diff --git a/src/AppProvider.tsx b/src/AppProvider.tsx
index f15693326..ed152d413 100644
--- a/src/AppProvider.tsx
+++ b/src/AppProvider.tsx
@@ -13,6 +13,7 @@ import { OpenID4VPContextProvider } from './context/OpenID4VPContextProvider';
 import { OpenID4VCIContextProvider } from './context/OpenID4VCIContextProvider';
 import { AppSettingsProvider } from './context/AppSettingsProvider';
 import { NotificationProvider } from './context/NotificationProvider';
+import { ApiVersionProvider } from './context/ApiVersionContext';
 
 // Hocs
 import { UriHandlerProvider } from './hocs/UriHandlerProvider';
@@ -25,25 +26,27 @@ type RootProviderProps = {
 const AppProvider: React.FC<RootProviderProps> = ({ children }) => {
 	return (
 		<StatusContextProvider>
-			<SessionContextProvider>
-				<CredentialsContextProvider>
-					<I18nextProvider i18n={i18n}>
-						<OpenID4VPContextProvider>
-							<OpenID4VCIContextProvider>
-								<UriHandlerProvider>
-									<AppSettingsProvider>
-										<NotificationProvider>
-											<NativeWrapperProvider>
-												{children}
-											</NativeWrapperProvider>
-										</NotificationProvider>
-									</AppSettingsProvider>
-								</UriHandlerProvider>
-							</OpenID4VCIContextProvider>
-						</OpenID4VPContextProvider>
-					</I18nextProvider>
-				</CredentialsContextProvider>
-			</SessionContextProvider>
+			<ApiVersionProvider>
+				<SessionContextProvider>
+					<CredentialsContextProvider>
+						<I18nextProvider i18n={i18n}>
+							<OpenID4VPContextProvider>
+								<OpenID4VCIContextProvider>
+									<UriHandlerProvider>
+										<AppSettingsProvider>
+											<NotificationProvider>
+												<NativeWrapperProvider>
+													{children}
+												</NativeWrapperProvider>
+											</NotificationProvider>
+										</AppSettingsProvider>
+									</UriHandlerProvider>
+								</OpenID4VCIContextProvider>
+							</OpenID4VPContextProvider>
+						</I18nextProvider>
+					</CredentialsContextProvider>
+				</SessionContextProvider>
+			</ApiVersionProvider>
 		</StatusContextProvider>
 	);
 };
diff --git a/src/context/ApiVersionContext.tsx b/src/context/ApiVersionContext.tsx
new file mode 100644
index 000000000..f44ad7e78
--- /dev/null
+++ b/src/context/ApiVersionContext.tsx
@@ -0,0 +1,127 @@
+/**
+ * ApiVersionContext - React context for API version management.
+ *
+ * This context provides:
+ * - The detected backend API version
+ * - Feature availability checks
+ * - Loading state during initial detection
+ *
+ * The API version is auto-detected from the backend's /status endpoint
+ * and cached for the session. Components can check feature availability
+ * without making additional network requests.
+ */
+
+import React, { createContext, useContext, useEffect, useState, useMemo, useCallback } from 'react';
+import {
+	getApiVersion,
+	refreshApiVersion,
+	getApiFeatures,
+	ApiVersionInfo,
+	DEFAULT_API_VERSION,
+	API_VERSION_DISCOVER_AND_TRUST,
+} from '@/lib/services/ApiVersionService';
+
+interface ApiVersionContextValue {
+	/** The detected API version (or default if not yet loaded) */
+	apiVersion: number;
+	/** Whether the API version is still being loaded */
+	isLoading: boolean;
+	/** Feature availability flags */
+	features: ApiVersionInfo['features'];
+	/** Force refresh the API version from the backend */
+	refresh: () => Promise<void>;
+	/** Check if a specific API version is supported */
+	supportsVersion: (version: number) => boolean;
+}
+
+const ApiVersionContext = createContext<ApiVersionContextValue>({
+	apiVersion: DEFAULT_API_VERSION,
+	isLoading: true,
+	features: {
+		discoverAndTrust: false,
+	},
+	refresh: async () => {},
+	supportsVersion: () => false,
+});
+
+export function ApiVersionProvider({ children }: React.PropsWithChildren) {
+	const [apiVersion, setApiVersion] = useState<number>(DEFAULT_API_VERSION);
+	const [isLoading, setIsLoading] = useState(true);
+
+	const loadApiVersion = useCallback(async () => {
+		setIsLoading(true);
+		try {
+			const version = await getApiVersion();
+			setApiVersion(version);
+		} catch (error) {
+			console.error('Failed to load API version:', error);
+			setApiVersion(DEFAULT_API_VERSION);
+		} finally {
+			setIsLoading(false);
+		}
+	}, []);
+
+	const refresh = useCallback(async () => {
+		setIsLoading(true);
+		try {
+			const version = await refreshApiVersion();
+			setApiVersion(version);
+		} finally {
+			setIsLoading(false);
+		}
+	}, []);
+
+	useEffect(() => {
+		loadApiVersion();
+	}, [loadApiVersion]);
+
+	const features = useMemo(() => getApiFeatures(apiVersion).features, [apiVersion]);
+
+	const supportsVersion = useCallback(
+		(version: number) => apiVersion >= version,
+		[apiVersion]
+	);
+
+	const value = useMemo<ApiVersionContextValue>(
+		() => ({
+			apiVersion,
+			isLoading,
+			features,
+			refresh,
+			supportsVersion,
+		}),
+		[apiVersion, isLoading, features, refresh, supportsVersion]
+	);
+
+	return (
+		<ApiVersionContext.Provider value={value}>
+			{children}
+		</ApiVersionContext.Provider>
+	);
+}
+
+/**
+ * Hook to access the API version context.
+ */
+export function useApiVersion(): ApiVersionContextValue {
+	const context = useContext(ApiVersionContext);
+	if (!context) {
+		throw new Error('useApiVersion must be used within an ApiVersionProvider');
+	}
+	return context;
+}
+
+/**
+ * Hook to check if discover-and-trust is available.
+ * Returns { available, isLoading } for convenient checks.
+ */
+export function useDiscoverAndTrust(): { available: boolean; isLoading: boolean } {
+	const { features, isLoading } = useApiVersion();
+	return {
+		available: features.discoverAndTrust,
+		isLoading,
+	};
+}
+
+// Export the context for direct access if needed
+export default ApiVersionContext;
diff --git a/src/lib/services/ApiVersionService.test.ts b/src/lib/services/ApiVersionService.test.ts
new file mode 100644
index 000000000..084aa2927
--- /dev/null
+++ b/src/lib/services/ApiVersionService.test.ts
@@ -0,0 +1,146 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import axios from 'axios';
+
+import {
+	fetchApiVersion,
+	getApiVersion,
+	refreshApiVersion,
+	getApiFeatures,
+	supportsApiVersion,
+	getCachedApiVersion,
+	DEFAULT_API_VERSION,
+	API_VERSION_DISCOVER_AND_TRUST,
+} from './ApiVersionService';
+
+// Mock axios
+vi.mock('axios');
+const mockedAxios = vi.mocked(axios);
+
+describe('ApiVersionService', () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		// Reset cached version by calling the module fresh
+		// We'll need to test the caching behavior separately
+	});
+
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
+
+	describe('fetchApiVersion', () => {
+		it('should return api_version from backend when present as number', async () => {
+			mockedAxios.get.mockResolvedValueOnce({
+				data: { status: 'ok', api_version: 2 },
+			});
+
+			const version = await fetchApiVersion();
+			expect(version).toBe(2);
+		});
+
+		it('should return api_version from backend when present as string', async () => {
+			mockedAxios.get.mockResolvedValueOnce({
+				data: { status: 'ok', api_version: '2' },
+			});
+
+			const version = await fetchApiVersion();
+			expect(version).toBe(2);
+		});
+
+		it('should return DEFAULT_API_VERSION when api_version is not present', async () => {
+			mockedAxios.get.mockResolvedValueOnce({
+				data: { status: 'ok' },
+			});
+
+			const version = await fetchApiVersion();
+			expect(version).toBe(DEFAULT_API_VERSION);
+		});
+
+		it('should return DEFAULT_API_VERSION when request fails', async () => {
+			mockedAxios.get.mockRejectedValueOnce(new Error('Network error'));
+
+			const version = await fetchApiVersion();
+			expect(version).toBe(DEFAULT_API_VERSION);
+		});
+
+		it('should return DEFAULT_API_VERSION for invalid api_version string', async () => {
+			mockedAxios.get.mockResolvedValueOnce({
+				data: { status: 'ok', api_version: 'invalid' },
+			});
+
+			const version = await fetchApiVersion();
+			expect(version).toBe(DEFAULT_API_VERSION);
+		});
+	});
+
+	describe('getApiFeatures', () => {
+		it('should indicate discoverAndTrust is available for version >= 2', () => {
+			const features = getApiFeatures(2);
+			expect(features.features.discoverAndTrust).toBe(true);
+
+			const features3 = getApiFeatures(3);
+			expect(features3.features.discoverAndTrust).toBe(true);
+		});
+
+		it('should indicate discoverAndTrust is not available for version < 2', () => {
+			const features = getApiFeatures(1);
+			expect(features.features.discoverAndTrust).toBe(false);
+
+			const features0 = getApiFeatures(0);
+			expect(features0.features.discoverAndTrust).toBe(false);
+		});
+
+		it('should include the version in the result', () => {
+			const features = getApiFeatures(2);
+			expect(features.version).toBe(2);
+		});
+	});
+
+	describe('constants', () => {
+		it('should have DEFAULT_API_VERSION set to 1', () => {
+			expect(DEFAULT_API_VERSION).toBe(1);
+		});
+
+		it('should have API_VERSION_DISCOVER_AND_TRUST set to 2', () => {
+			expect(API_VERSION_DISCOVER_AND_TRUST).toBe(2);
+		});
+	});
+
+	describe('getCachedApiVersion', () => {
+		it('should return DEFAULT_API_VERSION when cache is empty', () => {
+			// Note: This test might be flaky if run after other tests that populate the cache
+			// In a real scenario, we'd need to reset the module state between tests
+			const version = getCachedApiVersion();
+			expect(typeof version).toBe('number');
+		});
+	});
+
+	describe('supportsApiVersion', () => {
+		it('should return true when cached version meets minimum', () => {
+			// This depends on cached state, so we test the function signature
+			const result = supportsApiVersion(1);
+			expect(typeof result).toBe('boolean');
+		});
+	});
+});
+
+describe('ApiVersionService integration', () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	it('should call /status endpoint with correct parameters', async () => {
+		mockedAxios.get.mockResolvedValueOnce({
+			data: { status: 'ok', api_version: 2 },
+		});
+
+		await fetchApiVersion();
+
+		expect(mockedAxios.get).toHaveBeenCalledWith(
+			expect.stringContaining('/status'),
+			expect.objectContaining({
+				timeout: 5000,
+				headers: { 'Content-Type': 'application/json' },
+			})
+		);
+	});
+});
diff --git a/src/lib/services/ApiVersionService.ts b/src/lib/services/ApiVersionService.ts
new file mode 100644
index 000000000..f4bbecc69
--- /dev/null
+++ b/src/lib/services/ApiVersionService.ts
@@ -0,0 +1,108 @@
+/**
+ * API Version Service
+ *
+ * Handles discovery and management of the backend API version.
+ * The backend exposes an api_version field in the /status response
+ * that indicates which API features are available.
+ *
+ * API Version History:
+ * - Version 1: Original API (implicit, for backends that don't report api_version)
+ * - Version 2: Adds /api/discover-and-trust endpoint for combined discovery + trust evaluation
+ */
+
+import axios from 'axios';
+import { BACKEND_URL } from '@/config';
+
+// Minimum version for specific features
+export const API_VERSION_DISCOVER_AND_TRUST = 2;
+
+// Default version when backend doesn't report one (backwards compatibility)
+export const DEFAULT_API_VERSION = 1;
+
+export interface ApiVersionInfo {
+	version: number;
+	features: {
+		discoverAndTrust: boolean;
+	};
+}
+
+/**
+ * Fetches the API version from the backend status endpoint.
+ * Returns DEFAULT_API_VERSION if the backend doesn't support api_version.
+ */
+export async function fetchApiVersion(): Promise<number> {
+	try {
+		const response = await axios.get(`${BACKEND_URL}/status`, {
+			timeout: 5000,
+			headers: {
+				'Content-Type': 'application/json',
+			},
+		});
+
+		// Extract api_version from response, default to 1 if not present
+		const apiVersion = Number(response.data?.api_version);
+
+		return isNaN(apiVersion) ? DEFAULT_API_VERSION : apiVersion;
+	} catch (error) {
+		console.warn('Failed to fetch API version from backend:', error);
+		return DEFAULT_API_VERSION;
+	}
+}
+
+/**
+ * Determines available features based on the API version.
+ */
+export function getApiFeatures(version: number): ApiVersionInfo {
+	return {
+		version,
+		features: {
+			discoverAndTrust: version >= API_VERSION_DISCOVER_AND_TRUST,
+		},
+	};
+}
+
+/**
+ * Cache for the discovered API version to avoid repeated calls.
+ */
+let cachedApiVersion: number | null = null;
+let cacheTimestamp: number = 0;
+const CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
+
+/**
+ * Gets the API version, using cache when available.
+ * Call refreshApiVersion() to force a fresh fetch.
+ */
+export async function getApiVersion(): Promise<number> {
+	const now = Date.now();
+	if (cachedApiVersion !== null && now - cacheTimestamp < CACHE_TTL_MS) {
+		return cachedApiVersion;
+	}
+
+	return refreshApiVersion(now);
+}
+
+/**
+ * Forces a fresh fetch of the API version, updating the cache.
+ * @param timestamp - Optional timestamp for cache; defaults to Date.now()
+ */
+export async function refreshApiVersion(timestamp?: number): Promise<number> {
+	cachedApiVersion = await fetchApiVersion();
+	cacheTimestamp = timestamp ?? Date.now();
+	return cachedApiVersion;
+}
+
+/**
+ * Checks if the cached API version meets or exceeds the specified minimum.
+ * If the version hasn't been fetched yet, assumes DEFAULT_API_VERSION.
+ */
+export function supportsApiVersion(minVersion: number): boolean {
+	return getCachedApiVersion() >= minVersion;
+}
+
+/**
+ * Gets the current cached version (or default if not yet fetched).
+ * Use this for synchronous checks when you've already called getApiVersion().
+ */
+export function getCachedApiVersion(): number {
+	return cachedApiVersion ?? DEFAULT_API_VERSION;
+}
diff --git a/src/lib/services/DiscoverAndTrustService.test.ts b/src/lib/services/DiscoverAndTrustService.test.ts
new file mode 100644
index 000000000..23120cefd
--- /dev/null
+++ b/src/lib/services/DiscoverAndTrustService.test.ts
@@ -0,0 +1,240 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import axios from 'axios';
+
+import {
+	discoverAndTrust,
+	discoverAndTrustIssuer,
+	discoverAndTrustVerifier,
+	isDiscoverAndTrustAvailable,
+	DiscoverAndTrustRequest,
+	DiscoverAndTrustResponse,
+} from './DiscoverAndTrustService';
+import * as ApiVersionService from './ApiVersionService';
+
+// Mock axios
+vi.mock('axios');
+const mockedAxios = vi.mocked(axios);
+
+// Mock ApiVersionService
+vi.mock('./ApiVersionService', async () => {
+	const actual = await vi.importActual('./ApiVersionService');
+	return {
+		...actual,
+		getApiVersion: vi.fn(),
+		supportsApiVersion: vi.fn(),
+	};
+});
+
+const mockedApiVersionService = vi.mocked(ApiVersionService);
+
+describe('DiscoverAndTrustService', () => {
+	const mockAuthToken = 'test-auth-token';
+	const mockSuccessResponse: DiscoverAndTrustResponse = {
+		trusted: true,
+		reason: 'Found in trust list',
+		discovery_status: 'success',
+		trust_framework: 'eudi',
+		trusted_certificates: ['-----BEGIN CERTIFICATE-----\nMIIB...'],
+	};
+
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	afterEach(() => {
+		vi.restoreAllMocks();
+	});
+
+	describe('isDiscoverAndTrustAvailable', () => {
+		it('should return true when cached version >= 2', () => {
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			expect(isDiscoverAndTrustAvailable()).toBe(true);
+		});
+
+		it('should return false when cached version < 2', () => {
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(false);
+			expect(isDiscoverAndTrustAvailable()).toBe(false);
+		});
+
+		it('should return true when cached version > 2', () => {
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			expect(isDiscoverAndTrustAvailable()).toBe(true);
+		});
+	});
+
+	describe('discoverAndTrust', () => {
+		it('should throw error when API version < 2', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(1);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(false);
+
+			const request: DiscoverAndTrustRequest = {
+				entity_identifier: 'https://issuer.example.com',
+				role: 'issuer',
+			};
+
+			await expect(discoverAndTrust(request, mockAuthToken)).rejects.toThrow(
+				'discover-and-trust requires API version 2 or higher'
+			);
+		});
+
+		it('should make POST request when API version >= 2', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockResolvedValueOnce({ data: mockSuccessResponse });
+
+			const request: DiscoverAndTrustRequest = {
+				entity_identifier: 'https://issuer.example.com',
+				role: 'issuer',
+			};
+
+			const result = await discoverAndTrust(request, mockAuthToken);
+
+			expect(mockedAxios.post).toHaveBeenCalledWith(
+				expect.stringContaining('/api/discover-and-trust'),
+				request,
+				expect.objectContaining({
+					headers: expect.objectContaining({
+						'Content-Type': 'application/json',
+						Authorization: `Bearer ${mockAuthToken}`,
+					}),
+					timeout: 30000,
+				})
+			);
+			expect(result).toEqual(mockSuccessResponse);
+		});
+
+		it('should include credential_type when provided', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockResolvedValueOnce({ data: mockSuccessResponse });
+
+			const request: DiscoverAndTrustRequest = {
+				entity_identifier: 'https://issuer.example.com',
+				role: 'issuer',
+				credential_type: 'eu.europa.ec.eudi.pid.1',
+			};
+
+			await discoverAndTrust(request, mockAuthToken);
+
+			expect(mockedAxios.post).toHaveBeenCalledWith(
+				expect.any(String),
+				expect.objectContaining({
+					credential_type: 'eu.europa.ec.eudi.pid.1',
+				}),
+				expect.any(Object)
+			);
+		});
+	});
+
+	describe('discoverAndTrustIssuer', () => {
+		it('should call discoverAndTrust with role=issuer', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockResolvedValueOnce({ data: mockSuccessResponse });
+
+			await discoverAndTrustIssuer('https://issuer.example.com', mockAuthToken);
+
+			expect(mockedAxios.post).toHaveBeenCalledWith(
+				expect.any(String),
+				expect.objectContaining({
+					entity_identifier: 'https://issuer.example.com',
+					role: 'issuer',
+				}),
+				expect.any(Object)
+			);
+		});
+
+		it('should include credential_type when provided', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockResolvedValueOnce({ data: mockSuccessResponse });
+
+			await discoverAndTrustIssuer(
+				'https://issuer.example.com',
+				mockAuthToken,
+				'eu.europa.ec.eudi.pid.1'
+			);
+
+			expect(mockedAxios.post).toHaveBeenCalledWith(
+				expect.any(String),
+				expect.objectContaining({
+					credential_type: 'eu.europa.ec.eudi.pid.1',
+				}),
+				expect.any(Object)
+			);
+		});
+	});
+
+	describe('discoverAndTrustVerifier', () => {
+		it('should call discoverAndTrust with role=verifier', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockResolvedValueOnce({ data: mockSuccessResponse });
+
+			await discoverAndTrustVerifier('https://verifier.example.com', mockAuthToken);
+
+			expect(mockedAxios.post).toHaveBeenCalledWith(
+				expect.any(String),
+				expect.objectContaining({
+					entity_identifier: 'https://verifier.example.com',
+					role: 'verifier',
+				}),
+				expect.any(Object)
+			);
+		});
+	});
+
+	describe('error handling', () => {
+		it('should propagate axios errors', async () => {
+			mockedApiVersionService.getApiVersion.mockResolvedValue(2);
+			mockedApiVersionService.supportsApiVersion.mockReturnValue(true);
+			mockedAxios.post.mockRejectedValueOnce(new Error('Network error'));
+
+			const request: DiscoverAndTrustRequest = {
+				entity_identifier: 'https://issuer.example.com',
+				role: 'issuer',
+			};
+
+			await expect(discoverAndTrust(request, mockAuthToken)).rejects.toThrow('Network error');
+		});
+	});
+});
+
+describe('DiscoverAndTrustResponse types', () => {
+	it('should accept valid response with all fields', () => {
+		const response: DiscoverAndTrustResponse = {
+			issuer_metadata: { credential_issuer: 'https://issuer.example.com' },
+			trusted: true,
+			reason: 'Trust established',
+			trusted_certificates: ['-----BEGIN CERTIFICATE-----\n...'],
+			trust_framework: 'eudi',
+			discovery_status: 'success',
+		};
+
+		expect(response.trusted).toBe(true);
+		expect(response.discovery_status).toBe('success');
+	});
+
+	it('should accept valid response with minimal fields', () => {
+		const response: DiscoverAndTrustResponse = {
+			trusted: false,
+			reason: 'Not in trust list',
+			discovery_status: 'failed',
+			discovery_error: 'Connection refused',
+		};
+
+		expect(response.trusted).toBe(false);
+		expect(response.discovery_status).toBe('failed');
+	});
+
+	it('should accept verifier response', () => {
+		const response: DiscoverAndTrustResponse = {
+			verifier_metadata: { client_id: 'verifier-123' },
+			trusted: true,
+			reason: 'Verified',
+			discovery_status: 'success',
+		};
+
+		expect(response.verifier_metadata).toBeDefined();
+	});
+});
diff --git a/src/lib/services/DiscoverAndTrustService.ts b/src/lib/services/DiscoverAndTrustService.ts
new file mode 100644
index 000000000..a68d854fa
--- /dev/null
+++ b/src/lib/services/DiscoverAndTrustService.ts
@@ -0,0 +1,139 @@
+/**
+ * Discover and Trust Service
+ *
+ * This service provides combined entity discovery and trust evaluation.
+ * It's used when the backend supports API version 2+ (with /api/discover-and-trust endpoint).
+ *
+ * For older backends (API version 1), the frontend falls back to the legacy
+ * behavior where discovery and trust evaluation are handled separately.
+ */
+
+import axios from 'axios';
+import { BACKEND_URL } from '@/config';
+import {
+	getApiVersion,
+	API_VERSION_DISCOVER_AND_TRUST,
+	supportsApiVersion,
+} from './ApiVersionService';
+
+/**
+ * Request payload for the discover-and-trust endpoint.
+ */
+export interface DiscoverAndTrustRequest {
+	/** The issuer or verifier identifier (URL) */
+	entity_identifier: string;
+	/** Role: "issuer" or "verifier" */
+	role: 'issuer' | 'verifier';
+	/** Optional credential type (docType for mDOC, vct for SD-JWT) */
+	credential_type?: string;
+}
+
+/**
+ * Response from the discover-and-trust endpoint.
+ */
+export interface DiscoverAndTrustResponse {
+	/** Discovered issuer metadata (if role=issuer) */
+	issuer_metadata?: Record<string, unknown>;
+	/** Discovered verifier metadata (if role=verifier) */
+	verifier_metadata?: Record<string, unknown>;
+	/** Whether the entity is trusted */
+	trusted: boolean;
+	/** Reason for the trust decision */
+	reason: string;
+	/** Trusted certificates in PEM format (if any) */
+	trusted_certificates?: string[];
+	/** Trust framework that authorized the entity */
+	trust_framework?: string;
+	/** Discovery status: "success", "partial", or "failed" */
+	discovery_status: 'success' | 'partial' | 'failed';
+	/** Error message if discovery failed */
+	discovery_error?: string;
+}
+
+/**
+ * Checks if the discover-and-trust feature is available.
+ * This uses the cached API version for synchronous checks.
+ * Call ensureApiVersionLoaded() first if you need a guaranteed check.
+ */
+export function isDiscoverAndTrustAvailable(): boolean {
+	return supportsApiVersion(API_VERSION_DISCOVER_AND_TRUST);
+}
+
+/**
+ * Ensures the API version has been loaded from the backend.
+ * Call this during app initialization or before making feature availability checks.
+ */
+export async function ensureApiVersionLoaded(): Promise<number> {
+	return await getApiVersion();
+}
+
+/**
+ * Performs combined discovery and trust evaluation via the backend.
+ * Only available when API version >= 2.
+ *
+ * @throws Error if the feature is not available or if the request fails
+ */
+export async function discoverAndTrust(
+	request: DiscoverAndTrustRequest,
+	authToken: string
+): Promise<DiscoverAndTrustResponse> {
+	await ensureApiVersionLoaded();
+
+	if (!supportsApiVersion(API_VERSION_DISCOVER_AND_TRUST)) {
+		throw new Error(
+			`discover-and-trust requires API version ${API_VERSION_DISCOVER_AND_TRUST} or higher`
+		);
+	}
+
+	const response = await axios.post<DiscoverAndTrustResponse>(
+		`${BACKEND_URL}/api/discover-and-trust`,
+		request,
+		{
+			headers: {
+				'Content-Type': 'application/json',
+				Authorization: `Bearer ${authToken}`,
+			},
+			timeout: 30000, // 30 second timeout for discovery + trust evaluation
+		}
+	);
+
+	return response.data;
+}
+
+/**
+ * Discovers and evaluates trust for an issuer.
+ * Convenience wrapper around discoverAndTrust.
+ */
+export async function discoverAndTrustIssuer(
+	issuerIdentifier: string,
+	authToken: string,
+	credentialType?: string
+): Promise<DiscoverAndTrustResponse> {
+	return discoverAndTrust(
+		{
+			entity_identifier: issuerIdentifier,
+			role: 'issuer',
+			credential_type: credentialType,
+		},
+		authToken
+	);
+}
+
+/**
+ * Discovers and evaluates trust for a verifier.
+ * Convenience wrapper around discoverAndTrust.
+ */
+export async function discoverAndTrustVerifier(
+	verifierIdentifier: string,
+	authToken: string,
+	credentialType?: string
+): Promise<DiscoverAndTrustResponse> {
+	return discoverAndTrust(
+		{
+			entity_identifier: verifierIdentifier,
+			role: 'verifier',
+			credential_type: credentialType,
+		},
+		authToken
+	);
+}
diff --git a/src/lib/services/OpenID4VCIHelper.ts b/src/lib/services/OpenID4VCIHelper.ts
index 359497596..13d454d44 100644
--- a/src/lib/services/OpenID4VCIHelper.ts
+++ b/src/lib/services/OpenID4VCIHelper.ts
@@ -7,6 +7,62 @@ import SessionContext from "@/context/SessionContext";
 import { MdocIacasResponse, MdocIacasResponseSchema } from "../schemas/MdocIacasResponseSchema";
 import { OpenidAuthorizationServerMetadataSchema, OpenidCredentialIssuerMetadataSchema } from 'wallet-common';
 import type { OpenidAuthorizationServerMetadata, OpenidCredentialIssuerMetadata } from 'wallet-common'
+import { isDiscoverAndTrustAvailable, discoverAndTrustIssuer } from './DiscoverAndTrustService';
+
+/**
+ * Verifies and extracts metadata from signed_metadata JWT if present.
+ * Returns the verified payload as metadata, or null if verification fails.
+ */
+async function verifySignedMetadata(
+	metadata: OpenidCredentialIssuerMetadata
+): Promise<{ metadata: OpenidCredentialIssuerMetadata } | null> {
+	if (!metadata.signed_metadata) {
+		return { metadata };
+	}
+
+	try {
+		const headerB64 = metadata.signed_metadata.split('.')[0];
+		const parsedHeader = JSON.parse(new TextDecoder().decode(base64url.decode(headerB64)));
+
+		if (!parsedHeader.x5c) {
+			return null;
+		}
+
+		const publicKey = await importX509(getPublicKeyFromB64Cert(parsedHeader.x5c[0]), parsedHeader.alg);
+		const { payload } = await jwtVerify(metadata.signed_metadata, publicKey);
+		return { metadata: payload as OpenidCredentialIssuerMetadata };
+	} catch (err) {
+		console.error('Failed to verify signed_metadata:', err);
+		return null;
+	}
+}
+
+/**
+ * Attempts to fetch issuer metadata via the discover-and-trust API.
+ * Returns null if the API is unavailable or if discovery fails.
+ */
+async function tryDiscoverAndTrust(
+	credentialIssuerIdentifier: string,
+	appToken: string | null
+): Promise<{ metadata: OpenidCredentialIssuerMetadata } | null | 'fallback'> {
+	if (!isDiscoverAndTrustAvailable() || !appToken) {
+		return 'fallback';
+	}
+
+	try {
+		const result = await discoverAndTrustIssuer(credentialIssuerIdentifier, appToken);
+
+		if (result.discovery_status !== 'success' || !result.issuer_metadata) {
+			console.warn('discover-and-trust returned non-success status:', result.discovery_status);
+			return 'fallback';
+		}
+
+		return verifySignedMetadata(result.issuer_metadata as OpenidCredentialIssuerMetadata);
+	} catch (err) {
+		console.warn('discover-and-trust failed, falling back to proxy:', err);
+		return 'fallback';
+	}
+}
 
 export function useOpenID4VCIHelper(): IOpenID4VCIHelper {
 	const httpProxy = useHttpProxy();
@@ -29,6 +85,13 @@ export function useOpenID4VCIHelper(): IOpenID4VCIHelper {
 
 	const getCredentialIssuerMetadata = useCallback(
 		async (credentialIssuerIdentifier: string, useCache?: boolean): Promise<{ metadata: OpenidCredentialIssuerMetadata } | null> => {
+			// Try the new discover-and-trust API first if available
+			const discoverResult = await tryDiscoverAndTrust(credentialIssuerIdentifier, api.getAppToken());
+			if (discoverResult !== 'fallback') {
+				return discoverResult;
+			}
+
+			// Legacy approach using HTTP proxy
 			const pathCredentialIssuer = `${credentialIssuerIdentifier}/.well-known/openid-credential-issuer`;
 			try {
 				const metadata = await fetchAndParseWithSchema<OpenidCredentialIssuerMetadata>(
@@ -36,29 +99,14 @@ export function useOpenID4VCIHelper(): IOpenID4VCIHelper {
 					OpenidCredentialIssuerMetadataSchema,
 					useCache,
 				);
-				if (metadata.signed_metadata) {
-					try {
-						const parsedHeader = JSON.parse(new TextDecoder().decode(base64url.decode(metadata.signed_metadata.split('.')[0])));
-						if (parsedHeader.x5c) {
-							const publicKey = await importX509(getPublicKeyFromB64Cert(parsedHeader.x5c[0]), parsedHeader.alg);
-							const { payload } = await jwtVerify(metadata.signed_metadata, publicKey);
-							return { metadata: payload as OpenidCredentialIssuerMetadata };
-						}
-						return null;
-					}
-					catch (err) {
-						console.error(err);
-						return null;
-					}
-				}
-				return { metadata };
+				return verifySignedMetadata(metadata);
 			}
 			catch (err) {
 				console.error(err);
 				return null;
 			}
 		},
-		[fetchAndParseWithSchema]
+		[api, fetchAndParseWithSchema]
 	);
 
 	// Fetches authorization server metadata with fallback
diff --git a/src/lib/services/OpenID4VP/OpenID4VP.ts b/src/lib/services/OpenID4VP/OpenID4VP.ts
index 43cdbaba4..40e359c46 100644
--- a/src/lib/services/OpenID4VP/OpenID4VP.ts
+++ b/src/lib/services/OpenID4VP/OpenID4VP.ts
@@ -9,6 +9,7 @@ import { extractSAN, getPublicKeyFromB64Cert } from "../../utils/pki";
 import axios from "axios";
 import { BACKEND_URL, OPENID4VP_SAN_DNS_CHECK_SSL_CERTS, OPENID4VP_SAN_DNS_CHECK } from "../../../config";
 import { useHttpProxy } from "../HttpProxy/HttpProxy";
+import { isDiscoverAndTrustAvailable, discoverAndTrustVerifier } from '../DiscoverAndTrustService';
 import { useCallback, useContext, useMemo } from "react";
 import SessionContext from "@/context/SessionContext";
 import CredentialsContext from "@/context/CredentialsContext";
@@ -599,6 +600,35 @@ export function useOpenID4VP({
 			}
 		}
 
+		// Evaluate verifier trust via discover-and-trust API if available
+		// Returns: true (trusted), false (explicitly not trusted), undefined (check unavailable/failed)
+		async function evaluateVerifierTrust(): Promise<boolean | undefined> {
+			if (!isDiscoverAndTrustAvailable()) return;
+
+			const appToken = api.getAppToken();
+			if (!appToken) return;
+
+			try {
+				const verifierUrl = response_uri ? new URL(response_uri).origin : client_id;
+				const trustResult = await discoverAndTrustVerifier(verifierUrl, appToken);
+				if (trustResult.trusted) {
+					console.log('Verifier trust verified:', trustResult.reason);
+					return true;
+				}
+				console.warn('Verifier not trusted:', trustResult.reason);
+				return false;
+			} catch (err) {
+				// Log but don't fail - fall back to certificate-based trust
+				console.warn('discover-and-trust verifier check failed, using certificate-based trust:', err);
+				return;
+			}
+		}
+
+		const isVerifierTrusted = await evaluateVerifierTrust();
+		if (isVerifierTrusted === false) {
+			return { error: HandleAuthorizationRequestError.NONTRUSTED_VERIFIER };
+		}
+
 		if (sessionStorage.getItem('last_used_nonce') === nonce) {
 			return { error: HandleAuthorizationRequestError.OLD_STATE };
 		}
@@ -652,6 +682,7 @@ export function useOpenID4VP({
 			parsedTransactionData,
 		};
 	}, [
+		api,
 		httpProxy,
 		openID4VPRelyingPartyStateRepository,
 		matchCredentialsToDCQL,