import type { User } from '../api/generated/default';
import { type LoggerService } from '../services/Logger';
import type { OAuthTokenStore } from './tokenStore';
import { OAuthScope } from './types';
type OAuthConfig = {
    appName?: string;
    apiKey?: string;
    logger?: LoggerService;
    tokenStore: OAuthTokenStore;
    basePath: string;
    redirectUri?: string;
    openUrl?: (url: string) => void | Promise<void>;
};
export declare class OAuth {
    private readonly config;
    activePopupWindow: null | Window;
    popupCheckInterval: any | null;
    apiKey: string | null;
    logger: LoggerService;
    private _currentLoginResolve;
    private _currentLoginReject;
    private _boundMessageHandler;
    private _redirectResult;
    private _redirectChecked;
    private _csrfToken;
    private _pkceVerifier;
    private _pkceRedirectUri;
    constructor(config: OAuthConfig);
    /**
     * Opens the Audius consent screen to authorize your app using the
     * OAuth 2.0 Authorization Code Flow with PKCE.
     *
     * - **Popup** (default): opens a small window. The popup redirects to
     *   `redirectUri`, where `handleRedirect()` forwards the authorization
     *   code back to this window and closes the popup. The returned promise
     *   resolves when the token exchange is complete.
     * - **Full-page redirect**: navigates the current page to Audius. After
     *   the user approves, Audius redirects back to `redirectUri`. Call
     *   `handleRedirect()` on the next mount to complete the exchange.
     *
     * After a successful login, call `getUser()` to retrieve the user profile.
     * Subsequent SDK calls that require authentication use the stored access
     * token automatically.
     *
     * Throws if the login fails or the popup is closed prematurely.
     */
    login({ scope, redirectUri, display, responseMode, openUrl }: {
        scope?: OAuthScope;
        /**
         * The registered redirect URI where Audius sends the user after consent.
         * Falls back to the `redirectUri` set in the top-level SDK config.
         */
        redirectUri?: string;
        display?: 'popup' | 'fullScreen';
        responseMode?: 'fragment' | 'query';
        /**
         * Called with the OAuth URL to open it. Defaults to `window.open` (popup)
         * or `window.location.href` (fullScreen) on web.
         */
        openUrl?: (url: string) => void | Promise<void>;
    }): Promise<void>;
    private get csrfToken();
    private get pkceVerifier();
    private get pkceRedirectUri();
    /**
     * Returns true if the given URL (or the current page URL on web) contains
     * OAuth redirect params (`code` + `state`) that haven't been consumed via
     * `handleRedirect()` yet.
     *
     * Once `handleRedirect()` is called, this returns `false` for the lifetime
     * of the instance — the result can only be consumed once.
     */
    hasRedirectResult(url?: string): boolean;
    /**
     * Completes an OAuth flow by processing the redirect URL.
     *
     * Pass the redirect URL explicitly (mobile deep link) or omit to use the
     * current page URL (web). Is a no-op when no redirect params are present.
     * The result can only be consumed once — subsequent calls are no-ops.
     *
     * - **Web popup**: detects `window.opener`, forwards the code to the parent
     *   window, and closes the popup. The parent's `login()` promise resolves.
     * - **Web full-page redirect / mobile**: performs the PKCE token exchange
     *   and stores the tokens. Call `getUser()` afterwards.
     */
    handleRedirect(url?: string): Promise<void>;
    /**
     * Returns true if the user is currently authenticated (i.e. an access
     * token is present in the token store).
     */
    isAuthenticated(): Promise<boolean>;
    /**
     * Returns true if a refresh token is currently stored and a refresh
     * exchange could be attempted.
     */
    hasRefreshToken(): Promise<boolean>;
    /**
     * Fetches the authenticated user's profile from the server using the stored
     * access token. Always makes a network request, so the result reflects
     * current server-side state (useful for detecting revoked sessions or
     * refreshing stale profile data on page load).
     *
     * Throws `ResponseError` if the server returns a non-2xx response (e.g. 401
     * if no token is stored or the token has expired), or `FetchError` if the
     * request fails at the network level.
     */
    getUser(): Promise<User>;
    /**
     * Refreshes the access token using the stored refresh token.
     * Updates the token store on success.
     * Returns the new access token, or `null` if the refresh failed.
     */
    refreshAccessToken(): Promise<string | null>;
    /**
     * Revokes the current refresh token server-side and clears all stored
     * tokens and PKCE session state. After this call, all SDK API calls revert
     * to unauthenticated.
     */
    logout(): Promise<void>;
    /**
     * Exchange an authorization code + PKCE verifier for tokens and store them.
     * Shared by the popup `_receiveMessage` handler and `_handleRedirectResult`.
     */
    private _exchangeCodeForTokens;
    private _handleRedirectResult;
    private _settleLogin;
    private _clearPkceState;
    private _clearPopupCheckInterval;
    _receiveMessage(event: MessageEvent): Promise<void>;
}
export {};