/**
 * json-web-token — JWT encode/decode with zero runtime dependencies.
 *
 * v4 highlights:
 *   - Fixes CVE-2023-48238 (algorithm confusion). The library now
 *     rejects any token whose algorithm family does not match the
 *     key it was handed. PEM-encoded keys can only be used with the
 *     asymmetric algorithms; plain secrets can only be used with the
 *     HMAC algorithms. Optional `algorithms` allowlist on `decode`
 *     adds a second layer for safety-conscious callers.
 *   - Zero runtime deps (Node's `crypto` + `Buffer` only). Drops
 *     base64-url, is.object, json-parse-safe, xtend.
 *   - HMAC verification uses `crypto.timingSafeEqual` instead of a
 *     plain `===` compare, so an attacker can't timing-leak which
 *     prefix bytes of the signature match.
 *   - `alg: 'none'` and unknown algorithms continue to be rejected.
 *   - Synchronous result-object API only — callbacks dropped:
 *       encode(key, data, [algorithm])  →  { error, value }
 *       decode(key, token, [options])   →  { error, value, header? }
 *     Wrap in a Promise yourself if you want async ergonomics.
 */
declare const algorithms: {
    readonly HS256: {
        readonly hash: "sha256";
        readonly type: "hmac";
    };
    readonly HS384: {
        readonly hash: "sha384";
        readonly type: "hmac";
    };
    readonly HS512: {
        readonly hash: "sha512";
        readonly type: "hmac";
    };
    readonly RS256: {
        readonly hash: "RSA-SHA256";
        readonly type: "sign";
    };
};
type AlgorithmName = keyof typeof algorithms;
declare class JWTError extends Error {
    constructor(message: string);
}
interface JWTHeader {
    typ?: string;
    alg?: string;
    [key: string]: unknown;
}
interface EncodeResult {
    error: JWTError | null;
    value: string | null;
}
interface DecodeResult {
    error: JWTError | null;
    value: unknown;
    header?: JWTHeader;
}
interface DecodeOptions {
    /**
     * Optional whitelist of acceptable algorithms (e.g. `["RS256"]`).
     * When provided, `decode` rejects any token whose `header.alg` is
     * not in the list. The key-type vs algorithm-type guard runs
     * regardless of this option.
     */
    algorithms?: string[];
}
type Key = string | Buffer;
declare function getAlgorithms(): AlgorithmName[];
declare function encode(key: Key, data: unknown, algorithm?: string): EncodeResult;
declare function decode(key: Key, token: string, options?: DecodeOptions): DecodeResult;

export { type DecodeOptions, type DecodeResult, type EncodeResult, JWTError, type JWTHeader, decode, encode, getAlgorithms };