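import { z } from 'zod';

// NOTE(review): the type arguments of `z.infer` and of the three `Readonly<...>` claim maps
// were missing from the listing under review, which left the file unparseable. They are
// restored here from the surrounding documentation; confirm against the package's emitted
// declarations.

/** Scopes that are reserved by Logto and are added to the auth request automatically. */
export declare enum ReservedScope {
  /** Standard OIDC scope that marks the request as an OpenID Connect authentication request. */
  OpenId = "openid",
  /**
   * Standard OIDC scope used to request a refresh token.
   *
   * Because this scope is added automatically, clients should expect that a refresh token may be
   * issued and should store it with the same care as any other long-lived credential.
   */
  OfflineAccess = "offline_access"
}

/** Resources that are reserved by Logto and cannot be defined by users. */
export declare enum ReservedResource {
  /**
   * The resource for organization template per RFC 0001.
   *
   * @see {@link https://github.com/logto-io/rfcs | RFC 0001} for more details.
   */
  Organization = "urn:logto:resource:organizations"
}

/**
 * All extended claims for ID token that are controlled by tenant configuration.
 * This is the single source of truth for which claims can be toggled on/off in ID tokens.
 *
 * @remarks
 * The toggle applies to ID tokens only; see {@link userClaims} for what the userinfo endpoint
 * returns.
 */
export declare const extendedIdTokenClaims: readonly [
  "custom_data",
  "identities",
  "sso_identities",
  "roles",
  "organizations",
  "organization_data",
  "organization_roles"
];

/** Union of the claim names listed in {@link extendedIdTokenClaims}. */
export type ExtendedIdTokenClaim = (typeof extendedIdTokenClaims)[number];

/**
 * A comprehensive list of all available user claims that can be used in SAML applications.
 * This array serves two purposes:
 * 1. Acts as a single source of truth for all possible `UserClaim` values
 * 2. Provides a runtime accessible list of all available claims
 *
 * Previously, the `UserClaim` type was defined directly as a union type. Now, this array is
 * defined first and the `UserClaim` type is derived from it using Zod. This approach maintains
 * type safety while also making the complete list of claims available at runtime.
 *
 * Note: This array must include ALL possible values of the `UserClaim` type.
 * TypeScript reports an error if any value is missing.
 */
export declare const userClaimsList: readonly [
  "name",
  "given_name",
  "family_name",
  "middle_name",
  "nickname",
  "preferred_username",
  "profile",
  "picture",
  "website",
  "email",
  "email_verified",
  "gender",
  "birthdate",
  "zoneinfo",
  "locale",
  "phone_number",
  "phone_number_verified",
  "address",
  "updated_at",
  "username",
  "created_at",
  "custom_data",
  "identities",
  "sso_identities",
  "roles",
  "organizations",
  "organization_data",
  "organization_roles"
];

/**
 * Zod guard for the `UserClaim` type, using `userClaimsList` as the single source of truth.
 *
 * @remarks
 * As a Zod enum, the guard accepts only the exact strings listed in {@link userClaimsList}.
 * Use it to validate claim names that arrive from configuration or requests instead of casting
 * an arbitrary string to `UserClaim`.
 */
export declare const userClaimGuard: z.ZodEnum<[
  "name",
  "given_name",
  "family_name",
  "middle_name",
  "nickname",
  "preferred_username",
  "profile",
  "picture",
  "website",
  "email",
  "email_verified",
  "gender",
  "birthdate",
  "zoneinfo",
  "locale",
  "phone_number",
  "phone_number_verified",
  "address",
  "updated_at",
  "username",
  "created_at",
  "custom_data",
  "identities",
  "sso_identities",
  "roles",
  "organizations",
  "organization_data",
  "organization_roles"
]>;

/** A user claim name, inferred from {@link userClaimGuard}. */
export type UserClaim = z.infer<typeof userClaimGuard>;

/**
 * Scopes for ID Token and Userinfo Endpoint.
 */
export declare enum UserScope {
  /**
   * Scope for basic user info.
   *
   * See {@link userClaims} for mapped claims.
   */
  Profile = "profile",
  /**
   * Scope for user email address.
   *
   * See {@link userClaims} for mapped claims.
   */
  Email = "email",
  /**
   * Scope for user phone number.
   *
   * See {@link userClaims} for mapped claims.
   */
  Phone = "phone",
  /**
   * Scope for user address.
   *
   * See {@link userClaims} for mapped claims.
   */
  Address = "address",
  /**
   * Scope for user's custom data.
   *
   * See {@link userClaims} for mapped claims.
   */
  CustomData = "custom_data",
  /**
   * Scope for user's social and SSO identity details.
   *
   * See {@link userClaims} for mapped claims.
   */
  Identities = "identities",
  /**
   * Scope for user's roles.
   *
   * See {@link userClaims} for mapped claims.
   */
  Roles = "roles",
  /**
   * Scope for the user's organization IDs and for performing the organization token grant per
   * [RFC 0001](https://github.com/logto-io/rfcs).
   *
   * See {@link userClaims} for mapped claims.
   */
  Organizations = "urn:logto:scope:organizations",
  /**
   * Scope for user's organization roles per [RFC 0001](https://github.com/logto-io/rfcs).
   *
   * See {@link userClaims} for mapped claims.
   */
  OrganizationRoles = "urn:logto:scope:organization_roles",
  /**
   * Scope for user's sessions.
   *
   * Only used for session management via the account API.
   * It is not included in user claims, even when the scope is requested, because it is not
   * meant for the ID token or the userinfo endpoint.
   */
  Sessions = "urn:logto:scope:sessions"
}

/**
 * Mapped claims that ID Token includes.
 *
 * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
 *
 * Note: For scopes `Roles`, `Organizations`, `OrganizationRoles`, `CustomData`, and `Identities`,
 * the claims are configured via `extendedIdTokenClaimsByScope` and are controlled by tenant settings.
 */
export declare const idTokenClaims: Readonly<Record<UserScope, UserClaim[]>>;

/**
 * Extended claims for ID token grouped by scope, controlled by tenant configuration.
 * These claims can be enabled or disabled in the ID token via tenant settings.
 *
 * @see {@link extendedIdTokenClaims} for the full list of extended claims.
 * @see {@link idTokenClaims} for base claims always included in ID token.
 * @see {@link userClaims} for all possible claims (used by userinfo endpoint).
 */
export declare const extendedIdTokenClaimsByScope: Readonly<
  Partial<Record<UserScope, ExtendedIdTokenClaim[]>>
>;

/**
 * All possible claims for each scope, combining base ID token claims and extended claims.
 *
 * This mapping is used for:
 * - OIDC provider claim configuration (to tell the provider which claims are available for each
 *   scope)
 * - Userinfo endpoint (always returns all claims regardless of tenant configuration)
 * - SAML application attribute mapping (to determine which scope to request based on required
 *   claims)
 *
 * Note: The actual claims returned in ID tokens are controlled by tenant configuration via
 * {@link extendedIdTokenClaimsByScope}. See `getAcceptedUserClaims` in core for the filtering
 * logic.
 *
 * @remarks
 * Disabling an extended claim in tenant settings removes it from ID tokens only. As stated above,
 * the userinfo endpoint still returns every claim mapped to the granted scopes, so the tenant
 * toggle is not an access control on the underlying data. Restrict which scopes a client may be
 * granted if a claim must not reach that client at all.
 */
export declare const userClaims: Readonly<Record<UserScope, UserClaim[]>>;

/**
 * The prefix of the URN (Uniform Resource Name) for the organization in Logto.
 *
 * @example
 * ```
 * urn:logto:organization:123 // organization with ID 123
 * ```
 * @see {@link https://en.wikipedia.org/wiki/Uniform_Resource_Name | Uniform Resource Name}
 */
export declare const organizationUrnPrefix = "urn:logto:organization:";

/**
 * Build the URN (Uniform Resource Name) for the organization in Logto.
 *
 * @param organizationId The ID of the organization.
 * @returns The URN for the organization.
 * @see {@link organizationUrnPrefix} for the prefix of the URN.
 * @example
 * ```ts
 * buildOrganizationUrn('1') // returns 'urn:logto:organization:1'
 * ```
 * @remarks
 * NOTE(review): this declaration does not show any validation or escaping of `organizationId`.
 * Pass an ID that has already been validated rather than raw request input; confirm against
 * the implementation.
 */
export declare const buildOrganizationUrn: (organizationId: string) => string;

/**
 * Get the organization ID from the URN (Uniform Resource Name) for the organization in Logto.
 *
 * @param urn The URN for the organization. Must start with {@link organizationUrnPrefix}.
 * @returns The ID of the organization.
 * @throws {TypeError} If the URN is invalid.
 * @example
 * ```ts
 * getOrganizationIdFromUrn('1') // throws TypeError
 * getOrganizationIdFromUrn('urn:logto:organization:1') // returns '1'
 * ```
 * @remarks
 * Only the prefix requirement is documented here; the declaration does not show any check on the
 * ID portion. When the URN comes from a request (for example a token audience or a resource
 * indicator), treat the returned ID as untrusted: verify that the organization exists and that
 * the subject is a member before making an authorization decision. NOTE(review): confirm the
 * exact validation against the implementation.
 */
export declare const getOrganizationIdFromUrn: (urn: string) => string;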