import { type JsonWebKey } from 'node:crypto'; export interface PhotonAuthIssuer { issuer: string; algorithm: 'ES256'; kid: string; defaultTtlSeconds: number; } export interface PhotonAuthTokenOptions { agent: string; audience: string; tenant?: string; scopes?: string[]; ttlSeconds?: number; now?: Date; jti?: string; } export interface PhotonAuthVerifyOptions { issuer: string; audience: string; jwks: { keys: JsonWebKey[]; }; now?: Date; clockSkewSeconds?: number; requiredScopes?: string[]; } export type PhotonJwtVerifyReason = 'missing_token' | 'malformed_token' | 'unsupported_alg' | 'unknown_kid' | 'bad_signature' | 'expired_token' | 'token_not_yet_valid' | 'wrong_issuer' | 'wrong_audience' | 'insufficient_scope' | 'tenant_mismatch'; export interface PhotonJwtClaims { iss: string; sub: string; aud: string | string[]; tenant_id: string; client_id: string; scope?: string; iat: number; nbf: number; exp: number; jti: string; [key: string]: unknown; } export type PhotonJwtVerifyResult = { ok: true; claims: PhotonJwtClaims; } | { ok: false; reason: PhotonJwtVerifyReason; }; export declare function createPhotonAuthKeypair(name: string, now?: Date): { issuer: PhotonAuthIssuer; privateJwk: JsonWebKey; publicJwk: JsonWebKey; jwks: { keys: JsonWebKey[]; }; }; export declare function signPhotonAuthToken(issuer: PhotonAuthIssuer, privateJwk: JsonWebKey, options: PhotonAuthTokenOptions): string; export declare function verifyPhotonAuthToken(token: string | null | undefined, options: PhotonAuthVerifyOptions): PhotonJwtVerifyResult; export declare function normalizeScopes(scopes: string[]): string[]; //# sourceMappingURL=mcp-jwt.d.ts.map