diff --git a/presexch/api.go b/presexch/api.go
index 72db5c8..3a5e043 100644
--- a/presexch/api.go
+++ b/presexch/api.go
@@ -245,11 +245,19 @@ func getMatchedCreds( //nolint:gocyclo,funlen
 					inputDescriptor.ID, inputDescriptor.Schema, vcc.Context, vcc.Types, mapping.Path)
 			}
 
-			// TODO add support for constraints: https://github.com/hyperledger/aries-framework-go/issues/2108
+			filtered, _, filterErr := filterConstraints(inputDescriptor.Constraints, []*verifiable.Credential{vc})
+			if filterErr != nil {
+				return nil, filterErr
+			}
+
+			if len(filtered) != 1 {
+				return nil, fmt.Errorf("input descriptor id [%s] requires exactly 1 credential, but found %d",
+					inputDescriptor.ID, len(filtered))
+			}
 
 			result = append(result, &MatchValue{
 				PresentationID: vp.ID,
-				Credential:     vc,
+				Credential:     filtered[0].credential,
 				DescriptorID:   mapping.ID,
 			})
 		}
diff --git a/presexch/definition.go b/presexch/definition.go
index e7b0e3c..23a924c 100644
--- a/presexch/definition.go
+++ b/presexch/definition.go
@@ -834,7 +834,7 @@ func (pd *PresentationDefinition) filterCredentialsThatMatchDescriptor(creds []*
 		}
 	}
 
-	filteredByConstraints, err := filterConstraints(descriptor.Constraints, filtered)
+	filteredByConstraints, _, err := filterConstraints(descriptor.Constraints, filtered)
 	if err != nil {
 		return "", nil, err
 	}
@@ -905,10 +905,16 @@ func subjectIsIssuer(contents *verifiable.CredentialContents) bool {
 	return false
 }
 
-// nolint: gocyclo,funlen,gocognit
-func filterConstraints(constraints *Constraints, creds []*verifiable.Credential) ([]constraintsFilterResult, error) {
+// nolint: gocyclo,funlen,gocognit,unparam
+func filterConstraints(constraints *Constraints, creds []*verifiable.Credential) (
+	[]constraintsFilterResult,
+	[]map[string]interface{},
+	error,
+) {
 	var result []constraintsFilterResult
 
+	var debugCred []map[string]interface{}
+
 	if constraints == nil {
 		for _, credential := range creds {
 			result = append(result, constraintsFilterResult{
@@ -916,7 +922,7 @@ func filterConstraints(constraints *Constraints, creds []*verifiable.Credential)
 			})
 		}
 
-		return result, nil
+		return result, debugCred, nil
 	}
 
 	for _, credential := range creds {
@@ -948,9 +954,11 @@ func filterConstraints(constraints *Constraints, creds []*verifiable.Credential)
 
 		err = json.Unmarshal(credentialSrc, &credentialMap)
 		if err != nil {
-			return nil, err
+			return nil, debugCred, err
 		}
 
+		debugCred = append(debugCred, credentialMap)
+
 		for i, field := range constraints.Fields {
 			err = filterField(field, credentialMap)
 			if errors.Is(err, errPathNotApplicable) {
@@ -960,7 +968,7 @@ func filterConstraints(constraints *Constraints, creds []*verifiable.Credential)
 			}
 
 			if err != nil {
-				return nil, fmt.Errorf("filter field.%d: %w", i, err)
+				return nil, debugCred, fmt.Errorf("filter field.%d: %w", i, err)
 			}
 
 			applicable = true
@@ -979,7 +987,7 @@ func filterConstraints(constraints *Constraints, creds []*verifiable.Credential)
 		result = append(result, filterRes)
 	}
 
-	return result, nil
+	return result, debugCred, nil
 }
 
 // nolint: gocyclo, funlen