import { UserClaim } from '@frontmcp/sdk';
export declare function isJwt(token: string | undefined): boolean;
/**
 * If the token is a JWT, returns the raw signature segment (3rd part) as base64url.
 * Otherwise, returns a stable SHA-256(base64url) fingerprint of the whole token,
 * so we can still bind a session id to "this Authorization" deterministically.
 */
export declare function getTokenSignatureFingerprint(token: string): string;
/** Best-effort typed user derivation from claims */
export declare function deriveTypedUser(claims: Record<string, any>): UserClaim;
export declare function extractBearerToken(header?: string): string | undefined;