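/**
 * @dotdo/oauth - JWT Signing Key Management
 *
 * Manages RSA-2048 signing keys for JWT token issuance.
 * Supports key generation, storage/retrieval, and JWKS export.
 *
 * NOTE(review): every asynchronous declaration in this file was published as a
 * bare `Promise`, which does not type-check (`Promise<T>` requires one type
 * argument). The type arguments below are reconstructed from the doc comments
 * and from the interfaces declared in this file; confirm them against the
 * implementation.
 */

/**
 * JWT Signing Key with public/private key pair
 *
 * An object of this type carries the private key, so it must never be handed
 * to code that only needs to verify tokens; publish the JWKS form instead.
 */
export interface SigningKey {
  /** Key identifier */
  kid: string;
  /** Algorithm (always RS256) */
  alg: 'RS256';
  /** Private key for signing */
  privateKey: CryptoKey;
  /** Public key for verification */
  publicKey: CryptoKey;
  /** When the key was created (numeric timestamp; unit not stated here) */
  createdAt: number;
}

/**
 * JWKS format for public key exposure
 *
 * Carries only the RSA public parameters (`n`, `e`); no private JWK member is
 * part of this shape.
 */
export interface JWKSPublicKey {
  kty: 'RSA';
  kid: string;
  use: 'sig';
  alg: 'RS256';
  /** RSA modulus */
  n: string;
  /** RSA public exponent */
  e: string;
}

/**
 * JWKS document format
 */
export interface JWKS {
  keys: JWKSPublicKey[];
}

/**
 * Serialized key for storage
 *
 * `privateKeyJwk` holds the private key material in JWK form. Treat the whole
 * record as a secret: restrict who can read the store, encrypt it at rest, and
 * keep it out of logs and out of anything served to clients.
 */
export interface SerializedSigningKey {
  kid: string;
  alg: 'RS256';
  /** Private key as a JWK (secret) */
  privateKeyJwk: JsonWebKey;
  /** Public key as a JWK */
  publicKeyJwk: JsonWebKey;
  createdAt: number;
}

/**
 * JWT Claims for access tokens
 *
 * NOTE(review): the index signature admits any claim name, including
 * registered ones such as `iss`, `aud` and `exp`. How such claims interact
 * with the `options` passed to `signAccessToken` is not visible in this
 * declaration; confirm that callers build this object from trusted values.
 */
export interface AccessTokenClaims {
  /** Subject (user ID) */
  sub: string;
  /** Client ID */
  client_id: string;
  /** Scopes */
  scope?: string;
  /** Additional claims */
  [key: string]: unknown;
}

/**
 * Generate a new RSA-2048 signing key pair
 *
 * @param kid - Optional key identifier; how one is chosen when omitted is not
 *   visible in this declaration.
 * @returns The new key pair together with its metadata.
 */
export declare function generateSigningKey(kid?: string): Promise<SigningKey>;

/**
 * Export a signing key to serializable format for storage
 *
 * The result contains the private key as a JWK; see `SerializedSigningKey`
 * for handling requirements.
 *
 * @param key - The key pair to serialize.
 * @returns The key in a storable form.
 */
export declare function serializeSigningKey(key: SigningKey): Promise<SerializedSigningKey>;

/**
 * Import a signing key from serialized format
 *
 * @param serialized - A record previously produced for storage.
 * @returns The reconstructed key pair.
 */
export declare function deserializeSigningKey(serialized: SerializedSigningKey): Promise<SigningKey>;

/**
 * Export public key to JWKS format
 *
 * @param key - The key pair whose public half is exported.
 * @returns The public JWK entry for a JWKS document.
 */
export declare function exportPublicKeyToJWKS(key: SigningKey): Promise<JWKSPublicKey>;

/**
 * Export multiple keys to JWKS document
 *
 * @param keys - The key pairs to publish.
 * @returns A JWKS document with one public entry per key.
 */
export declare function exportKeysToJWKS(keys: SigningKey[]): Promise<JWKS>;

/**
 * Sign a JWT with the given claims
 *
 * @param key - The key pair used for signing.
 * @param claims - Claims to place in the token.
 * @param options - `issuer` is required; `audience` and `expiresIn` are
 *   optional. The unit of `expiresIn` and the behaviour when it is omitted are
 *   not stated in this declaration (presumably seconds; confirm). Verifiers
 *   generally rely on audience and expiry, so confirm what an omitted value
 *   produces before leaving either unset.
 * @returns The signed token.
 */
export declare function signAccessToken(
  key: SigningKey,
  claims: AccessTokenClaims,
  options: {
    issuer: string;
    audience?: string;
    expiresIn?: number;
  },
): Promise<string>;

/**
 * Signing Key Manager - handles key storage and rotation
 */
export declare class SigningKeyManager {
  private options;
  private keys;
  private currentKeyIndex;

  /**
   * @param options - `maxKeys` is optional; presumably the number of keys the
   *   manager retains across rotations (confirm against the implementation).
   */
  constructor(options?: { maxKeys?: number });

  /**
   * Get the current signing key, generating one if needed
   */
  getCurrentKey(): Promise<SigningKey>;

  /**
   * Get all keys (for JWKS endpoint)
   *
   * The returned objects include `privateKey`. Serve the output of `toJWKS()`
   * from a public endpoint, never these objects themselves.
   */
  getAllKeys(): SigningKey[];

  /**
   * Rotate to a new key
   *
   * NOTE(review): the resolved type is assumed to be the new key; confirm.
   */
  rotateKey(): Promise<SigningKey>;

  /**
   * Load keys from serialized format
   *
   * NOTE(review): assumed to resolve with no value; confirm.
   */
  loadKeys(serializedKeys: SerializedSigningKey[]): Promise<void>;

  /**
   * Export keys to serializable format
   *
   * The result contains private key material; see `SerializedSigningKey`.
   */
  exportKeys(): Promise<SerializedSigningKey[]>;

  /**
   * Export to JWKS format
   */
  toJWKS(): Promise<JWKS>;

  /**
   * Sign an access token with the current key
   *
   * Takes the same `claims` and `options` as the module-level
   * `signAccessToken`.
   */
  signAccessToken(
    claims: AccessTokenClaims,
    options: {
      issuer: string;
      audience?: string;
      expiresIn?: number;
    },
  ): Promise<string>;
}
//# sourceMappingURL=jwt-signing.d.ts.map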