import { AuthorizationParams } from './types.js';
import { OAuthRegisteredClientsStore } from './clients.js';
import { OAuthClientInformationFull, OAuthClientMetadata, OAuthTokenRevocationRequest, OAuthTokens } from './schemas.js';
import { Response } from 'express';
import { AuthInfo } from './types.js';
import { DeviceAuthorizationEndpointResponse } from './types';
import { OAuthServerModel } from './OAuthServerModel';
export declare const SUPPORTED_GRANT_TYPES: readonly ["authorization_code", "refresh_token", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code"];
export type OAuthGrantType = (typeof SUPPORTED_GRANT_TYPES)[number];
export declare const DEFAULT_GRANT_TYPES: OAuthGrantType[];
type ErrorHandler = (step: 'getClient' | 'registerClient' | 'authorize' | 'authenticate' | 'exchangeAuthorizationCode' | 'exchangeRefreshToken' | 'exchangeClientCredentials' | 'verifyAccessToken' | 'revokeToken' | 'requestDeviceAuthorization' | 'exchangeDeviceCode' | 'approveDeviceAuthorization' | 'denyDeviceAuthorization', error: Error, params?: any) => void;
export interface OAuthServerOptions {
    /**
     * The model to use for the OAuth server.
     * @default {@link MemoryOAuthServerModel}
     */
    model?: OAuthServerModel;
    /**
     * The URL to redirect the user to for authorization.
     *
     * This may be a consent screen hosted on the Authorization Server
     * or a custom consent screen hosted on another frontend,
     * like your web application.
     */
    authorizationUrl?: URL;
    /**
     * The scopes supported by this OAuth server.
     *
     * If the client does not include any scopes in the request, the server will default to all the supported scopes.
     *
     * Some MCP clients do not follow the spec and do not include any scopes in the request.
     */
    scopesSupported?: string[];
    /**
     * The lifetime of the access token in seconds.
     *
     * @default 1 hour
     */
    accessTokenLifetime?: number;
    /**
     * Whether to validate the resource indicator in the authorization request.
     *
     * @default true
     */
    strictResource?: boolean;
    /**
     * The number of seconds after which to expire issued client secrets, or 0 to prevent expiration of client secrets (not recommended).
     *
     * Public clients (clients registered with token_endpoint_auth_method = 'none') do not have a client secret and lives forever.
     *
     * @default 3 months
     */
    clientSecretLifetime?: number;
    /**
     * The lifetime of the refresh token in seconds.
     *
     * @default 2 weeks
     */
    refreshTokenLifetime?: number;
    /**
     * The lifetime of the authorization code in seconds.
     *
     * @default 5 minutes
     */
    authorizationCodeLifetime?: number;
    /**
     * The URL of the protected resource (RS) whose metadata we advertise.
     * If not provided, the resource param will not be validated.
     */
    resourceServerUrl?: URL;
    /**
     * Modify the authorization redirect URL.
     * This can be used to add metadata to the authorization redirect URL, like the client name, client URI, or logo URI.
     * @param url The authorizationUrl with required oauth query string parameters set
     * @param client The client trying to authenticate
     * @param params The authorization parameters
     * @returns nothing, the url object is mutated
     */
    modifyAuthorizationRedirectUrl?: (url: URL, client: OAuthClientInformationFull, params: AuthorizationParams) => Promise<void> | void;
    /**
     * The auth router may swallow errors thrown in OAuthServer methods.
     */
    errorHandler?: ErrorHandler;
    /**
     * RFC 8628: URL where the user enters the `user_code` (device flow).
     * When set, device authorization endpoints are enabled and the model must implement device persistence methods.
     */
    deviceAuthorizationUrl?: URL;
    /**
     * Lifetime of the device code in seconds (RFC 8628 `expires_in`).
     * @default 900 (15 minutes)
     */
    deviceAuthorizationLifetime?: number;
    /**
     * Minimum interval in seconds between token polls while authorization is pending (RFC 8628 `interval`).
     * @default 5
     */
    devicePollIntervalSeconds?: number;
    /**
     * Enabled OAuth grant types.
     * @default ['authorization_code', 'refresh_token']
     */
    grantTypes?: OAuthGrantType[];
    /**
     * Enable RFC 7591 dynamic client registration (`/register`).
     * @default true
     */
    dynamicClientRegistration?: boolean;
}
/**
 * The OAuth Server provider to be used with `mcpAuthRouter` from [@modelcontextprotocol/typescript-sdk](https://github.com/modelcontextprotocol/typescript-sdk)
 */
export declare class OAuthServer implements OAuthServerOptions, OAuthRegisteredClientsStore {
    model: OAuthServerModel;
    authorizationUrl?: URL;
    scopesSupported?: string[];
    accessTokenLifetime: number;
    refreshTokenLifetime: number;
    clientSecretLifetime: number;
    authorizationCodeLifetime: number;
    strictResource: boolean;
    resourceServerUrl?: URL;
    modifyAuthorizationRedirectUrl?: OAuthServerOptions['modifyAuthorizationRedirectUrl'];
    errorHandler: ErrorHandler;
    grantTypes: OAuthGrantType[];
    dynamicClientRegistration: boolean;
    deviceAuthorizationUrl?: URL;
    deviceAuthorizationLifetime: number;
    devicePollIntervalSeconds: number;
    constructor(options: OAuthServerOptions);
    private validateGrantTypesAndModelCapabilities;
    getClient(clientId: string): Promise<{
        redirect_uris: string[];
        client_id: string;
        token_endpoint_auth_method?: string | undefined;
        grant_types?: string[] | undefined;
        response_types?: string[] | undefined;
        client_name?: string | undefined;
        client_uri?: string | undefined;
        logo_uri?: string | undefined;
        scope?: string | undefined;
        contacts?: string[] | undefined;
        tos_uri?: string | undefined;
        policy_uri?: string | undefined;
        jwks_uri?: string | undefined;
        jwks?: any;
        software_id?: string | undefined;
        software_version?: string | undefined;
        software_statement?: string | undefined;
        client_secret?: string | undefined;
        client_id_issued_at?: number | undefined;
        client_secret_expires_at?: number | undefined;
    } | undefined>;
    registerClient(clientMetadata: OAuthClientMetadata): Promise<{
        redirect_uris: string[];
        client_id: string;
        token_endpoint_auth_method?: string | undefined;
        grant_types?: string[] | undefined;
        response_types?: string[] | undefined;
        client_name?: string | undefined;
        client_uri?: string | undefined;
        logo_uri?: string | undefined;
        scope?: string | undefined;
        contacts?: string[] | undefined;
        tos_uri?: string | undefined;
        policy_uri?: string | undefined;
        jwks_uri?: string | undefined;
        jwks?: any;
        software_id?: string | undefined;
        software_version?: string | undefined;
        software_statement?: string | undefined;
        client_secret?: string | undefined;
        client_id_issued_at?: number | undefined;
        client_secret_expires_at?: number | undefined;
    }>;
    authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise<void>;
    authenticate(client: OAuthClientInformationFull, params: AuthorizationParams, userId: string, res: Response): Promise<void>;
    exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, codeVerifier: string, redirectUri?: string, // the redirect URI used to obtain the authorization code, removed in OAuth 2.1
    resource?: URL): Promise<OAuthTokens>;
    exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: URL): Promise<OAuthTokens>;
    exchangeClientCredentials(client: OAuthClientInformationFull, scopes?: string[], resource?: URL): Promise<OAuthTokens>;
    verifyAccessToken(token: string): Promise<AuthInfo>;
    revokeToken(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
    requestDeviceAuthorization(client: OAuthClientInformationFull, params: {
        scopes?: string[];
        resource?: URL;
    }): Promise<DeviceAuthorizationEndpointResponse>;
    exchangeDeviceCode(client: OAuthClientInformationFull, deviceCode: string): Promise<OAuthTokens>;
    /**
     * Mark a pending device authorization as approved after the resource owner authenticated
     * (call from your verification UI when the user confirms).
     */
    approveDeviceAuthorization(userCode: string, userId: string): Promise<void>;
    /**
     * Mark a pending device authorization as denied (call from your verification UI when the user declines).
     */
    denyDeviceAuthorization(userCode: string): Promise<void>;
    private generateToken;
    /**
     * Validates requested scopes.
     *
     * Some MCP clients do not send scopes at all. If no scopes are requested,
     * we default to the scopes supported by the server.
     *
     * If a scope that is not supported by the server is requested, we throw an error.
     */
    private validateScope;
    /**
     * Validates the resource indicator against the configured resourceServerUrl.
     *
     * If strictResource is not set, we do not validate the resource indicator and it's up to the user
     * to validate the resource indicator themselves, if desired.
     */
    private validateResource;
}
export {};