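import crypto from 'node:crypto';
import { JSONWebKeySet } from 'jose';
import { JwksServiceOptions, ProviderVerifyRef, VerifyResult } from './jwks.types';

/**
 * Declaration of the gateway's JWKS service.
 *
 * It exposes the gateway's own (orchestrator) key material and verifies
 * tokens either against that key or against the JWKS of upstream
 * ("transparent") providers.
 *
 * NOTE(review): the `Promise` return types had lost their type arguments in
 * this copy of the file, which does not compile. They are restored below from
 * the imported types and the doc comments; confirm them against the
 * implementation.
 */
export declare class JwksService {
  private readonly opts;
  private orchestratorKey;
  private providerJwks;

  constructor(opts?: JwksServiceOptions);

  /** Gateway's public JWKS (publish at /.well-known/jwks.json when orchestrated). */
  getPublicJwks(): JSONWebKeySet;

  /**
   * Verify a token issued by the gateway itself (orchestrated mode).
   *
   * @param token - Compact JWT presented by the caller; treat it as untrusted input.
   * @param expectedIssuer - Issuer the token must carry; presumably compared
   *   with the `iss` claim (confirm in the implementation).
   * @returns The verification outcome. Callers must inspect it before trusting
   *   any claim from the token.
   *
   * NOTE(review): the signature takes no expected audience and no algorithm
   * allow-list. Confirm how the implementation constrains `aud` and `alg`.
   */
  verifyGatewayToken(token: string, expectedIssuer: string): Promise<VerifyResult>;

  /**
   * Verify a token against candidate transparent providers.
   * Ensures JWKS are available (cached/TTL/AS discovery) per provider.
   *
   * @param token - Compact JWT presented by the caller; treat it as untrusted input.
   * @param candidates - Providers whose keys may have signed the token.
   * @returns The verification outcome.
   *
   * NOTE(review): confirm that a token is accepted only under the keys of the
   * provider matching its issuer, so that one provider's key cannot validate
   * a token attributed to another.
   */
  verifyTransparentToken(token: string, candidates: ProviderVerifyRef[]): Promise<VerifyResult>;

  /**
   * Directly set provider JWKS (e.g., inline keys from config).
   *
   * Keys supplied here are presumably used as verification keys for
   * `providerId`, so they should come only from trusted configuration and
   * never from request data.
   */
  setProviderJwks(providerId: string, jwks: JSONWebKeySet): void;

  /**
   * Ensure JWKS for a provider:
   *  1) inline jwks (if provided) → cache & return
   *  2) cached & fresh (TTL) → return
   *  3) explicit jwksUri → fetch, cache, return
   *  4) discover jwks_uri via AS → fetch AS metadata, then jwks_uri, cache, return
   *
   * Steps 3 and 4 make outbound requests to URLs taken from `ref`, and step 4
   * follows a `jwks_uri` read from fetched metadata. The declaration does not
   * show scheme or host validation, timeouts or response-size limits; confirm
   * them in the fetch helpers, and source `ref` from trusted configuration.
   *
   * NOTE(review): `| undefined` is the conservative reconstruction of the lost
   * type argument (the `tryFetch*` helpers suggest a fetch can fail without
   * throwing); narrow it if the implementation always resolves to a key set.
   */
  getJwksForProvider(ref: ProviderVerifyRef): Promise<JSONWebKeySet | undefined>;

  /** Return the orchestrator public JWKS (generates/rotates as needed). */
  getOrchestratorJwks(): JSONWebKeySet;

  /**
   * Return private signing key + kid for issuing orchestrator tokens.
   *
   * The returned `key` is private key material: pass it only to the signing
   * call, and never log, serialize or export it.
   */
  getOrchestratorSigningKey(): {
    kid: string;
    key: crypto.KeyObject;
    alg: string;
  };

  // Private helpers; declaration output omits their signatures.
  private tryFetchJwks;
  private tryFetchAsMeta;
  private fetchJson;
  private ensureOrchestratorKey;
  private generateKey;
}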