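import type { ActorResolver } from '@atcute/identity-resolver';
import type { ActorIdentifier, Did } from '@atcute/lexicons';
import type { ClientAssertionPrivateJwk, DpopNonceCache } from '@atcute/oauth-crypto';
import { type PublicJwk } from '@atcute/oauth-crypto';
import { Keyset } from '@atcute/oauth-keyset';
import { type ConfidentialClientMetadata, type OAuthClientMetadata, type OAuthPrompt, type OAuthResponseMode, type PublicClientMetadata } from '@atcute/oauth-types';
import { OAuthSession } from './oauth-session.ts';
import { type AuthorizationServerMetadataCache } from './resolvers/authorization-server-metadata.ts';
import { type ProtectedResourceMetadataCache } from './resolvers/protected-resource-metadata.ts';
import { type SessionEventListener } from './session-getter.ts';
import type { SessionStore } from './types/sessions.ts';
import type { StateStore } from './types/states.ts';
import type { LockFunction } from './utils/lock.ts';

/**
 * storage backends used by an {@link OAuthClient}.
 *
 * the two required stores hold security-sensitive material (tokens, pending
 * authorization state); the optional caches are performance aids and fall
 * back to in-memory implementations when omitted.
 */
export interface OAuthClientStores {
  /** session store, keyed by DID */
  sessions: SessionStore;
  /** authorization state store, keyed by state ID (short-lived) */
  states: StateStore;
  /** DPoP nonce cache, keyed by origin (defaults to in-memory) */
  dpopNonces?: DpopNonceCache;
  /** AS metadata cache, keyed by issuer (defaults to in-memory) */
  asMetadata?: AuthorizationServerMetadataCache;
  /** protected resource metadata cache, keyed by origin (defaults to in-memory) */
  prMetadata?: ProtectedResourceMetadataCache;
}

/** options for a confidential OAuth client (with keyset for private_key_jwt) */
export interface ConfidentialOAuthClientOptions {
  /** client metadata */
  metadata: ConfidentialClientMetadata;
  /** client's signing keys (or an already constructed keyset) */
  keyset: Keyset | ClientAssertionPrivateJwk[];
  /** identity resolver for DID/handle resolution */
  actorResolver: ActorResolver;
  /** storage backends */
  stores: OAuthClientStores;
  /** OAuth response mode for authorization responses */
  responseMode?: OAuthResponseMode;
  /**
   * lock function for coordinating token refresh, defaults to in-memory.
   *
   * NOTE(review): an in-memory lock only coordinates within one process;
   * deployments where several instances share the same `stores` presumably
   * need a shared lock here — confirm against the lock implementation.
   */
  requestLock?: LockFunction;
  /** custom fetch implementation (e.g. to add instrumentation to outbound requests) */
  fetch?: typeof globalThis.fetch;
}

/** options for a public OAuth client (no keyset, uses token_endpoint_auth_method: 'none') */
export interface PublicOAuthClientOptions {
  /** public client metadata */
  metadata: PublicClientMetadata;
  /** identity resolver for DID/handle resolution */
  actorResolver: ActorResolver;
  /** storage backends */
  stores: OAuthClientStores;
  /** OAuth response mode for authorization responses */
  responseMode?: OAuthResponseMode;
  /**
   * lock function for coordinating token refresh, defaults to in-memory.
   *
   * NOTE(review): an in-memory lock only coordinates within one process;
   * deployments where several instances share the same `stores` presumably
   * need a shared lock here — confirm against the lock implementation.
   */
  requestLock?: LockFunction;
  /** custom fetch implementation (e.g. to add instrumentation to outbound requests) */
  fetch?: typeof globalThis.fetch;
}

/**
 * options for creating an OAuth client.
 *
 * - confidential clients provide a `keyset` for private_key_jwt authentication
 * - public clients omit `keyset` and use token_endpoint_auth_method: 'none'
 *
 * the presence of `keyset` is what distinguishes the two variants.
 */
export type OAuthClientOptions = ConfidentialOAuthClientOptions | PublicOAuthClientOptions;

/**
 * what an authorization request is aimed at: either a user account (resolved
 * through the identity resolver) or a PDS addressed directly by URL.
 */
export type AuthorizeTarget = {
  type: 'account';
  identifier: ActorIdentifier;
} | {
  type: 'pds';
  serviceUrl: string;
};

/** known prompt values with autocomplete, while still accepting any other string */
type OAuthPromptInput = OAuthPrompt | (string & {});

export interface AuthorizeOptions {
  /** target account (handle or DID) or PDS URL */
  target: AuthorizeTarget;
  /** requested scopes (defaults to client metadata scope) */
  scope?: string;
  /** which redirect_uri to use (defaults to first in metadata.redirect_uris) */
  redirectUri?: string;
  /**
   * user-provided state to preserve through flow.
   *
   * handed back unchanged as `CallbackResult.state`; presumably kept in
   * `stores.states` rather than in the redirect URL itself — verify against
   * the implementation before relying on it for anything secret.
   */
  state?: unknown;
  /** oidc prompt parameter (string or fallback list) */
  prompt?: OAuthPromptInput | readonly OAuthPromptInput[];
  /** abort signal */
  signal?: AbortSignal;
}

export interface AuthorizationResult {
  /** URL to redirect user to */
  url: URL;
  /**
   * state ID (the OAuth `state` parameter).
   *
   * this is the key into `stores.states`, which is documented as short-lived.
   */
  stateId: string;
}

export interface CallbackOptions {
  /** override redirect_uri for token exchange */
  redirectUri?: string;
}

export interface CallbackResult {
  /** authenticated session */
  session: OAuthSession;
  /** user-provided state from authorize() */
  state: unknown;
}

export interface RestoreOptions {
  /**
   * refresh policy for the restored session:
   *
   * - `'auto'` (default): refresh if token is stale
   * - `true`: force refresh even if not stale
   * - `false`: don't refresh, return session even if stale
   */
  refresh?: boolean | 'auto';
}

/**
 * OAuth client for AT Protocol.
 *
 * supports both confidential clients (with keyset for private_key_jwt) and
 * public clients (no keyset, uses token_endpoint_auth_method: 'none').
 *
 * handles authorization flow, session management, and token lifecycle.
 */
export declare class OAuthClient {
  /** client metadata as passed in the constructor options */
  readonly metadata: OAuthClientMetadata;
  /** signing keys for private_key_jwt; `undefined` for public clients */
  readonly keyset: Keyset | undefined;
  private readonly responseMode;
  private readonly resolver;
  private readonly serverFactory;
  private readonly sessionGetter;
  private readonly stateStore;
  private readonly fetch;
  constructor(options: OAuthClientOptions);
  /**
   * public JWKS for serving at jwks_uri.
   *
   * contains public key material only (`PublicJwk`), so it is safe to
   * publish; returns `undefined` for public clients (no keyset).
   */
  get jwks(): {
    keys: readonly PublicJwk[];
  } | undefined;
  /**
   * adds a listener for session events (updated, deleted).
   */
  addEventListener(listener: SessionEventListener): void;
  /**
   * removes a session event listener.
   */
  removeEventListener(listener: SessionEventListener): void;
  /**
   * starts the authorization flow.
   *
   * @param options authorization options
   * @returns URL to redirect user to and state ID
   */
  authorize(options: AuthorizeOptions): Promise<AuthorizationResult>;
  /**
   * handles the OAuth callback.
   *
   * NOTE(review): the incoming `state` parameter is expected to be matched
   * against a pending entry in `stores.states` and rejected when none is
   * found — confirm in the implementation.
   *
   * @param params URL search params from callback
   * @param options callback options
   * @returns session and user state
   */
  callback(params: URLSearchParams, options?: CallbackOptions): Promise<CallbackResult>;
  /**
   * restores an existing session.
   *
   * @param sub user's DID
   * @param options restore options
   * @returns authenticated session
   */
  restore(sub: Did, options?: RestoreOptions): Promise<OAuthSession>;
  /**
   * revokes and deletes a session.
   *
   * @param sub user's DID
   */
  revoke(sub: Did): Promise<void>;
  private createSession;
}
export {};
//# sourceMappingURL=oauth-client.d.ts.map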