/**
 * AuthHandler - Multi-method authentication handler.
 *
 * Supports Bearer token, API key, and Basic auth with constant-time comparison.
 * Can be used as Hono middleware or standalone validator.
 */
/** Configuration for one or more authentication methods checked by {@link AuthHandler}. */
export interface AuthConfig {
    /** Bearer token matched against the Authorization header. */
    bearerToken?: string;
    /** API key matched against the X-Api-Key header. */
    apiKey?: string;
    /** Custom header name for API key lookup (default: 'X-Api-Key'). */
    apiKeyHeader?: string;
    /** Basic auth credentials as a [username, password] tuple. */
    basicAuth?: [string, string];
    /** Custom validator function; return true to allow the request. */
    customValidator?: (request: {
        headers: Record<string, string>;
        method: string;
        url: string;
    }) => boolean | Promise<boolean>;
    /** When explicitly set to false, deny requests if no auth methods are configured. */
    allowUnauthenticated?: boolean;
}
/** Multi-method authentication handler with timing-safe credential comparison. */
export declare class AuthHandler {
    /** The authentication configuration for this handler. */
    readonly config: AuthConfig;
    /**
     * Create a new AuthHandler.
     * @param config - Authentication configuration specifying one or more auth methods.
     */
    constructor(config: AuthConfig);
    /**
     * Validate request headers against configured auth methods (Bearer, API Key, Basic, Custom) in order.
     * @param headers - The request headers as a string-keyed record.
     * @returns True if any configured method accepts the request, or if no methods are configured.
     */
    validate(headers: Record<string, string>): Promise<boolean>;
    /**
     * Verify a Basic Auth username/password pair against the configured credentials.
     *
     * Returns false immediately if Basic Auth is not configured.
     * Uses constant-time comparison to prevent timing attacks.
     *
     * @param username - The username to verify.
     * @param password - The password to verify.
     * @returns True if the credentials match the configured Basic Auth credentials.
     */
    verifyBasicAuth(username: string, password: string): boolean;
    /**
     * Verify a Bearer token against the configured token.
     *
     * Returns false immediately if Bearer token auth is not configured.
     * Uses constant-time comparison to prevent timing attacks.
     *
     * @param token - The Bearer token string to verify (without the "Bearer " prefix).
     * @returns True if the token matches the configured Bearer token.
     */
    verifyBearerToken(token: string): boolean;
    /**
     * Verify an API key against the configured key.
     *
     * Returns false immediately if API key auth is not configured.
     * Uses constant-time comparison to prevent timing attacks.
     *
     * @param key - The API key string to verify.
     * @returns True if the key matches the configured API key.
     */
    verifyApiKey(key: string): boolean;
    /**
     * Create a Hono-compatible middleware that rejects unauthorized requests with a 401 response.
     * @param optional - When true, unauthenticated requests are allowed through instead of being rejected (default: false).
     * @returns A middleware function suitable for use with Hono's `app.use()`.
     */
    middleware(optional?: boolean): (c: any, next: () => Promise<void>) => Promise<Response | void>;
    /**
     * Create an Express/Connect-compatible middleware adapter.
     *
     * This serves as the framework-agnostic equivalent of Python's
     * `get_fastapi_dependency`. For standalone validation without a
     * framework, use {@link validate} directly.
     *
     * @param optional - When true, unauthenticated requests are allowed through (default: false).
     * @returns An Express-compatible middleware function.
     */
    expressMiddleware(optional?: boolean): (req: any, res: any, next: () => void) => Promise<void>;
    /**
     * Get information about configured authentication methods.
     *
     * Returns structured metadata describing each enabled auth method,
     * including usernames, header names, and usage hints.
     *
     * @returns An object describing the enabled auth methods and their configuration.
     */
    getAuthInfo(): {
        basic?: {
            enabled: true;
            username: string;
        };
        bearer?: {
            enabled: true;
            hint: string;
        };
        apiKey?: {
            enabled: true;
            header: string;
            hint: string;
        };
    };
    /**
     * Check whether Bearer token authentication is configured.
     * @returns True if a bearer token has been set.
     */
    hasBearerAuth(): boolean;
    /**
     * Check whether API key authentication is configured.
     * @returns True if an API key has been set.
     */
    hasApiKeyAuth(): boolean;
    /**
     * Check whether Basic authentication is configured.
     * @returns True if basic auth credentials have been set.
     */
    hasBasicAuth(): boolean;
}