import type { DateTime } from "node-opcua-basic-types";
import type { DerivedKeys } from "node-opcua-crypto/web";
import type { DerivedKeys1 } from "./security_policy";
export interface ISecurityToken {
    tokenId: number;
    createdAt: DateTime;
    revisedLifetime: number;
    channelId: number;
}
export interface SecurityTokenAndDerivedKeys {
    securityToken: ISecurityToken;
    derivedKeys: DerivedKeys1 | null;
}
export interface IDerivedKeyProvider {
    getDerivedKey(tokenId: number): DerivedKeys | null;
}
export declare class TokenStack {
    #private;
    private id;
    constructor(channelId: number);
    serverKeyProvider(): IDerivedKeyProvider;
    clientKeyProvider(): IDerivedKeyProvider;
    pushNewToken(securityToken: ISecurityToken, derivedKeys: DerivedKeys1 | null): void;
    private tokenIds;
    getToken(tokenId: number): ISecurityToken | null;
    getTokenDerivedKeys(tokenId: number): DerivedKeys1 | null;
    /**
     * Returns the derived keys for the most recent (newest) token
     * that has not "really expired".
     *
     * This is used as a fallback when the tokenId from the original
     * request has expired: as per OPC UA Part 6 §6.7.3, the server
     * should use the current active token to secure outgoing messages.
     */
    getLatestTokenDerivedKeys(): {
        tokenId: number;
        derivedKeys: DerivedKeys1;
    } | null;
    removeOldTokens(): void;
}