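/**
 * Generic OAuth flow for MCP servers.
 *
 * Allows users to authenticate with any OAuth-compatible MCP server
 * by providing authorization URL, token URL, and client credentials.
 */
import { OAuthCallbackFlow } from "@oh-my-pi/pi-ai/utils/oauth/callback-server";
import type { OAuthController, OAuthCredentials } from "@oh-my-pi/pi-ai/utils/oauth/types";

/**
 * Endpoint and client settings for one MCP server's OAuth flow.
 *
 * NOTE(review): nothing in these declarations shows whether the implementation
 * validates the endpoint URLs (scheme, host). When the values come from
 * server-supplied metadata or user input, validate them before constructing
 * the flow; confirm against the implementation.
 */
export interface MCPOAuthConfig {
  /** Authorization endpoint URL */
  authorizationUrl: string;
  /**
   * Token endpoint URL. Requests carrying the refresh token and client
   * credentials are addressed to this URL (see the parameters of
   * {@link refreshMCPOAuthToken}), so it should come from a trusted source.
   */
  tokenUrl: string;
  /** Client ID (optional when already embedded in authorization URL) */
  clientId?: string;
  /**
   * Client secret (optional for PKCE flows). This is a credential: keep it
   * out of logs and error messages.
   */
  clientSecret?: string;
  /** OAuth scopes (space-separated) */
  scopes?: string;
  /** Exact redirect URI to advertise to the provider */
  redirectUri?: string;
  /** Custom callback port (default: 3000) */
  callbackPort?: number;
  /** Custom callback path (default: /callback or redirectUri pathname) */
  callbackPath?: string;
}

/**
 * Generic OAuth flow for MCP servers.
 * Supports standard OAuth 2.0 authorization code flow with PKCE.
 */
export declare class MCPOAuthFlow extends OAuthCallbackFlow {
  #private;
  private config;

  /**
   * @param config - Endpoints and client settings for the target MCP server.
   * @param ctrl - Controller handed to the flow; its role is defined by
   *   `OAuthController`, which is declared outside this file.
   */
  constructor(config: MCPOAuthConfig, ctrl: OAuthController);

  /**
   * Client id used during the authorization request. Returns the value supplied
   * via {@link MCPOAuthConfig.clientId} or, when the server required dynamic
   * client registration, the id issued during registration. `undefined` until
   * {@link generateAuthUrl} (or {@link login}) has run for a server that needs
   * a client id.
   */
  get resolvedClientId(): string | undefined;

  /**
   * Client secret issued by dynamic client registration, if any. Always
   * `undefined` for PKCE-only/public clients and when the caller supplies the
   * client id via config.
   *
   * The returned value is a credential: store it with the same protection as
   * the tokens and do not log it.
   */
  get registeredClientSecret(): string | undefined;

  /**
   * Produces the authorization URL the user is sent to.
   *
   * @param state - `state` value for this authorization request.
   * @param redirectUri - Redirect URI advertised to the provider.
   * @returns The URL to open and, optionally, instructions to show the user.
   */
  generateAuthUrl(
    state: string,
    redirectUri: string,
  ): Promise<{
    url: string;
    instructions?: string;
  }>;

  /**
   * Exchanges the authorization code received on the callback for credentials.
   *
   * @param code - Authorization code returned by the provider.
   * @param _state - `state` value from the callback. The underscore prefix
   *   suggests this method does not read it. NOTE(review): confirm that the
   *   callback's `state` is compared with the one passed to
   *   {@link generateAuthUrl} elsewhere (presumably in `OAuthCallbackFlow`)
   *   before this method is reached.
   * @param redirectUri - Redirect URI used for the authorization request.
   * @returns The credentials obtained from the token endpoint.
   */
  exchangeToken(code: string, _state: string, redirectUri: string): Promise<OAuthCredentials>;
}

/**
 * Refresh an MCP OAuth token using the standard refresh_token grant.
 * Returns updated credentials; preserves the old refresh token if the server doesn't rotate it.
 *
 * @param tokenUrl - Token endpoint URL; the refresh token and any client
 *   credentials are sent to it.
 * @param refreshToken - Refresh token from a previous grant.
 * @param clientId - Client id, when the server requires one.
 * @param clientSecret - Client secret, for confidential clients.
 * @returns The updated credentials.
 */
export declare function refreshMCPOAuthToken(
  tokenUrl: string,
  refreshToken: string,
  clientId?: string,
  clientSecret?: string,
): Promise<OAuthCredentials>;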