import { type IdTokenClaims, type UserInfoResponse, type AccessTokenClaims, type OidcConfigResponse, type SignInUriParameters } from '@logto/js';
import { type Nullable } from '@silverhand/essentials';
import { ClientAdapterInstance, type ClientAdapter, type JwtVerifier } from './adapter/index.js';
import type { AccessToken, LogtoConfig, LogtoSignInSessionItem } from './types/index.js';
export type SignInOptions = {
    /**
     * The redirect URI that the user will be redirected to after the sign-in flow is completed.
     */
    redirectUri: string | URL;
    /**
     * The URI that the user will be redirected to after `redirectUri` successfully handled the
     * sign-in callback. If not specified, the user will stay on the `redirectUri` page.
     */
    postRedirectUri?: string | URL;
    /**
     * The prompt parameter to be used for the authorization request.
     * Note: If specified, it will override the prompt value in Logto configs.
     */
    prompt?: SignInUriParameters['prompt'];
    /**
     * Clear cached tokens from storage before sign-in. Defaults to: `true`
     */
    clearTokens?: boolean;
} & Pick<SignInUriParameters, 'interactionMode' | 'firstScreen' | 'identifiers' | 'loginHint' | 'directSignIn' | 'extraParams'>;
/**
 * The Logto base client class that provides the essential methods for
 * interacting with the Logto server.
 *
 * It also provides an adapter object that allows the customizations of the
 * client behavior for different environments.
 *
 * NOTE: Usually, you would use the `LogtoClient` class instead of `StandardLogtoClient` since it
 * provides the default JWT verifier. However, if you want to avoid the use of `jose` package
 * which is useful for certain environments that don't support native modules like `crypto`, you
 * can use `StandardLogtoClient` and provide your own JWT verifier.
 */
export declare class StandardLogtoClient {
    #private;
    readonly logtoConfig: LogtoConfig;
    /**
     * Get the OIDC configuration from the discovery endpoint. This method will
     * only fetch the configuration once and cache the result.
     */
    readonly getOidcConfig: () => Promise<OidcConfigResponse>;
    /**
     * Get the access token from the storage with refresh strategy.
     *
     * - If the access token has expired, it will try to fetch a new one using the Refresh Token.
     * - If there's an ongoing Promise to fetch the access token, it will return the Promise.
     *
     * If you want to get the access token claims, use {@link getAccessTokenClaims} instead.
     *
     * @param resource The resource that the access token is granted for. If not
     * specified, the access token will be used for OpenID Connect or the default
     * resource, as specified in the Logto Console.
     * @returns The access token string.
     * @throws LogtoClientError if the user is not authenticated.
     */
    readonly getAccessToken: (this: unknown, resource?: string | undefined, organizationId?: string | undefined) => Promise<string>;
    /**
     * Get the access token for the specified organization from the storage with refresh strategy.
     *
     * Scope {@link UserScope.Organizations} is required in the config to use organization-related
     * methods.
     *
     * @param organizationId The ID of the organization that the access token is granted for.
     * @returns The access token string.
     * @throws LogtoClientError if the user is not authenticated.
     * @remarks
     * It uses the same refresh strategy as {@link getAccessToken}.
     */
    readonly getOrganizationToken: (this: unknown, organizationId: string) => Promise<string>;
    /**
     * Clear the access token from the cache storage.
     */
    readonly clearAccessToken: (this: unknown) => Promise<void>;
    /**
     * Clear all cached tokens from storage.
     */
    readonly clearAllTokens: (this: unknown) => Promise<void>;
    /**
     * Handle the sign-in callback by parsing the authorization code from the
     * callback URI and exchanging it for the tokens.
     *
     * @param callbackUri The callback URI, including the search params, that the user is redirected to after the sign-in flow is completed.
     * The origin and pathname of this URI must match the origin and pathname of the redirect URI specified in {@link signIn}.
     * In many cases you'll probably end up passing `window.location.href` as the argument to this function.
     * @throws LogtoClientError if the sign-in session is not found.
     */
    readonly handleSignInCallback: (this: unknown, callbackUri: string) => Promise<void>;
    readonly adapter: ClientAdapterInstance;
    protected jwtVerifierInstance: JwtVerifier;
    protected readonly accessTokenMap: Map<string, AccessToken>;
    get jwtVerifier(): JwtVerifier;
    constructor(logtoConfig: LogtoConfig, adapter: ClientAdapter, buildJwtVerifier: (client: StandardLogtoClient) => JwtVerifier);
    /**
     * Set the JWT verifier for the client.
     * @param buildJwtVerifier The JWT verifier instance or a function that returns the JWT verifier instance.
     */
    setJwtVerifier(buildJwtVerifier: JwtVerifier | ((client: StandardLogtoClient) => JwtVerifier)): void;
    /**
     * Check if the user is authenticated by checking if the ID token exists.
     */
    isAuthenticated(): Promise<boolean>;
    /**
     * Get the Refresh Token from the storage.
     */
    getRefreshToken(): Promise<Nullable<string>>;
    /**
     * Get the ID Token from the storage. If you want to get the ID Token claims,
     * use {@link getIdTokenClaims} instead.
     */
    getIdToken(): Promise<Nullable<string>>;
    /**
     * Get the ID Token claims.
     */
    getIdTokenClaims(): Promise<IdTokenClaims>;
    /**
     * Get the access token claims for the specified resource.
     *
     * @param resource The resource that the access token is granted for. If not
     * specified, the access token will be used for OpenID Connect or the default
     * resource, as specified in the Logto Console.
     */
    getAccessTokenClaims(resource?: string): Promise<AccessTokenClaims>;
    /**
     * Get the organization token claims for the specified organization.
     *
     * @param organizationId The ID of the organization that the access token is granted for.
     */
    getOrganizationTokenClaims(organizationId: string): Promise<AccessTokenClaims>;
    /**
     * Get the user information from the Userinfo Endpoint.
     *
     * Note the Userinfo Endpoint will return more claims than the ID Token. See
     * {@link https://docs.logto.io/docs/recipes/integrate-logto/vanilla-js/#fetch-user-information | Fetch user information}
     * for more information.
     *
     * @returns The user information.
     * @throws LogtoClientError if the user is not authenticated.
     */
    fetchUserInfo(): Promise<UserInfoResponse>;
    /**
     * Start the sign-in flow with the specified options.
     *
     * The redirect URI is required and it must be registered in the Logto Console.
     *
     * The user will be redirected to that URI after the sign-in flow is completed,
     * and the client will be able to get the authorization code from the URI.
     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
     * after the user is redirected in the callback URI.
     *
     * @param options The options for the sign-in flow.
     */
    signIn(options: SignInOptions): Promise<void>;
    /**
     * Start the sign-in flow with the specified options.
     *
     * The redirect URI is required and it must be registered in the Logto Console.
     *
     * The user will be redirected to that URI after the sign-in flow is completed,
     * and the client will be able to get the authorization code from the URI.
     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
     * after the user is redirected in the callback URI.
     *
     * @param redirectUri See {@link SignInOptions.redirectUri}.
     */
    signIn(redirectUri: SignInOptions['redirectUri']): Promise<void>;
    /**
     *
     * Start the sign-in flow with the specified redirect URI. The URI must be
     * registered in the Logto Console.
     *
     * The user will be redirected to that URI after the sign-in flow is completed,
     * and the client will be able to get the authorization code from the URI.
     * To fetch the tokens from the authorization code, use {@link handleSignInCallback}
     * after the user is redirected in the callback URI.
     *
     * @deprecated Use the object parameter instead.
     * @param redirectUri See {@link SignInOptions.redirectUri}.
     * @param interactionMode See {@link SignInOptions.interactionMode}.
     * @param loginHint See {@link SignInOptions.loginHint}.
     */
    signIn(redirectUri: SignInOptions['redirectUri'], interactionMode?: SignInOptions['interactionMode'], loginHint?: SignInOptions['loginHint']): Promise<void>;
    /**
     * Check if the user is redirected from the sign-in page by checking if the
     * current URL matches the redirect URI in the sign-in session.
     *
     * If there's no sign-in session, it will return `false`.
     *
     * @param url The current URL.
     */
    isSignInRedirected(url: string): Promise<boolean>;
    /**
     * Start the sign-out flow with the specified redirect URI. The URI must be
     * registered in the Logto Console.
     *
     * It will also revoke all the tokens and clean up the storage.
     *
     * The user will be redirected that URI after the sign-out flow is completed.
     * If the `postLogoutRedirectUri` is not specified, the user will be redirected
     * to a default page.
     */
    signOut(postLogoutRedirectUri?: string): Promise<void>;
    protected getSignInSession(): Promise<Nullable<LogtoSignInSessionItem>>;
    protected setSignInSession(value: Nullable<LogtoSignInSessionItem>): Promise<void>;
    private setIdToken;
    private setRefreshToken;
    private getAccessTokenByRefreshToken;
    private saveAccessTokenMap;
    private loadAccessTokenMap;
}