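import type { AuthResult, Config } from './types.js';

/**
 * JWT validation using jose library + OIDC JWKS discovery.
 *
 * Validates access/ID tokens issued by Hanzo IAM. The JWKS URI is taken
 * from the live OIDC discovery document (which points at the canonical
 * `/v1/iam/.well-known/jwks` endpoint); the issuer is verified.
 *
 * Audience is verified against `config.clientId` by default. A token
 * whose `aud` does not match is REJECTED — unless the caller explicitly
 * opts out with `allowMissingAudience: true` (for IAM deployments that
 * issue access tokens without an `aud` claim). There is no silent
 * fall-through.
 *
 * NOTE(review): `allowMissingAudience` disables the audience check
 * entirely rather than merely tolerating an absent `aud`; with it set,
 * a token that carries a non-matching `aud` (minted for another client
 * of the same issuer) is no longer distinguished from one with no
 * `aud` at all. Confirm this is the intended trade-off before enabling
 * it outside deployments that genuinely omit the claim.
 */

/** Clear cached JWKS key sets (useful for testing or key rotation). */
declare function clearJwksCache(): void;

/**
 * Validate a JWT access token against IAM's JWKS.
 *
 * Uses OIDC discovery to find the JWKS URI, then verifies the token
 * signature, issuer, audience, and expiry using the `jose` library.
 *
 * The audience MUST equal `config.clientId`. A mismatch fails with
 * `iam_audience_invalid` unless `config.allowMissingAudience === true`,
 * in which case the audience check is skipped entirely (for IAM
 * deployments that issue access tokens without an `aud` claim). There is
 * no automatic, silent retry.
 *
 * @param token  The compact-serialized JWT (bearer token) to verify.
 * @param config Client configuration; `clientId` is the expected audience
 *               and `allowMissingAudience` opts out of the audience check.
 * @returns The validation outcome as an `AuthResult` (from `./types.js`).
 *          Whether `iam_audience_invalid` is thrown or reported inside the
 *          result is not visible from this declaration — check the
 *          implementation.
 */
// The bare `Promise` in the original does not compile under `strict`
// (a type argument is required); `AuthResult` was imported but unused,
// so the angle-bracketed type argument was almost certainly lost when
// the text was extracted. Restored as `Promise<AuthResult>`.
declare function validateToken(token: string, config: Config): Promise<AuthResult>;

export { clearJwksCache, validateToken };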