diff --git a/lib/src/nanotdf/Client.ts b/lib/src/nanotdf/Client.ts
index 9617f028..d90fab3e 100644
--- a/lib/src/nanotdf/Client.ts
+++ b/lib/src/nanotdf/Client.ts
@@ -1,4 +1,8 @@
-import * as base64 from '../encodings/base64.js';
+import { create, toJsonString } from '@bufbuild/protobuf';
+import {
+  UnsignedRewrapRequest_WithPolicyRequestSchema,
+  UnsignedRewrapRequestSchema,
+} from '../platform/kas/kas_pb.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
@@ -246,18 +250,29 @@ export default class Client {
       throw new ConfigurationError('Signer key has not been set or generated');
     }
-    const requestBodyStr = JSON.stringify({
-      algorithm: DefaultParams.defaultECAlgorithm,
-      // nano keyAccess minimum, header is used for nano
-      keyAccess: {
-        type: Client.KEY_ACCESS_REMOTE,
-        url: '',
-        protocol: Client.KAS_PROTOCOL,
-        header: base64.encodeArrayBuffer(nanoTdfHeader),
-      },
+    const unsignedRequest = create(UnsignedRewrapRequestSchema, {
       clientPublicKey: await cryptoPublicToPem(ephemeralKeyPair.publicKey),
+      requests: [
+        create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
+          keyAccessObjects: [
+            {
+              keyAccessObjectId: 'kao-0',
+              keyAccessObject: {
+                header: new Uint8Array(nanoTdfHeader),
+                kasUrl: '',
+                protocol: Client.KAS_PROTOCOL,
+                // type: Client.KEY_ACCESS_REMOTE,
+              },
+            },
+          ],
+          algorithm: DefaultParams.defaultECAlgorithm,
+          // policy in nano is present within the header?
+        }),
+      ],
     });
+    const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
+
     const jwtPayload = { requestBody: requestBodyStr };
     const signedRequestToken = await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
diff --git a/lib/tdf3/src/tdf.ts b/lib/tdf3/src/tdf.ts
index 73cd01a0..ef78cf0d 100644
--- a/lib/tdf3/src/tdf.ts
+++ b/lib/tdf3/src/tdf.ts
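Review bot: The `keyAccessObject` literal in the new request drops the KAO type that the removed body sent as `type: Client.KEY_ACCESS_REMOTE`, leaving only a commented-out line for it, while the tdf.ts hunk in this same commit does populate `keyType` on `KeyAccessSchema`. If the KAS uses the type to decide how to treat the object, the nano rewrap now presents a different contract than before; either set `keyType: Client.KEY_ACCESS_REMOTE,` in place of the dead comment or delete the comment and state why the field is intentionally omitted. The trailing `// policy in nano is present within the header?` question should also be resolved rather than merged as a question — the old body sent no policy for nano either, so a definite statement such as `// nano: the policy travels inside the header, so no separate policy field is sent` is enough. The enclosing method starts before the hunk and continues after it.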
@@ -8,6 +8,14 @@ import {
   fetchWrappedKey,
   publicKeyAlgorithmToJwa,
 } from '../../src/access.js';
+import { create, toJsonString } from '@bufbuild/protobuf';
+import {
+  KeyAccessSchema,
+  UnsignedRewrapRequestSchema,
+  UnsignedRewrapRequest_WithPolicyRequestSchema,
+  UnsignedRewrapRequest_WithPolicySchema,
+  UnsignedRewrapRequest_WithKeyAccessObjectSchema,
+} from '../../src/platform/kas/kas_pb.js';
 import { type AuthProvider, reqSignature } from '../../src/auth/auth.js';
 import { allPool, anyPool } from '../../src/concurrency.js';
 import { base64, hex } from '../../src/encodings/index.js';
@@ -778,13 +786,43 @@ async function unwrapKey({
   const clientPublicKey = ephemeralEncryptionKeys.publicKey;
-  const requestBodyStr = JSON.stringify({
-    algorithm: 'RS256',
-    keyAccess: keySplitInfo,
-    policy: manifest.encryptionInformation.policy,
+  // TODO: how to handle defaults here?
+  // Convert keySplitInfo to protobuf KeyAccess
+  const keyAccessProto = create(KeyAccessSchema, {
+    keyType: keySplitInfo.type || '',
+    kasUrl: keySplitInfo.url || '',
+    protocol: keySplitInfo.protocol || '',
+    wrappedKey: keySplitInfo.wrappedKey
+      ? new Uint8Array(base64.decodeArrayBuffer(keySplitInfo.wrappedKey))
+      : new Uint8Array(),
+    policyBinding: keySplitInfo.policyBinding,
+    kid: keySplitInfo.kid || '',
+    splitId: keySplitInfo.sid || '',
+    encryptedMetadata: keySplitInfo.encryptedMetadata || '',
+  });
+
+  // Create the protobuf request
+  const unsignedRequest = create(UnsignedRewrapRequestSchema, {
     clientPublicKey,
+    requests: [
+      create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
+        keyAccessObjects: [
+          create(UnsignedRewrapRequest_WithKeyAccessObjectSchema, {
+            keyAccessObjectId: 'kao-0',
+            keyAccessObject: keyAccessProto,
+          }),
+        ],
+        policy: create(UnsignedRewrapRequest_WithPolicySchema, {
+          id: 'policy-0',
+          body: manifest.encryptionInformation.policy,
+        }),
+        algorithm: 'RS256',
+      }),
+    ],
   });
+  const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
+
   const jwtPayload = { requestBody: requestBodyStr };
   const signedRequestToken = await reqSignature(jwtPayload, dpopKeys.privateKey);
diff --git a/web-app/src/App.tsx b/web-app/src/App.tsx
index 9d1c9fa6..3a801874 100644
--- a/web-app/src/App.tsx
+++ b/web-app/src/App.tsx
@@ -353,6 +353,7 @@ function App() {
     const client = new OpenTDF({
       authProvider: oidcClient,
       defaultCreateOptions: {
+        attributes: ['https://demo.com/attr/classification/value/secret'],
         defaultKASEndpoint: c.kas,
       },
       dpopKeys: oidcClient.getSigningKey(),
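Review bot: The `keyAccessProto` conversion forwards only the fields it names, whereas the removed body sent `keySplitInfo` verbatim, so any KAO field not listed here — an ephemeral public key on an EC-wrapped key access object, or a schema version, if `keySplitInfo` carries them — is silently dropped from the signed request body the KAS evaluates, and a rewrap that used to work will fail with no indication of why. `policyBinding` is also passed through with no default, unlike its neighbours, so if a manifest still carries the legacy string-form binding it reaches `create()` where the schema presumably expects a message; confirm which shapes `KeyAccessSchema` accepts. Rather than leaving `// TODO: how to handle defaults here?` in the merged code, I would map any remaining fields that `KeyAccessSchema` does define and fail closed on the rest, e.g. `if (keySplitInfo.ephemeralPublicKey) throw new Error('EC-wrapped key access objects are not forwarded by the protobuf rewrap path');` using whichever error class this file already uses. unwrapKey's body begins before the hunk and continues after it.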
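Review bot: The new `attributes` entry hard-codes a demo attribute FQN right next to `defaultKASEndpoint: c.kas`, which is read from config, so every TDF the demo app now creates carries a policy requiring that entitlement and readers without it will be denied at rewrap. If the intent is to exercise attribute-based access, source the list from the same config object — `attributes: c.attributes ?? [],` with a matching field added to the config — so the default behaviour of the demo is not silently changed by a literal. App's body continues outside the hunk.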
@@ -432,6 +433,7 @@ function App() {
     const client = new OpenTDF({
       authProvider: oidcClient,
       defaultReadOptions: {
+        // fulfillableObligationFQNs: ['https://demo.com/obl/drm/value/watermark'],
         allowedKASEndpoints: [c.kas],
       },
       dpopKeys: oidcClient.getSigningKey(),