/**
 * OAuth authorization flow functions.
 *
 * Implements login URL generation and callback handling for
 * Mastra Cloud authentication with PKCE.
 *
 * @internal This module is not exported from the main package.
 */
import type { LoginUrlResult, CallbackResult } from '../types.js';
/**
 * Options for generating login URL.
 */
export interface LoginUrlOptions {
    /** Mastra Cloud project ID */
    projectId: string;
    /** Base URL of Mastra Cloud API (e.g., 'https://cloud.mastra.ai') */
    cloudBaseUrl: string;
    /** OAuth callback URL (e.g., 'https://myapp.com/auth/callback') */
    callbackUrl: string;
    /** URL to redirect to after successful login */
    returnTo?: string;
    /** Origin of the current request (e.g., 'https://myapp.com') */
    requestOrigin: string;
    /** Whether running in production (affects cookie Secure flag) */
    isProduction?: boolean;
}
/**
 * Options for handling OAuth callback.
 */
export interface CallbackOptions {
    /** Mastra Cloud project ID */
    projectId: string;
    /** Base URL of Mastra Cloud API */
    cloudBaseUrl: string;
    /** OAuth callback URL (must match what was sent to /auth/oss) */
    redirectUri: string;
    /** Authorization code from OAuth callback */
    code: string;
    /** State parameter from OAuth callback */
    state: string;
    /** Cookie header from request (may be null) */
    cookieHeader: string | null;
}
/**
 * Generate a login URL for Mastra Cloud OAuth flow.
 *
 * Creates a URL with PKCE challenge and state parameter for CSRF protection.
 * Returns a PKCE cookie that must be set on the response.
 *
 * @param options - Login URL options
 * @returns URL to redirect to and cookies to set
 */
export declare function getLoginUrl(options: LoginUrlOptions): LoginUrlResult;
/**
 * Handle OAuth callback from Mastra Cloud.
 *
 * Validates state for CSRF, exchanges code for tokens, and returns user info.
 * Returns a cookie to clear the PKCE state.
 *
 * Note: Session cookie is NOT set here - caller (session module) handles that.
 *
 * @param options - Callback options
 * @returns User info, access token, and redirect URL
 * @throws PKCEError if PKCE cookie is missing or expired
 * @throws AuthError if state validation fails or token exchange fails
 */
export declare function handleCallback(options: CallbackOptions): Promise<CallbackResult>;
//# sourceMappingURL=oauth.d.ts.map