/**
 * Refresh token lifecycle (Platform-audience OAuth rotation).
 *
 *   POST /auth/refresh   — rotate a refresh token and mint a new access JWT
 *   POST /auth/logout    — revoke the presented refresh token (sign out)
 *
 * The refresh endpoint is PUBLIC (no platformAuth middleware) because it
 * authenticates via the refresh token itself in the JSON body.
 *
 * Note (ADR-089 Phase 5.1): these endpoints currently live on the
 * Platform host but authenticate BaaS-issued refresh tokens. When Phase
 * 5.1 consolidates the full OAuth AS on the runtime/BaaS plane, these
 * methods will move to `@sylphx/sdk.auth.oauth`. Until then, Management
 * exposes them so Console / CLI have a single type-safe surface.
 *
 * @see docs/adr/ADR-059-unified-credentials.md §1.1
 * @see docs/adr/ADR-089-platform-as-first-customer-of-baas.md
 */
import { authEndpoints, type RefreshTokenResult } from '@sylphx/contract';
import type { Client } from './client.js';
export type RefreshResult = RefreshTokenResult;
type EndpointResponse<E> = E extends {
    readonly response: {
        readonly Type: infer T;
    };
} ? T : never;
export type SignOutResult = EndpointResponse<typeof authEndpoints.signOut>;
/**
 * Rotate a refresh token. Returns a fresh access+refresh pair; the
 * presented refresh token is invalidated server-side (single-use
 * rotation per ADR-059 §1.1).
 */
export declare const rotate: (client: Client, refreshToken: string) => Promise<RefreshResult>;
/**
 * Revoke a refresh token (sign out). Idempotent — revoking an already-
 * revoked or unknown token still returns success to prevent side-channel
 * token-existence probing.
 */
export declare const signOut: (client: Client, refreshToken: string) => Promise<SignOutResult>;
/** Backwards-compat alias used by some Console flows. */
export declare const revoke: (client: Client, refreshToken: string) => Promise<SignOutResult>;
export {};
//# sourceMappingURL=refresh.d.ts.map