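/**
 * Service for handling OAuth2 client credentials flow and JWT client assertions.
 * Used for obtaining bearer tokens to access LTI Advantage services (AGS, NRPS, etc.).
 *
 * Implements RFC 7523 (JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants)
 * as required by LTI 1.3 security framework.
 *
 * Security notes for callers:
 * - The private half of `keyPair` is the tool's credential towards every platform that
 *   trusts the matching JWKS entry; whoever holds it can mint valid client assertions.
 * - Returned assertions and bearer tokens are secrets. Keep them out of logs, URLs and
 *   error reports.
 *
 * NOTE(review): this is a declaration file, so the claims placed in the assertion
 * (`iss`, `sub`, `aud`, `iat`, `exp`, `jti`) are not visible here. Confirm in the
 * implementation that `exp` is short-lived and `jti` is unique per assertion.
 *
 * @see https://www.rfc-editor.org/rfc/rfc7523
 */
export declare class TokenService {
  private keyPair;
  private keyId;

  /**
   * Creates a new TokenService instance.
   *
   * @param keyPair - RSA key pair for signing client assertion JWTs (must be RS256 compatible).
   *   Prefer a private key that was generated or imported as non-extractable, so it cannot be
   *   exported from the runtime.
   * @param keyId - Key identifier for JWT header, should match JWKS key ID (defaults to 'main').
   *   Pass it explicitly during key rotation; a `kid` that is absent from the published JWKS
   *   leaves the platform unable to select a verification key.
   */
  constructor(keyPair: CryptoKeyPair, keyId?: string);

  /**
   * Creates a JWT client assertion for OAuth2 client credentials flow.
   *
   * @param clientId - OAuth2 client identifier
   * @param tokenUrl - Platform's token endpoint URL. Take it from the stored platform
   *   registration, never from launch or request parameters.
   *   NOTE(review): presumably used as the assertion's `aud` claim - confirm in the implementation.
   * @returns Promise resolving to a signed JWT client assertion string
   */
  createClientAssertion(clientId: string, tokenUrl: string): Promise<string>;

  /**
   * Obtains an OAuth2 bearer token using client credentials flow with JWT assertion.
   *
   * @param clientId - OAuth2 client identifier
   * @param tokenUrl - Platform's token endpoint URL. The signed assertion is sent to this
   *   address, so it should be an HTTPS URL taken from the stored platform registration.
   * @param scope - Requested OAuth2 scope (e.g., AGS score scope). Request only the scopes
   *   the following API call needs.
   * @returns Promise resolving to a bearer access token string for API calls
   * @throws {Error} When the token request fails or response is missing access_token.
   *   NOTE(review): check that the error message does not embed the assertion or the raw
   *   token response before it is logged or returned to a client.
   */
  getBearerToken(clientId: string, tokenUrl: string, scope: string): Promise<string>;
}
//# sourceMappingURL=token.service.d.ts.map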