import { CamundaPlatform8Configuration, DeepPartial } from '../../lib';
import { IHeadersProvider, Token } from '../index';
import { TokenGrantAudienceType } from './IHeadersProvider';
/**
 * The `OAuthProvider` class is an implementation of the {@link IHeadersProvider}
 * interface that uses the OAuth 2.0 client credentials grant to authenticate
 * with the Camunda Platform 8 Identity service. It handles token expiration
 * and renewal, and caches tokens in memory and on disk.
 *
 * It is used by the SDK to authenticate with the Camunda Platform 8. You will
 * rarely need to use this class directly, as it is used internally by the SDK.
 *
 * @example
 * ```typescript
 * const authProvider = new OAuthProvider({
 *   config: {
 *     CAMUNDA_OAUTH_URL: 'https://login.cloud.camunda.io/oauth/token',
 *     ZEEBE_CLIENT_ID: 'your-client-id',
 *     ZEEBE_CLIENT_SECRET: 'your-client-secret',
 *   },
 * })
 *
 * const token = await authProvider.getToken('ZEEBE')
 * ```
 */
export declare class OAuthProvider implements IHeadersProvider {
    private static readonly defaultTokenCache;
    private static instances;
    private cacheDir;
    private authServerUrl;
    private mTLSPrivateKey;
    private mTLSCertChain;
    private clientId;
    private clientSecret;
    private useFileCache;
    tokenCache: {
        [key: string]: Token;
    };
    private failed;
    private failureCount;
    private inflightTokenRequests;
    /** Memoized 401 responses for SaaS cooldown buffering */
    private memoized401;
    /** Persistent tarpit flag files for SaaS 401 (keyed by clientId+secret+audience) */
    private tarpit401;
    userAgentString: string;
    private scope;
    private audienceMap;
    private consoleClientId;
    private consoleClientSecret;
    private isCamundaSaaS;
    private camundaModelerOAuthAudience;
    private refreshWindow;
    private rest;
    private log;
    private failOnError;
    /**
     *
     * @param dir Optional directory to clear the cache from. If not provided, the default cache directory is used.
     * @description Clears the OAuth token cache directory. This will remove all cached tokens from the specified directory.
     */
    static clearCacheDir(dir?: string): void;
    constructor(options?: {
        config?: DeepPartial<CamundaPlatform8Configuration>;
    });
    getHeaders(audienceType: TokenGrantAudienceType): Promise<import("./IHeadersProvider").AuthHeader | {
        authorization: string;
    }>;
    flushMemoryCache(): void;
    flushFileCache(): void;
    /** Camunda SaaS needs an audience for a Modeler token request, and Self-Managed does not. */
    private addAudienceIfNeeded;
    private makeDebouncedTokenRequest;
    private sendToMemoryCache;
    private retrieveFromFileCache;
    private sendToFileCache;
    private isExpired;
    private evictFromMemoryCache;
    private evictFromFileCache;
    private getCacheKey;
    private getCachedTokenFileName;
    private getAudience;
    private addBearer;
    private redactClientSecret;
    static SAAS_401_COOLDOWN_MS: number;
    /**
     * Known Camunda SaaS OAuth hosts. Used for centralised SaaS detection.
     */
    private static readonly SAAS_OAUTH_HOSTS;
    /**
     * Determines whether the given OAuth URL belongs to a Camunda SaaS environment.
     * Normalises the URL by stripping trailing slashes, query params, and fragments
     * so that logically equivalent URLs are detected consistently.
     */
    private static isSaaSUrl;
    private getCredentialAudienceKey;
    private is401Error;
    /** Persistent 401 tarpit helpers */
    private getTarpitFilePath;
    private isTarpitted;
    private hashSecret;
    private createTarpitFile;
    /** Public static helper to clear a specific persistent 401 tarpit */
    static clear401Tarpit({ cacheDir, clientId, clientSecret, audienceType, }: {
        cacheDir?: string;
        clientId: string;
        clientSecret: string;
        audienceType: TokenGrantAudienceType;
    }): void;
}