import type { DpopNonceCache, DpopPrivateJwk } from '@atcute/oauth-crypto';
import type { Keyset } from '@atcute/oauth-keyset';
import { type AtprotoAuthorizationServerMetadata, type OAuthClientMetadata, type OAuthParResponse } from '@atcute/oauth-types';
import { type ClientAuthMethod } from './oauth-client-auth.ts';
import { OAuthResolver } from './resolvers/index.ts';
import type { TokenSet } from './types/token-set.ts';
export interface OAuthServerAgentOptions {
    /** negotiated client authentication method */
    authMethod: ClientAuthMethod;
    /** DPoP private key */
    dpopKey: DpopPrivateJwk;
    /** authorization server metadata */
    serverMetadata: AtprotoAuthorizationServerMetadata;
    /** client metadata */
    clientMetadata: OAuthClientMetadata;
    /** DPoP nonce cache, keyed by origin */
    dpopNonces: DpopNonceCache;
    /** OAuth resolver for identity verification */
    oauthResolver: OAuthResolver;
    /** client's private keyset, or undefined for public clients */
    keyset: Keyset | undefined;
    /** custom fetch implementation */
    fetch?: typeof globalThis.fetch;
}
/**
 * handles OAuth operations with an authorization server.
 *
 * manages token exchange, refresh, and revocation with DPoP support.
 */
export declare class OAuthServerAgent {
    readonly authMethod: ClientAuthMethod;
    readonly dpopKey: DpopPrivateJwk;
    readonly serverMetadata: AtprotoAuthorizationServerMetadata;
    readonly clientMetadata: OAuthClientMetadata;
    readonly oauthResolver: OAuthResolver;
    readonly keyset: Keyset | undefined;
    readonly dpopNonces: DpopNonceCache;
    private readonly dpopFetch;
    private readonly clientCredentialsFactory;
    constructor(options: OAuthServerAgentOptions);
    get issuer(): string;
    /**
     * revokes a token (access or refresh).
     *
     * @param token token to revoke
     */
    revoke(token: string): Promise<void>;
    /**
     * exchanges an authorization code for tokens.
     *
     * @param code authorization code from callback
     * @param codeVerifier PKCE code verifier
     * @param redirectUri redirect URI used in authorization request
     * @returns token set with verified subject
     */
    exchangeCode(code: string, codeVerifier: string, redirectUri: string): Promise<TokenSet>;
    /**
     * refreshes an existing token set.
     *
     * @param tokenSet current token set
     * @returns new token set
     * @throws {TokenRefreshError} if no refresh token or refresh fails
     */
    refresh(tokenSet: TokenSet): Promise<TokenSet>;
    /**
     * sends a pushed authorization request (PAR).
     *
     * @param params authorization request parameters
     * @returns PAR response with request_uri
     */
    pushAuthorizationRequest(params: Record<string, string>): Promise<OAuthParResponse>;
    private verifyIssuer;
    private requestToken;
    private request;
}
//# sourceMappingURL=oauth-server-agent.d.ts.map