type JsonRecord = Record; export declare const AP2_PROTOCOL = "agent-payments-protocol"; export declare const AP2_MANDATE_JWS_ALG = "EdDSA"; /** Logical claims extracted from a verified AP2 Payment Mandate. */ export interface Ap2MandateClaims { /** Mandate type marker — the PaymentMandate `vct` (e.g. "mandate.payment.1"), or a legacy type string. */ mandateType: string | null; /** Maximum authorized amount, integer minor units (matches VRP/Stripe). */ maxAmountMinor: number | null; /** ISO 4217 currency code, uppercased. */ currency: string | null; /** Merchant the human authorized to be paid — here, the host domain (normalised). */ merchant: string | null; /** Optional cart/offer identifier tying the mandate to a specific VRP offer. */ cartId: string | null; /** Expiry as epoch milliseconds, or null if none present. */ expiresAtMs: number | null; } export interface Ap2ChargeContext { /** Amount about to be charged, integer minor units. */ amountMinor: number; /** ISO 4217 currency code of the charge (any case). */ currency: string; /** Merchant / host domain receiving payment. */ merchantDomain: string; /** Optional VRP offer/cart id the charge corresponds to. */ cartId?: string; } export interface Ap2AuthorizationResult { authorized: boolean; reason?: string; claims?: Ap2MandateClaims; } /** Extract logical claims from a (signature-verified) mandate payload. */ export declare function extractMandateClaims(payload: JsonRecord): Ap2MandateClaims; /** * Verify an AP2 mandate JWS and decode its claims. Throws on signature * failure or malformed token (fail-closed). */ export declare function verifyAp2Mandate(mandateJws: string, issuerJwks: JsonRecord): { header: JsonRecord; payload: JsonRecord; claims: Ap2MandateClaims; }; /** * Check that a (signature-verified) mandate authorizes a specific charge. * Fails closed: any missing constraint or mismatch → not authorized. */ export declare function mandateAuthorizesCharge(claims: Ap2MandateClaims, charge: Ap2ChargeContext, nowMs?: number): Ap2AuthorizationResult; /** * Full verify-and-authorize for the payment step: verify the mandate * signature against the issuer JWKS, then check it authorizes the charge. * Throws only on signature/parse failure; returns { authorized:false, * reason } for policy failures. */ export declare function verifyAp2PaymentMandate(mandateJws: string, issuerJwks: JsonRecord, charge: Ap2ChargeContext, nowMs?: number): Ap2AuthorizationResult; /** * Resolve the issuer's Ed25519 JWKS from a mandate's jwks_uri (https only). * The payer's credentials provider publishes its keys; the merchant fetches * them to verify the mandate signature. Returns null if unavailable. */ export declare function resolveAp2IssuerJwks(jwksUri: string): Promise; export {};