export type TurnkeyWebhookVerificationKey = {
    keyId: string;
    publicKey: string;
    algorithm?: "ed25519";
};
export type TurnkeyWebhookHeaders = Headers | Record<string, string | string[] | undefined>;
export type TurnkeyWebhookBody = string | Uint8Array | ArrayBuffer;
export type VerifyTurnkeyWebhookSignatureParams = {
    headers: TurnkeyWebhookHeaders;
    body: TurnkeyWebhookBody;
    verificationKeys: TurnkeyWebhookVerificationKey[];
    maxTimestampAgeMs: number;
    nowMs?: number;
};
export declare const TurnkeyWebhookVerificationFailureReasons: {
    readonly InvalidMaxTimestampAge: "invalid_max_timestamp_age";
    readonly InvalidNow: "invalid_now";
    readonly MissingHeader: "missing_header";
    readonly InvalidTimestamp: "invalid_timestamp";
    readonly StaleTimestamp: "stale_timestamp";
    readonly UnsupportedSignatureVersion: "unsupported_signature_version";
    readonly UnsupportedSignatureAlgorithm: "unsupported_signature_algorithm";
    readonly MissingKey: "missing_key";
    readonly InvalidVerificationKeyAlgorithm: "invalid_verification_key_algorithm";
    readonly InvalidVerificationKey: "invalid_verification_key";
    readonly InvalidSignature: "invalid_signature";
};
export type TurnkeyWebhookVerificationFailureReason = (typeof TurnkeyWebhookVerificationFailureReasons)[keyof typeof TurnkeyWebhookVerificationFailureReasons];
export type TurnkeyWebhookVerificationSuccess = {
    ok: true;
    eventId: string;
    keyId: string;
    timestampMs: number;
};
export type TurnkeyWebhookVerificationFailure = {
    ok: false;
    reason: TurnkeyWebhookVerificationFailureReason;
    headerName?: string;
};
export type TurnkeyWebhookVerificationResult = TurnkeyWebhookVerificationSuccess | TurnkeyWebhookVerificationFailure;
/**
 * Verifies a Turnkey webhook signature with caller-provided Ed25519
 * verification keys.
 *
 * Pass the exact raw request body bytes Turnkey sent, the request headers, and
 * a bounded `maxTimestampAgeMs` replay window. The function returns a typed
 * failure result for invalid webhook input instead of throwing, so handlers can
 * reject expected verification failures without exception-driven control flow.
 */
export declare function verifyTurnkeyWebhookSignature({ headers, body, verificationKeys, maxTimestampAgeMs, nowMs, }: VerifyTurnkeyWebhookSignatureParams): TurnkeyWebhookVerificationResult;
export declare function buildSignedInput({ version, algorithm, keyId, timestampMs, eventId, body, }: {
    version: string;
    algorithm: string;
    keyId: string;
    timestampMs: string;
    eventId: string;
    body: TurnkeyWebhookBody;
}): Uint8Array;
//# sourceMappingURL=webhooks.d.ts.map