/**
 * OAuth 2.1 Client Provider for MCP HTTP Transport
 * Implements OAuth 2.1 authentication with PKCE support
 */
import type { OAuthTokens, TokenStorage, MCPOAuthConfig, OAuthClientInformation, AuthorizationUrlResult, TokenExchangeRequest } from "../../types/index.js";
/**
 * NeuroLink OAuth Provider for MCP HTTP Transport
 * Handles OAuth 2.1 authentication flow with optional PKCE support
 */
export declare class NeuroLinkOAuthProvider {
    private config;
    private storage;
    private pendingChallenges;
    private pendingStates;
    constructor(config: MCPOAuthConfig, storage?: TokenStorage);
    /**
     * Get stored tokens for a server
     * Returns null if tokens are not available or expired (without refresh token)
     */
    tokens(serverId: string): Promise<OAuthTokens | null>;
    /**
     * Save tokens for a server
     */
    saveTokens(serverId: string, tokens: OAuthTokens): Promise<void>;
    /**
     * Delete tokens for a server
     */
    deleteTokens(serverId: string): Promise<void>;
    /**
     * Get client information for MCP SDK
     */
    clientInformation(): OAuthClientInformation;
    /**
     * Generate authorization URL for OAuth flow
     * Returns the URL to redirect the user to for authorization
     * @param _serverId - Server ID (reserved for future use in state management)
     */
    redirectToAuthorization(_serverId: string): AuthorizationUrlResult;
    /**
     * Exchange authorization code for tokens
     */
    exchangeCode(serverId: string, request: TokenExchangeRequest): Promise<OAuthTokens>;
    /**
     * Refresh tokens using refresh token
     */
    refreshTokens(serverId: string, refreshToken: string): Promise<OAuthTokens>;
    /**
     * Revoke tokens (if supported by the OAuth server)
     */
    revokeTokens(serverId: string, revocationUrl: string): Promise<void>;
    /**
     * Get authorization header value for API requests
     */
    getAuthorizationHeader(serverId: string): Promise<string | null>;
    /**
     * Check if a server has valid (non-expired) tokens
     */
    hasValidTokens(serverId: string): Promise<boolean>;
    /**
     * Generate a cryptographically secure state parameter
     */
    private generateState;
    /**
     * Generate PKCE code verifier and challenge
     * Uses SHA-256 for code challenge method (required by OAuth 2.1)
     */
    private generatePKCE;
    /**
     * Get the OAuth configuration
     */
    getConfig(): Readonly<MCPOAuthConfig>;
    /**
     * Get the token storage instance
     */
    getStorage(): TokenStorage;
    /**
     * Clean up expired pending states and challenges
     * Should be called periodically to prevent memory leaks
     */
    cleanupPendingRequests(): void;
}
/**
 * Create an OAuth provider from MCP server auth configuration
 */
export declare function createOAuthProviderFromConfig(authConfig: {
    clientId: string;
    clientSecret?: string;
    authorizationUrl: string;
    tokenUrl: string;
    redirectUrl: string;
    scope?: string;
    usePKCE?: boolean;
}, storage?: TokenStorage): NeuroLinkOAuthProvider;