import { GoogleAuth } from 'google-auth-library';
import type { Logger } from '../logging/types.js';
type ImpersonatedIdTokenFetcherOptions = {
    logger?: Logger;
    authClient?: GoogleAuth;
    refreshBufferSeconds?: number;
};
/**
 * Retrieves and caches short-lived ID tokens via service account impersonation.
 * Built on Google IAM Service Account Impersonation. Renews the token when its
 * remaining lifetime is below the configured buffer.
 */
export declare class ImpersonatedIdTokenFetcher {
    private readonly logger;
    private readonly auth;
    private readonly refreshBufferSeconds;
    private cachedIdToken;
    private idTokenExpiresAt;
    private idTokenPromise;
    constructor(options?: ImpersonatedIdTokenFetcherOptions);
    /**
     * Returns a valid ID token for the given service account and audience.
     * Uses in-memory cache and a shared promise to avoid parallel refreshes.
     *
     * @param serviceAccountEmail - Email of the service account to impersonate
     * @param targetAudience - Target audience (aud) for the ID token
     * @returns Valid ID token string
     * @throws Error if token generation fails
     */
    getIdToken(serviceAccountEmail: string, targetAudience: string): Promise<string>;
    /**
     * Generates a new ID token via impersonation and updates the cache/expiry.
     * Throws an error with a safe message if generation fails.
     *
     * @param serviceAccountEmail - Email of the service account to impersonate
     * @param targetAudience - Target audience (aud) for the ID token
     * @returns Generated ID token
     * @throws Error if token generation fails
     */
    private fetchAndCacheIdToken;
}
export {};
//# sourceMappingURL=impersonatedIdToken.d.ts.map