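import { RequireExactlyOne } from 'type-fest';
import { AxiosError } from 'axios';

/** Authorization scopes for grantless Selling Partner API operations. */
declare enum AuthorizationScope {
  /** Scope for the Notifications API. */
  NOTIFICATIONS = "sellingpartnerapi::notifications",
  /**
   * Scope for rotating application client credentials.
   *
   * Least privilege: request this scope only from the component that performs
   * the rotation, not from general-purpose API clients.
   */
  CLIENT_CREDENTIAL_ROTATION = "sellingpartnerapi::client_credential:rotation"
}

/**
 * Fields common to every LWA token request.
 *
 * `client_secret` is a long-lived credential: any value of this shape must be
 * kept out of logs, traces and error reports.
 */
interface BaseAccessTokenQuery {
  client_id: string;
  client_secret: string;
}

/** Token request for the refresh-token grant; `refresh_token` is itself a credential. */
type RefreshTokenAccessTokenQuery = {
  grant_type: 'refresh_token';
  refresh_token: string;
} & BaseAccessTokenQuery;

/** Token request for the client-credentials (grantless) grant. */
type ClientCredentialsAccessTokenQuery = {
  grant_type: 'client_credentials';
  // A single string on the wire, while SellingPartnerAuthParameters.scopes is an array.
  // NOTE(review): how the array is serialized is not visible in this declaration.
  scope: string;
} & BaseAccessTokenQuery;

/** Request body for the LWA token endpoint. */
type AccessTokenQuery = RefreshTokenAccessTokenQuery | ClientCredentialsAccessTokenQuery;

/** Response body from the LWA token endpoint. */
interface AccessTokenData {
  /** Bearer credential; treat it as a secret for as long as it is valid. */
  access_token: string;
  /** Optional in the response, so callers must not assume it is present. */
  refresh_token?: string;
  token_type: string;
  // NOTE(review): presumably a lifetime in seconds, per OAuth 2.0 convention — confirm.
  expires_in: number;
}

/**
 * Error thrown when an LWA token request fails.
 *
 * Wraps the underlying Axios error with a human-readable message that includes
 * the HTTP status code (or "No response" for network errors).
 *
 * Security note: this class extends `AxiosError`, whose `config`, `request` and
 * `response` fields (and `toJSON()` output) can describe the failed request.
 * For a token request the body is an `AccessTokenQuery`, which contains
 * `client_secret` and, for the refresh-token grant, `refresh_token`. Whether
 * the constructor copies those fields from the wrapped error is not visible in
 * this declaration, so log `message` and the status code rather than the whole
 * error object, or redact it first.
 */
declare class SellingPartnerApiAuthError extends AxiosError {
  /** The original error message from the failed HTTP request. */
  readonly innerMessage: string;
  constructor(error: AxiosError);
}

/**
 * Configuration parameters for Selling Partner API authentication.
 *
 * Both `clientId` and `clientSecret` fall back to the `LWA_CLIENT_ID` and
 * `LWA_CLIENT_SECRET` environment variables when omitted.
 * `refreshToken` falls back to `LWA_REFRESH_TOKEN`.
 *
 * Supplying the secrets through the environment (or a secret manager that
 * populates it) keeps them out of source control; avoid hard-coding them.
 */
interface SellingPartnerAuthParameters {
  /** LWA client identifier. Defaults to the `LWA_CLIENT_ID` environment variable. */
  clientId?: string;
  /** LWA client secret. Defaults to the `LWA_CLIENT_SECRET` environment variable. */
  clientSecret?: string;
  /** LWA refresh token. Defaults to the `LWA_REFRESH_TOKEN` environment variable. Mutually exclusive with `scopes`. */
  refreshToken?: string;
  /** Authorization scopes for grantless operations. Mutually exclusive with `refreshToken`. */
  scopes?: AuthorizationScope[];
}

/**
 * Handles Login with Amazon (LWA) OAuth token management for the Selling Partner API.
 *
 * Supports both refresh-token and grantless (scope-based) authentication flows.
 * Tokens are cached and automatically refreshed when expired. Concurrent calls
 * to {@link getAccessToken} are deduplicated into a single request.
 */
declare class SellingPartnerApiAuth {
  #private;
  // TypeScript `private` is erased at compile time: these are ordinary
  // properties at runtime, so serializing or inspecting an instance (for
  // example in a debug log) can reveal `clientSecret` and `refreshToken`.
  private readonly clientId;
  private readonly clientSecret;
  private readonly refreshToken?;
  private readonly scopes?;
  /**
   * @param parameters Credentials and exactly one of `refreshToken` or `scopes`.
   */
  // NOTE(review): the type arguments are restored from the documented
  // refreshToken/scopes exclusivity; a bare `RequireExactlyOne` does not
  // type-check. Confirm against the package source.
  constructor(parameters: RequireExactlyOne<SellingPartnerAuthParameters, 'refreshToken' | 'scopes'>);
  /**
   * Returns a valid LWA access token, refreshing it if expired.
   *
   * Concurrent calls while a refresh is in progress share the same request.
   *
   * The returned string is a bearer credential: pass it to the API client and
   * keep it out of logs and persistent storage.
   *
   * @returns The access token string.
   * @throws SellingPartnerApiAuthError Presumably when the token request fails,
   *   per that class's documentation — confirm against the implementation.
   */
  getAccessToken(): Promise<string>;
  /**
   * Expiration date of the currently cached access token, or `undefined` if no token has been fetched yet.
   */
  protected get accessTokenExpiration(): Date | undefined;
}

export { AuthorizationScope, SellingPartnerApiAuth, SellingPartnerApiAuthError, type SellingPartnerAuthParameters };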