/**
 * Default OAuth authorization-server host. Shared with config-manager so the
 * session-key scope matches the host that actually minted the tokens. Kept
 * distinct from the Control API host (control.ably.net) — they are separate
 * services that happen to share the ably.com brand.
 */
export declare const DEFAULT_OAUTH_HOST = "ably.com";
/**
 * Thrown by refreshAccessToken when the server rejects the refresh token
 * (OAuth error "invalid_grant"). This happens when:
 *   - the refresh token was revoked (e.g. by logout)
 *   - it was rotated by a concurrent refresh (single-use refresh tokens)
 *   - the session has otherwise expired server-side
 * Callers should treat this as "session ended, re-login required" rather
 * than a transient network failure.
 */
export declare class OAuthRefreshExpiredError extends Error {
    constructor(message: string);
}
export interface OAuthTokens {
    accessToken: string;
    expiresAt: number;
    refreshToken: string;
    scope?: string;
    tokenType: string;
}
export interface OAuthConfig {
    clientId: string;
    deviceCodeEndpoint: string;
    revocationEndpoint: string;
    scopes: string[];
    tokenEndpoint: string;
}
export interface OAuthClientOptions {
    oauthHost?: string;
}
export interface DeviceCodeResponse {
    deviceCode: string;
    expiresIn: number;
    interval: number;
    userCode: string;
    verificationUri: string;
    verificationUriComplete: string;
}
export declare class OAuthClient {
    private config;
    constructor(options?: OAuthClientOptions);
    /**
     * Request a device code from the OAuth server (RFC 8628 step 1).
     * A 15s abort timeout prevents a silently hung endpoint from blocking
     * `ably login` indefinitely.
     */
    requestDeviceCode(): Promise<DeviceCodeResponse>;
    /**
     * Poll for token completion (RFC 8628 step 2).
     * Sleeps between requests, respects slow_down, and throws on expiry/denial.
     * Accepts an optional AbortSignal for prompt cancellation.
     */
    pollForToken(deviceCode: string, interval: number, expiresIn: number, signal?: AbortSignal): Promise<OAuthTokens>;
    /**
     * Refresh an access token using a refresh token
     */
    refreshAccessToken(refreshToken: string): Promise<OAuthTokens>;
    /**
     * Revoke a token (access or refresh).
     *
     * Rejects on network failure, timeout, or non-2xx response. Callers that
     * want best-effort behaviour (e.g. accounts logout) must catch the rejection
     * themselves — surfacing it lets the caller distinguish a successful revoke
     * from a timed-out one so it can warn the user.
     *
     * Pass an external `signal` to abort the in-flight fetch from the outside
     * (the internal 10s timeout is still applied as a safety net).
     */
    revokeToken(token: string, options?: {
        signal?: AbortSignal;
        timeoutMs?: number;
    }): Promise<void>;
    getClientId(): string;
    private getOAuthConfig;
    private postForTokens;
    private parseTokenResponse;
    private sleep;
}