/**
 * authProvider.ts
 *
 * Implements the OAuth client interface for authentication with Civic services.
 * Handles PKCE flow and token management through the OAuthClientProvider interface.
 */
import type { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
import type { Tokens } from "./types.js";
/**
 * Implementation of OAuthClientProvider for Civic authentication
 * Handles PKCE flow and token management
 */
export declare class CivicAuthProvider implements OAuthClientProvider {
    private _codeVerifier;
    private _oidcConfigPromise;
    private _authInProgress;
    private _refreshInProgress;
    private _tokenChangedCallbacks;
    private _isInstallMode;
    constructor();
    /**
     * Check for refresh token on startup and refresh tokens if available
     */
    refreshTokensIfAvailable(): Promise<boolean>;
    /**
     * Refresh tokens using the refresh_token grant type
     * @param refreshToken The refresh token to use
     */
    refreshTokens(refreshToken: string): Promise<boolean>;
    /**
     * Generate a random PKCE code verifier
     * This is a cryptographically random string used for PKCE flow
     */
    private generateCodeVerifier;
    /**
     * Generate a code challenge from the code verifier
     * This is the SHA256 hash of the verifier, encoded as base64url
     */
    private generateCodeChallenge;
    onTokensChanged(callback: () => void | Promise<void>): void;
    /**
     * The URL to redirect to after authorization
     * This is where the browser will be redirected after the user authenticates
     */
    get redirectUrl(): string;
    /**
     * Metadata about this OAuth client
     * Used during dynamic registration if supported
     */
    get clientMetadata(): {
        client_name: string;
        redirect_uris: string[];
    };
    /**
     * Return static client information
     * Civic auth service uses pre-registered clients
     */
    clientInformation(): {
        client_id: string;
        client_name: string;
    };
    /**
     * Load any existing OAuth tokens from storage
     * Used by SSEClientTransport to include tokens in requests
     * This is called by the SDK when making authenticated requests
     *
     * If NO_LOGIN is set to true, we'll use the CLIENT_ID as the bearer token
     * instead of requiring user authentication
     */
    tokens(): Promise<{
        access_token: string;
        token_type: string;
        id_token?: string;
        refresh_token?: string;
    } | undefined>;
    /**
     * Store new OAuth tokens after successful authorization
     * Called by the auth flow when new tokens are received
     * @param tokens The tokens to store
     * @param triggerTokenChange Whether to trigger token change callbacks (defaults to false)
     */
    saveTokens(tokens: Tokens, triggerTokenChange?: boolean): Promise<void>;
    private _lastBrowserOpenTime;
    private _minBrowserOpenInterval;
    /**
     * Open the browser to begin authorization flow
     * This method is called when authentication is needed
     */
    redirectToAuthorization(authorizationUrl: URL): Promise<void>;
    /**
     * Save PKCE code verifier
     * Called during the authorization flow before redirecting
     */
    saveCodeVerifier(codeVerifier: string): void;
    /**
     * Return the stored PKCE code verifier
     * Used during token exchange to prove code ownership
     */
    codeVerifier(): string;
}
export declare const authProvider: CivicAuthProvider;
//# sourceMappingURL=authProvider.d.ts.map