import type { Auth0Config, Auth0TokenResponse, ControlPlaneTokenResponse, DataPlaneTokenResponse } from "../../confluent/oauth/types.js";
/** Result of a full initial-login token chain from {@link executeFullTokenChain}. */
export interface TokenChainResult {
    refreshToken: string;
    /** Set once on initial login and preserved across subsequent refreshes. */
    refreshTokenAbsoluteExpiresAt: number;
    /** Set on initial login; subsequent refreshes bump this value in the store directly. */
    refreshTokenIdleExpiresAt: number;
    controlPlaneToken: string;
    controlPlaneExpiresAt: number;
    dataPlaneToken: string;
    dataPlaneExpiresAt: number;
    /**
     * User identity fields lifted from the `/api/sessions` response body
     * (`response.user`). Surface here so callers (the OAuth holder) can
     * attach the user's identity to telemetry without having to parse the
     * raw CP response themselves. Either field is `undefined` when the
     * response omits `user` or the underlying field.
     */
    resourceId: string | undefined;
    email: string | undefined;
}
/**
 * Exchanges an authorization code for Auth0 tokens (ID token + refresh token).
 * This is the first step in the Confluent token chain.
 */
export declare function exchangeAuthCodeForTokens(auth0Config: Auth0Config, authCode: string, codeVerifier: string): Promise<Auth0TokenResponse>;
/**
 * Exchanges an Auth0 ID token for a Confluent Cloud control plane token.
 * POST {apiUrl}/api/sessions with the ID token in the body.
 */
export declare function exchangeIdTokenForControlPlaneToken(apiUrl: string, idToken: string): Promise<ControlPlaneTokenResponse>;
/**
 * Exchanges a control plane token for a Confluent Cloud data plane token.
 * POST {apiUrl}/api/access_tokens with the CP token as Bearer auth.
 */
export declare function exchangeControlPlaneForDataPlaneToken(apiUrl: string, controlPlaneToken: string): Promise<DataPlaneTokenResponse>;
/**
 * Exchanges a refresh token for a new Auth0 token set (ID token + rotated
 * refresh token). This is a single-use destructive operation: on success the
 * old refresh token is invalidated by Auth0. Callers that then derive CP/DP
 * tokens should persist the new refresh token BEFORE the CP/DP calls so a
 * failure there doesn't lose the rotated token.
 */
export declare function exchangeRefreshTokenForAuth0Tokens(auth0Config: Auth0Config, refreshToken: string): Promise<Auth0TokenResponse>;
/**
 * Runs the full token chain from an authorization code.
 * auth code → ID token + refresh token → control plane → data plane
 *
 * Sets both absolute (8hr) and idle (4hr) refresh token expiry.
 */
export declare function executeFullTokenChain(auth0Config: Auth0Config, authCode: string, codeVerifier: string): Promise<TokenChainResult>;
//# sourceMappingURL=token-chain.d.ts.map