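import type { Keyset } from '@atcute/oauth-keyset';
import { CLIENT_ASSERTION_TYPE_JWT_BEARER, type OAuthAuthorizationServerMetadata } from '@atcute/oauth-types';

/**
 * client authentication method for confidential clients using `private_key_jwt`.
 */
export interface ConfidentialClientAuthMethod {
	method: 'private_key_jwt';
	/**
	 * key ID used for signing.
	 *
	 * presumably resolved against the client's keyset each time an assertion is created;
	 * see the `@throws` note on `createClientAssertionFactory`.
	 */
	kid: string;
}

/**
 * client authentication method for public clients using `none`.
 */
export interface PublicClientAuthMethod {
	method: 'none';
}

/**
 * client authentication method.
 *
 * - `private_key_jwt`: confidential clients that authenticate with a JWT assertion
 * - `none`: public clients that don't authenticate at the token endpoint
 *
 * `method` is the discriminant; narrow on it before reading `kid`.
 */
export type ClientAuthMethod = ConfidentialClientAuthMethod | PublicClientAuthMethod;

/**
 * client credentials for a token endpoint request.
 *
 * `client_assertion` is the JWT assertion that authenticates the client, so treat it as a
 * secret-equivalent value: keep it out of logs, error messages and telemetry.
 */
export interface ClientCredentials {
	client_id: string;
	client_assertion_type: typeof CLIENT_ASSERTION_TYPE_JWT_BEARER;
	client_assertion: string;
}

/**
 * factory function that produces client credentials for each request.
 *
 * resolves to `undefined` for public clients (no authentication). callers must handle the
 * `undefined` case explicitly rather than assuming credentials are always present.
 */
export type ClientCredentialsFactory = () => Promise<ClientCredentials | undefined>;

/**
 * negotiates the client authentication method with the authorization server.
 *
 * NOTE(review): only the declaration is visible here. confirm in the implementation that a
 * client holding a keyset fails (per `@throws`) instead of falling back to `none` when the
 * server does not advertise `private_key_jwt`, and that `serverMetadata` has been validated
 * before it reaches this function.
 *
 * @param serverMetadata authorization server metadata
 * @param keyset client's private keyset, or undefined for public clients
 * @returns negotiated auth method
 * @throws if server doesn't support the required authentication method
 */
export declare const negotiateClientAuth: (
	serverMetadata: OAuthAuthorizationServerMetadata,
	keyset: Keyset | undefined,
) => ClientAuthMethod;

export interface CreateClientAssertionFactoryOptions {
	/** negotiated auth method */
	authMethod: ClientAuthMethod;
	/** authorization server metadata */
	serverMetadata: OAuthAuthorizationServerMetadata;
	/** client ID */
	clientId: string;
	/** client's private keyset, or undefined for public clients */
	keyset: Keyset | undefined;
}

/**
 * creates a factory that produces client credentials (JWT assertions) for token requests.
 *
 * for public clients (authMethod.method === 'none'), returns a factory that produces `undefined`.
 *
 * the returned factory is meant to be invoked once per token request so that each request
 * carries fresh credentials; do not cache and reuse its result across requests.
 *
 * @param options factory configuration
 * @returns async function that creates fresh credentials for each request, or undefined for public clients
 * @throws if the key is no longer available in the keyset (confidential clients only)
 */
export declare const createClientAssertionFactory: (
	options: CreateClientAssertionFactoryOptions,
) => ClientCredentialsFactory;
//# sourceMappingURL=oauth-client-auth.d.ts.map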