/**
 * JWT signing and verification using node:crypto HMAC-SHA256.
 *
 * No external libraries — implements the minimal JWT subset needed
 * for dot-ai access tokens (HS256 only).
 */
import type { JwtClaims } from './types';
/**
 * Returns the JWT signing secret.
 * Uses DOT_AI_JWT_SECRET env var if set, otherwise generates
 * a random 32-byte hex secret cached for the process lifetime.
 */
export declare function getJwtSecret(): string;
/**
 * Reset the cached secret. Only for testing.
 * @internal
 */
export declare function _resetCachedSecret(): void;
/**
 * Sign a JWT with HMAC-SHA256.
 *
 * @param claims - The JWT payload claims
 * @param secret - The signing secret
 * @returns Encoded JWT string (header.payload.signature)
 */
export declare function signJwt(claims: JwtClaims, secret: string): string;
/**
 * Verify a JWT signed with HMAC-SHA256.
 *
 * Performs timing-safe signature comparison and expiry check.
 *
 * @param token - The JWT string to verify
 * @param secret - The signing secret
 * @returns Decoded claims if valid, null otherwise
 */
export declare function verifyJwt(token: string, secret: string): JwtClaims | null;
//# sourceMappingURL=jwt.d.ts.map