failure to the intermediary rather than returning a partial or substitute result.",
+  "3. The Agent MUST arrange to acquire the [[ref: Credential Result]] returned for the request, whether it invokes the request itself, relays it, or acquires a remotely generated result.",
+  "4. MUST NOT weaken or alter the `dcql_query` or `nonce`, and MUST deliver the resulting [[ref: Credential Result]] to `return_uri`. If it can satisfy no entry, it returns no result and SHOULD signal that failure to the intermediary rather than returning a partial or substitute result.",
   "4. MUST contain a single JSON object as its text content. The JSON object MUST be a valid x401 payload as defined in [x401 Payload](#x401-payload), and MUST include a `$schema` member whose value is the JSON Schema URL for the x401 request object, `https://x401.id/spec/schemas/request.json`. The `$schema` member is an informational marker that allows AI scrapers, content processors, and validators that retain only the JSON object to recognize it as an x401 proof requirement without prior knowledge of the surrounding HTML carrier.",
-  "4. MUST include a `presentation_requirements` whose entries are valid OpenID4VP requests for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`.",
-  "4. MUST treat `presentation_requirements` as the Verifier-composed [[ref: Digital Credentials Request]] and MUST NOT modify any of its entries.",
+  "4. MUST include a `credential_requirements` whose `digital` member's entries are valid OpenID4VP requests for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`.",
+  "4. MUST treat `credential_requirements` as the Verifier-composed credential request and MUST NOT modify any of its entries.",
   "4. SHOULD still set the Digital Credentials API transport members — `response_mode` (`dc_api` / `dc_api.jwt`) and `expected_origins` — for the native path, but MUST NOT make correct processing depend on them. A remote handler treats them as not applicable (it returns to `return_uri` and there is no invoking origin to pre-authorize), so a request whose only Verifier binding is `expected_origins` degrades to `nonce`-only when relayed.",
-  "5. MUST obtain a [[ref: Presentation Result]] for `presentation_requirements` by invoking it through a native credential method, relaying it to a Wallet or remote service, or acquiring a remotely generated result.",
+  "5. MUST obtain a [[ref: Credential Result]] for `credential_requirements` by invoking it through a native credential method, relaying it to a Credential Manager or remote service, or acquiring a remotely generated result.",
   "5. SHOULD use signed requests and set their `client_id` and `expected_origins`; when using unsigned requests, MUST account for the weaker binding described in [Verifier Binding](#verifier-binding).",
   "6. MUST include OAuth token exchange metadata in `oauth`.",
-  "8. MUST NOT enumerate verifier-approved issuers inline in the x401 payload.",
-  "8. MUST NOT treat any Agent-side interpretation of the Issuer Trust List as proof of verifier acceptance.",
-  "9. MUST package the presentation result as a VP Artifact, inline or as a [[ref: Presentation Reference]].",
-  "9. MUST validate presentations according to the proof validation rules in this specification and the credential format rules it relies upon, dereferencing a [[ref: Presentation Reference]] when one is supplied.",
-  "A VP Artifact MUST contain exactly one of `response` or `presentation_uri`.",
-  "A Verifier MAY use the validated signing key, key directory authority, or derived service identity as the Agent Identifier, or as evidence that maps to an Agent Identifier. The Verifier MUST still validate the Wallet presentation binding for the request mode, the credential query satisfaction, issuer trust, token scope, and payment boundary. Web Bot Auth identifies the calling automation or service; it does not by itself prove the credential subject, satisfy the credential query, or prove end-user delegation.",
-  "A Verifier that emits embedded `<data>` elements MUST still enforce proof on the protected resource through the normal `PROOF-REQUIRED` / `PROOF-PRESENTATION` exchange. Embedding a requirement in HTML is informational disclosure and does not by itself grant access.",
-  "A Verifier that may have its request fulfilled either natively — invoked through `navigator.credentials.get()` by a Wallet enforcing the Digital Credentials API — or by a remote handler that parses the request and generates a presentation manually MUST compose the request so it is self-contained and verifiable by a party with no prior relationship and no browser context. The governing test is: *could a Wallet that has never interacted with this Verifier verify the request and produce a correctly bound presentation from the request bytes alone?* A request composed only for the native path can silently fail this test even though a DC-API Wallet accepts it. To satisfy both paths, a Verifier:",
-  "A `<data>` element placed at the document level applies to the page as a whole and SHOULD be used as a body-side mirror of the route-scoped `PROOF-REQUIRED` header so that header-blind clients can still discover the requirement. A response MAY include multiple `<data value=\"application/json;x401=proof-required\" hidden>` elements when a page surfaces multiple advertised requirements; each element MUST be a complete, independent x401 payload that can be processed without reference to the others.",
-  "A `presentation_uri` is a capability-style reference: possession of the URL is enough to retrieve the presentation. The Verifier MUST issue a unique URI per presentation, and SHOULD make it `https`, unguessable, short-lived, single-use, and scoped to the route and retry it serves; the URL SHOULD be treated as sensitive because it can leak through logs, history, and intermediaries. Because the Verifier issues these references, it SHOULD dereference only URIs it recognizes as its own, which also guards against being pointed at arbitrary locations; it SHOULD bound the response size and time of the fetch. A reference that is reused, expired, or unrecognized MUST be rejected. Integrity and authenticity of the fetched bytes do not depend on a separate digest: the presentation is validated against the issued request's `nonce` and the binding its request mode provides, so a substituted or tampered result fails normal proof validation.",
-  "A protected route MUST process the supplied `PROOF-PRESENTATION` value as a proof presentation or proof-token satisfaction attempt. If verification succeeds, the Verifier MAY return the protected resource directly.",
+  "8. MUST NOT enumerate verifier-approved issuers inline as an x401-specific payload member.",
+  "8. MUST NOT treat any Agent-side interpretation of the request's `trusted_authorities` as proof of verifier acceptance.",
+  "9. MUST package the credential result as a Result Artifact, inline or as a [[ref: Credential Reference]].",
+  "9. MUST validate credential results according to the proof validation rules in this specification and the credential format rules it relies upon, dereferencing a [[ref: Credential Reference]] when one is supplied.",
+  "A Result Artifact MUST contain exactly one of `credential_result` or `credential_result_uri`.",
+  "A Verifier MAY use the validated signing key, key directory authority, or derived service identity as the Agent Identifier, or as evidence that maps to an Agent Identifier. The Verifier MUST still validate the Credential Manager result binding for the request mode, the credential query satisfaction, issuer trust, token scope, and payment boundary. Web Bot Auth identifies the calling automation or service; it does not by itself prove the credential subject, satisfy the credential query, or prove end-user delegation.",
+  "A Verifier that emits embedded `<data>` elements MUST still enforce proof on the protected resource through the normal `PROOF-REQUEST` / `PROOF-RESPONSE` exchange. Embedding a requirement in HTML is informational disclosure and does not by itself grant access.",
+  "A Verifier that may have its request fulfilled either natively — invoked through `navigator.credentials.get()` by a Credential Manager enforcing the Digital Credentials API — or by a remote handler that parses the request and generates a result manually MUST compose the request so it is self-contained and verifiable by a party with no prior relationship and no browser context. The governing test is: *could a Credential Manager that has never interacted with this Verifier verify the request and produce a correctly bound result from the request bytes alone?* A request composed only for the native path can silently fail this test even though a DC-API Credential Manager accepts it. To satisfy both paths, a Verifier:",
+  "A `<data>` element placed at the document level applies to the page as a whole and SHOULD be used as a body-side mirror of the route-scoped `PROOF-REQUEST` header so that header-blind clients can still discover the requirement. A response MAY include multiple `<data value=\"application/json;x401=proof-required\" hidden>` elements when a page surfaces multiple advertised requirements; each element MUST be a complete, independent x401 payload that can be processed without reference to the others.",
+  "A `credential_result_uri` is a capability-style reference: possession of the URL is enough to retrieve the result. The Verifier MUST issue a unique URI per result, and SHOULD make it `https`, unguessable, short-lived, single-use, and scoped to the route and retry it serves; the URL SHOULD be treated as sensitive because it can leak through logs, history, and intermediaries. Because the Verifier issues these references, it SHOULD dereference only URIs it recognizes as its own, which also guards against being pointed at arbitrary locations; it SHOULD bound the response size and time of the fetch. A reference that is reused, expired, or unrecognized MUST be rejected. Integrity and authenticity of the fetched bytes do not depend on a separate digest: the result is validated against the issued request's `nonce` and the binding its request mode provides, so a substituted or tampered result fails normal proof validation.",
+  "A protected route MUST process the supplied `PROOF-RESPONSE` value as a credential-result or proof-token satisfaction attempt. If verification succeeds, the Verifier MAY return the protected resource directly.",
   "A sender MUST NOT generate more than one field line with the same x401 proof header name in the same HTTP message. A sender MUST NOT combine multiple x401 protocol objects in a single proof header using commas or other list syntax. If a recipient receives multiple field lines for the same proof header, or receives a proof header value containing a comma-separated list of messages, it MUST treat that proof header as invalid.",
   "A server that requires payment MUST use `402 Payment Required` and MUST NOT overload x401 to represent payment as proof.",
-  "A server that requires proof for access to a protected resource, route, representation, or operation whose response would be changed as a whole by fulfilling a single set of proof requirements MUST return `PROOF-REQUIRED: <base64url-x401-payload>`. The `PROOF-REQUIRED` header is the authoritative carrier for an x401 proof requirement that gates the entire response.",
+  "A server that requires proof for access to a protected resource, route, representation, or operation whose response would be changed as a whole by fulfilling a single set of proof requirements MUST return `PROOF-REQUEST: <base64url-x401-payload>`. The `PROOF-REQUEST` header is the authoritative carrier for an x401 proof requirement that gates the entire response.",
   "Acquisition hints MUST NOT be treated as sufficient trust material. Verifiers MUST apply their own trusted issuer policy and validation logic.",
-  "Agent binding is OPTIONAL. The presentation is bound to the Verifier, not to the Agent, so a deployment that does not bind the Agent still has a presentation it can trust. A deployment that additionally wants to tie the proof and retry to a specific Agent layers an HTTP-layer or token-layer caller authentication over x401; see [Agent Binding Options](#agent-binding-options). When a deployment binds the Agent, it MUST reject a retry whose caller cannot be bound to the required [[ref: Agent Identifier]]. Because the surface that invokes the request may differ from the Agent that retries the route, a binding mechanism that depends only on the presentation result is insufficient in relay and remote-fulfillment topologies.",
-  "An intermediary that relays the x401 payload to a remote handler MUST add a `return_uri` member to the payload it forwards. `return_uri` is an `https` URL the handler delivers the [[ref: Presentation Result]] to; it is supplied by the relaying intermediary, never by the Verifier, and SHOULD be unguessable, short-lived, single-use, and controlled by the intermediary. The handler returns the result by sending an HTTP `POST` of the `{ \"protocol\": ..., \"data\": ... }` Presentation Result to `return_uri`. The intermediary then packages that result into a VP Artifact (inline or as a [[ref: Presentation Reference]]) and retries the protected route.",
+  "Agent binding is OPTIONAL. The result is bound to the Verifier, not to the Agent, so a deployment that does not bind the Agent still has a result it can trust. A deployment that additionally wants to tie the proof and retry to a specific Agent layers an HTTP-layer or token-layer caller authentication over x401; see [Agent Binding Options](#agent-binding-options). When a deployment binds the Agent, it MUST reject a retry whose caller cannot be bound to the required [[ref: Agent Identifier]]. Because the surface that invokes the request may differ from the Agent that retries the route, a binding mechanism that depends only on the credential result is insufficient in relay and remote-fulfillment topologies.",
+  "An intermediary that relays the x401 payload to a remote handler MUST add a `return_uri` member to the payload it forwards. `return_uri` is an `https` URL the handler delivers the [[ref: Credential Result]] to; it is supplied by the relaying intermediary, never by the Verifier, and SHOULD be unguessable, short-lived, single-use, and controlled by the intermediary. The handler returns the result by sending an HTTP `POST` of the `{ \"protocol\": ..., \"data\": ... }` Credential Result to `return_uri`. The intermediary then packages that result into a Result Artifact (inline or as a [[ref: Credential Reference]]) and retries the protected route.",
   "DPoP can bind OAuth token requests and resource requests to an Agent-controlled key at the application layer. Because this version of x401 defines Bearer Verification Tokens, a DPoP-bound Verification Token retry needs either a deployment-specific profile or a future x401 token retry profile that permits `token_type: DPoP` and the `DPoP` proof header. When a deployment binds the Agent and uses DPoP at the token endpoint, the endpoint MUST ensure the DPoP key maps to the Agent Identifier the deployment requires for the retry.",
   "For Verification Tokens defined by this specification, the token endpoint MUST return `token_type` with the value `Bearer`.",
   "Implementations MUST keep proof and payment semantics separate. A proof artifact MUST NOT be treated as payment, and payment satisfaction MUST NOT be treated as proof satisfaction.",
-  "In all modes the Verifier MUST validate the binding its request mode and transport provide and MUST reject a presentation it cannot bind to the request it issued. The `nonce` provides freshness and correlation throughout; it does not, by itself, authenticate the Verifier or constrain the invocation origin.",
-  "Issuer enforcement is ultimately governed by the request, not by `trust_establishment`. Where the Verifier needs the Wallet to constrain acceptable issuers at presentation time, it expresses that with DCQL `trusted_authorities` inside the request in `presentation_requirements`. `trust_establishment` exists to help Agents and Wallets *discover* and *acquire* likely-acceptable credentials, and to convey richer ecosystem, role, or acquisition metadata than `trusted_authorities` carries; it MUST NOT enumerate approved issuers inline. The Verifier MUST enforce issuer trust during proof validation — against the `trusted_authorities` in the request and its own policy — and MUST NOT rely on the Agent's interpretation of the Issuer Trust List.",
-  "The Verifier MUST NOT treat the `request_id` or `agent_id` values inside the VP Artifact as authoritative by themselves. They are carried so the Verifier can correlate the retry. Correlation between the presentation and the issued request is established by the OpenID4VP `nonce` echoed inside the presentation result. The Verifier remains responsible for validating the presentation binding and, when it binds the Agent, authenticating the Agent Identifier.",
+  "In all modes the Verifier MUST validate the binding its request mode and transport provide and MUST reject a result it cannot bind to the request it issued. The `nonce` provides freshness and correlation throughout; it does not, by itself, authenticate the Verifier or constrain the invocation origin.",
+  "The Verifier MUST NOT treat the `request_id` or `agent_id` values inside the Result Artifact as authoritative by themselves. They are carried so the Verifier can correlate the retry. Correlation between the result and the issued request is established by the OpenID4VP `nonce` echoed inside the credential result. The Verifier remains responsible for validating the result binding and, when it binds the Agent, authenticating the Agent Identifier.",
   "The Verifier MUST:",
   "The encoded value MUST be base64url-encoded UTF-8 JSON using the URL and filename safe alphabet defined by RFC 4648 Section 5 without padding. The decoded value MUST be a single JSON object.",
+  "The issuer constraints that must hold at proof time belong in the request's DCQL `trusted_authorities`. An Agent MAY follow the dereferenceable entries (`openid_federation`, `etsi_tl`) to discover where to acquire a qualifying credential, but that resolution is an acquisition and discovery aid; it does not decide validity. The Verifier MUST independently validate that presented credentials were issued by parties approved under the request it issued and its own issuer policy, and MUST NOT rely on the Agent's interpretation of `trusted_authorities`. Because an `aki` entry is not dereferenceable, a request constrained only by `aki` offers no acquisition path; this does not weaken enforcement, which depends on the constraint, not on its resolvability.",
   "The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **SHOULD**, **SHOULD NOT**, **RECOMMENDED**, **NOT RECOMMENDED**, **MAY**, and **OPTIONAL** in this document are to be interpreted as described in RFC 2119 and RFC 8174.",
-  "The submitted VP Artifact MAY carry the presentation result inline or as a [[ref: Presentation Reference]]; when it is a reference, the token endpoint dereferences it as described in [Presentation by Reference](#presentation-by-reference). The token endpoint MAY require normal OAuth client authentication. If the deployment binds the Agent and client authentication is used, the authenticated OAuth client MUST bind to the same Agent Identifier the deployment requires for the retry.",
-  "The token endpoint MUST process the submitted VP Artifact using the same proof validation rules that apply to direct protected-route retry. In particular, it MUST verify that:",
+  "The submitted Result Artifact MAY carry the credential result inline or as a [[ref: Credential Reference]]; when it is a reference, the token endpoint dereferences it as described in [Result by Reference](#result-by-reference). The token endpoint MAY require normal OAuth client authentication. If the deployment binds the Agent and client authentication is used, the authenticated OAuth client MUST bind to the same Agent Identifier the deployment requires for the retry.",
+  "The token endpoint MUST process the submitted Result Artifact using the same proof validation rules that apply to direct protected-route retry. In particular, it MUST verify that:",
   "The token request uses OAuth 2.0 Token Exchange. The Agent MUST use:",
   "The x401 OAuth profile fixes `grant_type`, `subject_token_type`, and Bearer token usage. These values MUST NOT be repeated in the x401 payload.",
   "Verification Tokens SHOULD be short-lived, revocable, and scoped to the accepted x401 proof requirement. When a deployment binds the Agent, a Verifier that issues a token MUST identify the Agent as the token holder and MUST NOT treat the credential subject as the token holder unless the credential subject is also the Agent.",
-  "When a Verifier receives a VP Artifact directly on a protected-route retry or through the OAuth token endpoint, it MUST validate the presentation against the request it composed for the route. When the VP Artifact is a [[ref: Presentation Reference]], the Verifier first dereferences `presentation_uri` to obtain the presentation result, then validates that result exactly as if it had been supplied inline.",
-  "When a x401 payload includes `trust_establishment`, that URL identifies the DIF Credential Trust Establishment document for the proof requirement. The document is an acquisition and discovery hint; it does not decide validity. Issuer constraints that must hold at presentation time belong in the request's DCQL `trusted_authorities`, and the Verifier MUST independently validate that presented credentials were issued by parties approved under that request and its own issuer policy. The Verifier MUST NOT rely on the Agent's interpretation of the Issuer Trust List.",
-  "When an Agent relays the request to a separate wallet, browser, device, or remote service, or acquires a remotely generated [[ref: Presentation Result]], the surface that obtains the result is not necessarily the Agent that retries the route. A deployment that binds the Agent in those topologies MUST choose a binding mechanism that survives the relay — for example, an HTTP-layer or token-layer caller authentication on the retry — rather than relying on the presentation result alone.",
-  "When processing a `PROOF-PRESENTATION` value that carries an x401 Token Object, the Verifier MUST decode the x401 Token Object, validate the contained Verification Token, and evaluate whether the token satisfies the route's x401 proof requirement. If an `Authorization` header is also present, the Verifier MUST ensure that the application credential and the x401 Verification Token are bound to the same Agent Identifier, client, subject, proof-of-possession key, certificate, or other verifier-accepted caller binding for the route. A Verifier MUST reject a request that combines an application credential and x401 Verification Token that cannot be safely bound to the same accepted caller context.",
+  "What this version does **not** specify, and what future work should define, includes: how the [[ref: Credential Result]], [[ref: Result Artifact]], and delivery in `PROOF-RESPONSE` generalize to non-presentation results such as a WebAuthn assertion; how [Verifier Binding](#verifier-binding) is expressed for request types with their own binding model (for example WebAuthn's `rpId`, `challenge`, and origin in `clientDataJSON`); how the OAuth token exchange represents a non-VP proof as the subject token; and how a Verifier signs or otherwise authors each additional request type. Until a future version specifies a given member, a Verifier MUST NOT rely on it and an Agent MUST treat only the `digital` member as defined by this specification.",
+  "When a Verifier receives a Result Artifact directly on a protected-route retry or through the OAuth token endpoint, it MUST validate the result against the request it composed for the route. When the Result Artifact is a [[ref: Credential Reference]], the Verifier first dereferences `credential_result_uri` to obtain the credential result, then validates that result exactly as if it had been supplied inline.",
+  "When an Agent relays the request to a separate Credential Manager, browser, device, or remote service, or acquires a remotely generated [[ref: Credential Result]], the surface that obtains the result is not necessarily the Agent that retries the route. A deployment that binds the Agent in those topologies MUST choose a binding mechanism that survives the relay — for example, an HTTP-layer or token-layer caller authentication on the retry — rather than relying on the credential result alone.",
+  "When processing a `PROOF-RESPONSE` value that carries an x401 Token Object, the Verifier MUST decode the x401 Token Object, validate the contained Verification Token, and evaluate whether the token satisfies the route's x401 proof requirement. If an `Authorization` header is also present, the Verifier MUST ensure that the application credential and the x401 Verification Token are bound to the same Agent Identifier, client, subject, proof-of-possession key, certificate, or other verifier-accepted caller binding for the route. A Verifier MUST reject a request that combines an application credential and x401 Verification Token that cannot be safely bound to the same accepted caller context.",
   "`access_token` | REQUIRED. The opaque or structured [[ref: Verification Token]] value issued to the [[ref: Agent]].",
+  "`credential_requirements` | REQUIRED. The Verifier-composed credential request, a `CredentialRequestOptions` value. This version of x401 specifies its `digital` member, the composed [[ref: Digital Credentials Request]]. See [Credential Requirements](#credential-requirements).",
+  "`credential_result_uri` | REQUIRED unless `credential_result` is present. An HTTPS URL the Verifier dereferences with `GET` to fetch the [[ref: Credential Result]]. The Verifier MUST issue a unique `credential_result_uri` value for each result and MUST NOT reuse one across results. See [Result by Reference](#result-by-reference).",
+  "`credential_result` | REQUIRED unless `credential_result_uri` is present. The [[ref: Credential Result]] returned by the Credential Manager, as the `{ protocol, data }` object produced by the Digital Credentials API.",
+  "`digital.requests[].data` | REQUIRED. The protocol-specific request data. For `openid4vp-v1-signed`, an object carrying the signed OpenID4VP request (a JWT-Secured Authorization Request); for `openid4vp-v1-unsigned`, the OpenID4VP request parameters directly.",
+  "`digital.requests[].protocol` | REQUIRED. The DC API protocol identifier. For this version of x401 the value MUST be `\"openid4vp-v1-signed\"` (RECOMMENDED) or `\"openid4vp-v1-unsigned\"`. See [Verifier Binding](#verifier-binding) for the trade-off.",
+  "`digital.requests` | REQUIRED. A non-empty array of Digital Credentials request entries. A Verifier MAY include more than one entry (for example, offering different credential formats) for a Credential Manager, handler, or remote service to select among. Every entry MUST be a valid OpenID4VP request for the DC API.",
+  "`digital` | REQUIRED in this version. The composed [[ref: Digital Credentials Request]], a `DigitalCredentialRequestOptions` carrying the `requests` array below.",
   "`error` | REQUIRED. A verifier-defined error code. The value SHOULD be a short ASCII token suitable for logs and programmatic handling.",
   "`oauth` | REQUIRED. OAuth token exchange metadata for obtaining a reusable Verification Token. See [OAuth Members](#oauth-members).",
-  "`presentation_requirements` | REQUIRED. The composed [[ref: Digital Credentials Request]]. See [Presentation Requirements](#presentation-requirements).",
-  "`presentation_uri` | REQUIRED unless `response` is present. An HTTPS URL the Verifier dereferences with `GET` to fetch the [[ref: Presentation Result]]. The Verifier MUST issue a unique `presentation_uri` value for each presentation and MUST NOT reuse one across presentations. See [Presentation by Reference](#presentation-by-reference).",
-  "`requests[].data` | REQUIRED. The protocol-specific request data. For `openid4vp-v1-signed`, an object carrying the signed OpenID4VP request (a JWT-Secured Authorization Request); for `openid4vp-v1-unsigned`, the OpenID4VP request parameters directly.",
-  "`requests[].protocol` | REQUIRED. The DC API protocol identifier. For this version of x401 the value MUST be `\"openid4vp-v1-signed\"` (RECOMMENDED) or `\"openid4vp-v1-unsigned\"`. See [Verifier Binding](#verifier-binding) for the trade-off.",
-  "`requests` | REQUIRED. A non-empty array of Digital Credentials request entries. A Verifier MAY include more than one entry (for example, offering different credential formats) for a Wallet, handler, or remote service to select among. Every entry MUST be a valid OpenID4VP request for the DC API.",
-  "`response` | REQUIRED unless `presentation_uri` is present. The [[ref: Presentation Result]] returned by the Wallet, as the `{ protocol, data }` object produced by the Digital Credentials API.",
   "`scheme` | REQUIRED. Value MUST be the string `\"x401\"`.",
-  "`token_endpoint` | REQUIRED. OAuth 2.0 token endpoint where the Agent can exchange a VP Artifact for a Verification Token.",
+  "`token_endpoint` | REQUIRED. OAuth 2.0 token endpoint where the Agent can exchange a Result Artifact for a Verification Token.",
   "`token_type` | REQUIRED. The HTTP authorization scheme the Agent uses with the token. The value defined by this specification is `Bearer`.",
   "`token_type` | REQUIRED. The token type of the supplied Verification Token. For Verification Tokens defined by this specification, the value is `\"Bearer\"`.",
   "`version` | REQUIRED. The x401 error object version.",
diff --git a/spec/spec.md b/spec/spec.md
index bc8f8fd..082fa40 100644
--- a/spec/spec.md
+++ b/spec/spec.md
@@ -13,12 +13,16 @@ Editors:
 ~ [Daniel Buchner](https://www.linkedin.com/in/dbuchner) - [Proof](https://proof.com)
 ~ [Bhushit Agarwal](https://www.linkedin.com/in/bhushitagarwal/) - [Circle](https://circle.com)
 
-Contributors & Reviewers:
-~ [Darren Louie](https://www.linkedin.com/in/darrenlouie) - [Proof](https://proof.com)
-~ [Lee Campbell](https://github.com/leecam) - [Google](https://google.com)
+Reviewers:
+~ [Jacky Lao](https://www.linkedin.com/in/jackylao/) - [Lightspark](https://www.lightspark.com/)
+~ [Oliver Terbu](https://www.linkedin.com/in/oliver-terbu/) - [MATTR](https://mattr.global/)
+~ [Tobias Looker](https://www.linkedin.com/in/tplooker/) - [MATTR](https://mattr.global/)
 ~ [Tim Cappalli](https://www.linkedin.com/in/timcappalli/) - [Okta](https://okta.com)
 ~ [Nick Steele](https://www.linkedin.com/in/nickelsteele/) - [OpenAI](https://openai.com)
-~ [Reema Bajwa](https://www.linkedin.com/in/reema-bajwa/) - [Google](https://google.com)
+~ [Darren Louie](https://www.linkedin.com/in/darrenlouie) - [Proof](https://proof.com)
+~ [Adam Lemmon](https://www.linkedin.com/in/adamjlemmon/) - [Proof](https://proof.com)
+~ [Tony England](https://www.linkedin.com/in/tony-england-a2898738/) - [Visa](https://visa.com)
+~ [Steven Sacia](https://www.linkedin.com/in/steven-sacia/) - [Visa](https://visa.com)
 
 Participate:
 ~ [GitHub repo](https://github.com/proof/x401)
@@ -33,17 +37,17 @@ x401 defines an HTTP-based, route-scoped proof requirement protocol for requirin
 
 x401 uses:
 
-- the **`PROOF-REQUIRED` HTTP header field** to carry proof requirements
-- the **`PROOF-PRESENTATION` HTTP header field** to carry proof presentations, presentation references, or reusable proof-satisfaction tokens
-- the **`PROOF-RESPONSE` HTTP header field** to carry verifier response information, including x401 proof errors
+- the **`PROOF-REQUEST` HTTP header field** to carry proof requirements
+- the **`PROOF-RESPONSE` HTTP header field** to carry credential results, result references, or reusable proof-satisfaction tokens
+- the **`PROOF-RESULT` HTTP header field** to carry verifier response information, including x401 proof errors
 - **HTTP status codes** to express the overall response semantics independently of x401 proof state
-- the **W3C Digital Credentials API (DC API)** request shape as the carrier for the Verifier-composed presentation request, so the request can be executed by native credential wallet/handler methods or relayed to other wallets and remote services
-- **OpenID for Verifiable Presentations (OpenID4VP)** over the DC API for the composed presentation request, using **Digital Credentials Query Language (DCQL)** to describe the credential requirements
-- **OAuth 2.0** for optional exchange of a verified presentation for an access token
-- **DIF Credential Trust Establishment** for verifier-approved issuer policy and non-authoritative acquisition guidance
-- **OpenID for Verifiable Credential Issuance (OpenID4VCI)** for resolving credential issuer metadata when the referenced trust document identifies OpenID4VCI issuers
+- the **W3C Digital Credentials API (DC API)** request shape as the carrier for the Verifier-composed proof request, so the request can be executed by native Credential Manager or handler methods or relayed to other Credential Managers and remote services
+- **OpenID for Verifiable Presentations (OpenID4VP)** over the DC API for the composed proof request, using **Digital Credentials Query Language (DCQL)** to describe the credential requirements
+- **OAuth 2.0** for optional exchange of a verified result for an access token
+- the **DCQL `trusted_authorities`** the Verifier already places inside the request as the authoritative issuer constraint, and — for its dereferenceable types (`openid_federation`, `etsi_tl`) — as the acquisition and discovery hint an Agent can follow to find where qualifying credentials are issued
+- **OpenID for Verifiable Credential Issuance (OpenID4VCI)** for resolving credential issuer metadata when the request's `trusted_authorities` resolve to OpenID4VCI issuers
 
-The x401 payload carries a composed, valid Digital Credentials request authored by the Verifier. The Verifier authors the request and, in the RECOMMENDED signed mode, is its relying party. The request is placed at the payload's `presentation_requirements` member so it can be executed directly through native credential wallet/handler methods (`navigator.credentials.get({ digital: payload.presentation_requirements })`), relayed to another web wallet or remote presentation service, or handed off for fully remote generation. The payload's other top-level members — such as OAuth token exchange metadata, an issuer trust reference, and reusable requirement identifiers — carry x401-specific values that are not yet expressible inside a native Digital Credentials request.
+The x401 payload carries a composed, valid Digital Credentials request authored by the Verifier. The Verifier authors the request and, in the RECOMMENDED signed mode, is its relying party. The request is carried in the `digital` member of the payload's `credential_requirements` — itself a `CredentialRequestOptions` value usable directly as the argument to native Credential Manager or handler methods (`navigator.credentials.get(payload.credential_requirements)`) — so it can be executed directly, relayed to another remote Credential Manager or presentation service, or handed off for fully remote generation. This version of x401 specifies only the `digital` member; the container leaves room for other `navigator.credentials.get()` request types in future versions. The payload's other top-level members — such as OAuth token exchange metadata and reusable requirement identifiers — carry x401-specific values that are not yet expressible inside a native Digital Credentials request.
 
 x401 is intentionally separate from payment protocols. When payment is required, it MUST be handled with **HTTP 402 Payment Required** and an appropriate payment protocol. x401 MUST NOT redefine payment semantics.
 
@@ -64,33 +68,33 @@ HTTP provides a standard challenge mechanism for authentication via `401 Unautho
 - proving organizational standing
 - proving workload identity attributes
 
-At the same time, OpenID4VP, DCQL, OAuth, OpenID4VCI, and the W3C Digital Credentials API define interoperable mechanisms for requesting presentations, evaluating credential requirements, invoking wallets, issuing access tokens, and issuing credentials, but they are not themselves an HTTP route proof requirement protocol.
+At the same time, OpenID4VP, DCQL, OAuth, OpenID4VCI, and the W3C Digital Credentials API define interoperable mechanisms for requesting presentations, evaluating credential requirements, invoking Credential Managers, issuing access tokens, and issuing credentials, but they are not themselves an HTTP route proof requirement protocol.
 
 x401 fills that gap by defining an HTTP-native wrapper that:
 
 - signals proof requirements at the protected route
 - carries x401 proof objects as base64url values in dedicated proof header fields
-- carries a composed, valid Digital Credentials request, authored and signed by the Verifier, at the payload's `presentation_requirements` member
+- carries a composed, valid Digital Credentials request, authored and signed by the Verifier, in the `digital` member of the payload's `credential_requirements`
 - recommends a signed OpenID4VP request for the DC API — making the Verifier the relying party and binding the request to the Verifier independently of which surface invokes it — while allowing an unsigned request when the request must be fulfilled at an invocation origin the Verifier cannot declare in advance
-- lets the [[ref: Agent]] execute the request through native credential methods, relay it to another wallet or remote service, or hand it off for fully remote generation and then acquire the result
+- lets the [[ref: Agent]] execute the request through native credential methods, relay it to another Credential Manager or remote service, or hand it off for fully remote generation and then acquire the result
 - includes OAuth token exchange metadata for Agents that want a reusable access token after proving
-- optionally includes a DIF Credential Trust Establishment URL that can help Agents discover acceptable credential issuers
+- lets Agents discover where to acquire qualifying credentials by following the dereferenceable issuer pointers (`openid_federation`, `etsi_tl`) the Verifier already places in the request's DCQL `trusted_authorities`, without adding an x401-specific issuer list
 - composes with, but does not subsume, payment protocols
 
-In the typical flow, an [[ref: Agent]] receives an x401 proof requirement from a [[ref: Verifier]], obtains a presentation for the Verifier-composed [[ref: Presentation Request]] — by invoking the request through native credential methods, relaying it to a [[ref: Wallet]], or acquiring a remotely generated result — and retries the original protected route with the presentation result inline or by reference. An [[ref: Issuer Trust List]] can help the Agent discover credentials or issuers, but the Verifier remains authoritative for issuer trust enforcement.
+In the typical flow, an [[ref: Agent]] receives an x401 proof requirement from a [[ref: Verifier]], obtains a result for the Verifier-composed [[ref: Proof Request]] — by invoking the request through native credential methods, relaying it to a [[ref: Credential Manager]], or acquiring a remotely generated result — and retries the original protected route with the credential result inline or by reference. The dereferenceable issuer pointers in the request's DCQL `trusted_authorities` can help the Agent discover where to acquire qualifying credentials, but the Verifier remains authoritative for issuer trust enforcement.
 
 ## Design Goals
 
 The goals of x401 are:
 
 1. Define a route-scoped proof requirement for HTTP resources.
-2. Carry a composed, valid Digital Credentials request, authored by the Verifier, that can be executed by native credential wallet/handler methods.
+2. Carry a composed, valid Digital Credentials request, authored by the Verifier, that can be executed by native Credential Manager or handler methods.
 3. Let the Verifier be the relying party for that request through a signed request, while allowing an unsigned request bound to the invoking origin and nonce when the invocation origin cannot be known in advance.
-4. Preserve the Agent's ability to execute the request natively, relay it to another wallet or remote service, or hand it off for fully remote generation and then acquire and present the result.
+4. Preserve the Agent's ability to execute the request natively, relay it to another Credential Manager or remote service, or hand it off for fully remote generation and then acquire and present the result.
 5. Reserve the top level of the x401 payload, alongside the native request, for x401-specific values that are not yet expressible inside a native Digital Credentials request.
 6. Reuse OpenID4VP over the DC API, DCQL, OAuth, and OpenID4VCI rather than redefining them.
 7. Remain separate from payment semantics.
-8. Allow issuer discovery by reference to verifier trust policy without listing issuers inline in the x401 payload.
+8. Allow issuer discovery and credential acquisition to follow the issuer constraints the Verifier already expresses in the request's DCQL `trusted_authorities`, without adding an x401-specific issuer list.
 9. Support stateless verifier deployments without dictating how the Verifier achieves it.
 10. Allow optional caller authentication, request signing, and delegation artifacts to compose with x401 without making any one agent identity or binding system mandatory.
 
@@ -102,7 +106,7 @@ x401 does not:
 - replace OpenID4VP or the W3C Digital Credentials API
 - replace OpenID4VCI
 - redefine how a Digital Credentials request is composed, signed, or invoked
-- mandate a single transport for delivering the composed request to a Wallet
+- mandate a single transport for delivering the composed request to a Credential Manager
 - define a payment protocol
 - require all Verifiers to maintain server-side session state
 - require VP response encryption or any single agent authentication or binding mechanism
@@ -115,89 +119,86 @@ The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHALL**, **SHALL NOT**, **
 ~ The party protecting a resource or operation and requiring proof.
 
 [[def: Agent]]:
-~ The HTTP caller that requests a protected route, receives an x401 proof requirement, obtains a presentation for the Verifier-composed [[ref: Presentation Request]] — by invoking it through native credential methods, relaying it to a Wallet or remote service, or acquiring a remotely generated result — and retries the protected route. The Agent does not compose the presentation request and is not, by default, the relying party for it. A deployment MAY additionally bind the Agent to the request using an optional [[ref: Agent Identifier]].
+~ The HTTP caller that requests a protected route, receives an x401 proof requirement, obtains a result for the Verifier-composed [[ref: Proof Request]] — by invoking it through native credential methods, relaying it to a Credential Manager or remote service, or acquiring a remotely generated result — and retries the protected route. The Agent does not compose the proof request and is not, by default, the relying party for it. A deployment MAY additionally bind the Agent to the request using an optional [[ref: Agent Identifier]].
 
 [[def: Agent Identifier]]:
 ~ An optional identifier for the Agent that a Verifier MAY bind to the HTTP caller. This specification does not register a single Agent Identifier scheme; a Verifier that chooses to bind the Agent MUST define which schemes it accepts, including any accepted DID, HTTPS origin, domain-bound client identifier, or certificate-bound identifier schemes. See [Agent Binding Options](#agent-binding-options).
 
 [[def: Holder]]:
-~ The subject or entity that possesses credentials and can authorize a Wallet to present proof.
+~ The subject or entity that possesses credentials and can authorize a Credential Manager to present proof.
 
-[[def: Wallet]]:
-~ Software capable of receiving an OpenID4VP request through the Digital Credentials API or another transport and returning a presentation result authorized by a [[ref: Holder]].
+[[def: Credential Manager]]:
+~ Software or a service that holds, or has access to, a [[ref: Holder]]'s credentials and can receive an OpenID4VP request — through the Digital Credentials API or another transport — and return a credential result authorized by the [[ref: Holder]]. The term is used broadly here and is **not** limited to a platform Credential Manager API entity: a Credential Manager can be a browser or operating-system credential manager, a remote or cloud wallet, or any other app or service that holds and offers credentials on a Holder's behalf.
 
 [[def: Digital Credentials Request]]:
-~ The composed, valid Digital Credentials request the Verifier places at the payload's `presentation_requirements` member. It is a `DigitalCredentialRequestOptions` value (`{ "requests": [ ... ] }`) usable directly as the `digital` member of `navigator.credentials.get()`. Each entry is an OpenID4VP request for the DC API, signed (RECOMMENDED) or unsigned.
+~ The composed, valid Digital Credentials request the Verifier places in the `digital` member of the payload's `credential_requirements`. It is a `DigitalCredentialRequestOptions` value (`{ "requests": [ ... ] }`) — the value the `digital` member of `navigator.credentials.get()` takes. Each entry is an OpenID4VP request for the DC API, signed (RECOMMENDED) or unsigned.
 
-[[def: Presentation Request]]:
+[[def: Proof Request]]:
 ~ The Verifier-authored OpenID4VP request carried inside the [[ref: Digital Credentials Request]]. It identifies the credential requirement as `dcql_query` and carries the OpenID4VP `nonce`. When signed (RECOMMENDED), the Verifier is its relying party and it binds to the Verifier through the request signature, `client_id`, and `expected_origins`; when unsigned, it binds to the invoking origin and the `nonce`. See [Verifier Binding](#verifier-binding).
 
-[[def: Presentation Result]]:
-~ The result a Wallet returns for a [[ref: Digital Credentials Request]], shaped as `{ "protocol": ..., "data": ... }` as returned by the Digital Credentials API.
-
-[[def: Issuer Trust List]]:
-~ A verifier-controlled DIF Credential Trust Establishment document that identifies the issuers, authorities, roles, activities, credential schemas, or credential types the Verifier accepts for a proof requirement. The same document can also help Agents discover where qualifying credentials may be obtained.
+[[def: Credential Result]]:
+~ The result a Credential Manager returns for a [[ref: Digital Credentials Request]], shaped as `{ "protocol": ..., "data": ... }` as returned by the Digital Credentials API.
 
-[[def: VP Artifact]]:
-~ A retry artifact carrying a [[ref: Presentation Result]] — either inline or as a [[ref: Presentation Reference]] — together with the x401 metadata the Verifier needs to correlate proof fulfillment, encoded for use in a `PROOF-PRESENTATION` request header or OAuth token exchange.
+[[def: Result Artifact]]:
+~ A retry artifact carrying a [[ref: Credential Result]] — either inline or as a [[ref: Credential Reference]] — together with the x401 metadata the Verifier needs to correlate proof fulfillment, encoded for use in a `PROOF-RESPONSE` request header or OAuth token exchange.
 
-[[def: Presentation Reference]]:
-~ A by-reference form of the [[ref: VP Artifact]] that carries a URL the Verifier dereferences to fetch a [[ref: Presentation Result]] instead of carrying it inline, for presentations that exceed header size limits or are generated at a remote location.
+[[def: Credential Reference]]:
+~ A by-reference form of the [[ref: Result Artifact]] that carries a URL the Verifier dereferences to fetch a [[ref: Credential Result]] instead of carrying it inline, for results that exceed header size limits or are generated at a remote location.
 
 [[def: Verification Token]]:
-~ A verifier-issued, short-lived access token returned after successful proof verification and used by the [[ref: Agent]] on later protected-route requests so that the VP Artifact does not need to be repeated. A Verification Token can be used as the route's normal `Authorization` token when the deployment supports that model, or carried as an x401 Token Object in `PROOF-PRESENTATION` when the route already uses `Authorization` for existing application authentication.
+~ A verifier-issued, short-lived access token returned after successful proof verification and used by the [[ref: Agent]] on later protected-route requests so that the Result Artifact does not need to be repeated. A Verification Token can be used as the route's normal `Authorization` token when the deployment supports that model, or carried as an x401 Token Object in `PROOF-RESPONSE` when the route already uses `Authorization` for existing application authentication.
 
 [[def: x401 Token Object]]:
-~ A JSON object carried as a base64url value in `PROOF-PRESENTATION` to pass a Verification Token without replacing the route's existing `Authorization` credentials.
+~ A JSON object carried as a base64url value in `PROOF-RESPONSE` to pass a Verification Token without replacing the route's existing `Authorization` credentials.
 
 [[def: x401 Payload]]:
-~ The JSON object defined by this specification, UTF-8 encoded, and carried as a base64url value in the `PROOF-REQUIRED` header field.
+~ The JSON object defined by this specification, UTF-8 encoded, and carried as a base64url value in the `PROOF-REQUEST` header field.
 
 [[def: x401 Error Object]]:
-~ A JSON object carried as a base64url value in the `PROOF-RESPONSE` header field to describe why a presented proof failed or could not be processed.
+~ A JSON object carried as a base64url value in the `PROOF-RESULT` header field to describe why a presented proof failed or could not be processed.
 
 ## Protocol Overview
 
-The x401 protocol is made up of four legs: a Verifier exposes identity proof requirements that gate access to a resource by composing a Digital Credentials request, the Agent obtains a presentation for that request, the Agent presents the result back to the Verifier, and the Agent may exchange that proof for a reusable Verification Token. The tabs below summarize each leg and link to the detailed section that defines the processing rules that pertain to them.
+The x401 protocol is made up of four legs: a Verifier exposes identity proof requirements that gate access to a resource by composing a Digital Credentials request, the Agent obtains a result for that request, the Agent presents the result back to the Verifier, and the Agent may exchange that proof for a reusable Verification Token. The tabs below summarize each leg and link to the detailed section that defines the processing rules that pertain to them.
 
 ::: tabs
 
 :: 1. Gated Resource
 
-The Verifier declares a route-scoped proof requirement by returning a `PROOF-REQUIRED` header. The header carries the base64url-encoded x401 payload that defines the route's proof requirement; see [x401 Gated Resource Configuration](#x401-gated-resource-configuration) for details. The response status code describes the overall HTTP response and is not the x401 protocol carrier.
+The Verifier declares a route-scoped proof requirement by returning a `PROOF-REQUEST` header. The header carries the base64url-encoded x401 payload that defines the route's proof requirement; see [x401 Gated Resource Configuration](#x401-gated-resource-configuration) for details. The response status code describes the overall HTTP response and is not the x401 protocol carrier.
 
 ```http
 HTTP/1.1 401 Unauthorized
-PROOF-REQUIRED: <base64url-x401-payload>
+PROOF-REQUEST: <base64url-x401-payload>
 Cache-Control: no-store
 ```
 
-:: 2. Obtaining a Presentation
+:: 2. Obtaining a Result
 
-The Agent decodes the x401 payload and obtains a presentation for the Verifier-composed request at the payload's `presentation_requirements` member. The Agent does not compose or alter the request; it invokes it through native credential methods, relays it to a Wallet or remote service, or acquires a remotely generated result; see [Obtaining a Presentation](#obtaining-a-presentation) for details. The composed request is directly usable as the `digital` member of `navigator.credentials.get()`.
+The Agent decodes the x401 payload and obtains a result for the Verifier-composed request carried in the `digital` member of the payload's `credential_requirements`. The Agent does not compose or alter the request; it invokes it through native credential methods, relays it to a Credential Manager or remote service, or acquires a remotely generated result; see [Obtaining a Result](#obtaining-a-result) for details. The `credential_requirements` object is directly usable as the argument to `navigator.credentials.get()`.
 
 ```js
-const result = await navigator.credentials.get({ digital: payload.presentation_requirements });
-// result => { protocol: "openid4vp-v1-signed", data: { /* presentation result */ } }
+const result = await navigator.credentials.get(payload.credential_requirements);
+// result => { protocol: "openid4vp-v1-signed", data: { /* credential result */ } }
 ```
 
-:: 3. VP Presentation
+:: 3. Result Delivery
 
-After obtaining a presentation result, the Agent packages it as a VP Artifact for protected-route retry. The VP Artifact carries the Wallet-returned presentation result inline, or a reference the Verifier dereferences; see [Verifiable Presentation Delivery](#verifiable-presentation-delivery) for details.
+After obtaining a credential result, the Agent packages it as a Result Artifact for protected-route retry. The Result Artifact carries the Credential Manager-returned credential result inline, or a reference the Verifier dereferences; see [Credential Result Delivery](#credential-result-delivery) for details.
 
 ```json
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
 ```
 
 :: 4. Token Acquisition
 
-The Agent can submit the same VP Artifact to the Verifier's OAuth token endpoint to obtain a reusable Verification Token. The token exchange uses fixed x401 token-exchange parameters and then the Agent retries protected routes with either an upgraded `Authorization` token or a `PROOF-PRESENTATION` proof-satisfaction token object; see [Access Token Acquisition](#access-token-acquisition) for details.
+The Agent can submit the same Result Artifact to the Verifier's OAuth token endpoint to obtain a reusable Verification Token. The token exchange uses fixed x401 token-exchange parameters and then the Agent retries protected routes with either an upgraded `Authorization` token or a `PROOF-RESPONSE` proof-satisfaction token object; see [Access Token Acquisition](#access-token-acquisition) for details.
 
 ```http
 POST /oauth/token HTTP/1.1
@@ -205,31 +206,31 @@ Host: bank.example.com
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
-subject_token_type=urn:x401:params:oauth:token-type:vp_artifact&
-subject_token=<base64url-vp-artifact-json>
+subject_token_type=urn:x401:params:oauth:token-type:result_artifact&
+subject_token=<base64url-result-artifact-json>
 ```
 
 :::
 
 ### Primary Flow
 
-In the primary x401 flow, the [[ref: Agent]] is the HTTP caller and is assumed to have access to a [[ref: Wallet]], keys, credentials, or local capabilities needed to fulfill the proof requirement.
+In the primary x401 flow, the [[ref: Agent]] is the HTTP caller and is assumed to have access to a [[ref: Credential Manager]], keys, credentials, or local capabilities needed to fulfill the proof requirement.
 
 1. The [[ref: Agent]] requests a protected route.
 2. The [[ref: Verifier]] determines that proof is required.
 3. The [[ref: Verifier]] returns an HTTP response with:
-   - `PROOF-REQUIRED: <base64url-x401-payload>`
-4. The [[ref: Agent]] decodes the x401 payload and reads the composed [[ref: Digital Credentials Request]] at the `presentation_requirements` member and the OAuth token endpoint.
-5. The [[ref: Agent]] obtains a [[ref: Presentation Result]] for `presentation_requirements` without altering it, by one of:
-   - invoking the request through a native credential method such as `navigator.credentials.get({ digital: payload.presentation_requirements })`,
-   - relaying the request to a Wallet or remote presentation service that can execute it, or
+   - `PROOF-REQUEST: <base64url-x401-payload>`
+4. The [[ref: Agent]] decodes the x401 payload and reads the composed [[ref: Digital Credentials Request]] in the `digital` member of `credential_requirements` and the OAuth token endpoint.
+5. The [[ref: Agent]] obtains a [[ref: Credential Result]] for `credential_requirements` without altering it, by one of:
+   - invoking the request through a native credential method such as `navigator.credentials.get(payload.credential_requirements)`,
+   - relaying the request to a Credential Manager or remote presentation service that can execute it, or
    - handing the request to a remote fulfillment surface and acquiring the generated result.
-6. The chosen Wallet, handler, or service returns a presentation result bound per the request's mode — to the Verifier as relying party for a signed request, or to the invoking origin and nonce for an unsigned request.
+6. The chosen Credential Manager, handler, or service returns a credential result bound per the request's mode — to the Verifier as relying party for a signed request, or to the invoking origin and nonce for an unsigned request.
 7. The [[ref: Agent]] retries the same protected route that produced the x401 proof requirement with one of:
-   - a [[ref: VP Artifact]] in a `PROOF-PRESENTATION` request header, carrying the presentation result inline or as a [[ref: Presentation Reference]],
-   - a [[ref: Verification Token]] carried as an x401 Token Object in a `PROOF-PRESENTATION` request header, or
+   - a [[ref: Result Artifact]] in a `PROOF-RESPONSE` request header, carrying the credential result inline or as a [[ref: Credential Reference]],
+   - a [[ref: Verification Token]] carried as an x401 Token Object in a `PROOF-RESPONSE` request header, or
    - a [[ref: Verification Token]] in the route's normal `Authorization` request header when the deployment uses x401 proof satisfaction to upgrade or replace the route's ordinary authorization credential.
-8. The [[ref: Verifier]] validates the VP Artifact or Verification Token, dereferencing a Presentation Reference when one is supplied.
+8. The [[ref: Verifier]] validates the Result Artifact or Verification Token, dereferencing a Credential Reference when one is supplied.
 9. If proof is satisfied and payment is not required or is already satisfied, the [[ref: Verifier]] returns the protected resource.
 10. If proof is satisfied but payment remains unsatisfied, the [[ref: Verifier]] returns `402 Payment Required` with payment protocol details. After satisfying payment, the [[ref: Agent]] retries the same route with proof or token material and the payment artifact required by the selected payment protocol.
 
@@ -237,13 +238,13 @@ In the primary x401 flow, the [[ref: Agent]] is the HTTP caller and is assumed t
 sequenceDiagram
     participant Agent
     participant Verifier
-    participant Wallet
+    participant CM as Credential Manager
     participant Payment
     Agent->>Verifier: Request protected route
-    Verifier-->>Agent: HTTP response + PROOF-REQUIRED (composed request)
-    Agent->>Wallet: Invoke / relay verifier-composed Digital Credentials request
-    Wallet-->>Agent: Presentation result (bound to Verifier as RP)
-    Agent->>Verifier: Retry route with PROOF-PRESENTATION result or OAuth token
+    Verifier-->>Agent: HTTP response + PROOF-REQUEST (composed request)
+    Agent->>CM: Invoke / relay verifier-composed Digital Credentials request
+    CM-->>Agent: Credential result (bound to Verifier as RP)
+    Agent->>Verifier: Retry route with PROOF-RESPONSE result or OAuth token
     opt Payment required after proof satisfaction
         Verifier-->>Agent: 402 Payment Required
         Agent->>Payment: Complete payment protocol
@@ -255,30 +256,30 @@ sequenceDiagram
 
 ### Optional OAuth Token Exchange
 
-An Agent MAY exchange a VP Artifact for a Verification Token before retrying the protected route. The token endpoint is supplied by the Verifier in the x401 payload.
+An Agent MAY exchange a Result Artifact for a Verification Token before retrying the protected route. The token endpoint is supplied by the Verifier in the x401 payload.
 
 ```mermaid
 sequenceDiagram
     participant Agent
     participant Verifier
-    participant Wallet
+    participant CM as Credential Manager
     Agent->>Verifier: Request protected route
-    Verifier-->>Agent: HTTP response + PROOF-REQUIRED (composed request)
-    Agent->>Wallet: Invoke / relay verifier-composed Digital Credentials request
-    Wallet-->>Agent: Presentation result (bound to Verifier as RP)
-    Agent->>Verifier: OAuth token request with VP artifact
+    Verifier-->>Agent: HTTP response + PROOF-REQUEST (composed request)
+    Agent->>CM: Invoke / relay verifier-composed Digital Credentials request
+    CM-->>Agent: Credential result (bound to Verifier as RP)
+    Agent->>Verifier: OAuth token request with Result Artifact
     Verifier-->>Agent: Verification token
-    Agent->>Verifier: Retry same route with Authorization token or PROOF-PRESENTATION token object
+    Agent->>Verifier: Retry same route with Authorization token or PROOF-RESPONSE token object
     Verifier-->>Agent: Protected resource
 ```
 
-The technical sections that follow are organized by the four main legs of the protocol: x401 gated resource configuration, obtaining a presentation, verifiable presentation delivery, and access token acquisition.
+The technical sections that follow are organized by the four main legs of the protocol: x401 gated resource configuration, obtaining a result, credential result delivery, and access token acquisition.
 
 ## x401 Gated Resource Configuration
 
-The initial leg of the protocol defines how a protected HTTP resource declares what proof is required. The Verifier responds to the original protected-route request with a `PROOF-REQUIRED` header whose value contains the base64url-encoded x401 payload.
+The initial leg of the protocol defines how a protected HTTP resource declares what proof is required. The Verifier responds to the original protected-route request with a `PROOF-REQUEST` header whose value contains the base64url-encoded x401 payload.
 
-The requirement is route-scoped. If a representation includes gated and ungated material, this version of x401 does not define per-fragment requirements or separate requirement mapping inside the page. Fulfillment of the complete credential demand in the `PROOF-REQUIRED` payload satisfies the route's x401 gate.
+The requirement is route-scoped. If a representation includes gated and ungated material, this version of x401 does not define per-fragment requirements or separate requirement mapping inside the page. Fulfillment of the complete credential demand in the `PROOF-REQUEST` payload satisfies the route's x401 gate.
 
 ```http
 POST /accounts/applications HTTP/1.1
@@ -286,7 +287,7 @@ Host: bank.example.com
 Accept: application/json
 
 HTTP/1.1 401 Unauthorized
-PROOF-REQUIRED: <base64url-x401-payload>
+PROOF-REQUEST: <base64url-x401-payload>
 Cache-Control: no-store
 ```
 
@@ -294,17 +295,17 @@ Cache-Control: no-store
 
 HTTP status or condition | Meaning in a x401-capable deployment | Agent expectation
 ------------------------ | ------------------------------------ | ----------------
-Any response with `PROOF-REQUIRED` | Proof is required, advertised, or not yet satisfied for the route | Decode the x401 payload from the `PROOF-REQUIRED` field value
-Any response with `PROOF-RESPONSE` containing an x401 Error Object | A presented x401 proof failed or could not be processed | Decode the x401 error object and treat the x401 proof branch as failed
-`2xx` with `PROOF-REQUIRED` | The HTTP response is otherwise successful, but the route includes x401-gated material or actions | Process the response normally and fulfill the route-scoped proof requirement when access to the gated material is needed
-`4xx` with `PROOF-REQUIRED` | The route cannot be completed without proof | Fulfill the route-scoped proof requirement before retrying
+Any response with `PROOF-REQUEST` | Proof is required, advertised, or not yet satisfied for the route | Decode the x401 payload from the `PROOF-REQUEST` field value
+Any response with `PROOF-RESULT` containing an x401 Error Object | A presented x401 proof failed or could not be processed | Decode the x401 error object and treat the x401 proof branch as failed
+`2xx` with `PROOF-REQUEST` | The HTTP response is otherwise successful, but the route includes x401-gated material or actions | Process the response normally and fulfill the route-scoped proof requirement when access to the gated material is needed
+`4xx` with `PROOF-REQUEST` | The route cannot be completed without proof | Fulfill the route-scoped proof requirement before retrying
 `402 Payment Required` | Payment remains unsatisfied | Switch to the payment protocol
 
 The x401 proof header fields are the x401 protocol carriers. HTTP status codes describe the overall response and do not, by themselves, define x401 proof state.
 
 #### Status Code Independence
 
-A server that requires proof for access to a protected resource, route, representation, or operation whose response would be changed as a whole by fulfilling a single set of proof requirements MUST return `PROOF-REQUIRED: <base64url-x401-payload>`. The `PROOF-REQUIRED` header is the authoritative carrier for an x401 proof requirement that gates the entire response.
+A server that requires proof for access to a protected resource, route, representation, or operation whose response would be changed as a whole by fulfilling a single set of proof requirements MUST return `PROOF-REQUEST: <base64url-x401-payload>`. The `PROOF-REQUEST` header is the authoritative carrier for an x401 proof requirement that gates the entire response.
 
 The response MAY use any HTTP status code appropriate for the whole response. A Verifier can use a successful status code when the response body is still useful without proof, or a client or server error status when the requested operation cannot proceed until proof is satisfied.
 
@@ -312,13 +313,13 @@ Example:
 
 ```http
 HTTP/1.1 200 OK
-PROOF-REQUIRED: <base64url-x401-payload>
+PROOF-REQUEST: <base64url-x401-payload>
 Cache-Control: no-store
 ```
 
-An x401 proof requirement carried in `PROOF-REQUIRED` SHOULD NOT require the Agent to parse a response body in order to understand the proof requirement.
+An x401 proof requirement carried in `PROOF-REQUEST` SHOULD NOT require the Agent to parse a response body in order to understand the proof requirement.
 
-This specification does not carry x401 proof requirements in `WWW-Authenticate`. A protected route may already use that header for an existing HTTP authentication scheme, and combining multiple schemes — whether through comma-separated field values or duplicate header lines — is not consistently or well handled by common HTTP servers, proxies, client libraries, and middleware. Carrying x401 proof requirements in a dedicated `PROOF-REQUIRED` field avoids those interoperability gaps and lets x401 compose with any existing `WWW-Authenticate`-based authentication without contention.
+This specification does not carry x401 proof requirements in `WWW-Authenticate`. A protected route may already use that header for an existing HTTP authentication scheme, and combining multiple schemes — whether through comma-separated field values or duplicate header lines — is not consistently or well handled by common HTTP servers, proxies, client libraries, and middleware. Carrying x401 proof requirements in a dedicated `PROOF-REQUEST` field avoids those interoperability gaps and lets x401 compose with any existing `WWW-Authenticate`-based authentication without contention.
 
 #### 402 for Payment
 
@@ -328,20 +329,20 @@ Payment metadata MAY be declared in a x401 payload for informational purposes wh
 
 #### x401 Error for Failed Policy Satisfaction
 
-If an Agent presents a proof artifact that is structurally valid but does not satisfy the Verifier's policy, the Verifier SHOULD return a `PROOF-RESPONSE: <base64url-x401-error-object>` header. The x401 Error Object is the protocol-specific indication of failure for x401 exchanges. The HTTP response status remains independent and describes the overall response.
+If an Agent presents a proof artifact that is structurally valid but does not satisfy the Verifier's policy, the Verifier SHOULD return a `PROOF-RESULT: <base64url-x401-error-object>` header. The x401 Error Object is the protocol-specific indication of failure for x401 exchanges. The HTTP response status remains independent and describes the overall response.
 
 Examples include:
 
 - credential from an untrusted issuer
 - credential does not satisfy predicates
 - expired or revoked credential
-- presentation is not bound as the request mode requires (wrong relying party, audience, or invoking origin)
+- result is not bound as the request mode requires (wrong relying party, audience, or invoking origin)
 - nonce is not one the Verifier issued, or is expired or replayed
 - insufficient assurance level
 
 ### Proof Header Fields
 
-The proof header fields carry x401 protocol objects. This specification uses "x401 proof requirement" for the overall route-gating declaration carried in `PROOF-REQUIRED`.
+The proof header fields carry x401 protocol objects. This specification uses "x401 proof requirement" for the overall route-gating declaration carried in `PROOF-REQUEST`.
 
 #### Header Syntax
 
@@ -350,34 +351,34 @@ Each x401 proof header field carries exactly one base64url-encoded UTF-8 JSON ob
 Header field names are shown in uppercase for consistency with the examples. As HTTP field names, they are case-insensitive.
 
 ```text
-PROOF-REQUIRED: <base64url-json>
-PROOF-PRESENTATION: <base64url-json>
+PROOF-REQUEST: <base64url-json>
 PROOF-RESPONSE: <base64url-json>
+PROOF-RESULT: <base64url-json>
 ```
 
 The defined x401 proof header fields are:
 
 Header field | Direction | Decoded payload
 ------------ | --------- | ---------------
-`PROOF-REQUIRED` | Verifier to Agent | [[ref: x401 Payload]]
-`PROOF-PRESENTATION` | Agent to Verifier | [[ref: VP Artifact]] or [[ref: x401 Token Object]]
-`PROOF-RESPONSE` | Verifier to Agent | x401 response information, including [[ref: x401 Error Object]]
+`PROOF-REQUEST` | Verifier to Agent | [[ref: x401 Payload]]
+`PROOF-RESPONSE` | Agent to Verifier | [[ref: Result Artifact]] or [[ref: x401 Token Object]]
+`PROOF-RESULT` | Verifier to Agent | x401 response information, including [[ref: x401 Error Object]]
 
 The encoded value MUST be base64url-encoded UTF-8 JSON using the URL and filename safe alphabet defined by RFC 4648 Section 5 without padding. The decoded value MUST be a single JSON object.
 
-When `PROOF-PRESENTATION` carries a VP Artifact, the request is a direct proof presentation. When it carries an x401 Token Object, the request is presenting a reusable proof-satisfaction token issued after prior verification.
+When `PROOF-RESPONSE` carries a Result Artifact, the request is presenting a credential result directly. When it carries an x401 Token Object, the request is presenting a reusable proof-satisfaction token issued after prior verification.
 
-`PROOF-RESPONSE` is the Verifier-to-Agent response information channel for x401-specific results and diagnostics. This specification defines the x401 Error Object for failed proof presentation or token processing. Deployments MAY define additional response objects for accepted proof state, token metadata, or other x401-specific return information.
+`PROOF-RESULT` is the Verifier-to-Agent response information channel for x401-specific results and diagnostics. This specification defines the x401 Error Object for failed proof or token processing. Deployments MAY define additional response objects for accepted proof state, token metadata, or other x401-specific return information.
 
 A sender MUST NOT generate more than one field line with the same x401 proof header name in the same HTTP message. A sender MUST NOT combine multiple x401 protocol objects in a single proof header using commas or other list syntax. If a recipient receives multiple field lines for the same proof header, or receives a proof header value containing a comma-separated list of messages, it MUST treat that proof header as invalid.
 
-A response SHOULD NOT contain both `PROOF-REQUIRED` and `PROOF-RESPONSE` unless the response both reports verifier response information and intentionally advertises a fresh proof requirement for a subsequent attempt. A request SHOULD NOT contain more than one `PROOF-PRESENTATION` value.
+A response SHOULD NOT contain both `PROOF-REQUEST` and `PROOF-RESULT` unless the response both reports verifier response information and intentionally advertises a fresh proof requirement for a subsequent attempt. A request SHOULD NOT contain more than one `PROOF-RESPONSE` value.
 
-When browser-based JavaScript needs to read `PROOF-REQUIRED` or `PROOF-RESPONSE` from a cross-origin response, the response needs CORS exposure for those fields. When browser-based JavaScript sends `PROOF-PRESENTATION` cross-origin, the server needs to allow the `PROOF-PRESENTATION` request header through CORS preflight.
+When browser-based JavaScript needs to read `PROOF-REQUEST` or `PROOF-RESULT` from a cross-origin response, the response needs CORS exposure for those fields. When browser-based JavaScript sends `PROOF-RESPONSE` cross-origin, the server needs to allow the `PROOF-RESPONSE` request header through CORS preflight.
 
 ### x401 Payload
 
-A x401 payload is a single JSON object encoded in the `PROOF-REQUIRED` header field.
+A x401 payload is a single JSON object encoded in the `PROOF-REQUEST` header field.
 
 The payload SHOULD remain compact. Sensitive route state SHOULD be omitted, stored server-side, or carried only inside verifier-protected nonce state.
 
@@ -387,16 +388,15 @@ The payload SHOULD remain compact. Sensitive route state SHOULD be omitted, stor
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {},
+  "credential_requirements": {},
   "oauth": {},
-  "trust_establishment": "https://...",
   "request_id": "...",
   "satisfied_requirements": [],
   "payment": {}
 }
 ```
 
-The top level of the x401 payload is itself the envelope: the native, standard Digital Credentials request is the `presentation_requirements` member, and the remaining x401-specific members — which are not yet expressible inside a native Digital Credentials request — sit alongside it so the Agent and Verifier can polyfill their use.
+The top level of the x401 payload is itself the envelope: the native, standard credential request is the `credential_requirements` member — a `CredentialRequestOptions` value whose `digital` member carries the Digital Credentials request — and the remaining x401-specific members, which are not yet expressible inside a native credential request, sit alongside it so the Agent and Verifier can polyfill their use.
 
 #### Member Definitions
 
@@ -404,38 +404,38 @@ Name | Definition
 ---- | ----------
 `scheme` | REQUIRED. Value MUST be the string `"x401"`.
 `version` | REQUIRED. The x401 payload version.
-`presentation_requirements` | REQUIRED. The composed [[ref: Digital Credentials Request]]. See [Presentation Requirements](#presentation-requirements).
+`credential_requirements` | REQUIRED. The Verifier-composed credential request, a `CredentialRequestOptions` value. This version of x401 specifies its `digital` member, the composed [[ref: Digital Credentials Request]]. See [Credential Requirements](#credential-requirements).
 `oauth` | REQUIRED. OAuth token exchange metadata for obtaining a reusable Verification Token. See [OAuth Members](#oauth-members).
-`trust_establishment` | OPTIONAL. HTTPS URL of a DIF Credential Trust Establishment document, as an acquisition and discovery hint. See [Trust Establishment](#trust-establishment).
 `request_id` | OPTIONAL. A stable verifier-defined identifier for the proof template, as an Agent-visible hint. See [Reusable Requirement Hints](#reusable-requirement-hints).
 `satisfied_requirements` | OPTIONAL. Stable verifier-defined identifiers for the reusable proof requirements this proof would satisfy, as an Agent-visible reuse hint. See [Reusable Requirement Hints](#reusable-requirement-hints).
-`return_uri` | OPTIONAL. An `https` URL added by a relaying intermediary (never by the Verifier) telling a remote handler where to deliver the presentation result. See [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler).
+`return_uri` | OPTIONAL. An `https` URL added by a relaying intermediary (never by the Verifier) telling a remote handler where to deliver the credential result. See [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler).
 `payment` | OPTIONAL. Describes that payment is additionally required, without replacing `402` semantics.
 
-The credential requirement, the OpenID4VP `nonce`, and the request expiry all live inside the request in `presentation_requirements`; x401 does not duplicate them at the payload level. Of the payload-level members, only `presentation_requirements` and `oauth` are load-bearing; `trust_establishment`, `request_id`, and `satisfied_requirements` are optional hints and optimizations.
+The credential requirement, the OpenID4VP `nonce`, and the request expiry all live inside the request in `credential_requirements.digital`; x401 does not duplicate them at the payload level. Of the payload-level members, only `credential_requirements` and `oauth` are load-bearing; `request_id` and `satisfied_requirements` are optional hints and optimizations. Issuer constraints and any acquisition pointers live inside the request, in its DCQL `trusted_authorities`, not at the payload level.
 
-### Presentation Requirements
+### Credential Requirements
 
-The `presentation_requirements` member carries the Verifier-composed [[ref: Digital Credentials Request]]. The Verifier authors it; in the RECOMMENDED signed mode it also signs the request and is its relying party (see [Verifier Binding](#verifier-binding)).
+The `credential_requirements` member is the Verifier-composed credential request: a `CredentialRequestOptions` value, usable directly as the argument to `navigator.credentials.get()`. This version of x401 specifies a single member, `digital`, which carries the [[ref: Digital Credentials Request]]. The object is structured so that other `navigator.credentials.get()` request types MAY be specified in future versions of x401; this version defines processing only for `digital` (see [Additional Credential Request Types](#additional-credential-request-types)). The Verifier authors the request; in the RECOMMENDED signed mode it also signs the request and is its relying party (see [Verifier Binding](#verifier-binding)).
 
 #### General Structure
 
 ```json
 {
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
   },
-  "trust_establishment": "https://bank.example.com/.well-known/x401/trust/financial-customer-v1",
   "request_id": "proof-template-financial-customer-v1",
   "satisfied_requirements": [
     "urn:example:x401:satisfaction:financial-customer:v1"
@@ -443,7 +443,7 @@ The `presentation_requirements` member carries the Verifier-composed [[ref: Digi
 }
 ```
 
-`presentation_requirements` is a `DigitalCredentialRequestOptions` value, usable directly as the `digital` member of `navigator.credentials.get()`. Each entry in `requests` is an OpenID4VP request for the DC API. The example below uses the RECOMMENDED signed form, whose JAR carries the OpenID4VP request the Verifier authored — RP identity and freshness live there, not in any x401-specific field. Decoded for readability, a typical JAR payload is:
+The `digital` member is a `DigitalCredentialRequestOptions` value — the value the `digital` member of `navigator.credentials.get()` takes. Each entry in its `requests` array is an OpenID4VP request for the DC API. The example below uses the RECOMMENDED signed form, whose JAR carries the OpenID4VP request the Verifier authored — RP identity and freshness live there, not in any x401-specific field. Decoded for readability, a typical JAR payload is:
 
 ```json
 {
@@ -474,32 +474,29 @@ The `presentation_requirements` member carries the Verifier-composed [[ref: Digi
 }
 ```
 
-The `presentation_requirements` member is a `DigitalCredentialRequestOptions` value, usable directly as the `digital` member of `navigator.credentials.get()`. The credential requirement (`dcql_query`), the OpenID4VP `nonce`, and the request expiry (`exp`) all live inside the request; x401 does not restate or duplicate them at the payload level, and adds no expiry member of its own.
+The `credential_requirements.digital` value is a `DigitalCredentialRequestOptions`. The credential requirement (`dcql_query`), the OpenID4VP `nonce`, and the request expiry (`exp`) all live inside the request; x401 does not restate or duplicate them at the payload level, and adds no expiry member of its own.
 
 #### Request Members
 
+This version of x401 specifies the `digital` member of `credential_requirements`. It is a `DigitalCredentialRequestOptions` with the following members:
+
 Name | Definition
 ---- | ----------
-`requests` | REQUIRED. A non-empty array of Digital Credentials request entries. A Verifier MAY include more than one entry (for example, offering different credential formats) for a Wallet, handler, or remote service to select among. Every entry MUST be a valid OpenID4VP request for the DC API.
-`requests[].protocol` | REQUIRED. The DC API protocol identifier. For this version of x401 the value MUST be `"openid4vp-v1-signed"` (RECOMMENDED) or `"openid4vp-v1-unsigned"`. See [Verifier Binding](#verifier-binding) for the trade-off.
-`requests[].data` | REQUIRED. The protocol-specific request data. For `openid4vp-v1-signed`, an object carrying the signed OpenID4VP request (a JWT-Secured Authorization Request); for `openid4vp-v1-unsigned`, the OpenID4VP request parameters directly.
+`digital` | REQUIRED in this version. The composed [[ref: Digital Credentials Request]], a `DigitalCredentialRequestOptions` carrying the `requests` array below.
+`digital.requests` | REQUIRED. A non-empty array of Digital Credentials request entries. A Verifier MAY include more than one entry (for example, offering different credential formats) for a Credential Manager, handler, or remote service to select among. Every entry MUST be a valid OpenID4VP request for the DC API.
+`digital.requests[].protocol` | REQUIRED. The DC API protocol identifier. For this version of x401 the value MUST be `"openid4vp-v1-signed"` (RECOMMENDED) or `"openid4vp-v1-unsigned"`. See [Verifier Binding](#verifier-binding) for the trade-off.
+`digital.requests[].data` | REQUIRED. The protocol-specific request data. For `openid4vp-v1-signed`, an object carrying the signed OpenID4VP request (a JWT-Secured Authorization Request); for `openid4vp-v1-unsigned`, the OpenID4VP request parameters directly.
 
 ### OAuth Members
 
 Name | Definition
 ---- | ----------
-`token_endpoint` | REQUIRED. OAuth 2.0 token endpoint where the Agent can exchange a VP Artifact for a Verification Token.
+`token_endpoint` | REQUIRED. OAuth 2.0 token endpoint where the Agent can exchange a Result Artifact for a Verification Token.
 `audience` | OPTIONAL. OAuth token exchange `audience` value the Agent should request.
 `resource` | OPTIONAL. OAuth token exchange `resource` value the Agent should request.
 
 The x401 OAuth profile fixes `grant_type`, `subject_token_type`, and Bearer token usage. These values MUST NOT be repeated in the x401 payload.
 
-### Trust Establishment
-
-`trust_establishment` is an OPTIONAL acquisition and discovery hint. Its value is an HTTPS URL for a DIF Credential Trust Establishment document that describes the issuers, authorities, roles, activities, credential schemas, or credential types the Verifier approves for this proof requirement. It is not the mechanism that decides validity.
-
-Issuer enforcement is ultimately governed by the request, not by `trust_establishment`. Where the Verifier needs the Wallet to constrain acceptable issuers at presentation time, it expresses that with DCQL `trusted_authorities` inside the request in `presentation_requirements`. `trust_establishment` exists to help Agents and Wallets *discover* and *acquire* likely-acceptable credentials, and to convey richer ecosystem, role, or acquisition metadata than `trusted_authorities` carries; it MUST NOT enumerate approved issuers inline. The Verifier MUST enforce issuer trust during proof validation — against the `trusted_authorities` in the request and its own policy — and MUST NOT rely on the Agent's interpretation of the Issuer Trust List.
-
 ### Reusable Requirement Hints
 
 `request_id` and `satisfied_requirements` are OPTIONAL, Agent-visible hints that support cross-route token reuse. They are not inputs to proof validation or token issuance — the Verifier determines what a proof satisfies from its own policy. See [Reuse Across Routes](#reuse-across-routes).
@@ -516,15 +513,17 @@ Name | Definition
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
@@ -539,19 +538,25 @@ Name | Definition
 
 ### Verifier State and Stateless Operation
 
-Because the Verifier authors, signs, and validates its own request, freshness, replay protection, and correlation between a returned presentation and the issued request are internal Verifier concerns. x401 places no requirements on how the Verifier composes the OpenID4VP `nonce`, recognizes a returned presentation as one it requested, or recovers route and policy context. The freshness and replay properties of the `nonce` are governed by OpenID4VP.
+Because the Verifier authors, signs, and validates its own request, freshness, replay protection, and correlation between a returned result and the issued request are internal Verifier concerns. x401 places no requirements on how the Verifier composes the OpenID4VP `nonce`, recognizes a returned result as one it requested, or recovers route and policy context. The freshness and replay properties of the `nonce` are governed by OpenID4VP.
 
 ::: note Stateless operation
-A Verifier MAY operate statelessly. Because the OpenID4VP `nonce` is the value echoed back and cryptographically bound in the returned presentation, a Verifier MAY make the `nonce` a verifier-protected, self-contained value that encodes the route, method, policy, and expiry it needs to validate the retry without server-side storage. How that value is constructed, whether one-time-use replay protection is enforced with a small shared cache, and how any response-encryption decryption key is managed are deployment decisions left to the implementer.
+A Verifier MAY operate statelessly. Because the OpenID4VP `nonce` is the value echoed back and cryptographically bound in the returned result, a Verifier MAY make the `nonce` a verifier-protected, self-contained value that encodes the route, method, policy, and expiry it needs to validate the retry without server-side storage. How that value is constructed, whether one-time-use replay protection is enforced with a small shared cache, and how any response-encryption decryption key is managed are deployment decisions left to the implementer.
 :::
 
 ### Credential Acquisition Guidance
 
-When a Verifier wants to disclose which issuers, authorities, roles, activities, credential schemas, or credential types can satisfy a proof requirement, it sets the `trust_establishment` member.
+x401 does not define a separate issuer list. The issuers a Verifier accepts are already expressed inside the request, as the DCQL `trusted_authorities` of each credential query in `credential_requirements.digital`. That same constraint is the acquisition hint: when an Agent does not already hold a qualifying credential, it discovers where to obtain one by resolving the `trusted_authorities` entries — for the entry types that are dereferenceable. This reuses the Verifier's authoritative issuer constraint as the discovery surface, so the discovery path and the enforcement path cannot diverge.
+
+Each `trusted_authorities` entry is a `{ "type": ..., "values": [...] }` object. How an Agent can resolve it for acquisition depends on its `type`:
 
-Its value is an HTTPS URL pointing to an [[ref: Issuer Trust List]]. The Agent MAY use the referenced document to discover candidate credentials or credential issuers, and the Wallet MAY use it to help select credentials that are likely to satisfy the Verifier.
+- **`openid_federation`** — each value is an HTTPS Entity Identifier. The Agent resolves it as an OpenID Federation entity by fetching `<value>/.well-known/openid-federation`. If the entity's `metadata` carries an `openid_credential_issuer` entry, that entity is itself a credential issuer and its OpenID4VCI metadata is published in-band. If the entity is a federation anchor or intermediate, the Agent walks the subordinate listing and trust chain to find subordinate entities that publish `openid_credential_issuer` metadata, validating the chain back to the anchor named in `values`. This is the fully resolvable path from issuer constraint to issuance endpoint.
+- **`etsi_tl`** — each value identifies an ETSI TS 119 612 Trusted List. The Agent MAY fetch and parse the list, enumerate the trust service providers and services whose service type matches the required credential, and follow a service's supply point to locate an issuer. Whether a listed service exposes an OpenID4VCI issuance endpoint is an ecosystem convention, not a guarantee of this format, so acquisition from `etsi_tl` is best-effort.
+- **`aki`** — each value is an Authority Key Identifier: an opaque issuer key identifier with no resolution mechanism. It constrains acceptable issuers but provides no acquisition pointer. For a request whose only issuer constraint is `aki`, x401 defines no native acquisition path; the Agent must already hold a qualifying credential or resolve the issuer out of band.
 
-If the referenced Issuer Trust List identifies OpenID4VCI Credential Issuer Identifiers, Agents resolve those issuer identifiers using the OpenID4VCI issuer metadata discovery rules. See OpenID4VCI Section 12.2.2: <https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html>.
+When an entry resolves to one or more OpenID4VCI Credential Issuer Identifiers, the Agent resolves issuer metadata using the OpenID4VCI issuer metadata discovery rules and drives issuance against the discovered issuer. See OpenID4VCI Section 12.2.2: <https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html>.
+
+Acquisition guidance is advisory and never decides validity. The Verifier enforces issuer trust during proof validation against the `trusted_authorities` in the request it issued and its own policy, independently of how — or whether — the Agent used these pointers to acquire a credential.
 
 ### Payment Object
 
@@ -585,59 +590,59 @@ Name | Definition
 
 If proof is accepted but payment is still unsatisfied, the Verifier responds with `402 Payment Required` using the payment protocol indicated by the verifier.
 
-## Obtaining a Presentation
+## Obtaining a Result
 
-This leg defines how the Agent obtains a presentation for the Verifier-composed request at the payload's `presentation_requirements` member. The Verifier authored the request; the Agent does not compose it and is not, by default, its audience. The Agent's task is to get the request executed and to acquire the resulting [[ref: Presentation Result]].
+This leg defines how the Agent obtains a result for the Verifier-composed request carried in the `digital` member of the payload's `credential_requirements`. The Verifier authored the request; the Agent does not compose it and is not, by default, its audience. The Agent's task is to get the request executed and to acquire the resulting [[ref: Credential Result]].
 
-An Agent obtains a presentation by one of the following, all of which carry the same Verifier-composed request unchanged:
+An Agent obtains a result by one of the following, all of which carry the same Verifier-composed request unchanged:
 
 1. **Native invocation.** In an environment with the Digital Credentials API, the Agent invokes the request directly:
 
    ```js
-   const result = await navigator.credentials.get({ digital: payload.presentation_requirements });
+   const result = await navigator.credentials.get(payload.credential_requirements);
    // result => { protocol, data }
    ```
 
    A native platform credential handler MAY be used in place of the Web API where an equivalent mechanism exists.
 
-2. **Relay to a remote handler.** The Agent forwards the request to a remote handler — a web wallet or service that produces the presentation without invoking the Digital Credentials API itself — and the handler returns the result to a URL the Agent supplies. See [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler).
+2. **Relay to a remote handler.** The Agent forwards the request to a remote handler — a remote Credential Manager or service that produces the result without invoking the Digital Credentials API itself — and the handler returns the result to a URL the Agent supplies. See [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler).
 
-3. **Remote, out-of-band generation.** When the Agent's environment cannot invoke the request directly — for example, a consumer AI client without a credential handler — the request can be handed to a remote fulfillment surface (such as a verifier-hosted page) that invokes the Digital Credentials API in its own context and generates the presentation. The Agent then acquires the result and replays the protected route. See [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment).
+3. **Remote, out-of-band generation.** When the Agent's environment cannot invoke the request directly — for example, a consumer AI client without a credential handler — the request can be handed to a remote fulfillment surface (such as a verifier-hosted page) that invokes the Digital Credentials API in its own context and generates the result. The Agent then acquires the result and replays the protected route. See [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment).
 
-In every case the resulting presentation is bound per the request's mode and transport — to the Verifier as relying party for a signed request, or to the invoking origin and the Verifier's `nonce` for an unsigned request (see [Verifier Binding](#verifier-binding)) — not to the Agent.
+In every case the result is bound per the request's mode and transport — to the Verifier as relying party for a signed request, or to the invoking origin and the Verifier's `nonce` for an unsigned request (see [Verifier Binding](#verifier-binding)) — not to the Agent.
 
 ### Composed Request Invariants
 
 The composed request is authored and signed by the Verifier. The Agent treats it as opaque:
 
-1. The Agent MUST NOT modify any entry in `presentation_requirements`. The request signature binds its contents, so any modification invalidates it.
-2. When `presentation_requirements.requests` contains more than one entry, the Agent MAY narrow them to entries whose `protocol` or credential formats the chosen Wallet or handler implements, and MAY pass the entries through unchanged; which entry is ultimately used is determined by the Wallet or handler matching the request against available credentials, not chosen up front by the Agent.
-3. The Agent MUST arrange to acquire the [[ref: Presentation Result]] returned for the request, whether it invokes the request itself, relays it, or acquires a remotely generated result.
+1. The Agent MUST NOT modify any entry in `credential_requirements`. The request signature binds its contents, so any modification invalidates it.
+2. When `credential_requirements.digital.requests` contains more than one entry, the Agent MAY narrow them to entries whose `protocol` or credential formats the chosen Credential Manager or handler implements, and MAY pass the entries through unchanged; which entry is ultimately used is determined by the Credential Manager or handler matching the request against available credentials, not chosen up front by the Agent.
+3. The Agent MUST arrange to acquire the [[ref: Credential Result]] returned for the request, whether it invokes the request itself, relays it, or acquires a remotely generated result.
 
-A Verifier composing `presentation_requirements`:
+A Verifier composing `credential_requirements.digital`:
 
 1. MUST make each entry a valid OpenID4VP request for the Digital Credentials API, using `protocol: "openid4vp-v1-signed"` (RECOMMENDED) or `protocol: "openid4vp-v1-unsigned"`.
-2. SHOULD use a signed request and set its `client_id` and `expected_origins`. A signed request lets the Wallet authenticate the Verifier, binds the presentation's audience to the Verifier's identity, and lets the Verifier pre-authorize the invocation origin; see [Verifier Binding](#verifier-binding).
-3. MAY use an unsigned request when it needs the request fulfilled at an invocation origin it cannot declare in advance — for example, when the Agent invokes the request directly in its own context or relays it to an arbitrary surface. An unsigned request binds the presentation to the invoking origin and the Verifier's `nonce` rather than to a signed Verifier identity, with the trade-offs described in [Verifier Binding](#verifier-binding).
+2. SHOULD use a signed request and set its `client_id` and `expected_origins`. A signed request lets the Credential Manager authenticate the Verifier, binds the result's audience to the Verifier's identity, and lets the Verifier pre-authorize the invocation origin; see [Verifier Binding](#verifier-binding).
+3. MAY use an unsigned request when it needs the request fulfilled at an invocation origin it cannot declare in advance — for example, when the Agent invokes the request directly in its own context or relays it to an arbitrary surface. An unsigned request binds the result to the invoking origin and the Verifier's `nonce` rather than to a signed Verifier identity, with the trade-offs described in [Verifier Binding](#verifier-binding).
 4. MAY request response encryption (for example, a `dc_api.jwt` response mode with encryption keys in `client_metadata`) or omit it. Response encryption is OPTIONAL in x401.
 
-x401 does not restate the field-level rules for composing, signing, or invoking a Digital Credentials request; those are defined by the W3C Digital Credentials API and by OpenID4VP for the DC API. x401 requires only that `presentation_requirements` is a valid OpenID4VP request for the DC API; the Verifier validates whichever binding its chosen request mode provides.
+x401 does not restate the field-level rules for composing, signing, or invoking a Digital Credentials request; those are defined by the W3C Digital Credentials API and by OpenID4VP for the DC API. x401 requires only that `credential_requirements.digital` is a valid `DigitalCredentialRequestOptions` whose entries are valid OpenID4VP requests for the DC API; the Verifier validates whichever binding its chosen request mode provides.
 
-`trust_establishment` can help Agents discover acceptable issuers, but it never delegates verification behavior to the Agent, and it does not decide validity — the request's `dcql_query` and `trusted_authorities` do. When the referenced Issuer Trust List identifies OpenID4VCI issuers, Agents resolve those issuers using OpenID4VCI issuer metadata discovery.
+The request's DCQL `trusted_authorities` can help Agents discover where to acquire acceptable credentials, but they never delegate verification behavior to the Agent, and discovery does not decide validity — the request's `dcql_query` and `trusted_authorities` do, as enforced by the Verifier. When a `trusted_authorities` entry resolves to OpenID4VCI issuers, Agents resolve those issuers using OpenID4VCI issuer metadata discovery; see [Credential Acquisition Guidance](#credential-acquisition-guidance).
 
 ### Relayed Delivery to a Remote Handler
 
-Native invocation returns the presentation through the `navigator.credentials.get()` call, so it needs no return channel. When an intermediary — for example, an MCP tool or other Agent — instead hands the request to a **remote handler** (a web wallet or service that produces the presentation without invoking the Digital Credentials API itself), two things must be supplied that the Verifier cannot know: where the result is returned, and how a non-DC-API handler is expected to process a Digital Credentials request. The intermediary forwards the request unchanged and adds only the return channel.
+Native invocation returns the result through the `navigator.credentials.get()` call, so it needs no return channel. When an intermediary — for example, an MCP tool or other Agent — instead hands the request to a **remote handler** (a remote Credential Manager or service that produces the result without invoking the Digital Credentials API itself), two things must be supplied that the Verifier cannot know: where the result is returned, and how a non-DC-API handler is expected to process a Digital Credentials request. The intermediary forwards the request unchanged and adds only the return channel.
 
 #### Return Channel
 
-An intermediary that relays the x401 payload to a remote handler MUST add a `return_uri` member to the payload it forwards. `return_uri` is an `https` URL the handler delivers the [[ref: Presentation Result]] to; it is supplied by the relaying intermediary, never by the Verifier, and SHOULD be unguessable, short-lived, single-use, and controlled by the intermediary. The handler returns the result by sending an HTTP `POST` of the `{ "protocol": ..., "data": ... }` Presentation Result to `return_uri`. The intermediary then packages that result into a VP Artifact (inline or as a [[ref: Presentation Reference]]) and retries the protected route.
+An intermediary that relays the x401 payload to a remote handler MUST add a `return_uri` member to the payload it forwards. `return_uri` is an `https` URL the handler delivers the [[ref: Credential Result]] to; it is supplied by the relaying intermediary, never by the Verifier, and SHOULD be unguessable, short-lived, single-use, and controlled by the intermediary. The handler returns the result by sending an HTTP `POST` of the `{ "protocol": ..., "data": ... }` Credential Result to `return_uri`. The intermediary then packages that result into a Result Artifact (inline or as a [[ref: Credential Reference]]) and retries the protected route.
 
 ```json
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": { "requests": [ { "protocol": "openid4vp-v1-signed", "data": { "request": "eyJ..." } } ] },
+  "credential_requirements": { "digital": { "requests": [ { "protocol": "openid4vp-v1-signed", "data": { "request": "eyJ..." } } ] } },
   "oauth": { "token_endpoint": "https://bank.example.com/oauth/token" },
   "return_uri": "https://mcp.example/x401/return/9f1c2a"
 }
@@ -645,20 +650,20 @@ An intermediary that relays the x401 payload to a remote handler MUST add a `ret
 
 #### Handler Processing
 
-The intermediary passes `presentation_requirements` to the handler unchanged; the handler is not asked to disassemble it, nor is it told which entry to use. It evaluates the request the way the Digital Credentials API would and returns a presentation for whichever entry it can satisfy. A remote handler that does not invoke the Digital Credentials API:
+The intermediary passes `credential_requirements` to the handler unchanged; the handler is not asked to disassemble it, nor is it told which entry to use. It evaluates the request the way the Digital Credentials API would and returns a result for whichever entry it can satisfy. A remote handler that does not invoke the Digital Credentials API:
 
 1. MUST consider the `requests[]` entries whose `protocol` and credential formats it implements, and among those, MUST attempt to satisfy each entry's `dcql_query` — including any `credential_sets` / `claim_sets` alternatives within it — against the credentials available to it, with Holder selection where applicable. Which entry is used is the *outcome* of this matching, not a prior choice; an entry is usable only if a held credential satisfies its query.
-2. For a satisfiable entry, MUST read the OpenID4VP request from its `data` — the claims of the signed request object for `openid4vp-v1-signed`, or the request parameters directly for `openid4vp-v1-unsigned` — and produce a presentation that satisfies that `dcql_query`, bound to its `nonce`. It honors `client_metadata` for accepted formats and any response-encryption key, and, for a signed request, binds the presentation's audience to the request's `client_id`.
+2. For a satisfiable entry, MUST read the OpenID4VP request from its `data` — the claims of the signed request object for `openid4vp-v1-signed`, or the request parameters directly for `openid4vp-v1-unsigned` — and produce a result that satisfies that `dcql_query`, bound to its `nonce`. It honors `client_metadata` for accepted formats and any response-encryption key, and, for a signed request, binds the result's audience to the request's `client_id`.
 3. MUST treat the Digital Credentials API transport members as not applicable to relayed delivery: it does not return through `response_mode: dc_api`/`dc_api.jwt` (it returns to `return_uri` instead) and does not enforce `expected_origins` (there is no invoking Web origin).
-4. MUST NOT weaken or alter the `dcql_query` or `nonce`, and MUST deliver the resulting [[ref: Presentation Result]] to `return_uri`. If it can satisfy no entry, it returns no presentation and SHOULD signal that failure to the intermediary rather than returning a partial or substitute result.
+4. MUST NOT weaken or alter the `dcql_query` or `nonce`, and MUST deliver the resulting [[ref: Credential Result]] to `return_uri`. If it can satisfy no entry, it returns no result and SHOULD signal that failure to the intermediary rather than returning a partial or substitute result.
 
-This matching, credential discovery, and Holder selection follow the same OpenID4VP and DCQL rules a Wallet applies under the Digital Credentials API; x401 does not redefine them.
+This matching, credential discovery, and Holder selection follow the same OpenID4VP and DCQL rules a Credential Manager applies under the Digital Credentials API; x401 does not redefine them.
 
-Because relayed delivery does not go through a Web origin, `expected_origins` is not enforced. A signed request still binds the presentation's audience to the Verifier through its `client_id`, so signed requests are RECOMMENDED for relayed delivery — they preserve Verifier audience binding across the relay, losing only origin pre-authorization. An unsigned request has no `client_id` and so binds only to the `nonce`. A Verifier that supports relayed delivery validates the returned presentation by its `nonce` and, for a signed request, its `client_id`, accepting that origin pre-authorization was not enforced — the weaker-binding case described in [Verifier Binding](#verifier-binding).
+Because relayed delivery does not go through a Web origin, `expected_origins` is not enforced. A signed request still binds the result's audience to the Verifier through its `client_id`, so signed requests are RECOMMENDED for relayed delivery — they preserve Verifier audience binding across the relay, losing only origin pre-authorization. An unsigned request has no `client_id` and so binds only to the `nonce`. A Verifier that supports relayed delivery validates the returned result by its `nonce` and, for a signed request, its `client_id`, accepting that origin pre-authorization was not enforced — the weaker-binding case described in [Verifier Binding](#verifier-binding).
 
 #### Composing a Request for Both Native and Relayed Fulfillment
 
-A Verifier that may have its request fulfilled either natively — invoked through `navigator.credentials.get()` by a Wallet enforcing the Digital Credentials API — or by a remote handler that parses the request and generates a presentation manually MUST compose the request so it is self-contained and verifiable by a party with no prior relationship and no browser context. The governing test is: *could a Wallet that has never interacted with this Verifier verify the request and produce a correctly bound presentation from the request bytes alone?* A request composed only for the native path can silently fail this test even though a DC-API Wallet accepts it. To satisfy both paths, a Verifier:
+A Verifier that may have its request fulfilled either natively — invoked through `navigator.credentials.get()` by a Credential Manager enforcing the Digital Credentials API — or by a remote handler that parses the request and generates a result manually MUST compose the request so it is self-contained and verifiable by a party with no prior relationship and no browser context. The governing test is: *could a Credential Manager that has never interacted with this Verifier verify the request and produce a correctly bound result from the request bytes alone?* A request composed only for the native path can silently fail this test even though a DC-API Credential Manager accepts it. To satisfy both paths, a Verifier:
 
 1. SHOULD use a signed request (`openid4vp-v1-signed`). It is the only request mode that carries any Verifier binding across a relay (audience via `client_id`), and it is equally valid natively. An unsigned request is fulfillable by a remote handler but binds only to the `nonce`; see [Verifier Binding](#verifier-binding).
 2. MUST make its identity and request-signing key resolvable from the request alone. The Verifier SHOULD embed its signing certificate chain in the request JWS `x5c` header, or use a `client_id` whose key material is publicly resolvable (for example a `did:` or `https:` scheme), so a handler with no prior relationship can verify the signature and confirm it matches `client_id` offline. A Verifier MUST NOT rely on a `client_id` scheme or key whose resolution depends on the invoking Web origin or on prior DC-API interaction, because neither exists on the relayed path.
@@ -666,44 +671,44 @@ A Verifier that may have its request fulfilled either natively — invoked throu
 4. SHOULD still set the Digital Credentials API transport members — `response_mode` (`dc_api` / `dc_api.jwt`) and `expected_origins` — for the native path, but MUST NOT make correct processing depend on them. A remote handler treats them as not applicable (it returns to `return_uri` and there is no invoking origin to pre-authorize), so a request whose only Verifier binding is `expected_origins` degrades to `nonce`-only when relayed.
 5. SHOULD, when response confidentiality through the intermediary or `return_uri` host is required, supply a response-encryption key in `client_metadata` rather than relying on the `dc_api.jwt` response mode. The encryption key is honored on both paths, independent of `response_mode`; the transport-bound encryption of `dc_api.jwt` is not used when the result is delivered to `return_uri`.
 6. SHOULD size `exp` to accommodate relay latency and Holder interaction, which take longer than a same-device interactive flow, and SHOULD rely on the freshness and uniqueness of the `nonce` for replay protection rather than on a tight `exp`; see [Verifier State and Stateless Operation](#verifier-state-and-stateless-operation).
-7. SHOULD use signature algorithms and credential formats an arbitrary Wallet can verify and produce, and SHOULD NOT over-constrain `client_metadata` to formats only a specific native Wallet implements.
+7. SHOULD use signature algorithms and credential formats an arbitrary Credential Manager can verify and produce, and SHOULD NOT over-constrain `client_metadata` to formats only a specific native Credential Manager implements.
 
-A request composed this way is fulfillable on either path with no change: the native Wallet enforces `expected_origins` and returns through the DC-API, while the remote handler ignores those transport members, verifies the Verifier from the embedded key material, and returns the same `{ protocol, data }` result to `return_uri`. In both cases the Verifier validates the returned presentation by its `nonce` and the binding its request mode provides.
+A request composed this way is fulfillable on either path with no change: the native Credential Manager enforces `expected_origins` and returns through the DC-API, while the remote handler ignores those transport members, verifies the Verifier from the embedded key material, and returns the same `{ protocol, data }` result to `return_uri`. In both cases the Verifier validates the returned result by its `nonce` and the binding its request mode provides.
 
-## Verifiable Presentation Delivery
+## Credential Result Delivery
 
-This phase of the protocol defines how the Agent packages the Wallet's presentation result and presents it back to the Verifier. The Agent either retries the protected route directly with a VP Artifact or uses that same VP Artifact in the OAuth token exchange described in the next leg.
+This phase of the protocol defines how the Agent packages the Credential Manager's credential result and presents it back to the Verifier. The Agent either retries the protected route directly with a Result Artifact or uses that same Result Artifact in the OAuth token exchange described in the next leg.
 
 ```http
 POST /accounts/applications HTTP/1.1
 Host: bank.example.com
-PROOF-PRESENTATION: <base64url-vp-artifact-json>
+PROOF-RESPONSE: <base64url-result-artifact-json>
 ```
 
-### VP Artifact
+### Result Artifact
 
-After obtaining a [[ref: Presentation Result]], the Agent packages it as a VP Artifact for protected-route retry or OAuth token exchange. The VP Artifact carries the presentation result either inline or as a [[ref: Presentation Reference]].
+After obtaining a [[ref: Credential Result]], the Agent packages it as a Result Artifact for protected-route retry or OAuth token exchange. The Result Artifact carries the credential result either inline or as a [[ref: Credential Reference]].
 
 #### General Structure
 
-An inline VP Artifact carries the Digital Credentials API result `{ protocol, data }` directly:
+An inline Result Artifact carries the Digital Credentials API result `{ protocol, data }` directly:
 
 ```json
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
 ```
 
-A by-reference VP Artifact carries a URL the Verifier dereferences to fetch the presentation result, for results that exceed header size limits or are generated at a remote location:
+A by-reference Result Artifact carries a URL the Verifier dereferences to fetch the credential result, for results that exceed header size limits or are generated at a remote location:
 
 ```json
 {
   "request_id": "proof-template-financial-customer-v1",
-  "presentation_uri": "https://bank.example.com/.well-known/x401/presentations/abc123",
+  "credential_result_uri": "https://bank.example.com/.well-known/x401/results/abc123",
   "expires_at": "2026-05-06T18:50:00Z"
 }
 ```
@@ -712,32 +717,32 @@ A by-reference VP Artifact carries a URL the Verifier dereferences to fetch the
 
 Name | Definition
 ---- | ----------
-`response` | REQUIRED unless `presentation_uri` is present. The [[ref: Presentation Result]] returned by the Wallet, as the `{ protocol, data }` object produced by the Digital Credentials API.
-`presentation_uri` | REQUIRED unless `response` is present. An HTTPS URL the Verifier dereferences with `GET` to fetch the [[ref: Presentation Result]]. The Verifier MUST issue a unique `presentation_uri` value for each presentation and MUST NOT reuse one across presentations. See [Presentation by Reference](#presentation-by-reference).
-`expires_at` | OPTIONAL. RFC 3339 time after which the `presentation_uri` is no longer valid.
+`credential_result` | REQUIRED unless `credential_result_uri` is present. The [[ref: Credential Result]] returned by the Credential Manager, as the `{ protocol, data }` object produced by the Digital Credentials API.
+`credential_result_uri` | REQUIRED unless `credential_result` is present. An HTTPS URL the Verifier dereferences with `GET` to fetch the [[ref: Credential Result]]. The Verifier MUST issue a unique `credential_result_uri` value for each result and MUST NOT reuse one across results. See [Result by Reference](#result-by-reference).
+`expires_at` | OPTIONAL. RFC 3339 time after which the `credential_result_uri` is no longer valid.
 `request_id` | OPTIONAL. The x401 `request_id`, when present.
 `agent_id` | OPTIONAL. An [[ref: Agent Identifier]] for the HTTP caller, when the deployment binds the Agent to the retry. See [Agent Binding Options](#agent-binding-options).
 
-A VP Artifact MUST contain exactly one of `response` or `presentation_uri`.
+A Result Artifact MUST contain exactly one of `credential_result` or `credential_result_uri`.
 
-The Verifier MUST NOT treat the `request_id` or `agent_id` values inside the VP Artifact as authoritative by themselves. They are carried so the Verifier can correlate the retry. Correlation between the presentation and the issued request is established by the OpenID4VP `nonce` echoed inside the presentation result. The Verifier remains responsible for validating the presentation binding and, when it binds the Agent, authenticating the Agent Identifier.
+The Verifier MUST NOT treat the `request_id` or `agent_id` values inside the Result Artifact as authoritative by themselves. They are carried so the Verifier can correlate the retry. Correlation between the result and the issued request is established by the OpenID4VP `nonce` echoed inside the credential result. The Verifier remains responsible for validating the result binding and, when it binds the Agent, authenticating the Agent Identifier.
 
-### Presentation by Reference
+### Result by Reference
 
-A presentation result can be larger than an HTTP header field comfortably carries, and a remotely generated result may not be held by the Agent at all. For these cases the VP Artifact MAY carry a `presentation_uri` instead of an inline `response`. The Verifier dereferences the URL to obtain the same `{ protocol, data }` presentation result it would otherwise have received inline.
+A credential result can be larger than an HTTP header field comfortably carries, and a remotely generated result may not be held by the Agent at all. For these cases the Result Artifact MAY carry a `credential_result_uri` instead of an inline `credential_result`. The Verifier dereferences the URL to obtain the same `{ protocol, data }` credential result it would otherwise have received inline.
 
-When a VP Artifact carries `presentation_uri`:
+When a Result Artifact carries `credential_result_uri`:
 
-1. The `presentation_uri` MUST be an `https` URL.
-2. The Verifier MUST issue a unique `presentation_uri` for each presentation and MUST NOT reuse a URI value across presentations. Uniqueness per presentation is what lets the Verifier treat the reference as single-use and bind it to one retry.
-3. The Verifier fetches the presentation result with an HTTP `GET` and processes it exactly as if it had been supplied inline as `response`. The fetched presentation is self-authenticating — it is validated against the issued request's `nonce` and the binding its request mode provides, like any other — so a substituted or tampered result is rejected by normal proof validation without a separate integrity digest.
+1. The `credential_result_uri` MUST be an `https` URL.
+2. The Verifier MUST issue a unique `credential_result_uri` for each result and MUST NOT reuse a URI value across results. Uniqueness per result is what lets the Verifier treat the reference as single-use and bind it to one retry.
+3. The Verifier fetches the credential result with an HTTP `GET` and processes it exactly as if it had been supplied inline as `credential_result`. The fetched result is self-authenticating — it is validated against the issued request's `nonce` and the binding its request mode provides, like any other — so a substituted or tampered result is rejected by normal proof validation without a separate integrity digest.
 4. The reference SHOULD be short-lived and scoped to the route and retry it serves.
 
-This same mechanism lets a remote fulfillment surface generate a presentation, publish it at a `presentation_uri`, and let the Agent replay the protected route with only the reference. See [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment).
+This same mechanism lets a remote fulfillment surface generate a result, publish it at a `credential_result_uri`, and let the Agent replay the protected route with only the reference. See [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment).
 
 ### x401 Error Object
 
-When a Verifier reports that an x401 proof presentation failed or could not be processed, it returns a `PROOF-RESPONSE` header whose payload is a base64url-encoded x401 Error Object.
+When a Verifier reports that a submitted x401 credential result failed or could not be processed, it returns a `PROOF-RESULT` header whose payload is a base64url-encoded x401 Error Object.
 
 #### General Structure
 
@@ -745,8 +750,8 @@ When a Verifier reports that an x401 proof presentation failed or could not be p
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "error": "invalid_presentation",
-  "error_description": "The presentation did not satisfy the route proof requirement.",
+  "error": "invalid_result",
+  "error_description": "The credential result did not satisfy the route proof requirement.",
   "request_id": "proof-template-financial-customer-v1"
 }
 ```
@@ -766,7 +771,7 @@ The x401 Error Object describes the x401 proof branch only. The HTTP status code
 
 ### x401 Token Object
 
-When an Agent has a Verification Token and the protected route already uses the `Authorization` request header for existing application authentication, the Agent can pass the Verification Token as an x401 Token Object in a `PROOF-PRESENTATION` header. This allows existing application credentials and x401 proof satisfaction to travel on the same request without overloading `Authorization`.
+When an Agent has a Verification Token and the protected route already uses the `Authorization` request header for existing application authentication, the Agent can pass the Verification Token as an x401 Token Object in a `PROOF-RESPONSE` header. This allows existing application credentials and x401 proof satisfaction to travel on the same request without overloading `Authorization`.
 
 #### General Structure
 
@@ -792,17 +797,17 @@ The x401 Token Object carries proof satisfaction only. It does not replace the r
 
 ### Route Retry Headers
 
-After receiving an x401 proof requirement and obtaining a presentation result, the Agent retries the protected route with either direct proof material or a reusable Verification Token.
+After receiving an x401 proof requirement and obtaining a credential result, the Agent retries the protected route with either direct proof material or a reusable Verification Token.
 
-When retrying with proof material directly, the Agent uses `PROOF-PRESENTATION`:
+When retrying with proof material directly, the Agent uses `PROOF-RESPONSE`:
 
 ```http
-PROOF-PRESENTATION: <base64url-vp-artifact-json>
+PROOF-RESPONSE: <base64url-result-artifact-json>
 ```
 
-The `PROOF-PRESENTATION` value is the base64url-encoded UTF-8 JSON serialization of the VP Artifact, using the same no-padding encoding as the x401 payload. The VP Artifact carries the presentation result inline or as a [[ref: Presentation Reference]]; for large presentations the Agent SHOULD use the reference form to keep the header within server and intermediary size limits.
+The `PROOF-RESPONSE` value is the base64url-encoded UTF-8 JSON serialization of the Result Artifact, using the same no-padding encoding as the x401 payload. The Result Artifact carries the credential result inline or as a [[ref: Credential Reference]]; for large results the Agent SHOULD use the reference form to keep the header within server and intermediary size limits.
 
-When retrying with a [[ref: Verification Token]], the Agent either uses the route's normal `Authorization` request header or carries an x401 Token Object in `PROOF-PRESENTATION`.
+When retrying with a [[ref: Verification Token]], the Agent either uses the route's normal `Authorization` request header or carries an x401 Token Object in `PROOF-RESPONSE`.
 
 A deployment MAY issue a Verification Token that is also the route's ordinary application authorization credential, or it MAY upgrade the caller's existing application access token with x401-specific proof satisfaction metadata. In that case, the Agent sends the token using the normal token type for the route. For Verification Tokens defined by this specification, the token type is `Bearer`:
 
@@ -814,71 +819,71 @@ If the protected route already uses `Authorization` for existing application aut
 
 ```http
 Authorization: Bearer <existing-application-token>
-PROOF-PRESENTATION: <base64url-x401-token-object>
+PROOF-RESPONSE: <base64url-x401-token-object>
 ```
 
-A protected route MUST process the supplied `PROOF-PRESENTATION` value as a proof presentation or proof-token satisfaction attempt. If verification succeeds, the Verifier MAY return the protected resource directly.
+A protected route MUST process the supplied `PROOF-RESPONSE` value as a credential-result or proof-token satisfaction attempt. If verification succeeds, the Verifier MAY return the protected resource directly.
 
 ### Agent Processing Rules
 
-An Agent receiving an HTTP response with a `PROOF-REQUIRED` proof requirement:
+An Agent receiving an HTTP response with a `PROOF-REQUEST` proof requirement:
 
 1. MUST treat the response as a proof requirement.
-2. MUST extract the `PROOF-REQUIRED` field value and base64url-decode it as a UTF-8 JSON [[ref: x401 Payload]].
+2. MUST extract the `PROOF-REQUEST` field value and base64url-decode it as a UTF-8 JSON [[ref: x401 Payload]].
 3. MUST validate the decoded payload structure and process the `proof` object.
-4. MUST treat `presentation_requirements` as the Verifier-composed [[ref: Digital Credentials Request]] and MUST NOT modify any of its entries.
-5. MUST obtain a [[ref: Presentation Result]] for `presentation_requirements` by invoking it through a native credential method, relaying it to a Wallet or remote service, or acquiring a remotely generated result.
-6. MAY select among multiple `presentation_requirements.requests` entries by protocol or supported credential format when more than one is present.
-7. MAY use `trust_establishment`, when present, to filter candidate credentials or guide acquisition.
-8. MUST NOT treat any Agent-side interpretation of the Issuer Trust List as proof of verifier acceptance.
-9. MUST package the presentation result as a VP Artifact, inline or as a [[ref: Presentation Reference]].
+4. MUST treat `credential_requirements` as the Verifier-composed credential request and MUST NOT modify any of its entries.
+5. MUST obtain a [[ref: Credential Result]] for `credential_requirements` by invoking it through a native credential method, relaying it to a Credential Manager or remote service, or acquiring a remotely generated result.
+6. MAY select among multiple `credential_requirements.digital.requests` entries by protocol or supported credential format when more than one is present.
+7. MAY use the dereferenceable issuer pointers in the request's DCQL `trusted_authorities` (`openid_federation`, `etsi_tl`) to filter candidate credentials or guide acquisition; see [Credential Acquisition Guidance](#credential-acquisition-guidance).
+8. MUST NOT treat any Agent-side interpretation of the request's `trusted_authorities` as proof of verifier acceptance.
+9. MUST package the credential result as a Result Artifact, inline or as a [[ref: Credential Reference]].
 10. MUST retry the same route that produced the x401 proof requirement with one of:
-    - a VP Artifact in a `PROOF-PRESENTATION` request header,
-    - a Verification Token carried as an x401 Token Object in a `PROOF-PRESENTATION` request header, or
+    - a Result Artifact in a `PROOF-RESPONSE` request header,
+    - a Verification Token carried as an x401 Token Object in a `PROOF-RESPONSE` request header, or
     - a Verification Token in the route's normal `Authorization` request header when the deployment specifies that the token is an upgraded or replacement application authorization credential.
 11. MUST NOT replace an existing application `Authorization` credential with an x401 Verification Token unless the deployment explicitly defines the returned token as valid for that route's ordinary authorization processing.
-12. MUST treat a `PROOF-RESPONSE` carrying an x401 Error Object as an x401 proof failure for the route-scoped proof attempt, regardless of the HTTP status code.
+12. MUST treat a `PROOF-RESULT` carrying an x401 Error Object as an x401 proof failure for the route-scoped proof attempt, regardless of the HTTP status code.
 
 ### Verifier Processing Rules
 
 A Verifier implementing x401:
 
-1. MUST include `PROOF-REQUIRED: <base64url-x401-payload>` when proof is required or advertised.
-2. MUST include a valid base64url-encoded x401 payload in `PROOF-REQUIRED`.
+1. MUST include `PROOF-REQUEST: <base64url-x401-payload>` when proof is required or advertised.
+2. MUST include a valid base64url-encoded x401 payload in `PROOF-REQUEST`.
 3. MUST use an HTTP status code appropriate for the overall response and MUST NOT rely on the status code alone to convey x401 proof state.
-4. MUST include a `presentation_requirements` whose entries are valid OpenID4VP requests for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`.
+4. MUST include a `credential_requirements` whose `digital` member's entries are valid OpenID4VP requests for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`.
 5. SHOULD use signed requests and set their `client_id` and `expected_origins`; when using unsigned requests, MUST account for the weaker binding described in [Verifier Binding](#verifier-binding).
 6. MUST include OAuth token exchange metadata in `oauth`.
-7. SHOULD provide `trust_establishment` when issuer approval policy is useful to disclose to Agents.
-8. MUST NOT enumerate verifier-approved issuers inline in the x401 payload.
-9. MUST validate presentations according to the proof validation rules in this specification and the credential format rules it relies upon, dereferencing a [[ref: Presentation Reference]] when one is supplied.
-10. MUST evaluate issuer trust, status, revocation, and policy constraints independently of any Agent-side interpretation of the Issuer Trust List.
-11. MUST accept a VP Artifact in a `PROOF-PRESENTATION` request header for protected-route retry, in both its inline and by-reference forms.
-12. MAY issue a Verification Token through the OAuth token endpoint after validating the presented VP Artifact.
-13. MUST validate Verification Tokens on protected-route retry according to token scope, audience, expiration, any Agent binding, and satisfied requirement metadata, whether the token arrives in `Authorization` or as an x401 Token Object in `PROOF-PRESENTATION`.
-14. MUST bind any Verification Token carried in `PROOF-PRESENTATION` to the existing application caller, credential, client, key, or Agent Identifier required by the protected route when an `Authorization` header is also present.
-15. SHOULD return `PROOF-RESPONSE: <base64url-x401-error-object>` if proof is presented but policy satisfaction fails or the presentation or token cannot be processed.
+7. SHOULD express its accepted issuers as DCQL `trusted_authorities` inside the request, preferring dereferenceable types (`openid_federation`, `etsi_tl`) when it wants Agents to be able to discover acquisition paths.
+8. MUST NOT enumerate verifier-approved issuers inline as an x401-specific payload member.
+9. MUST validate credential results according to the proof validation rules in this specification and the credential format rules it relies upon, dereferencing a [[ref: Credential Reference]] when one is supplied.
+10. MUST evaluate issuer trust, status, revocation, and policy constraints independently of any Agent-side interpretation of the request's `trusted_authorities`.
+11. MUST accept a Result Artifact in a `PROOF-RESPONSE` request header for protected-route retry, in both its inline and by-reference forms.
+12. MAY issue a Verification Token through the OAuth token endpoint after validating the presented Result Artifact.
+13. MUST validate Verification Tokens on protected-route retry according to token scope, audience, expiration, any Agent binding, and satisfied requirement metadata, whether the token arrives in `Authorization` or as an x401 Token Object in `PROOF-RESPONSE`.
+14. MUST bind any Verification Token carried in `PROOF-RESPONSE` to the existing application caller, credential, client, key, or Agent Identifier required by the protected route when an `Authorization` header is also present.
+15. SHOULD return `PROOF-RESULT: <base64url-x401-error-object>` if proof is presented but policy satisfaction fails or the result or token cannot be processed.
 16. MUST use `402 Payment Required` separately if payment is required and remains unsatisfied.
 
 ### Proof Validation
 
-When a Verifier receives a VP Artifact directly on a protected-route retry or through the OAuth token endpoint, it MUST validate the presentation against the request it composed for the route. When the VP Artifact is a [[ref: Presentation Reference]], the Verifier first dereferences `presentation_uri` to obtain the presentation result, then validates that result exactly as if it had been supplied inline.
+When a Verifier receives a Result Artifact directly on a protected-route retry or through the OAuth token endpoint, it MUST validate the result against the request it composed for the route. When the Result Artifact is a [[ref: Credential Reference]], the Verifier first dereferences `credential_result_uri` to obtain the credential result, then validates that result exactly as if it had been supplied inline.
 
 The Verifier MUST:
 
 1. recover the route, method, and policy context for the request it composed, by whatever stateful or stateless means it uses;
-2. verify that the presentation proof is cryptographically protected according to the credential and presentation formats in use;
-3. verify the presentation's binding for the request's mode: for a signed request, that it is bound to the Verifier as relying party through the request signature, `client_id`, and `expected_origins`; for an unsigned request, that it is bound to the invoking origin the Verifier is willing to accept (see [Verifier Binding](#verifier-binding));
-4. verify that the presentation's OpenID4VP `nonce` is the value the Verifier issued for the request, applying its freshness and replay policy;
+2. verify that the result's proof is cryptographically protected according to the credential and presentation formats in use;
+3. verify the result's binding for the request's mode: for a signed request, that it is bound to the Verifier as relying party through the request signature, `client_id`, and `expected_origins`; for an unsigned request, that it is bound to the invoking origin the Verifier is willing to accept (see [Verifier Binding](#verifier-binding));
+4. verify that the result's OpenID4VP `nonce` is the value the Verifier issued for the request, applying its freshness and replay policy;
 5. verify that the credentials and disclosed claims satisfy the `dcql_query` carried in the request;
 6. verify issuer trust, credential status, revocation, expiration, assurance, and any additional route policy;
 7. when the deployment binds the Agent, determine and verify the [[ref: Agent Identifier]] for the HTTP caller and reject the retry if it cannot be bound; see [Agent Binding Options](#agent-binding-options).
 
-With a signed request the returned presentation is bound to the Verifier as relying party; with an unsigned request it is bound to the invoking origin and the Verifier's `nonce`, which the Verifier SHOULD reinforce as described in [Verifier Binding](#verifier-binding). In either case the presentation is not, by itself, bound to the Agent: Agent binding is OPTIONAL and, when used, is an additional check layered over this validation.
+With a signed request the returned result is bound to the Verifier as relying party; with an unsigned request it is bound to the invoking origin and the Verifier's `nonce`, which the Verifier SHOULD reinforce as described in [Verifier Binding](#verifier-binding). In either case the result is not, by itself, bound to the Agent: Agent binding is OPTIONAL and, when used, is an additional check layered over this validation.
 
 ## Access Token Acquisition
 
-This optional leg of the protocol defines the optional exchange of a verified VP Artifact for a reusable Verification Token. The Agent submits the VP Artifact to the OAuth token endpoint from the x401 payload using OAuth 2.0 Token Exchange, then retries protected routes with the returned token either as the route's normal authorization credential or as an x401 proof-satisfaction token object in `PROOF-PRESENTATION`.
+This optional leg of the protocol defines the optional exchange of a verified Result Artifact for a reusable Verification Token. The Agent submits the Result Artifact to the OAuth token endpoint from the x401 payload using OAuth 2.0 Token Exchange, then retries protected routes with the returned token either as the route's normal authorization credential or as an x401 proof-satisfaction token object in `PROOF-RESPONSE`.
 
 ```http
 POST /oauth/token HTTP/1.1
@@ -886,19 +891,19 @@ Host: bank.example.com
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
-subject_token_type=urn:x401:params:oauth:token-type:vp_artifact&
-subject_token=<base64url-vp-artifact-json>
+subject_token_type=urn:x401:params:oauth:token-type:result_artifact&
+subject_token=<base64url-result-artifact-json>
 ```
 
 ### OAuth Token Exchange
 
-An Agent MAY exchange a VP Artifact for a [[ref: Verification Token]] at the OAuth token endpoint supplied in `oauth.token_endpoint`.
+An Agent MAY exchange a Result Artifact for a [[ref: Verification Token]] at the OAuth token endpoint supplied in `oauth.token_endpoint`.
 
 The token request uses OAuth 2.0 Token Exchange. The Agent MUST use:
 
 - `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`
-- `subject_token_type=urn:x401:params:oauth:token-type:vp_artifact`
-- `subject_token=<base64url-vp-artifact-json>`
+- `subject_token_type=urn:x401:params:oauth:token-type:result_artifact`
+- `subject_token=<base64url-result-artifact-json>`
 
 The Agent SHOULD include the `resource` or `audience` value from `oauth` when present. If neither value is present, the Agent MAY use the original protected resource URL as the OAuth `resource` value.
 
@@ -908,19 +913,19 @@ Host: bank.example.com
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
-subject_token_type=urn:x401:params:oauth:token-type:vp_artifact&
-subject_token=<base64url-vp-artifact-json>&
+subject_token_type=urn:x401:params:oauth:token-type:result_artifact&
+subject_token=<base64url-result-artifact-json>&
 resource=https%3A%2F%2Fbank.example.com%2Faccounts%2Fapplications
 ```
 
-The submitted VP Artifact MAY carry the presentation result inline or as a [[ref: Presentation Reference]]; when it is a reference, the token endpoint dereferences it as described in [Presentation by Reference](#presentation-by-reference). The token endpoint MAY require normal OAuth client authentication. If the deployment binds the Agent and client authentication is used, the authenticated OAuth client MUST bind to the same Agent Identifier the deployment requires for the retry.
+The submitted Result Artifact MAY carry the credential result inline or as a [[ref: Credential Reference]]; when it is a reference, the token endpoint dereferences it as described in [Result by Reference](#result-by-reference). The token endpoint MAY require normal OAuth client authentication. If the deployment binds the Agent and client authentication is used, the authenticated OAuth client MUST bind to the same Agent Identifier the deployment requires for the retry.
 
-The token endpoint MUST process the submitted VP Artifact using the same proof validation rules that apply to direct protected-route retry. In particular, it MUST verify that:
+The token endpoint MUST process the submitted Result Artifact using the same proof validation rules that apply to direct protected-route retry. In particular, it MUST verify that:
 
-1. the presentation is cryptographically valid and bound per the request's mode — to the Verifier as relying party for a signed request, or to an acceptable invoking origin for an unsigned request;
+1. the result is cryptographically valid and bound per the request's mode — to the Verifier as relying party for a signed request, or to an acceptable invoking origin for an unsigned request;
 2. the credential material satisfies the `dcql_query` carried in the request for the requested resource;
-3. the presentation's OpenID4VP `nonce` is one the Verifier issued, applying its freshness and replay policy;
-4. when the deployment binds the Agent, the presentation and retry bind to the required Agent Identifier.
+3. the result's OpenID4VP `nonce` is one the Verifier issued, applying its freshness and replay policy;
+4. when the deployment binds the Agent, the result and retry bind to the required Agent Identifier.
 
 If verification succeeds and the Verifier chooses token retry, the token endpoint returns an OAuth-compatible successful access token response:
 
@@ -965,7 +970,7 @@ Name | Definition
 
 #### Verification Token Retry Placement
 
-A Verification Token can be placed in either `Authorization` or `PROOF-PRESENTATION`, depending on how the deployment composes x401 with existing application authorization.
+A Verification Token can be placed in either `Authorization` or `PROOF-RESPONSE`, depending on how the deployment composes x401 with existing application authorization.
 
 If the Verifier, authorization server, and protected application are integrated, the token endpoint MAY issue a token that is accepted as the route's normal application authorization credential. This can be a new token or an upgraded version of an existing application token that includes x401-specific proof satisfaction metadata. In that model, the Agent sends the returned token through the normal authorization mechanism for the route:
 
@@ -973,20 +978,20 @@ If the Verifier, authorization server, and protected application are integrated,
 Authorization: Bearer <verification-token-or-upgraded-application-token>
 ```
 
-If the protected route already requires an application token in `Authorization`, and the x401 Verification Token is separate from that application token, the Agent SHOULD preserve the existing `Authorization` value and send the Verification Token as an x401 Token Object in `PROOF-PRESENTATION`:
+If the protected route already requires an application token in `Authorization`, and the x401 Verification Token is separate from that application token, the Agent SHOULD preserve the existing `Authorization` value and send the Verification Token as an x401 Token Object in `PROOF-RESPONSE`:
 
 ```http
 Authorization: Bearer <existing-application-token>
-PROOF-PRESENTATION: <base64url-x401-token-object>
+PROOF-RESPONSE: <base64url-x401-token-object>
 ```
 
-When processing a `PROOF-PRESENTATION` value that carries an x401 Token Object, the Verifier MUST decode the x401 Token Object, validate the contained Verification Token, and evaluate whether the token satisfies the route's x401 proof requirement. If an `Authorization` header is also present, the Verifier MUST ensure that the application credential and the x401 Verification Token are bound to the same Agent Identifier, client, subject, proof-of-possession key, certificate, or other verifier-accepted caller binding for the route. A Verifier MUST reject a request that combines an application credential and x401 Verification Token that cannot be safely bound to the same accepted caller context.
+When processing a `PROOF-RESPONSE` value that carries an x401 Token Object, the Verifier MUST decode the x401 Token Object, validate the contained Verification Token, and evaluate whether the token satisfies the route's x401 proof requirement. If an `Authorization` header is also present, the Verifier MUST ensure that the application credential and the x401 Verification Token are bound to the same Agent Identifier, client, subject, proof-of-possession key, certificate, or other verifier-accepted caller binding for the route. A Verifier MUST reject a request that combines an application credential and x401 Verification Token that cannot be safely bound to the same accepted caller context.
 
 #### Verification Token Contents
 
-A [[ref: Verification Token]] records the Verifier's decision that a presentation satisfied an x401 proof requirement. It is not a credential, payment artifact, or new issuer attestation about the credential subject.
+A [[ref: Verification Token]] records the Verifier's decision that a credential result satisfied an x401 proof requirement. It is not a credential, payment artifact, or new issuer attestation about the credential subject.
 
-A Verifier MAY issue a Verification Token after accepting a VP Artifact. The token:
+A Verifier MAY issue a Verification Token after accepting a Result Artifact. The token:
 
 1. when the deployment binds the Agent, MUST be issued to the [[ref: Agent Identifier]] bound during the retry, and MUST NOT rely on the credential subject as the token holder identity unless the credential subject is also the Agent;
 2. MUST be scoped to the Verifier audience and to the route, policy, action, resource, or resource class for which proof was accepted;
@@ -1009,7 +1014,7 @@ When a Verification Token is represented as a JWT, its exact claim set is deploy
 
 #### Reuse Across Routes
 
-OpenID4VP `state`, presentation `nonce`, and DCQL Credential Query `id` values are useful for request-response correlation, holder binding, or wallet-facing query selection inside a single presentation transaction. They are not, by themselves, stable semantic identifiers for cross-route token reuse.
+OpenID4VP `state`, presentation `nonce`, and DCQL Credential Query `id` values are useful for request-response correlation, holder binding, or Credential-Manager-facing query selection inside a single presentation transaction. They are not, by themselves, stable semantic identifiers for cross-route token reuse.
 
 x401 uses `request_id` and `satisfied_requirements` for reusable proof semantics. A Verifier MAY accept a Verification Token issued for one route on another route only when:
 
@@ -1036,7 +1041,7 @@ Host: bank.example.com
 
 ```http
 HTTP/1.1 401 Unauthorized
-PROOF-REQUIRED: <base64url-x401-payload>
+PROOF-REQUEST: <base64url-x401-payload>
 Cache-Control: no-store
 ```
 
@@ -1046,20 +1051,21 @@ Decoded x401 payload, shown for readability:
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
   },
-  "trust_establishment": "https://bank.example.com/.well-known/x401/trust/financial-customer-v1",
   "request_id": "proof-template-financial-customer-v1",
   "satisfied_requirements": [
     "urn:example:x401:satisfaction:financial-customer:v1"
@@ -1067,7 +1073,7 @@ Decoded x401 payload, shown for readability:
 }
 ```
 
-The signed OpenID4VP request inside `presentation_requirements.requests[0].data.request`, decoded for readability, is authored and signed by the Verifier:
+The signed OpenID4VP request inside `credential_requirements.digital.requests[0].data.request`, decoded for readability, is authored and signed by the Verifier:
 
 ```json
 {
@@ -1097,43 +1103,43 @@ The signed OpenID4VP request inside `presentation_requirements.requests[0].data.
 }
 ```
 
-#### Obtaining the Presentation
+#### Obtaining the Result
 
-The Agent invokes the Verifier-composed request directly through the Digital Credentials API, or relays it to a Wallet or remote service. The composed request is the `digital` member argument:
+The Agent invokes the Verifier-composed request directly through the Digital Credentials API, or relays it to a Credential Manager or remote service. The composed request is the `digital` member argument:
 
 ```js
-const result = await navigator.credentials.get({ digital: payload.presentation_requirements });
-// result => { protocol: "openid4vp-v1-signed", data: { /* presentation result bound to the Verifier */ } }
+const result = await navigator.credentials.get(payload.credential_requirements);
+// result => { protocol: "openid4vp-v1-signed", data: { /* credential result bound to the Verifier */ } }
 ```
 
-#### Successful Retry With VP Artifact
+#### Successful Retry With Result Artifact
 
 ```http
 POST /accounts/applications HTTP/1.1
 Host: bank.example.com
-PROOF-PRESENTATION: <base64url-vp-artifact-json>
+PROOF-RESPONSE: <base64url-result-artifact-json>
 ```
 
-The decoded VP Artifact carries the presentation result inline:
+The decoded Result Artifact carries the credential result inline:
 
 ```json
 {
   "request_id": "proof-template-financial-customer-v1",
-  "response": {
+  "credential_result": {
     "protocol": "openid4vp-v1-signed",
-    "data": "<wallet-returned-presentation-result>"
+    "data": "<credential-manager-returned-result>"
   }
 }
 ```
 
-#### Successful Retry With a Presentation Reference
+#### Successful Retry With a Credential Reference
 
-When the presentation result is too large for a header field, or was generated at a remote location, the VP Artifact carries a reference the Verifier dereferences:
+When the credential result is too large for a header field, or was generated at a remote location, the Result Artifact carries a reference the Verifier dereferences:
 
 ```json
 {
   "request_id": "proof-template-financial-customer-v1",
-  "presentation_uri": "https://bank.example.com/.well-known/x401/presentations/abc123",
+  "credential_result_uri": "https://bank.example.com/.well-known/x401/results/abc123",
   "expires_at": "2026-05-06T18:50:00Z"
 }
 ```
@@ -1142,15 +1148,15 @@ When the presentation result is too large for a header field, or was generated a
 
 ```http
 HTTP/1.1 401 Unauthorized
-PROOF-RESPONSE: <base64url-x401-error-object>
+PROOF-RESULT: <base64url-x401-error-object>
 Cache-Control: no-store
 ```
 
-The decoded x401 Error Object describes the failed proof presentation. The `401 Unauthorized` status in this example means the route was not completed because the x401 proof branch failed.
+The decoded x401 Error Object describes the failed credential result. The `401 Unauthorized` status in this example means the route was not completed because the x401 proof branch failed.
 
 ### Example 2: OAuth Token Exchange
 
-After receiving the Wallet presentation result, the Agent may exchange the VP Artifact for a token.
+After receiving the Credential Manager credential result, the Agent may exchange the Result Artifact for a token.
 
 ```http
 POST /oauth/token HTTP/1.1
@@ -1158,8 +1164,8 @@ Host: bank.example.com
 Content-Type: application/x-www-form-urlencoded
 
 grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
-subject_token_type=urn:x401:params:oauth:token-type:vp_artifact&
-subject_token=<base64url-vp-artifact-json>&
+subject_token_type=urn:x401:params:oauth:token-type:result_artifact&
+subject_token=<base64url-result-artifact-json>&
 resource=https%3A%2F%2Fbank.example.com%2Faccounts%2Fapplications
 ```
 
@@ -1193,40 +1199,40 @@ Host: bank.example.com
 Authorization: Bearer eyJhbGciOi...
 ```
 
-If the application already requires an existing `Authorization` token and the x401 Verification Token is separate, the Agent preserves the application token and carries the x401 Verification Token as an x401 Token Object in `PROOF-PRESENTATION`:
+If the application already requires an existing `Authorization` token and the x401 Verification Token is separate, the Agent preserves the application token and carries the x401 Verification Token as an x401 Token Object in `PROOF-RESPONSE`:
 
 ```http
 POST /accounts/applications HTTP/1.1
 Host: bank.example.com
 Authorization: Bearer <existing-application-token>
-PROOF-PRESENTATION: <base64url-x401-token-object>
+PROOF-RESPONSE: <base64url-x401-token-object>
 ```
 
 ## Composable Agent and Entity Identification
 
-A returned presentation is already bound to the Verifier (for a signed request) or to the invoking origin and the Verifier's nonce (for an unsigned request); see [Verifier Binding](#verifier-binding). x401 does not, by default, require the presentation to be bound to the Agent, and it does not define a single global agent identity system. Deployments MAY layer additional mechanisms over x401 to authenticate the calling agent, bind an entity identity to the HTTP request, sender-constrain a Verification Token, or carry delegation evidence from a user, organization, workload, or upstream agent.
+A returned result is already bound to the Verifier (for a signed request) or to the invoking origin and the Verifier's nonce (for an unsigned request); see [Verifier Binding](#verifier-binding). x401 does not, by default, require the result to be bound to the Agent, and it does not define a single global agent identity system. Deployments MAY layer additional mechanisms over x401 to authenticate the calling agent, bind an entity identity to the HTTP request, sender-constrain a Verification Token, or carry delegation evidence from a user, organization, workload, or upstream agent.
 
 These mechanisms compose cleanly with x401 when they:
 
 1. produce an authenticated caller identifier the Verifier can map to the route's accepted Agent Identifier policy;
 2. bind that identifier to the HTTP request being evaluated, including the method, target URI or authority, freshness values, and relevant x401 retry material;
 3. can be verified before or during x401 proof validation;
-4. do not alter the composed request in `presentation_requirements`, the VP Artifact, or the `402 Payment Required` boundary;
-5. allow the Verifier to reject mismatches between the authenticated caller, any VP Artifact `agent_id`, and any Verification Token holder identity.
+4. do not alter the composed request in `credential_requirements`, the Result Artifact, or the `402 Payment Required` boundary;
+5. allow the Verifier to reject mismatches between the authenticated caller, any Result Artifact `agent_id`, and any Verification Token holder identity.
 
 ### Agent Binding Options
 
 Agent binding is OPTIONAL in x401. Some deployments — such as a consumer AI client surfacing a verification link to a user — need no agent binding at all; the proof is bound to the Verifier and that is sufficient. Others — such as service-to-service or enterprise deployments — want to additionally bind the proof and retry to the specific calling Agent. This specification does not select a single mechanism. The subsections below describe options that compose with x401; a deployment that binds the Agent picks one (or more) and defines the accepted [[ref: Agent Identifier]] schemes in its policy.
 
-When an Agent relays the request to a separate wallet, browser, device, or remote service, or acquires a remotely generated [[ref: Presentation Result]], the surface that obtains the result is not necessarily the Agent that retries the route. A deployment that binds the Agent in those topologies MUST choose a binding mechanism that survives the relay — for example, an HTTP-layer or token-layer caller authentication on the retry — rather than relying on the presentation result alone.
+When an Agent relays the request to a separate Credential Manager, browser, device, or remote service, or acquires a remotely generated [[ref: Credential Result]], the surface that obtains the result is not necessarily the Agent that retries the route. A deployment that binds the Agent in those topologies MUST choose a binding mechanism that survives the relay — for example, an HTTP-layer or token-layer caller authentication on the retry — rather than relying on the credential result alone.
 
 ### Web Bot Auth and HTTP Message Signatures
 
-Web Bot Auth is a natural option for adding request-bound identification to x401. A calling Agent can sign the initial protected-route request, the retry request carrying a VP Artifact or Verification Token, and the OAuth token exchange request using HTTP Message Signatures. The Agent can also use the `Signature-Agent` header to point the Verifier to an HTTP Message Signatures key directory.
+Web Bot Auth is a natural option for adding request-bound identification to x401. A calling Agent can sign the initial protected-route request, the retry request carrying a Result Artifact or Verification Token, and the OAuth token exchange request using HTTP Message Signatures. The Agent can also use the `Signature-Agent` header to point the Verifier to an HTTP Message Signatures key directory.
 
-When layered over x401, a Web Bot Auth signature SHOULD cover the method and target, the authority or host, the `Signature-Agent` header when present, the `PROOF-PRESENTATION` header when retrying with direct proof or proof-token material, the `Authorization` header when retrying with application or upgraded token material, and `Content-Digest` when the request has a body. The signature SHOULD include short-lived freshness metadata such as `created`, `expires`, and a replay-resistant `nonce`.
+When layered over x401, a Web Bot Auth signature SHOULD cover the method and target, the authority or host, the `Signature-Agent` header when present, the `PROOF-RESPONSE` header when retrying with direct proof or proof-token material, the `Authorization` header when retrying with application or upgraded token material, and `Content-Digest` when the request has a body. The signature SHOULD include short-lived freshness metadata such as `created`, `expires`, and a replay-resistant `nonce`.
 
-A Verifier MAY use the validated signing key, key directory authority, or derived service identity as the Agent Identifier, or as evidence that maps to an Agent Identifier. The Verifier MUST still validate the Wallet presentation binding for the request mode, the credential query satisfaction, issuer trust, token scope, and payment boundary. Web Bot Auth identifies the calling automation or service; it does not by itself prove the credential subject, satisfy the credential query, or prove end-user delegation.
+A Verifier MAY use the validated signing key, key directory authority, or derived service identity as the Agent Identifier, or as evidence that maps to an Agent Identifier. The Verifier MUST still validate the Credential Manager result binding for the request mode, the credential query satisfaction, issuer trust, token scope, and payment boundary. Web Bot Auth identifies the calling automation or service; it does not by itself prove the credential subject, satisfy the credential query, or prove end-user delegation.
 
 ### OAuth Proof-of-Possession and Client Authentication
 
@@ -1242,9 +1248,9 @@ Workload identity proves the caller's operational identity. It does not prove th
 
 ### Agent Identifier Schemes and HTTP-Layer Binding
 
-In the composed-request model the presentation request never identifies the Agent: for a signed request the `client_id` identifies the Verifier as relying party, and an unsigned request has no `client_id` at all. A deployment that binds the Agent therefore does so at the HTTP or token layer rather than through the presentation request. The [[ref: Agent Identifier]] MAY be a DID, HTTPS origin, domain-bound client identifier, certificate-bound identifier, SPIFFE ID, or other verifier-approved scheme.
+In the composed-request model the proof request never identifies the Agent: for a signed request the `client_id` identifies the Verifier as relying party, and an unsigned request has no `client_id` at all. A deployment that binds the Agent therefore does so at the HTTP or token layer rather than through the proof request. The [[ref: Agent Identifier]] MAY be a DID, HTTPS origin, domain-bound client identifier, certificate-bound identifier, SPIFFE ID, or other verifier-approved scheme.
 
-The Verifier determines that the protected-route caller is the required Agent Identifier using a verifier-recognized mapping across the HTTP Message Signature identity, mutual TLS certificate, DPoP key, workload identity, or Verification Token holder identity used on the retry. Because the presentation is bound to the Verifier, this caller binding is what ties the proof to a specific Agent when a deployment requires it.
+The Verifier determines that the protected-route caller is the required Agent Identifier using a verifier-recognized mapping across the HTTP Message Signature identity, mutual TLS certificate, DPoP key, workload identity, or Verification Token holder identity used on the retry. Because the result is bound to the Verifier, this caller binding is what ties the proof to a specific Agent when a deployment requires it.
 
 ### Delegation and Actor Evidence
 
@@ -1255,20 +1261,20 @@ Delegation evidence composes best when it is scoped, time-limited, replay-resist
 ## Consumer Client Compatibility
 
 ::: note Experimental
-The mechanism in this section is an early experiment in adapting x401 to consumer AI clients and other body-only consumers of HTTP responses. The core x401 protocol — as defined in the preceding sections — is the standard, straightforward way to convey proof requirements: a Verifier returns a `PROOF-REQUIRED` header, and the Agent reads, decodes, and acts on it. The pattern described below is offered as a compatibility supplement for content-bearing responses where header-driven discovery is not viable, and the community is invited to contribute proposals, examples, and reference implementations that improve how x401 reaches these clients.
+The mechanism in this section is an early experiment in adapting x401 to consumer AI clients and other body-only consumers of HTTP responses. The core x401 protocol — as defined in the preceding sections — is the standard, straightforward way to convey proof requirements: a Verifier returns a `PROOF-REQUEST` header, and the Agent reads, decodes, and acts on it. The pattern described below is offered as a compatibility supplement for content-bearing responses where header-driven discovery is not viable, and the community is invited to contribute proposals, examples, and reference implementations that improve how x401 reaches these clients.
 :::
 
-x401 is fundamentally an HTTP header protocol. A conforming Verifier signals proof requirements through `PROOF-REQUIRED`, and a conforming Agent processes that header. There is, however, a meaningful class of consumers that today cannot reliably access HTTP response headers on a successful (`2xx`) response with a body. A Verifier that wants its gating requirements to reach those consumers — most notably consumer-facing AI assistants — MAY emit a body-embedded form of the same x401 payload in addition to whatever it carries in `PROOF-REQUIRED`.
+x401 is fundamentally an HTTP header protocol. A conforming Verifier signals proof requirements through `PROOF-REQUEST`, and a conforming Agent processes that header. There is, however, a meaningful class of consumers that today cannot reliably access HTTP response headers on a successful (`2xx`) response with a body. A Verifier that wants its gating requirements to reach those consumers — most notably consumer-facing AI assistants — MAY emit a body-embedded form of the same x401 payload in addition to whatever it carries in `PROOF-REQUEST`.
 
 ### Motivation
 
-Several common client classes do not surface `PROOF-REQUIRED` on a successful response with a body:
+Several common client classes do not surface `PROOF-REQUEST` on a successful response with a body:
 
-- Consumer-facing AI assistants from major platforms typically fetch web content through summarization or browsing tools that surface the response body to the model but drop, hide, or do not propagate the HTTP headers of `2xx` responses. As a result, a proof requirement carried only in `PROOF-REQUIRED` on a successful HTML response will not reach the model.
+- Consumer-facing AI assistants from major platforms typically fetch web content through summarization or browsing tools that surface the response body to the model but drop, hide, or do not propagate the HTTP headers of `2xx` responses. As a result, a proof requirement carried only in `PROOF-REQUEST` on a successful HTML response will not reach the model.
 - HTML documents rendered in a browser do not expose response headers to inline content unless application code reads them through JavaScript and re-injects them into the DOM.
 - Archival, syndication, and feed-rendering tools often store or render the body without preserving headers.
 
-A Verifier that wants its gating requirements to be discoverable by these consumer AI flows or other body-only clients SHOULD strongly consider embedding the proof requirement in the response body using the form defined below, in addition to setting `PROOF-REQUIRED` on the same response.
+A Verifier that wants its gating requirements to be discoverable by these consumer AI flows or other body-only clients SHOULD strongly consider embedding the proof requirement in the response body using the form defined below, in addition to setting `PROOF-REQUEST` on the same response.
 
 ### Embedded Proof Requirements in HTML Content
 
@@ -1284,15 +1290,17 @@ On a non-`401` HTML response, the Verifier MAY emit each advertised x401 proof r
   "$schema": "https://x401.id/spec/schemas/request.json",
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
@@ -1300,13 +1308,13 @@ On a non-`401` HTML response, the Verifier MAY emit each advertised x401 proof r
 }</data>
 ```
 
-Unlike the `PROOF-REQUIRED` header value, the embedded form is the unencoded JSON object. The `<data>` element is already a text container, and the `$schema` member is intended to be directly readable by content processors that retain the object.
+Unlike the `PROOF-REQUEST` header value, the embedded form is the unencoded JSON object. The `<data>` element is already a text container, and the `$schema` member is intended to be directly readable by content processors that retain the object.
 
 ### Placement and Scope
 
-A `<data>` element placed at the document level applies to the page as a whole and SHOULD be used as a body-side mirror of the route-scoped `PROOF-REQUIRED` header so that header-blind clients can still discover the requirement. A response MAY include multiple `<data value="application/json;x401=proof-required" hidden>` elements when a page surfaces multiple advertised requirements; each element MUST be a complete, independent x401 payload that can be processed without reference to the others.
+A `<data>` element placed at the document level applies to the page as a whole and SHOULD be used as a body-side mirror of the route-scoped `PROOF-REQUEST` header so that header-blind clients can still discover the requirement. A response MAY include multiple `<data value="application/json;x401=proof-required" hidden>` elements when a page surfaces multiple advertised requirements; each element MUST be a complete, independent x401 payload that can be processed without reference to the others.
 
-The embedded form does not extend `PROOF-REQUIRED` semantics. The header continues to carry the route-scoped requirement for the entire response. A `<data>` element is a body-side disclosure intended for clients that cannot consume the header.
+The embedded form does not extend `PROOF-REQUEST` semantics. The header continues to carry the route-scoped requirement for the entire response. A `<data>` element is a body-side disclosure intended for clients that cannot consume the header.
 
 ### Processing Expectations
 
@@ -1315,63 +1323,63 @@ A client that processes embedded `<data>` elements:
 1. MUST treat the parsed JSON object as an x401 payload subject to the same structural validation and composed-request processing defined elsewhere in this specification.
 2. SHOULD treat the embedded requirement as a disclosure of gating intent for the surrounding content and SHOULD complete the protocol by requesting the appropriate protected resource through normal x401 header-driven mechanisms.
 
-A Verifier that emits embedded `<data>` elements MUST still enforce proof on the protected resource through the normal `PROOF-REQUIRED` / `PROOF-PRESENTATION` exchange. Embedding a requirement in HTML is informational disclosure and does not by itself grant access.
+A Verifier that emits embedded `<data>` elements MUST still enforce proof on the protected resource through the normal `PROOF-REQUEST` / `PROOF-RESPONSE` exchange. Embedding a requirement in HTML is informational disclosure and does not by itself grant access.
 
 The JSON Schema for the embedded request object is included in [Appendix C: x401 Request Object JSON Schema](#appendix-c-x401-request-object-json-schema).
 
 ### Remote and Out-of-Band Fulfillment
 
 ::: note Informative
-This subsection describes, without adding new normative requirements, how the building blocks defined above let an Agent obtain a presentation when its own environment cannot invoke the Digital Credentials API — the common case for consumer AI clients. It uses only mechanisms already defined in this specification: the composed `presentation_requirements`, the [[ref: Presentation Reference]] form of the VP Artifact, and the existing retry. The community is invited to contribute concrete fulfillment and resume patterns.
+This subsection describes, without adding new normative requirements, how the building blocks defined above let an Agent obtain a result when its own environment cannot invoke the Digital Credentials API — the common case for consumer AI clients. It uses only mechanisms already defined in this specification: the composed `credential_requirements`, the [[ref: Credential Reference]] form of the Result Artifact, and the existing retry. The community is invited to contribute concrete fulfillment and resume patterns.
 :::
 
 A consumer AI client may be unable to call `navigator.credentials.get()` itself. Because the composed request is signed and bound to the Verifier rather than to whoever invokes it, the request can be invoked somewhere else and the result returned to the Agent for replay. A common shape is:
 
-1. The Agent receives the x401 proof requirement and cannot invoke `presentation_requirements` directly.
+1. The Agent receives the x401 proof requirement and cannot invoke `credential_requirements` directly.
 2. The Agent surfaces a fulfillment URL — for example, a verifier-hosted page — to the user. Hosting the page on a verifier-controlled origin lets the page's origin match the `expected_origins` of a signed request; an unsigned request avoids the `expected_origins` constraint at the cost described in [Verifier Binding](#verifier-binding).
-3. The page invokes `navigator.credentials.get({ digital: request })` in its own browser context, on a real user activation, and obtains the presentation result.
-4. The page makes the result available for the route retry — for example, by posting it to the Verifier, which holds it at a `presentation_uri`, or by returning a short-lived reference.
-5. The Agent resumes: it acquires the result or its reference and retries the protected route with a VP Artifact carrying the inline result or a [[ref: Presentation Reference]].
+3. The page invokes `navigator.credentials.get(credentialRequirements)` in its own browser context, on a real user activation, and obtains the credential result.
+4. The page makes the result available for the route retry — for example, by posting it to the Verifier, which holds it at a `credential_result_uri`, or by returning a short-lived reference.
+5. The Agent resumes: it acquires the result or its reference and retries the protected route with a Result Artifact carrying the inline result or a [[ref: Credential Reference]].
 
-How the Agent learns that fulfillment is complete and acquires the result or reference — polling a status endpoint, a user-pasted completion code, or a continuation URL — is a deployment choice. None of these resume mechanisms change the wire format defined by this specification; they all converge on the same protected-route retry. Because the presentation is bound to the Verifier, the surface that invokes the request does not need to be the Agent, and the Agent does not need to read the presentation it relays.
+How the Agent learns that fulfillment is complete and acquires the result or reference — polling a status endpoint, a user-pasted completion code, or a continuation URL — is a deployment choice. None of these resume mechanisms change the wire format defined by this specification; they all converge on the same protected-route retry. Because the result is bound to the Verifier, the surface that invokes the request does not need to be the Agent, and the Agent does not need to read the result it relays.
 
 ## Security Considerations
 
 ### Replay Prevention
 
-The freshness and replay properties of a presentation derive from the OpenID4VP `nonce` the Verifier places in the signed request. Verifiers SHOULD use fresh nonce values and short request expiries and SHOULD reject stale or replayed proofs. How a Verifier recognizes a returned nonce as one it issued, and whether it enforces strict one-time use with shared replay state, are deployment decisions; see [Verifier State and Stateless Operation](#verifier-state-and-stateless-operation).
+The freshness and replay properties of a result derive from the OpenID4VP `nonce` the Verifier places in the signed request. Verifiers SHOULD use fresh nonce values and short request expiries and SHOULD reject stale or replayed proofs. How a Verifier recognizes a returned nonce as one it issued, and whether it enforces strict one-time use with shared replay state, are deployment decisions; see [Verifier State and Stateless Operation](#verifier-state-and-stateless-operation).
 
 ### Verifier Binding
 
-x401 binds a presentation to the Verifier in one of two ways, depending on the request mode the Verifier chose.
+x401 binds a result to the Verifier in one of two ways, depending on the request mode the Verifier chose.
 
-**Signed requests (`openid4vp-v1-signed`, RECOMMENDED).** The request signature and `client_id` let the Wallet authenticate the Verifier and bind the presentation's audience to the Verifier's identity, and `expected_origins` lets the Verifier pre-authorize the origin(s) from which the request may be invoked. This resists relay and phishing: a Wallet will not produce a presentation for the Verifier's request unless it is invoked from an origin the Verifier authorized, so an attacker cannot harvest a presentation for the Verifier from an arbitrary origin. The cost is that the Verifier must know the invocation origin in advance — which is why, when the Agent's own origin is not known, the request is invoked from a verifier-controlled fulfillment origin (see [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment)).
+**Signed requests (`openid4vp-v1-signed`, RECOMMENDED).** The request signature and `client_id` let the Credential Manager authenticate the Verifier and bind the result's audience to the Verifier's identity, and `expected_origins` lets the Verifier pre-authorize the origin(s) from which the request may be invoked. This resists relay and phishing: a Credential Manager will not produce a result for the Verifier's request unless it is invoked from an origin the Verifier authorized, so an attacker cannot harvest a result for the Verifier from an arbitrary origin. The cost is that the Verifier must know the invocation origin in advance — which is why, when the Agent's own origin is not known, the request is invoked from a verifier-controlled fulfillment origin (see [Remote and Out-of-Band Fulfillment](#remote-and-out-of-band-fulfillment)).
 
-**Unsigned requests (`openid4vp-v1-unsigned`).** There is no signature and no `client_id`; the Wallet uses the invoking origin as the relying-party identity and binds the presentation to that origin and the Verifier's `nonce`. This lets the request be fulfilled at an origin the Verifier did not declare — the case signed requests cannot serve — at a real cost: the Wallet cannot authenticate the Verifier, and the Verifier cannot pre-authorize the invocation origin. A malicious page or relay that obtains the request can invoke it from its own origin in front of a different holder and relay the resulting presentation back, so a Verifier that accepts an unsigned presentation on the strength of the `nonce` alone is exposed to credential harvesting and relay. A Verifier that uses unsigned requests therefore relies on the freshness and uniqueness of its `nonce` for replay protection and SHOULD compensate for the missing origin pre-authorization — for example by binding the proof to an authenticated Agent (see [Agent Binding Options](#agent-binding-options)), by constraining the observed invocation origin, or by trusting the delivery channel.
+**Unsigned requests (`openid4vp-v1-unsigned`).** There is no signature and no `client_id`; the Credential Manager uses the invoking origin as the relying-party identity and binds the result to that origin and the Verifier's `nonce`. This lets the request be fulfilled at an origin the Verifier did not declare — the case signed requests cannot serve — at a real cost: the Credential Manager cannot authenticate the Verifier, and the Verifier cannot pre-authorize the invocation origin. A malicious page or relay that obtains the request can invoke it from its own origin in front of a different holder and relay the result back, so a Verifier that accepts an unsigned result on the strength of the `nonce` alone is exposed to credential harvesting and relay. A Verifier that uses unsigned requests therefore relies on the freshness and uniqueness of its `nonce` for replay protection and SHOULD compensate for the missing origin pre-authorization — for example by binding the proof to an authenticated Agent (see [Agent Binding Options](#agent-binding-options)), by constraining the observed invocation origin, or by trusting the delivery channel.
 
-**Relayed delivery.** When the request is fulfilled by a remote handler that does not invoke the Digital Credentials API (see [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler)), there is no invoking Web origin, so `expected_origins` is not enforced regardless of request mode. A *signed* request still binds the presentation's audience to the Verifier through its `client_id`, so relayed delivery of a signed request preserves Verifier audience binding and loses only origin pre-authorization — strictly stronger than unsigned. A *unsigned* request relayed this way has no `client_id` and falls back to `nonce`-only binding. Either way the Verifier SHOULD compensate for the absent origin pre-authorization as it would for an unsigned request.
+**Relayed delivery.** When the request is fulfilled by a remote handler that does not invoke the Digital Credentials API (see [Relayed Delivery to a Remote Handler](#relayed-delivery-to-a-remote-handler)), there is no invoking Web origin, so `expected_origins` is not enforced regardless of request mode. A *signed* request still binds the result's audience to the Verifier through its `client_id`, so relayed delivery of a signed request preserves Verifier audience binding and loses only origin pre-authorization — strictly stronger than unsigned. A *unsigned* request relayed this way has no `client_id` and falls back to `nonce`-only binding. Either way the Verifier SHOULD compensate for the absent origin pre-authorization as it would for an unsigned request.
 
-In all modes the Verifier MUST validate the binding its request mode and transport provide and MUST reject a presentation it cannot bind to the request it issued. The `nonce` provides freshness and correlation throughout; it does not, by itself, authenticate the Verifier or constrain the invocation origin.
+In all modes the Verifier MUST validate the binding its request mode and transport provide and MUST reject a result it cannot bind to the request it issued. The `nonce` provides freshness and correlation throughout; it does not, by itself, authenticate the Verifier or constrain the invocation origin.
 
 ### Agent Binding
 
-Agent binding is OPTIONAL. The presentation is bound to the Verifier, not to the Agent, so a deployment that does not bind the Agent still has a presentation it can trust. A deployment that additionally wants to tie the proof and retry to a specific Agent layers an HTTP-layer or token-layer caller authentication over x401; see [Agent Binding Options](#agent-binding-options). When a deployment binds the Agent, it MUST reject a retry whose caller cannot be bound to the required [[ref: Agent Identifier]]. Because the surface that invokes the request may differ from the Agent that retries the route, a binding mechanism that depends only on the presentation result is insufficient in relay and remote-fulfillment topologies.
+Agent binding is OPTIONAL. The result is bound to the Verifier, not to the Agent, so a deployment that does not bind the Agent still has a result it can trust. A deployment that additionally wants to tie the proof and retry to a specific Agent layers an HTTP-layer or token-layer caller authentication over x401; see [Agent Binding Options](#agent-binding-options). When a deployment binds the Agent, it MUST reject a retry whose caller cannot be bound to the required [[ref: Agent Identifier]]. Because the surface that invokes the request may differ from the Agent that retries the route, a binding mechanism that depends only on the credential result is insufficient in relay and remote-fulfillment topologies.
 
-### Presentation by Reference
+### Result by Reference
 
-A `presentation_uri` is a capability-style reference: possession of the URL is enough to retrieve the presentation. The Verifier MUST issue a unique URI per presentation, and SHOULD make it `https`, unguessable, short-lived, single-use, and scoped to the route and retry it serves; the URL SHOULD be treated as sensitive because it can leak through logs, history, and intermediaries. Because the Verifier issues these references, it SHOULD dereference only URIs it recognizes as its own, which also guards against being pointed at arbitrary locations; it SHOULD bound the response size and time of the fetch. A reference that is reused, expired, or unrecognized MUST be rejected. Integrity and authenticity of the fetched bytes do not depend on a separate digest: the presentation is validated against the issued request's `nonce` and the binding its request mode provides, so a substituted or tampered result fails normal proof validation.
+A `credential_result_uri` is a capability-style reference: possession of the URL is enough to retrieve the result. The Verifier MUST issue a unique URI per result, and SHOULD make it `https`, unguessable, short-lived, single-use, and scoped to the route and retry it serves; the URL SHOULD be treated as sensitive because it can leak through logs, history, and intermediaries. Because the Verifier issues these references, it SHOULD dereference only URIs it recognizes as its own, which also guards against being pointed at arbitrary locations; it SHOULD bound the response size and time of the fetch. A reference that is reused, expired, or unrecognized MUST be rejected. Integrity and authenticity of the fetched bytes do not depend on a separate digest: the result is validated against the issued request's `nonce` and the binding its request mode provides, so a substituted or tampered result fails normal proof validation.
 
 ### Issuer Trust
 
 Acquisition hints MUST NOT be treated as sufficient trust material. Verifiers MUST apply their own trusted issuer policy and validation logic.
 
-When a x401 payload includes `trust_establishment`, that URL identifies the DIF Credential Trust Establishment document for the proof requirement. The document is an acquisition and discovery hint; it does not decide validity. Issuer constraints that must hold at presentation time belong in the request's DCQL `trusted_authorities`, and the Verifier MUST independently validate that presented credentials were issued by parties approved under that request and its own issuer policy. The Verifier MUST NOT rely on the Agent's interpretation of the Issuer Trust List.
+The issuer constraints that must hold at proof time belong in the request's DCQL `trusted_authorities`. An Agent MAY follow the dereferenceable entries (`openid_federation`, `etsi_tl`) to discover where to acquire a qualifying credential, but that resolution is an acquisition and discovery aid; it does not decide validity. The Verifier MUST independently validate that presented credentials were issued by parties approved under the request it issued and its own issuer policy, and MUST NOT rely on the Agent's interpretation of `trusted_authorities`. Because an `aki` entry is not dereferenceable, a request constrained only by `aki` offers no acquisition path; this does not weaken enforcement, which depends on the constraint, not on its resolvability.
 
-### Proof Presentation and Token Retry
+### Proof Result and Token Retry
 
-Verifiers SHOULD prefer Verification Token retry in multi-step flows to avoid repeatedly transmitting large VP Artifacts. Verifiers that accept direct VP retry SHOULD consider header size limits and SHOULD use compact or referenced proof formats where possible.
+Verifiers SHOULD prefer Verification Token retry in multi-step flows to avoid repeatedly transmitting large Result Artifacts. Verifiers that accept direct Result Artifact retry SHOULD consider header size limits and SHOULD use compact or referenced proof formats where possible.
 
-Responses carrying fresh `PROOF-REQUIRED` challenge material or `PROOF-RESPONSE` diagnostics SHOULD use `Cache-Control: no-store` unless the deployment has explicitly made the x401 payload safe to cache. Responses whose selected representation varies based on a `PROOF-PRESENTATION` request header SHOULD use `Vary: PROOF-PRESENTATION` or stronger cache controls.
+Responses carrying fresh `PROOF-REQUEST` challenge material or `PROOF-RESULT` diagnostics SHOULD use `Cache-Control: no-store` unless the deployment has explicitly made the x401 payload safe to cache. Responses whose selected representation varies based on a `PROOF-RESPONSE` request header SHOULD use `Vary: PROOF-RESPONSE` or stronger cache controls.
 
 The x401 payload is visible to the Agent and to intermediaries that can observe decrypted HTTP traffic. A Verifier that encodes state in the request `nonce` to operate statelessly SHOULD protect that state with a signature, MAC, or authenticated encryption so it cannot be forged or read.
 
@@ -1405,37 +1413,43 @@ This draft does not yet request any IANA registrations.
 
 A conforming x401 Verifier:
 
-- includes `PROOF-REQUIRED: <base64url-x401-payload>` when proof is required or advertised
+- includes `PROOF-REQUEST: <base64url-x401-payload>` when proof is required or advertised
 - treats the HTTP status code as the overall response status, not as the x401 protocol carrier
-- returns a valid base64url-encoded x401 payload in `PROOF-REQUIRED`
-- includes a composed Digital Credentials request at `presentation_requirements` whose every entry is a valid OpenID4VP request for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`
+- returns a valid base64url-encoded x401 payload in `PROOF-REQUEST`
+- includes a `credential_requirements` whose `digital` member carries a composed Digital Credentials request whose every entry is a valid OpenID4VP request for the DC API, using `openid4vp-v1-signed` (RECOMMENDED) or `openid4vp-v1-unsigned`
 - for signed requests, sets the `client_id` and `expected_origins` that make the Verifier the relying party; for unsigned requests, accounts for the weaker binding per [Verifier Binding](#verifier-binding)
-- includes an OAuth token endpoint for VP Artifact token exchange
-- validates presentations for the binding the request mode provides, credential query satisfaction, nonce freshness, issuer trust, status, revocation, and route policy
-- accepts VP Artifacts in `PROOF-PRESENTATION: <base64url-vp-artifact-json>` in both inline and by-reference forms, dereferencing a Presentation Reference when supplied
-- accepts Verification Tokens as x401 Token Objects in `PROOF-PRESENTATION: <base64url-x401-token-object>` when x401 proof satisfaction is separate from existing application authorization
+- includes an OAuth token endpoint for Result Artifact token exchange
+- validates credential results for the binding the request mode provides, credential query satisfaction, nonce freshness, issuer trust, status, revocation, and route policy
+- accepts Result Artifacts in `PROOF-RESPONSE: <base64url-result-artifact-json>` in both inline and by-reference forms, dereferencing a Credential Reference when supplied
+- accepts Verification Tokens as x401 Token Objects in `PROOF-RESPONSE: <base64url-x401-token-object>` when x401 proof satisfaction is separate from existing application authorization
 - binds x401 Verification Tokens to the same caller context as any existing application authorization credential present on the request
-- returns `PROOF-RESPONSE: <base64url-x401-error-object>` when reporting x401 proof presentation or token errors
-- optionally includes a DIF Credential Trust Establishment URL for issuer trust and acquisition guidance
+- returns `PROOF-RESULT: <base64url-x401-error-object>` when reporting x401 proof or token errors
+- expresses accepted issuers as DCQL `trusted_authorities` inside the request, rather than as an x401-specific issuer list
 - keeps payment separate under `402 Payment Required`
 
 A conforming x401 Agent:
 
-- recognizes `PROOF-REQUIRED`
-- decodes and processes the x401 payload from the `PROOF-REQUIRED` field value
-- treats `presentation_requirements` as the Verifier-composed Digital Credentials request and does not modify it
-- obtains a presentation result for `presentation_requirements` by invoking it through a native credential method, relaying it to a Wallet or remote service, or acquiring a remotely generated result
-- packages the presentation result as a VP Artifact, inline or as a Presentation Reference
-- retries the same protected route that produced the x401 proof requirement with `PROOF-PRESENTATION` carrying a VP Artifact, `PROOF-PRESENTATION` carrying an x401 Token Object, or a deployment-defined upgraded `Authorization` token
-- preserves existing application `Authorization` credentials when carrying a separate x401 Verification Token as an x401 Token Object in `PROOF-PRESENTATION`
-- recognizes x401 Error Objects in `PROOF-RESPONSE` as x401 proof failures regardless of the HTTP status code
-- treats Issuer Trust List interpretation as advisory until the Verifier validates the presentation
+- recognizes `PROOF-REQUEST`
+- decodes and processes the x401 payload from the `PROOF-REQUEST` field value
+- treats `credential_requirements` as the Verifier-composed credential request and does not modify it
+- obtains a credential result for `credential_requirements` by invoking it through a native credential method, relaying it to a Credential Manager or remote service, or acquiring a remotely generated result
+- packages the credential result as a Result Artifact, inline or as a Credential Reference
+- retries the same protected route that produced the x401 proof requirement with `PROOF-RESPONSE` carrying a Result Artifact, `PROOF-RESPONSE` carrying an x401 Token Object, or a deployment-defined upgraded `Authorization` token
+- preserves existing application `Authorization` credentials when carrying a separate x401 Verification Token as an x401 Token Object in `PROOF-RESPONSE`
+- recognizes x401 Error Objects in `PROOF-RESULT` as x401 proof failures regardless of the HTTP status code
+- treats its own interpretation of the request's `trusted_authorities` as advisory acquisition guidance until the Verifier validates the result
 - supports separate handling of `402 Payment Required`
 
 ## Open Questions & Future Additions
 
 The items below are questions intentionally left open at the time of the initial release of this specification. The community is invited to contribute concrete proposals, start discussions, provide examples, create interop profiles, add test vectors, and submit reference implementations so future versions of x401 can turn the right patterns into a robust protocol that accounts for all necessary concerns.
 
+### Additional Credential Request Types
+
+The `credential_requirements` member is a `CredentialRequestOptions` value — the argument to `navigator.credentials.get()` — so it is structurally able to carry request types beyond the Digital Credentials API, such as the `publicKey` member used for WebAuthn / passkey assertions or other `navigator.credentials.get()` members. This version of x401 intentionally specifies processing for the `digital` member only. The container was named and shaped to make this broadening additive rather than breaking: a future version can define a new member without renaming `credential_requirements` or restructuring the payload.
+
+What this version does **not** specify, and what future work should define, includes: how the [[ref: Credential Result]], [[ref: Result Artifact]], and delivery in `PROOF-RESPONSE` generalize to non-presentation results such as a WebAuthn assertion; how [Verifier Binding](#verifier-binding) is expressed for request types with their own binding model (for example WebAuthn's `rpId`, `challenge`, and origin in `clientDataJSON`); how the OAuth token exchange represents a non-VP proof as the subject token; and how a Verifier signs or otherwise authors each additional request type. Until a future version specifies a given member, a Verifier MUST NOT rely on it and an Agent MUST treat only the `digital` member as defined by this specification.
+
 ### Machine Payments and 402
 
 How should x401 compose with machine-payment protocols that use `402 Payment Required`? Future work should define recommended sequencing for proof-first, payment-first, and parallel proof/payment flows while preserving the current boundary that x401 handles proof and `402` handles payment.
@@ -1444,15 +1458,15 @@ Open design questions include how a payment artifact should be bound to the x401
 
 ### Fully Autonomous Delegation
 
-How can a Holder fully delegate identity or proof capability to an Agent so the Agent can satisfy x401 proof requirements without per-request human or Wallet interaction? The current working assumption is that this could be addressed by Verifiable Intent or a similar signed delegation artifact that gives an Agent Identifier bounded authority to act within a user-approved scope.
+How can a Holder fully delegate identity or proof capability to an Agent so the Agent can satisfy x401 proof requirements without per-request human or Credential Manager interaction? The current working assumption is that this could be addressed by Verifiable Intent or a similar signed delegation artifact that gives an Agent Identifier bounded authority to act within a user-approved scope.
 
-Future work should specify how such a delegation is created, presented, constrained, revoked, audited, and bound to the Agent's request-signing key. It should also answer whether delegated proof is represented as a credential requested by DCQL, as a companion artifact to the VP Artifact, as OAuth or GNAP delegation state, or as a separate profile layered above x401.
+Future work should specify how such a delegation is created, presented, constrained, revoked, audited, and bound to the Agent's request-signing key. It should also answer whether delegated proof is represented as a credential requested by DCQL, as a companion artifact to the Result Artifact, as OAuth or GNAP delegation state, or as a separate profile layered above x401.
 
 ### Adding Agent Authentication
 
-When is agent binding necessary on top of x401? The base protocol binds the returned presentation to the Verifier as relying party and makes Agent binding OPTIONAL; see [Agent Binding Options](#agent-binding-options). Some deployments need no Agent binding at all; others may bind pairwise, ephemeral, enterprise-local, or token-bound Agent Identifiers, or require Web Bot Auth, HTTP Message Signatures, mutual TLS, DPoP, SPIFFE, WIMSE, DID-based authentication, or another caller-authentication profile.
+When is agent binding necessary on top of x401? The base protocol binds the returned result to the Verifier as relying party and makes Agent binding OPTIONAL; see [Agent Binding Options](#agent-binding-options). Some deployments need no Agent binding at all; others may bind pairwise, ephemeral, enterprise-local, or token-bound Agent Identifiers, or require Web Bot Auth, HTTP Message Signatures, mutual TLS, DPoP, SPIFFE, WIMSE, DID-based authentication, or another caller-authentication profile.
 
-Future work should define when Agent binding is mandatory, how a Verifier advertises acceptable caller-authentication mechanisms in or near the x401 proof requirement, which status codes and headers are used when caller authentication is missing, and how mismatches are reported across HTTP caller identity, VP Artifact `agent_id`, Verification Token holder identity, and delegation evidence.
+Future work should define when Agent binding is mandatory, how a Verifier advertises acceptable caller-authentication mechanisms in or near the x401 proof requirement, which status codes and headers are used when caller authentication is missing, and how mismatches are reported across HTTP caller identity, Result Artifact `agent_id`, Verification Token holder identity, and delegation evidence.
 
 ## References
 
@@ -1471,7 +1485,8 @@ Future work should define when Agent binding is mandatory, how a Verifier advert
 - [OpenID for Verifiable Presentations 1.0](https://openid.net/specs/openid-4-verifiable-presentations-1_0-final.html), including its profile for use over the W3C Digital Credentials API
 - [OpenID for Verifiable Credential Issuance 1.0](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-final.html)
 - [W3C Digital Credentials API](https://www.w3.org/TR/digital-credentials/)
-- [DIF Credential Trust Establishment 1.0](https://identity.foundation/credential-trust-establishment/)
+- [OpenID Federation 1.0](https://openid.net/specs/openid-federation-1_0.html)
+- [ETSI TS 119 612: Trusted Lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/)
 
 ### Informative
 
@@ -1494,15 +1509,17 @@ Future work should define when Agent binding is mandatory, how a Verifier advert
 {
   "scheme": "x401",
   "version": "0.2.0",
-  "presentation_requirements": {
-    "requests": [
-      {
-        "protocol": "openid4vp-v1-signed",
-        "data": {
-          "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+  "credential_requirements": {
+    "digital": {
+      "requests": [
+        {
+          "protocol": "openid4vp-v1-signed",
+          "data": {
+            "request": "eyJhbGciOiJFUzI1NiIsInR5cCI6Im9hdXRoLWF1dGh6LXJlcStqd3QifQ..."
+          }
         }
-      }
-    ]
+      ]
+    }
   },
   "oauth": {
     "token_endpoint": "https://bank.example.com/oauth/token"
@@ -1510,10 +1527,10 @@ Future work should define when Agent binding is mandatory, how a Verifier advert
 }
 ```
 
-The example uses the RECOMMENDED signed form; the OpenID4VP request inside `presentation_requirements` carries the credential query (`dcql_query`), the `nonce`, and — for a signed request — the `client_id` and `expected_origins`. The JSON object is carried in the `PROOF-REQUIRED` header as:
+The example uses the RECOMMENDED signed form; the OpenID4VP request inside `credential_requirements.digital` carries the credential query (`dcql_query`), the `nonce`, and — for a signed request — the `client_id` and `expected_origins`. The JSON object is carried in the `PROOF-REQUEST` header as:
 
 ```http
-PROOF-REQUIRED: <base64url-minimal-x401-payload>
+PROOF-REQUEST: <base64url-minimal-x401-payload>
 ```
 :::
 
@@ -1522,21 +1539,21 @@ PROOF-REQUIRED: <base64url-minimal-x401-payload>
 x401 is best understood as:
 
 - an HTTP route proof requirement protocol
-- carrying a composed, Verifier-authored Digital Credentials request at `presentation_requirements` rather than a decomposed set of values for the Agent to assemble
+- carrying a composed, Verifier-authored Digital Credentials request at `credential_requirements.digital` rather than a decomposed set of values for the Agent to assemble
 - making the Verifier the relying party through a signed request (RECOMMENDED), bound via the request signature, `client_id`, and `expected_origins`, or allowing an unsigned request bound to the invoking origin and nonce when the invocation origin cannot be declared in advance
-- letting the Agent execute the request natively, relay it to a wallet or remote service, or acquire a remotely generated result and replay the route
+- letting the Agent execute the request natively, relay it to a Credential Manager or remote service, or acquire a remotely generated result and replay the route
 - reserving the top level of the payload, alongside the native request, for x401-specific values not yet expressible inside a native Digital Credentials request
-- carrying the presentation result inline or by reference on retry
+- carrying the credential result inline or by reference on retry
 - treating VP response encryption and Agent binding as OPTIONAL
 - allowing caller authentication, request signing, workload identity, and delegation evidence to layer over the protected-route request
-- optionally exchanging verified VP Artifacts for OAuth access tokens
+- optionally exchanging verified Result Artifacts for OAuth access tokens
 - optionally pointing to OpenID4VCI issuance sources
 - remaining orthogonal to payment protocols
 - composing with `402 Payment Required` rather than absorbing it
 
 ## Appendix C: x401 Request Object JSON Schema
 
-The JSON Schema below describes the x401 proof requirement payload. The same schema applies whether the payload is carried as a base64url-encoded value in the `PROOF-REQUIRED` header or embedded in HTML inside a `<data value="application/json;x401=proof-required" hidden>` element. The schema is published at the URL referenced by the `$schema` member of an embedded `<data>` element: `https://x401.id/spec/schemas/request.json`.
+The JSON Schema below describes the x401 proof requirement payload. The same schema applies whether the payload is carried as a base64url-encoded value in the `PROOF-REQUEST` header or embedded in HTML inside a `<data value="application/json;x401=proof-required" hidden>` element. The schema is published at the URL referenced by the `$schema` member of an embedded `<data>` element: `https://x401.id/spec/schemas/request.json`.
 
 ```json
 {
@@ -1545,7 +1562,7 @@ The JSON Schema below describes the x401 proof requirement payload. The same sch
   "title": "x401 Proof Requirement Payload",
   "description": "Schema for an x401 proof requirement payload as defined by the x401 specification.",
   "type": "object",
-  "required": ["scheme", "version", "presentation_requirements", "oauth"],
+  "required": ["scheme", "version", "credential_requirements", "oauth"],
   "properties": {
     "$schema": {
       "type": "string",
@@ -1561,31 +1578,38 @@ The JSON Schema below describes the x401 proof requirement payload. The same sch
       "type": "string",
       "description": "The x401 payload version."
     },
-    "presentation_requirements": {
+    "credential_requirements": {
       "type": "object",
-      "required": ["requests"],
-      "description": "The composed Digital Credentials request (a DigitalCredentialRequestOptions value), usable as the digital member of navigator.credentials.get().",
+      "required": ["digital"],
+      "description": "The Verifier-composed credential request, a CredentialRequestOptions value usable as the argument to navigator.credentials.get(). This version of x401 specifies the digital member; additional navigator.credentials.get() request types (e.g. publicKey) may be specified in future versions.",
       "properties": {
-        "requests": {
-          "type": "array",
-          "minItems": 1,
-          "description": "Digital Credentials request entries. Every entry MUST be a valid OpenID4VP request for the DC API.",
-          "items": {
-            "type": "object",
-            "required": ["protocol", "data"],
-            "properties": {
-              "protocol": {
-                "type": "string",
-                "enum": ["openid4vp-v1-signed", "openid4vp-v1-unsigned"],
-                "description": "The DC API protocol identifier. openid4vp-v1-signed is RECOMMENDED; openid4vp-v1-unsigned is permitted. See Verifier Binding."
-              },
-              "data": {
+        "digital": {
+          "type": "object",
+          "required": ["requests"],
+          "description": "The composed Digital Credentials request, a DigitalCredentialRequestOptions value (the value the digital member of navigator.credentials.get() takes).",
+          "properties": {
+            "requests": {
+              "type": "array",
+              "minItems": 1,
+              "description": "Digital Credentials request entries. Every entry MUST be a valid OpenID4VP request for the DC API.",
+              "items": {
                 "type": "object",
-                "description": "Protocol-specific request data. For openid4vp-v1-signed, an object carrying the signed OpenID4VP request (e.g. { \"request\": \"<JWT>\" }); for openid4vp-v1-unsigned, the OpenID4VP request parameters directly.",
+                "required": ["protocol", "data"],
                 "properties": {
-                  "request": {
+                  "protocol": {
                     "type": "string",
-                    "description": "The signed OpenID4VP request (a JWT-Secured Authorization Request); present for openid4vp-v1-signed."
+                    "enum": ["openid4vp-v1-signed", "openid4vp-v1-unsigned"],
+                    "description": "The DC API protocol identifier. openid4vp-v1-signed is RECOMMENDED; openid4vp-v1-unsigned is permitted. See Verifier Binding."
+                  },
+                  "data": {
+                    "type": "object",
+                    "description": "Protocol-specific request data. For openid4vp-v1-signed, an object carrying the signed OpenID4VP request (e.g. { \"request\": \"<JWT>\" }); for openid4vp-v1-unsigned, the OpenID4VP request parameters directly.",
+                    "properties": {
+                      "request": {
+                        "type": "string",
+                        "description": "The signed OpenID4VP request (a JWT-Secured Authorization Request); present for openid4vp-v1-signed."
+                      }
+                    }
                   }
                 }
               }
@@ -1601,7 +1625,7 @@ The JSON Schema below describes the x401 proof requirement payload. The same sch
         "token_endpoint": {
           "type": "string",
           "format": "uri",
-          "description": "OAuth 2.0 token endpoint where the Agent can exchange a VP Artifact for a Verification Token."
+          "description": "OAuth 2.0 token endpoint where the Agent can exchange a Result Artifact for a Verification Token."
         },
         "audience": {
           "type": "string",
@@ -1615,11 +1639,6 @@ The JSON Schema below describes the x401 proof requirement payload. The same sch
       },
       "additionalProperties": false
     },
-    "trust_establishment": {
-      "type": "string",
-      "format": "uri",
-      "description": "Optional acquisition and discovery hint: HTTPS URL for a DIF Credential Trust Establishment document. Issuer enforcement is governed by the signed request (DCQL trusted_authorities), not by this member."
-    },
     "request_id": {
       "type": "string",
       "description": "Optional Agent-visible hint: a stable verifier-defined identifier for the proof template."
@@ -1632,7 +1651,7 @@ The JSON Schema below describes the x401 proof requirement payload. The same sch
     "return_uri": {
       "type": "string",
       "format": "uri",
-      "description": "Optional. Added by a relaying intermediary (never by the Verifier) to tell a remote handler where to POST the presentation result. See Relayed Delivery to a Remote Handler."
+      "description": "Optional. Added by a relaying intermediary (never by the Verifier) to tell a remote handler where to POST the credential result. See Relayed Delivery to a Remote Handler."
     },
     "payment": {
       "type": "object",
diff --git a/src/agent.ts b/src/agent.ts
index 0afcb80..a89d0f7 100644
--- a/src/agent.ts
+++ b/src/agent.ts
@@ -1,7 +1,8 @@
 import {
   EMBEDDED_DATA_VALUE,
+  HEADER,
+  RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
   TOKEN_EXCHANGE_GRANT_TYPE,
-  VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
   X401_SCHEME,
   X401_VERSION,
 } from "./constants.ts";
@@ -12,11 +13,12 @@ import {
   X401ValidationError,
 } from "./validate.ts";
 import type {
+  CredentialRequestOptions,
+  CredentialResult,
   DigitalCredentialRequest,
-  PresentationResult,
+  ResultArtifact,
   TokenExchangeRequest,
   TokenExchangeResponse,
-  VPArtifact,
   X401ErrorObject,
   X401Payload,
   X401TokenObject,
@@ -79,7 +81,7 @@ export function detectProofRequirement(
   input: DetectInput,
 ): ProofRequirement | null {
   if (input.headers !== undefined) {
-    const headerValue = getHeader(input.headers, "PROOF-REQUIRED");
+    const headerValue = getHeader(input.headers, HEADER.PROOF_REQUEST);
     if (headerValue) {
       return { source: "header", payload: decodePayload(headerValue) };
     }
@@ -108,20 +110,29 @@ function decodeHtmlEntities(value: string): string {
 }
 
 /**
- * Returns the Verifier-composed Digital Credentials request, usable directly as the
- * `digital` member of `navigator.credentials.get()`. x401 treats it as opaque; the
+ * Returns the Verifier-composed credential request, usable directly as the
+ * argument to `navigator.credentials.get()`. x401 treats it as opaque; the
  * Agent MUST NOT modify it.
  */
+export function getCredentialRequestOptions(
+  payload: X401Payload,
+): CredentialRequestOptions {
+  return payload.credential_requirements;
+}
+
+/**
+ * Returns the `digital` member of the Verifier-composed credential request.
+ */
 export function getDigitalCredentialRequest(
   payload: X401Payload,
 ): DigitalCredentialRequest {
-  return payload.presentation_requirements;
+  return payload.credential_requirements.digital;
 }
 
 /**
  * Returns a copy of the payload with `return_uri` added, for an intermediary relaying the
- * request to a remote handler that POSTs the presentation result back. Only a relaying
- * intermediary sets this — never the Verifier. The URL must be https.
+ * request to a remote handler that POSTs the credential result back. Only a relaying
+ * intermediary sets this; never the Verifier. The URL must be https.
  */
 export function addReturnUri(
   payload: X401Payload,
@@ -133,27 +144,29 @@ export function addReturnUri(
   return { ...payload, return_uri: returnUri };
 }
 
-interface BuildVPArtifactInput {
-  /** The `{ protocol, data }` presentation result returned by the Wallet. */
-  response: PresentationResult;
+interface BuildResultArtifactInput {
+  /** The `{ protocol, data }` credential result returned by the Credential Manager. */
+  credentialResult: CredentialResult;
   /** Stable verifier-defined identifier for the proof template, when correlating. */
   requestId?: string;
   /** Agent Identifier, when the deployment binds the Agent to the retry. */
   agentId?: string;
 }
 
-/** Packages an inline presentation result as a VP Artifact for protected-route retry. */
-export function buildVPArtifact(input: BuildVPArtifactInput): VPArtifact {
+/** Packages an inline credential result as a Result Artifact for protected-route retry. */
+export function buildResultArtifact(
+  input: BuildResultArtifactInput,
+): ResultArtifact {
   return {
-    response: input.response,
+    credential_result: input.credentialResult,
     ...(input.requestId !== undefined && { request_id: input.requestId }),
     ...(input.agentId !== undefined && { agent_id: input.agentId }),
   };
 }
 
-interface BuildVPArtifactReferenceInput {
-  /** HTTPS URL the Verifier dereferences to fetch the presentation result. */
-  presentationUri: string;
+interface BuildResultArtifactReferenceInput {
+  /** HTTPS URL the Verifier dereferences to fetch the credential result. */
+  credentialResultUri: string;
   /** RFC 3339 time after which the reference is no longer valid. */
   expiresAt?: string;
   /** Stable verifier-defined identifier for the proof template, when correlating. */
@@ -162,19 +175,19 @@ interface BuildVPArtifactReferenceInput {
   agentId?: string;
 }
 
-/** Packages a by-reference presentation as a VP Artifact for protected-route retry. */
-export function buildVPArtifactReference(
-  input: BuildVPArtifactReferenceInput,
-): VPArtifact {
+/** Packages a by-reference credential result as a Result Artifact for protected-route retry. */
+export function buildResultArtifactReference(
+  input: BuildResultArtifactReferenceInput,
+): ResultArtifact {
   return {
-    presentation_uri: input.presentationUri,
+    credential_result_uri: input.credentialResultUri,
     ...(input.expiresAt !== undefined && { expires_at: input.expiresAt }),
     ...(input.requestId !== undefined && { request_id: input.requestId }),
     ...(input.agentId !== undefined && { agent_id: input.agentId }),
   };
 }
 
-export function encodeVPArtifact(artifact: VPArtifact): string {
+export function encodeResultArtifact(artifact: ResultArtifact): string {
   return encodeJson(artifact);
 }
 
@@ -199,13 +212,13 @@ interface TokenExchangeOptions {
 }
 
 export function buildTokenExchangeForm(
-  artifact: VPArtifact,
+  artifact: ResultArtifact,
   options: TokenExchangeOptions = {},
 ): URLSearchParams {
   const request: TokenExchangeRequest = {
     grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
-    subject_token_type: VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
-    subject_token: encodeVPArtifact(artifact),
+    subject_token_type: RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
+    subject_token: encodeResultArtifact(artifact),
     ...(options.resource !== undefined && { resource: options.resource }),
     ...(options.audience !== undefined && { audience: options.audience }),
   };
diff --git a/src/constants.ts b/src/constants.ts
index 10f139d..4da67c6 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -4,7 +4,7 @@ export const X401_VERSION = "0.2.0" as const;
 
 /**
  * W3C Digital Credentials API protocol identifiers for an entry in
- * `presentation_requirements.requests`. `SIGNED` is RECOMMENDED.
+ * `credential_requirements.digital.requests`. `SIGNED` is RECOMMENDED.
  */
 export const DC_API_PROTOCOL = {
   SIGNED: "openid4vp-v1-signed",
@@ -12,9 +12,9 @@ export const DC_API_PROTOCOL = {
 } as const;
 
 export const HEADER = {
-  PROOF_REQUIRED: "PROOF-REQUIRED",
-  PROOF_PRESENTATION: "PROOF-PRESENTATION",
+  PROOF_REQUEST: "PROOF-REQUEST",
   PROOF_RESPONSE: "PROOF-RESPONSE",
+  PROOF_RESULT: "PROOF-RESULT",
 } as const;
 
 export const REQUEST_SCHEMA_URL = "https://x401.id/spec/schemas/request.json";
@@ -24,8 +24,8 @@ export const EMBEDDED_DATA_VALUE = "application/json;x401=proof-required";
 export const TOKEN_EXCHANGE_GRANT_TYPE =
   "urn:ietf:params:oauth:grant-type:token-exchange";
 
-export const VP_ARTIFACT_SUBJECT_TOKEN_TYPE =
-  "urn:x401:params:oauth:token-type:vp_artifact";
+export const RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE =
+  "urn:x401:params:oauth:token-type:result_artifact";
 
 /** RECOMMENDED `issued_token_type` value for a Bearer Verification Token (RFC 8693). */
 export const ACCESS_TOKEN_TYPE =
diff --git a/src/index.ts b/src/index.ts
index fb0d969..77c5b9d 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -7,12 +7,14 @@ export {
   ACCESS_TOKEN_TYPE,
   DC_API_PROTOCOL,
   HEADER,
+  RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
   TOKEN_EXCHANGE_GRANT_TYPE,
-  VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
   X401_VERSION,
 } from "./constants.ts";
 
 export type {
+  CredentialRequestOptions,
+  CredentialResult,
   DCApiProtocol,
   DigitalCredentialRequest,
   DigitalCredentialRequestEntry,
@@ -20,10 +22,9 @@ export type {
   JsonValue,
   OAuthMetadata,
   PaymentObject,
-  PresentationResult,
+  ResultArtifact,
   TokenExchangeRequest,
   TokenExchangeResponse,
-  VPArtifact,
   X401ErrorObject,
   X401Payload,
   X401TokenObject,
diff --git a/src/types.ts b/src/types.ts
index 8b48e2f..d1af655 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -1,7 +1,7 @@
 import type {
   DC_API_PROTOCOL,
+  RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
   TOKEN_EXCHANGE_GRANT_TYPE,
-  VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
   X401_SCHEME,
 } from "./constants.ts";
 
@@ -27,18 +27,26 @@ export interface DigitalCredentialRequestEntry {
 }
 
 /**
- * The Verifier-composed Digital Credentials request carried in `presentation_requirements`.
- * A `DigitalCredentialRequestOptions` value, usable directly as the `digital` member of
- * `navigator.credentials.get()`.
+ * The Verifier-composed Digital Credentials request carried in
+ * `credential_requirements.digital`. It is the value for the `digital` member
+ * of `navigator.credentials.get()`.
  */
 export interface DigitalCredentialRequest {
   requests: DigitalCredentialRequestEntry[];
 }
 
-/** The `{ protocol, data }` result a Wallet returns through the Digital Credentials API. */
-export interface PresentationResult {
+/**
+ * The CredentialRequestOptions object carried in `credential_requirements`.
+ * This version of x401 specifies the `digital` member.
+ */
+export interface CredentialRequestOptions {
+  digital: DigitalCredentialRequest;
+}
+
+/** The `{ protocol, data }` result a Credential Manager returns. */
+export interface CredentialResult {
   protocol: string;
-  /** Wallet-returned presentation material. Opaque to x401. */
+  /** Credential Manager-returned result material. Opaque to x401. */
   data: JsonValue;
 }
 
@@ -56,46 +64,44 @@ export interface PaymentObject {
   notes?: string;
 }
 
-/** The flat x401 payload carried (base64url-encoded) in the PROOF-REQUIRED header. */
+/** The flat x401 payload carried in the PROOF-REQUEST header. */
 export interface X401Payload {
   scheme: typeof X401_SCHEME;
   version: string;
-  /** The composed Digital Credentials request. Required. */
-  presentation_requirements: DigitalCredentialRequest;
+  /** The composed credential request. Required. */
+  credential_requirements: CredentialRequestOptions;
   /** OAuth token-exchange metadata. Required. */
   oauth: OAuthMetadata;
-  /** HTTPS URL of a DIF Credential Trust Establishment document. Optional hint. */
-  trust_establishment?: string;
   /** Stable verifier-defined identifier for the proof template. Optional hint. */
   request_id?: string;
   /** Stable identifiers for reusable proof requirements this proof would satisfy. Optional hint. */
   satisfied_requirements?: string[];
   /**
-   * HTTPS URL a remote handler POSTs the presentation result to. Added by a relaying
-   * intermediary (never by the Verifier) when relaying to a remote handler.
+   * HTTPS URL a remote handler POSTs the credential result to. Added by a relaying
+   * intermediary, never by the Verifier, when relaying to a remote handler.
    */
   return_uri?: string;
   payment?: PaymentObject;
 }
 
 /**
- * The VP Artifact carried (base64url-encoded) in PROOF-PRESENTATION for a direct retry.
- * Carries the presentation result inline (`response`) or by reference (`presentation_uri`);
- * exactly one MUST be present.
+ * The Result Artifact carried in PROOF-RESPONSE for a direct retry. Carries the
+ * credential result inline (`credential_result`) or by reference
+ * (`credential_result_uri`); exactly one MUST be present.
  */
-export interface VPArtifact {
-  /** Inline presentation result. Mutually exclusive with `presentation_uri`. */
-  response?: PresentationResult;
-  /** HTTPS URL the Verifier dereferences to fetch the presentation result. */
-  presentation_uri?: string;
-  /** RFC 3339 time after which `presentation_uri` is no longer valid. */
+export interface ResultArtifact {
+  /** Inline credential result. Mutually exclusive with `credential_result_uri`. */
+  credential_result?: CredentialResult;
+  /** HTTPS URL the Verifier dereferences to fetch the credential result. */
+  credential_result_uri?: string;
+  /** RFC 3339 time after which `credential_result_uri` is no longer valid. */
   expires_at?: string;
   request_id?: string;
   /** Optional Agent Identifier, when the deployment binds the Agent to the retry. */
   agent_id?: string;
 }
 
-/** A reusable proof-satisfaction token carried in PROOF-PRESENTATION. */
+/** A reusable proof-satisfaction token carried in PROOF-RESPONSE. */
 export interface X401TokenObject {
   scheme: typeof X401_SCHEME;
   version: string;
@@ -103,7 +109,7 @@ export interface X401TokenObject {
   access_token: string;
 }
 
-/** The x401 Error Object carried (base64url-encoded) in the PROOF-RESPONSE header. */
+/** The x401 Error Object carried in the PROOF-RESULT header. */
 export interface X401ErrorObject {
   scheme: typeof X401_SCHEME;
   version: string;
@@ -126,7 +132,7 @@ export interface TokenExchangeResponse {
 /** The fixed parameters of an x401 OAuth Token Exchange request. */
 export interface TokenExchangeRequest {
   grant_type: typeof TOKEN_EXCHANGE_GRANT_TYPE;
-  subject_token_type: typeof VP_ARTIFACT_SUBJECT_TOKEN_TYPE;
+  subject_token_type: typeof RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE;
   subject_token: string;
   resource?: string;
   audience?: string;
diff --git a/src/validate.ts b/src/validate.ts
index 34af383..6f7ea2c 100644
--- a/src/validate.ts
+++ b/src/validate.ts
@@ -1,7 +1,7 @@
 import { DC_API_PROTOCOL, X401_SCHEME } from "./constants.ts";
 import type {
   JsonObject,
-  VPArtifact,
+  ResultArtifact,
   X401ErrorObject,
   X401Payload,
   X401TokenObject,
@@ -34,20 +34,23 @@ export function parseX401Payload(value: unknown): X401Payload {
   if (!isString(value.version)) {
     throw new X401ValidationError('x401 payload "version" is required.');
   }
-  const pr = value.presentation_requirements;
+  const credentialRequirements = value.credential_requirements;
+  const digital = isObject(credentialRequirements)
+    ? credentialRequirements.digital
+    : undefined;
   if (
-    !isObject(pr) ||
-    !Array.isArray(pr.requests) ||
-    pr.requests.length === 0
+    !isObject(digital) ||
+    !Array.isArray(digital.requests) ||
+    digital.requests.length === 0
   ) {
     throw new X401ValidationError(
-      "presentation_requirements.requests must be a non-empty array.",
+      "credential_requirements.digital.requests must be a non-empty array.",
     );
   }
-  for (const entry of pr.requests) {
+  for (const entry of digital.requests) {
     if (!isObject(entry)) {
       throw new X401ValidationError(
-        "each presentation_requirements.requests entry must be an object.",
+        "each credential_requirements.digital.requests entry must be an object.",
       );
     }
     if (
@@ -75,39 +78,39 @@ export function parseX401Payload(value: unknown): X401Payload {
   return value as unknown as X401Payload;
 }
 
-export function parseVPArtifact(value: unknown): VPArtifact {
+export function parseResultArtifact(value: unknown): ResultArtifact {
   if (!isObject(value)) {
-    throw new X401ValidationError("VP Artifact must be a JSON object.");
+    throw new X401ValidationError("Result Artifact must be a JSON object.");
   }
-  const hasResponse = value.response !== undefined;
-  const hasUri = value.presentation_uri !== undefined;
-  if (hasResponse === hasUri) {
+  const hasResult = value.credential_result !== undefined;
+  const hasUri = value.credential_result_uri !== undefined;
+  if (hasResult === hasUri) {
     throw new X401ValidationError(
-      "VP Artifact must contain exactly one of response or presentation_uri.",
+      "Result Artifact must contain exactly one of credential_result or credential_result_uri.",
     );
   }
-  if (hasResponse) {
-    const response = value.response;
+  if (hasResult) {
+    const result = value.credential_result;
     if (
-      !isObject(response) ||
-      !isString(response.protocol) ||
-      response.data === undefined
+      !isObject(result) ||
+      !isString(result.protocol) ||
+      result.data === undefined
     ) {
       throw new X401ValidationError(
-        "VP Artifact response must be a { protocol, data } object.",
+        "Result Artifact credential_result must be a { protocol, data } object.",
       );
     }
   }
   if (
     hasUri &&
-    (!isString(value.presentation_uri) ||
-      !value.presentation_uri.startsWith("https://"))
+    (!isString(value.credential_result_uri) ||
+      !value.credential_result_uri.startsWith("https://"))
   ) {
     throw new X401ValidationError(
-      "VP Artifact presentation_uri must be an https URL.",
+      "Result Artifact credential_result_uri must be an https URL.",
     );
   }
-  return value as unknown as VPArtifact;
+  return value as unknown as ResultArtifact;
 }
 
 export function parseX401TokenObject(value: unknown): X401TokenObject {
diff --git a/src/verifier.ts b/src/verifier.ts
index 92d31e4..25685fb 100644
--- a/src/verifier.ts
+++ b/src/verifier.ts
@@ -2,22 +2,22 @@ import {
   DC_API_PROTOCOL,
   EMBEDDED_DATA_VALUE,
   REQUEST_SCHEMA_URL,
+  RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
   TOKEN_EXCHANGE_GRANT_TYPE,
-  VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
   X401_SCHEME,
   X401_VERSION,
 } from "./constants.ts";
 import { decodeProofHeader, encodeJson } from "./encoding.ts";
 import {
-  parseVPArtifact,
+  parseResultArtifact,
   parseX401TokenObject,
   X401ValidationError,
 } from "./validate.ts";
 import type {
-  DigitalCredentialRequest,
+  CredentialRequestOptions,
   OAuthMetadata,
   PaymentObject,
-  VPArtifact,
+  ResultArtifact,
   X401ErrorObject,
   X401Payload,
   X401TokenObject,
@@ -27,14 +27,13 @@ const DC_API_PROTOCOLS: readonly string[] = Object.values(DC_API_PROTOCOL);
 
 interface BuildPayloadInput {
   /**
-   * The Verifier-composed Digital Credentials request (a `DigitalCredentialRequestOptions`
-   * value). The caller authors and, for signed requests, signs it; x401 carries it opaque.
+   * The Verifier-composed credential request, usable directly as the argument
+   * to `navigator.credentials.get()`. This version of x401 specifies its
+   * `digital` member.
    */
-  presentationRequirements: DigitalCredentialRequest;
+  credentialRequirements: CredentialRequestOptions;
   /** OAuth token-exchange metadata for the Agent. */
   oauth: OAuthMetadata;
-  /** HTTPS URL of a DIF Credential Trust Establishment document. Optional hint. */
-  trustEstablishment?: string;
   /** Stable verifier-defined identifier for the proof template. Optional hint. */
   requestId?: string;
   /** Reusable proof-requirement identifiers this proof would satisfy. Optional hint. */
@@ -44,10 +43,10 @@ interface BuildPayloadInput {
 }
 
 export function buildPayload(input: BuildPayloadInput): X401Payload {
-  const requests = input.presentationRequirements.requests;
+  const requests = input.credentialRequirements.digital.requests;
   if (!Array.isArray(requests) || requests.length === 0) {
     throw new X401ValidationError(
-      "presentation_requirements.requests must be a non-empty array.",
+      "credential_requirements.digital.requests must be a non-empty array.",
     );
   }
   for (const entry of requests) {
@@ -60,11 +59,8 @@ export function buildPayload(input: BuildPayloadInput): X401Payload {
   return {
     scheme: X401_SCHEME,
     version: X401_VERSION,
-    presentation_requirements: input.presentationRequirements,
+    credential_requirements: input.credentialRequirements,
     oauth: input.oauth,
-    ...(input.trustEstablishment !== undefined && {
-      trust_establishment: input.trustEstablishment,
-    }),
     ...(input.requestId !== undefined && { request_id: input.requestId }),
     ...(input.satisfiedRequirements !== undefined && {
       satisfied_requirements: input.satisfiedRequirements,
@@ -92,8 +88,8 @@ function escapeHtml(value: string): string {
   return value.replace(/&/g, "&amp;").replace(/</g, "&lt;");
 }
 
-export function decodeVPArtifact(headerValue: string): VPArtifact {
-  return parseVPArtifact(decodeProofHeader(headerValue));
+export function decodeResultArtifact(headerValue: string): ResultArtifact {
+  return parseResultArtifact(decodeProofHeader(headerValue));
 }
 
 export function decodeTokenObject(headerValue: string): X401TokenObject {
@@ -116,7 +112,7 @@ export function parseTokenExchange(
       "unsupported grant_type for x401 token exchange.",
     );
   }
-  if (get("subject_token_type") !== VP_ARTIFACT_SUBJECT_TOKEN_TYPE) {
+  if (get("subject_token_type") !== RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE) {
     throw new X401ValidationError(
       "unsupported subject_token_type for x401 token exchange.",
     );
diff --git a/tests/spec-fixtures.test.ts b/tests/spec-fixtures.test.ts
index b8e8e28..9877ad7 100644
--- a/tests/spec-fixtures.test.ts
+++ b/tests/spec-fixtures.test.ts
@@ -25,9 +25,12 @@ function names(re: RegExp): string[] {
 }
 
 function hasRequests(p: unknown): boolean {
-  const pr = (p as { presentation_requirements?: { requests?: unknown[] } })
-    .presentation_requirements;
-  return Array.isArray(pr?.requests) && pr.requests.length > 0;
+  const digital = (
+    p as {
+      credential_requirements?: { digital?: { requests?: unknown[] } };
+    }
+  ).credential_requirements?.digital;
+  return Array.isArray(digital?.requests) && digital.requests.length > 0;
 }
 
 test("complete spec payload fixtures parse and survive an encode round-trip", () => {
@@ -51,28 +54,28 @@ test("the spec envelope skeleton is rejected by the parser", () => {
   }
 });
 
-test("spec VP Artifact fixtures (inline and by-reference) decode and round-trip", () => {
-  const arts = names(/^vp-artifact-\d+\.json$/);
+test("spec Result Artifact fixtures (inline and by-reference) decode and round-trip", () => {
+  const arts = names(/^result-artifact-\d+\.json$/);
   assert.ok(
     arts.length >= 2,
-    "expected inline and by-reference VP artifact fixtures",
+    "expected inline and by-reference Result Artifact fixtures",
   );
   let sawInline = false;
   let sawReference = false;
   for (const name of arts) {
     const raw = fixture(name) as Record<string, unknown>;
-    if (raw["response"] !== undefined) sawInline = true;
-    if (raw["presentation_uri"] !== undefined) sawReference = true;
-    const decoded = verifier.decodeVPArtifact(
-      agent.encodeVPArtifact(raw as never),
+    if (raw["credential_result"] !== undefined) sawInline = true;
+    if (raw["credential_result_uri"] !== undefined) sawReference = true;
+    const decoded = verifier.decodeResultArtifact(
+      agent.encodeResultArtifact(raw as never),
     );
     assert.deepEqual(decoded, raw, name);
   }
-  assert.ok(sawInline, "no inline VP artifact fixture found");
-  assert.ok(sawReference, "no by-reference VP artifact fixture found");
+  assert.ok(sawInline, "no inline Result Artifact fixture found");
+  assert.ok(sawReference, "no by-reference Result Artifact fixture found");
 });
 
-test("spec error object fixture decodes through PROOF-RESPONSE", () => {
+test("spec error object fixture decodes through PROOF-RESULT", () => {
   const raw = fixture("error-object.json") as Record<string, unknown>;
   const decoded = agent.decodeErrorObject(
     verifier.encodeErrorObject(raw as never),
@@ -82,7 +85,7 @@ test("spec error object fixture decodes through PROOF-RESPONSE", () => {
   assert.equal("challenge" in decoded, false);
 });
 
-test("spec token object fixture decodes through PROOF-PRESENTATION", () => {
+test("spec token object fixture decodes through PROOF-RESPONSE", () => {
   const raw = fixture("token-object.json") as Record<string, unknown>;
   const decoded = verifier.decodeTokenObject(
     agent.encodeTokenObject(raw as never),
diff --git a/tests/spec-schema.test.ts b/tests/spec-schema.test.ts
index 96ecc86..1d9a685 100644
--- a/tests/spec-schema.test.ts
+++ b/tests/spec-schema.test.ts
@@ -29,9 +29,12 @@ function payloadFixtureNames(): string[] {
 /** A "complete" payload example carries at least one request entry; the spec also
  * shows an envelope skeleton (empty objects) that is illustrative, not valid. */
 function isComplete(p: unknown): boolean {
-  const pr = (p as { presentation_requirements?: { requests?: unknown[] } })
-    .presentation_requirements;
-  return Array.isArray(pr?.requests) && pr.requests.length > 0;
+  const digital = (
+    p as {
+      credential_requirements?: { digital?: { requests?: unknown[] } };
+    }
+  ).credential_requirements?.digital;
+  return Array.isArray(digital?.requests) && digital.requests.length > 0;
 }
 
 const ajv = addFormats(new Ajv2020({ allErrors: true }));
@@ -64,21 +67,26 @@ test("the spec envelope skeleton is not a complete payload (sanity check on the
 
 test("payloads produced by verifier.buildPayload validate against the schema", () => {
   const signed = verifier.buildPayload({
-    presentationRequirements: {
-      requests: [
-        { protocol: "openid4vp-v1-signed", data: { request: "eyJ..." } },
-      ],
+    credentialRequirements: {
+      digital: {
+        requests: [
+          { protocol: "openid4vp-v1-signed", data: { request: "eyJ..." } },
+        ],
+      },
     },
     oauth: { token_endpoint: "https://bank.example.com/oauth/token" },
-    trustEstablishment: "https://bank.example.com/.well-known/x401/trust/v1",
     requestId: "proof-template-v1",
     satisfiedRequirements: ["urn:example:x401:satisfaction:v1"],
   });
   assert.ok(validate(signed), `signed: ${ajv.errorsText(validate.errors)}`);
 
   const unsigned = verifier.buildPayload({
-    presentationRequirements: {
-      requests: [{ protocol: "openid4vp-v1-unsigned", data: { nonce: "abc" } }],
+    credentialRequirements: {
+      digital: {
+        requests: [
+          { protocol: "openid4vp-v1-unsigned", data: { nonce: "abc" } },
+        ],
+      },
     },
     oauth: { token_endpoint: "https://bank.example.com/oauth/token" },
   });
@@ -89,8 +97,10 @@ test("schema rejects structurally invalid payloads", () => {
   const base = {
     scheme: "x401",
     version: "0.2.0",
-    presentation_requirements: {
-      requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+    credential_requirements: {
+      digital: {
+        requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+      },
     },
     oauth: { token_endpoint: "https://bank.example.com/oauth/token" },
   };
@@ -99,8 +109,10 @@ test("schema rejects structurally invalid payloads", () => {
     validate({
       scheme: "x401",
       version: "0.2.0",
-      presentation_requirements: {
-        requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+      credential_requirements: {
+        digital: {
+          requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+        },
       },
     }),
     false,
@@ -109,15 +121,20 @@ test("schema rejects structurally invalid payloads", () => {
   assert.equal(
     validate({
       ...base,
-      presentation_requirements: {
-        requests: [{ protocol: "openid4vp-signed", data: {} }],
+      credential_requirements: {
+        digital: {
+          requests: [{ protocol: "openid4vp-signed", data: {} }],
+        },
       },
     }),
     false,
   );
   // empty requests
   assert.equal(
-    validate({ ...base, presentation_requirements: { requests: [] } }),
+    validate({
+      ...base,
+      credential_requirements: { digital: { requests: [] } },
+    }),
     false,
   );
   // leftover 0.1.0 proof wrapper (additionalProperties: false)
diff --git a/tests/x401.test.ts b/tests/x401.test.ts
index 494082d..e4d35ff 100644
--- a/tests/x401.test.ts
+++ b/tests/x401.test.ts
@@ -6,44 +6,43 @@ import {
   verifier,
   ACCESS_TOKEN_TYPE,
   HEADER,
+  RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
   TOKEN_EXCHANGE_GRANT_TYPE,
-  VP_ARTIFACT_SUBJECT_TOKEN_TYPE,
   X401ValidationError,
 } from "../src/index.ts";
-import type { DigitalCredentialRequest } from "../src/index.ts";
+import type { CredentialRequestOptions } from "../src/index.ts";
 
 const TOKEN_ENDPOINT = "https://research.example.com/oauth/token";
 const RESOURCE = "https://research.example.com/papers/medical-study-123";
 
-const SIGNED_REQUEST: DigitalCredentialRequest = {
-  requests: [
-    {
-      protocol: "openid4vp-v1-signed",
-      data: { request: "eyJhbGciOiJFUzI1NiJ9.signed-jar" },
-    },
-  ],
+const SIGNED_REQUEST: CredentialRequestOptions = {
+  digital: {
+    requests: [
+      {
+        protocol: "openid4vp-v1-signed",
+        data: { request: "eyJhbGciOiJFUzI1NiJ9.signed-jar" },
+      },
+    ],
+  },
 };
 
 function buildRequirement() {
   return verifier.buildPayload({
-    presentationRequirements: SIGNED_REQUEST,
+    credentialRequirements: SIGNED_REQUEST,
     oauth: { token_endpoint: TOKEN_ENDPOINT },
-    trustEstablishment:
-      "https://research.example.com/.well-known/x401/trust/v1",
     requestId: "proof-template-age-over-21-v1",
     satisfiedRequirements: ["urn:example:x401:satisfaction:age-over-21:v1"],
   });
 }
 
-test("buildPayload emits a flat 0.2.0 payload with presentation_requirements", () => {
+test("buildPayload emits a flat payload with credential_requirements", () => {
   const payload = buildRequirement();
   assert.equal(payload.version, "0.2.0");
   assert.equal(
-    payload.presentation_requirements.requests[0]?.protocol,
+    payload.credential_requirements.digital.requests[0]?.protocol,
     "openid4vp-v1-signed",
   );
   assert.equal(payload.oauth.token_endpoint, TOKEN_ENDPOINT);
-  // No 0.1.0 proof wrapper.
   assert.equal("proof" in payload, false);
 });
 
@@ -51,7 +50,7 @@ test("buildPayload rejects an empty requests array", () => {
   assert.throws(
     () =>
       verifier.buildPayload({
-        presentationRequirements: { requests: [] },
+        credentialRequirements: { digital: { requests: [] } },
         oauth: { token_endpoint: TOKEN_ENDPOINT },
       }),
     X401ValidationError,
@@ -62,8 +61,10 @@ test("buildPayload rejects an unknown DC API protocol", () => {
   assert.throws(
     () =>
       verifier.buildPayload({
-        presentationRequirements: {
-          requests: [{ protocol: "openid4vp-signed" as never, data: {} }],
+        credentialRequirements: {
+          digital: {
+            requests: [{ protocol: "openid4vp-signed" as never, data: {} }],
+          },
         },
         oauth: { token_endpoint: TOKEN_ENDPOINT },
       }),
@@ -71,17 +72,21 @@ test("buildPayload rejects an unknown DC API protocol", () => {
   );
 });
 
-test("agent decodes the PROOF-REQUIRED header and exposes the composed request", () => {
+test("agent decodes the PROOF-REQUEST header and exposes the credential request", () => {
   const payload = buildRequirement();
   const detected = agent.detectProofRequirement({
-    headers: { [HEADER.PROOF_REQUIRED]: verifier.encodePayload(payload) },
+    headers: { [HEADER.PROOF_REQUEST]: verifier.encodePayload(payload) },
   });
   assert.ok(detected);
   assert.equal(detected.source, "header");
   assert.deepEqual(
-    agent.getDigitalCredentialRequest(detected.payload),
+    agent.getCredentialRequestOptions(detected.payload),
     SIGNED_REQUEST,
   );
+  assert.deepEqual(
+    agent.getDigitalCredentialRequest(detected.payload),
+    SIGNED_REQUEST.digital,
+  );
 });
 
 test("agent detects the embedded <data> requirement and it round-trips", () => {
@@ -96,7 +101,7 @@ test("agent detects the embedded <data> requirement and it round-trips", () => {
 
 test("addReturnUri attaches an https return_uri that survives a round-trip", () => {
   const payload = buildRequirement();
-  assert.equal("return_uri" in payload, false); // verifier never sets it
+  assert.equal("return_uri" in payload, false);
   const relayed = agent.addReturnUri(
     payload,
     "https://mcp.example/x401/return/9f1c2a",
@@ -118,8 +123,10 @@ test("parseX401Payload rejects a non-https return_uri", () => {
     JSON.stringify({
       scheme: "x401",
       version: "0.2.0",
-      presentation_requirements: {
-        requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+      credential_requirements: {
+        digital: {
+          requests: [{ protocol: "openid4vp-v1-signed", data: {} }],
+        },
       },
       oauth: { token_endpoint: "https://bank.example.com/oauth/token" },
       return_uri: "http://mcp.example/return",
@@ -128,7 +135,7 @@ test("parseX401Payload rejects a non-https return_uri", () => {
   assert.throws(() => agent.decodePayload(bad), X401ValidationError);
 });
 
-test("parseX401Payload rejects a leftover 0.1.0 proof wrapper", () => {
+test("parseX401Payload rejects a leftover wrapper", () => {
   assert.throws(
     () =>
       agent.decodePayload(
@@ -136,7 +143,7 @@ test("parseX401Payload rejects a leftover 0.1.0 proof wrapper", () => {
           JSON.stringify({
             scheme: "x401",
             version: "0.1.0",
-            proof: { presentation_protocol: "openid4vp" },
+            proof: { request_protocol: "openid4vp" },
           }),
         ).toString("base64url"),
       ),
@@ -148,76 +155,86 @@ test("a comma-list proof header value is rejected as invalid", () => {
   assert.throws(() => agent.decodePayload("AAAA,BBBB"), X401ValidationError);
 });
 
-test("inline VP Artifact round-trips through PROOF-PRESENTATION", () => {
+test("inline Result Artifact round-trips through PROOF-RESPONSE", () => {
   const payload = buildRequirement();
-  const artifact = agent.buildVPArtifact({
-    response: {
+  const artifact = agent.buildResultArtifact({
+    credentialResult: {
       protocol: "openid4vp-v1-signed",
-      data: "<wallet-returned-presentation-result>",
+      data: "<credential-manager-returned-result>",
     },
     requestId: payload.request_id,
   });
-  const decoded = verifier.decodeVPArtifact(agent.encodeVPArtifact(artifact));
-  assert.equal(decoded.response?.protocol, "openid4vp-v1-signed");
-  assert.equal(decoded.presentation_uri, undefined);
+  const decoded = verifier.decodeResultArtifact(
+    agent.encodeResultArtifact(artifact),
+  );
+  assert.equal(decoded.credential_result?.protocol, "openid4vp-v1-signed");
+  assert.equal(decoded.credential_result_uri, undefined);
   assert.equal(decoded.request_id, "proof-template-age-over-21-v1");
 });
 
-test("by-reference VP Artifact round-trips through PROOF-PRESENTATION", () => {
-  const artifact = agent.buildVPArtifactReference({
-    presentationUri:
-      "https://research.example.com/.well-known/x401/presentations/abc",
+test("by-reference Result Artifact round-trips through PROOF-RESPONSE", () => {
+  const artifact = agent.buildResultArtifactReference({
+    credentialResultUri:
+      "https://research.example.com/.well-known/x401/results/abc",
     expiresAt: "2026-05-06T18:50:00Z",
     agentId: "did:web:agent.example",
   });
-  const decoded = verifier.decodeVPArtifact(agent.encodeVPArtifact(artifact));
+  const decoded = verifier.decodeResultArtifact(
+    agent.encodeResultArtifact(artifact),
+  );
   assert.equal(
-    decoded.presentation_uri,
-    "https://research.example.com/.well-known/x401/presentations/abc",
+    decoded.credential_result_uri,
+    "https://research.example.com/.well-known/x401/results/abc",
   );
-  assert.equal(decoded.response, undefined);
+  assert.equal(decoded.credential_result, undefined);
   assert.equal(decoded.agent_id, "did:web:agent.example");
 });
 
-test("VP Artifact with neither response nor presentation_uri is rejected", () => {
+test("Result Artifact with neither result nor uri is rejected", () => {
   assert.throws(
     () =>
-      verifier.decodeVPArtifact(
+      verifier.decodeResultArtifact(
         Buffer.from(JSON.stringify({})).toString("base64url"),
       ),
     X401ValidationError,
   );
 });
 
-test("VP Artifact with a non-https presentation_uri is rejected", () => {
+test("Result Artifact with a non-https result uri is rejected", () => {
   const insecure = Buffer.from(
-    JSON.stringify({ presentation_uri: "http://example.com/p/1" }),
+    JSON.stringify({ credential_result_uri: "http://example.com/r/1" }),
   ).toString("base64url");
-  assert.throws(() => verifier.decodeVPArtifact(insecure), X401ValidationError);
+  assert.throws(
+    () => verifier.decodeResultArtifact(insecure),
+    X401ValidationError,
+  );
 });
 
-test("VP Artifact with both response and presentation_uri is rejected", () => {
+test("Result Artifact with both result and uri is rejected", () => {
   const both = Buffer.from(
     JSON.stringify({
-      response: { protocol: "openid4vp-v1-signed", data: "x" },
-      presentation_uri: "https://example.com/p/1",
+      credential_result: { protocol: "openid4vp-v1-signed", data: "x" },
+      credential_result_uri: "https://example.com/r/1",
     }),
   ).toString("base64url");
-  assert.throws(() => verifier.decodeVPArtifact(both), X401ValidationError);
+  assert.throws(() => verifier.decodeResultArtifact(both), X401ValidationError);
 });
 
 test("token-exchange request build and verifier parse agree on fixed parameters", () => {
-  const artifact = agent.buildVPArtifact({
-    response: { protocol: "openid4vp-v1-signed", data: "opaque" },
+  const artifact = agent.buildResultArtifact({
+    credentialResult: { protocol: "openid4vp-v1-signed", data: "opaque" },
   });
   const form = agent.buildTokenExchangeForm(artifact, { resource: RESOURCE });
   assert.equal(form.get("grant_type"), TOKEN_EXCHANGE_GRANT_TYPE);
-  assert.equal(form.get("subject_token_type"), VP_ARTIFACT_SUBJECT_TOKEN_TYPE);
+  assert.equal(
+    form.get("subject_token_type"),
+    RESULT_ARTIFACT_SUBJECT_TOKEN_TYPE,
+  );
 
   const parsed = verifier.parseTokenExchange(form);
   assert.equal(parsed.resource, RESOURCE);
-  const reDecoded = verifier.decodeVPArtifact(parsed.subject_token);
-  assert.equal(reDecoded.response?.data, "opaque");
+  const reDecoded = verifier.decodeResultArtifact(parsed.subject_token);
+  assert.equal(reDecoded.credential_result?.data, "opaque");
 });
 
 test("token-exchange response carrying ACCESS_TOKEN_TYPE parses", () => {
@@ -245,7 +262,7 @@ test("parseTokenExchange rejects a wrong grant_type", () => {
   );
 });
 
-test("token object round-trips through PROOF-PRESENTATION", () => {
+test("token object round-trips through PROOF-RESPONSE", () => {
   const decoded = verifier.decodeTokenObject(
     agent.encodeTokenObject(agent.buildTokenObject("verification-token-123")),
   );
@@ -270,7 +287,7 @@ test("error object without a version is rejected", () => {
   assert.throws(() => agent.decodeErrorObject(noVersion), X401ValidationError);
 });
 
-test("embedHtmlData content is directly parseable JSON (quotes not entity-escaped)", () => {
+test("embedHtmlData content is directly parseable JSON", () => {
   const payload = buildRequirement();
   const html = verifier.embedHtmlData(payload);
   const inner = html.replace(/^<data[^>]*>/, "").replace(/<\/data>$/, "");
@@ -279,12 +296,12 @@ test("embedHtmlData content is directly parseable JSON (quotes not entity-escape
   assert.equal(parsed.$schema, "https://x401.id/spec/schemas/request.json");
   assert.equal(parsed.scheme, "x401");
   assert.deepEqual(
-    parsed.presentation_requirements,
-    payload.presentation_requirements,
+    parsed.credential_requirements,
+    payload.credential_requirements,
   );
 });
 
-test("error object round-trips through PROOF-RESPONSE without a challenge field", () => {
+test("error object round-trips through PROOF-RESULT without a challenge field", () => {
   const decoded = agent.decodeErrorObject(
     verifier.encodeErrorObject(
       verifier.buildErrorObject({