[Feat]: enforce `iss` payload for SD-JWT

[yunlong-song-awx]

Is your feature request related to a problem? Please describe.

It's good to see the v0.2 release incorporate Verifiable Intent and provide a solid SDK. I noticed that SDJWTIssuer includes cnf but not iss, which is recommended by Verifiable Intent - JWKS Endpoint Security.

Please confirm whether we can update the SDK, or if I missed something.

Describe the solution you'd like

• types: include iss as a required claim for JWT along with cnf.
• SDK: include verify iss or some comments to suggest how to verify.

Describe alternatives you've considered

No response

Additional context

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[chopmob-cloud]

Confirmed — iss is absent from the current SDJWTIssuer and should be required. The fix is straightforward and worth landing now before downstream implementations lock in the absence.

The iss claim serves two functions in the AP2 context that cnf alone cannot:

1. Verifier trust anchor — a verifier receiving a mandate needs to know which issuer to validate the key material against. Without iss, the verifier must infer the issuer out-of-band or trust the cnf JWK blindly.
2. Cross-merchant deduplication — in multi-merchant flows, iss + sub together form the stable agent identity across mandate presentations. cnf alone is per-session.

Happy to open a PR adding iss as a required claim in both the TypeScript SDK types and the Python SDK models, with a matching spec update to mark it MUST in the SD-JWT payload. Should take a single commit. Does that direction work for the maintainers?

AlgoVoi (chopmob-cloud)