/**
 * @dotdo/oauth - JWT Verification
 *
 * Server-side JWT token validation with JWKS support.
 * Validates standard JWT claims (exp, iat, iss, aud) and
 * fetches public keys from JWKS endpoints.
 */
/**
 * Result of JWT verification - discriminated union based on validity
 */
export type JWTVerifyResult = {
    valid: true;
    payload: JWTPayload;
    header: JWTHeader;
    error?: undefined;
} | {
    valid: false;
    error: string;
    payload?: undefined;
    header?: undefined;
} | {
    valid: false;
    error: string;
    payload: JWTPayload;
    header: JWTHeader;
};
/**
 * JWT Header
 */
export interface JWTHeader {
    /** Algorithm used for signing */
    alg: string;
    /** Token type (typically 'JWT') */
    typ?: string;
    /** Key ID for JWKS lookup */
    kid?: string;
}
/**
 * Standard JWT Payload claims
 */
export interface JWTPayload {
    /** Issuer */
    iss?: string;
    /** Subject */
    sub?: string;
    /** Audience (can be string or array) */
    aud?: string | string[];
    /** Expiration time (Unix timestamp) */
    exp?: number;
    /** Not before (Unix timestamp) */
    nbf?: number;
    /** Issued at (Unix timestamp) */
    iat?: number;
    /** JWT ID */
    jti?: string;
    /** Additional claims */
    [key: string]: unknown;
}
/**
 * Options for JWT verification
 */
export interface JWTVerifyOptions {
    /** JWKS URL for fetching public keys */
    jwksUrl?: string;
    /** Expected issuer */
    issuer?: string;
    /** Expected audience (can be string or array) */
    audience?: string | string[];
    /** Pre-loaded public key (alternative to jwksUrl) */
    publicKey?: CryptoKey;
    /** Clock tolerance in seconds for exp/nbf/iat checks (default: 60) */
    clockTolerance?: number;
    /** Skip expiration check */
    ignoreExpiration?: boolean;
}
/**
 * Verify a JWT token
 *
 * @param token - The JWT token to verify
 * @param options - Verification options
 * @returns Verification result with payload if valid
 *
 * @example With JWKS URL
 * ```typescript
 * const result = await verifyJWT(token, {
 *   jwksUrl: 'https://issuer.com/.well-known/jwks.json',
 *   issuer: 'https://issuer.com',
 *   audience: 'my-api'
 * })
 *
 * if (result.valid) {
 *   console.log('User ID:', result.payload?.sub)
 * } else {
 *   console.error('Invalid token:', result.error)
 * }
 * ```
 *
 * @example With pre-loaded public key
 * ```typescript
 * const result = await verifyJWT(token, {
 *   publicKey: await crypto.subtle.importKey(...),
 *   issuer: 'https://issuer.com'
 * })
 * ```
 */
export declare function verifyJWT(token: string, options?: JWTVerifyOptions): Promise<JWTVerifyResult>;
/**
 * Decode a JWT without verifying the signature
 * Useful for inspecting tokens before verification
 *
 * @param token - The JWT token to decode
 * @returns Decoded header and payload, or null if invalid format
 */
export declare function decodeJWT(token: string): {
    header: JWTHeader;
    payload: JWTPayload;
} | null;
/**
 * Check if a JWT is expired (without full verification)
 *
 * @param token - The JWT token to check
 * @param clockTolerance - Tolerance in seconds (default: 0)
 * @returns true if expired, false if valid or no exp claim
 */
export declare function isJWTExpired(token: string, clockTolerance?: number): boolean;
/**
 * Clear the JWKS cache (useful for testing)
 */
export declare function clearJWKSCache(): void;
//# sourceMappingURL=jwt.d.ts.map