export interface UmbAuthClientEndpoints {
    authorizationEndpoint: string;
    tokenEndpoint: string;
    revocationEndpoint: string;
    linkEndpoint: string;
    linkKeyEndpoint: string;
    unlinkEndpoint: string;
}
export interface UmbTokenEndpointResponse {
    expiresIn: number;
    issuedAt: number;
}
/**
 * Minimal PKCE + token endpoint client.
 * All token values are `[redacted]` with cookie auth — this client only tracks session timing.
 * Zero localStorage usage.
 */
export declare class UmbAuthClient {
    #private;
    constructor(endpoints: UmbAuthClientEndpoints, redirectUri: string, clientId?: string, scope?: string);
    get codeVerifier(): string | undefined;
    get state(): string | undefined;
    /**
     * Generates PKCE parameters and builds the authorization URL.
     */
    buildAuthorizationUrl(identityProvider: string, usernameHint?: string): Promise<string>;
    /**
     * Exchanges an authorization code for tokens.
     * Real tokens are stored in httpOnly cookies by the server.
     * We only extract session timing from the response.
     */
    exchangeCode(code: string, codeVerifier: string): Promise<UmbTokenEndpointResponse | undefined>;
    /**
     * Refreshes the session using the httpOnly refresh token cookie.
     * The `refresh_token` body parameter is `[redacted]` because the server's
     * `HideBackOfficeTokensHandler` intercepts the request and swaps it for
     * the real token from the httpOnly cookie. The parameter must be present
     * (OpenIddict's pipeline requires it) but the value is ignored by the handler.
     */
    refreshToken(): Promise<UmbTokenEndpointResponse | undefined>;
    /**
     * Revokes the current session tokens via the revocation endpoint.
     */
    revokeToken(): Promise<void>;
    /**
     * Clears the in-memory PKCE state after login completes.
     */
    clearPkceState(): void;
}