/**
 * SDK Authentication Utilities
 *
 * This module provides SDK-level authentication utilities focused
 * on token acquisition. It uses the credentials system for resolution
 * and handles different credential types appropriately.
 *
 * CLI-specific functionality like login/logout is handled by the
 * @zapier/zapier-sdk-cli package (imported via its `./login` subpath).
 */
import type { EventCallback } from "./types/events";
import type { Credentials, ClientCredentialsObject } from "./types/credentials";
import { type ZapierCache } from "./cache";
export type { ZapierCache, ZapierCacheEntry, ZapierCacheSetOptions, } from "./cache";
export { createMemoryCache } from "./cache";
export type { SdkEvent, AuthEvent, ApiEvent, LoadingEvent, EventCallback, } from "./types/events";
export type { Credentials, ResolvedCredentials, CredentialsObject, ClientCredentialsObject, PkceCredentialsObject, } from "./types/credentials";
export { isClientCredentials, isPkceCredentials, isCredentialsObject, isCredentialsFunction, } from "./types/credentials";
/**
 * Options for resolving auth tokens.
 */
export interface ResolveAuthTokenOptions {
    credentials?: Credentials;
    /** @deprecated Use `credentials` instead */
    token?: string;
    onEvent?: EventCallback;
    fetch?: typeof globalThis.fetch;
    baseUrl?: string;
    /**
     * Additional OAuth scopes required for this request. When using client
     * credentials, these scopes will be merged with any scopes specified in
     * the credentials object during token exchange.
     */
    requiredScopes?: string[];
    /** Enable debug logging for auth operations. */
    debug?: boolean;
    /**
     * Pluggable key-value cache used to cache access tokens across
     * process boundaries. When omitted, the SDK tries to load a default
     * adapter from the cli-login package (file system + keychain) and
     * falls back to in-memory cache if none is available.
     */
    cache?: ZapierCache;
}
/**
 * Clear in-process caches. Useful for testing or to force the next
 * resolve to re-import the default cache adapter. Does not touch
 * persistent cache — use `invalidateCachedToken` for that.
 */
export declare function clearTokenCache(): void;
/**
 * Invalidate the cached token for a given client_credentials identity.
 * Called on 401 so the next request re-exchanges. Clears both the
 * in-process pending-exchange map and the persistent layer via the
 * resolved cache adapter.
 */
export declare function invalidateCachedToken(options: {
    clientId: string;
    scopes: string[];
    baseUrl: string;
    cache?: ZapierCache;
}): Promise<void>;
/**
 * Options for getTokenFromCliLogin.
 */
interface CliLoginOptions {
    onEvent?: EventCallback;
    fetch?: typeof globalThis.fetch;
    credentials?: {
        type?: "pkce";
        clientId: string;
        baseUrl?: string;
        scope?: string;
    };
    debug?: boolean;
}
type CliLoginModule = typeof import("@zapier/zapier-sdk-cli/login") & {
    getActiveCredentials?: (options?: {
        baseUrl?: string;
    }) => {
        clientId: string;
        scopes: string[];
        baseUrl?: string;
    } | undefined;
    getStoredClientCredentials?: (options?: {
        baseUrl?: string;
    }) => Promise<ClientCredentialsObject | undefined>;
};
/**
 * Inject an already-loaded CLI login module so the SDK skips its dynamic import.
 * This guarantees CLI and SDK share the same module instance in the same process.
 */
export declare function injectCliLogin(module: CliLoginModule): void;
/**
 * Returns whether a CLI login package is available.
 * `undefined` if no import has been attempted yet, `true` if found, `false` if not.
 */
export declare function isCliLoginAvailable(): boolean | undefined;
/**
 * Attempts to get a token from the CLI login package.
 *
 * Returns undefined if no valid token is found or no login package is available.
 * Throws if there's an actual error (like token refresh failure).
 */
export declare function getTokenFromCliLogin(options: CliLoginOptions): Promise<string | undefined>;
/**
 * Resolves an auth token from wherever it can be found.
 *
 * Resolution order:
 * 1. Explicit credentials option (or deprecated token option)
 * 2. Environment variables
 * 3. CLI login package (if available)
 *
 * For different credential types:
 * - String: Used directly as the token
 * - Client credentials: Exchanged for an access token (with caching)
 * - PKCE: Delegates to CLI login (throws if not available)
 *
 * Returns undefined if no valid token is found.
 */
export declare function resolveAuthToken(options?: ResolveAuthTokenOptions): Promise<string | undefined>;
/**
 * Invalidate the cached token for the given credentials, if applicable.
 * This is called when we receive a 401 response, indicating the token
 * is no longer valid. Only affects client_credentials flow tokens.
 */
export declare function invalidateCredentialsToken(options: {
    credentials?: Credentials;
    token?: string;
    baseUrl?: string;
    requiredScopes?: string[];
    cache?: ZapierCache;
}): Promise<void>;
//# sourceMappingURL=auth.d.ts.map