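/**
 * IAM (OIDC) Authentication for the Gateway.
 *
 * Thin wrapper around @hanzo/iam SDK — validates JWTs issued by
 * iam.hanzo.ai using OIDC/JWKS discovery and extracts user identity.
 */
import { IamClient, type IamAuthResult, type IamJwtClaims } from "@hanzo/iam";
import type { GatewayIamConfig } from "../config/types.gateway.js";

export type { IamAuthResult, IamJwtClaims };

/**
 * Gateway-specific auth result that extends the SDK result with org/role info.
 *
 * Discriminated on `ok`: narrow on it before reading any identity field.
 * The failure arm carries only a diagnostic `reason`.
 */
export type GatewayIamAuthResult =
  | {
      ok: true;
      userId: string;
      email?: string;
      name?: string;
      avatar?: string;
      owner: string;
      orgIds: string[];
      currentOrgId?: string;
      roles: string[];
      /** Verified claims from the token, for callers needing fields not surfaced above. */
      claims: IamJwtClaims;
    }
  | {
      ok: false;
      /** Why validation failed; treat as an internal detail rather than echoing it verbatim to clients. */
      reason: string;
    };

/**
 * Return the IAM SDK client built from `config`.
 *
 * @param config Gateway IAM settings (issuer, JWKS override, etc. — see GatewayIamConfig).
 * @returns The configured client. NOTE(review): whether the client is cached
 *   per config or re-created on every call is decided by the implementation — confirm there.
 */
export declare function getIamClient(config: GatewayIamConfig): IamClient;

/**
 * Validate a JWT access token against IAM JWKS and extract user claims.
 *
 * When `config.jwksUrl` is set, rewrites the JWKS fetch URL to bypass
 * Cloudflare/WAF blocking. Otherwise uses the @hanzo/iam SDK directly.
 *
 * If the SDK rejects the token due to an issuer mismatch (e.g. the OIDC
 * discovery endpoint advertises issuer "https://hanzo.id" but the IAM server
 * stamps JWTs with iss "https://iam.hanzo.ai"), retries verification using
 * jose directly — bypassing SDK OIDC discovery (which would try to reach
 * the unreachable issuer) while using the reachable JWKS endpoint.
 *
 * NOTE(review): `config.jwksUrl` becomes the trust anchor for signature
 * verification on that path, so it must be an operator-controlled HTTPS
 * endpoint, never derived from request input — confirm where it is sourced.
 * NOTE(review): the direct-jose retry skips the SDK's issuer check; the retry
 * should still pin the expected `iss` and `aud` it accepts, otherwise any
 * token signed by a key in that JWKS set would pass regardless of issuer —
 * confirm the implementation passes explicit issuer/audience expectations.
 *
 * @param token  Raw JWT access token (presumably without a `Bearer ` prefix — confirm with callers).
 * @param config Gateway IAM settings, including the optional `jwksUrl` override.
 * @returns `{ ok: true, ... }` with the extracted identity, or `{ ok: false, reason }`.
 */
// The original declaration wrote `Promise` with no type argument, which does not
// compile (TS2314). GatewayIamAuthResult is the result type this module defines
// for exactly this purpose — confirm against the implementation's return value.
export declare function validateIamToken(
  token: string,
  config: GatewayIamConfig,
): Promise<GatewayIamAuthResult>;

/**
 * Force-clear the JWKS cache (for testing or key rotation).
 *
 * Presumably the next validation after this call refetches signing keys from
 * the JWKS endpoint — verify against the implementation before relying on it
 * for an emergency key-rotation procedure.
 */
export declare function clearJwksCache(): void;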