import type { AuthProvider } from "../../auth.js";
/** Options for {@link createSalesforceProvider}. */
export interface SalesforceProviderOptions {
    /**
     * Connected-app consumer key. Used as the JWT `iss` claim.
     */
    clientId: string;
    /**
     * Salesforce username to impersonate. Used as the JWT `sub` claim. This user
     * must be pre-authorized for the connected app.
     */
    username: string;
    /**
     * RSA private key in **PKCS#8 PEM** form (a `-----BEGIN PRIVATE KEY-----`
     * block) whose matching certificate is uploaded to the connected app. Used to
     * RS256-sign the assertion. Convert a PKCS#1 (`BEGIN RSA PRIVATE KEY`) key
     * with `openssl pkcs8 -topk8 -nocrypt`.
     */
    privateKey: string;
    /**
     * Login host to POST the assertion to. Defaults to
     * {@link DEFAULT_LOGIN_URL}; use `https://test.salesforce.com` for sandboxes,
     * or your My Domain login URL.
     */
    loginUrl?: string;
    /**
     * Expected JWT `aud` claim. Defaults to {@link loginUrl}. Salesforce validates
     * this against the authorization server; production accepts
     * `https://login.salesforce.com` and sandboxes `https://test.salesforce.com`
     * regardless of a My Domain {@link loginUrl}.
     */
    audience?: string;
    /** Registry key. Defaults to "salesforce". */
    name?: string;
    /**
     * Assumed access-token lifetime in seconds (see
     * {@link DEFAULT_TOKEN_LIFETIME_SEC}). Set this at or below your org's session
     * timeout.
     */
    tokenLifetimeSec?: number;
}
/**
 * A Salesforce auth provider. Extends {@link AuthProvider} with access to the
 * `instance_url` returned alongside the token, which REST callers need to build
 * request URLs.
 */
export interface SalesforceProvider extends AuthProvider {
    /**
     * The `instance_url` from the most recent token response (e.g.
     * `https://mydomain.my.salesforce.com`), or `undefined` before the first
     * successful token request.
     */
    getInstanceUrl(): string | undefined;
}
/**
 * Creates a Salesforce OAuth 2.0 JWT-bearer auth provider.
 *
 * The flow: sign a short-lived RS256 JWT asserting `iss` (connected-app
 * consumer key), `sub` (username), and `aud` (login URL), POST it to the token
 * endpoint, and exchange it for an access token — no interactive login or
 * client secret required. See Salesforce's "OAuth 2.0 JWT Bearer Flow for
 * Server-to-Server Integration".
 *
 * All configuration is passed in explicitly — nothing is read from the
 * environment. Register the returned provider with the token manager:
 *
 *   import { registerProvider } from "@sedibyte/auth";
 *   registerProvider(createSalesforceProvider({ clientId, username, privateKey }));
 */
export declare function createSalesforceProvider(options: SalesforceProviderOptions): SalesforceProvider;
//# sourceMappingURL=provider.d.ts.map