import * as jose from 'jose';
import type { DeveloperCredential, AgentCredential, VerifyOptions, VerifiedCredential } from '@belticlabs/kya-core';
/**
 * Verify a signed Beltic credential.
 *
 * Performs the 7-step verification process:
 * 1. Parse JWS/JWT; validate typ header, algorithm, and kid
 * 2. Resolve issuer key via keyResolver
 * 3. Verify signature with allowed algorithms
 * 4. Validate nbf <= now <= exp (with clock skew tolerance)
 * 5. Check aud if expectedAudience provided
 * 6. Validate credential against JSON Schema
 * 7. Return VerifiedCredential or throw error
 *
 * @param token - The JWT token to verify
 * @param options - Verification options
 * @returns Verified credential with metadata
 *
 * @example
 * ```typescript
 * const verified = await verifyCredential(token, {
 *   keyResolver: async (header) => {
 *     // Resolve public key from DID or JWKS
 *     return publicKey;
 *   }
 * });
 * ```
 */
export declare function verifyCredential<T = DeveloperCredential | AgentCredential>(token: string, options: VerifyOptions): Promise<VerifiedCredential<T>>;
/**
 * Decode a JWT without verification.
 * Useful for inspecting tokens before verification.
 *
 * @param token - The JWT token to decode
 * @returns Decoded header and payload
 */
export declare function decodeToken(token: string): {
    header: Record<string, unknown>;
    payload: jose.JWTPayload;
};
/**
 * Extract the credential type from a JWT token.
 *
 * @param token - The JWT token
 * @returns 'developer' | 'agent' | 'unknown'
 */
export declare function getCredentialType(token: string): 'developer' | 'agent' | 'unknown';
//# sourceMappingURL=verify.d.ts.map