import type { ErrorInfo } from './errors';
import type { SignatureVerifier } from './jws-verifier';
import type { KeyStorer } from './key-store';
export declare const FIREBASE_AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
/**
 * Interface representing a decoded Firebase ID token, returned from the
 * {@link BaseAuth.verifyIdToken} method.
 *
 * Firebase ID tokens are OpenID Connect spec-compliant JSON Web Tokens (JWTs).
 * See the
 * [ID Token section of the OpenID Connect spec](http://openid.net/specs/openid-connect-core-1_0.html#IDToken)
 * for more information about the specific properties below.
 */
export interface FirebaseIdToken {
    /**
     * The audience for which this token is intended.
     *
     * This value is a string equal to your Firebase project ID, the unique
     * identifier for your Firebase project, which can be found in [your project's
     * settings](https://console.firebase.google.com/project/_/settings/general/android:com.random.android).
     */
    aud: string;
    /**
     * Time, in seconds since the Unix epoch, when the end-user authentication
     * occurred.
     *
     * This value is not set when this particular ID token was created, but when the
     * user initially logged in to this session. In a single session, the Firebase
     * SDKs will refresh a user's ID tokens every hour. Each ID token will have a
     * different [`iat`](#iat) value, but the same `auth_time` value.
     */
    auth_time: number;
    /**
     * The email of the user to whom the ID token belongs, if available.
     */
    email?: string;
    /**
     * Whether or not the email of the user to whom the ID token belongs is
     * verified, provided the user has an email.
     */
    email_verified?: boolean;
    /**
     * The ID token's expiration time, in seconds since the Unix epoch. That is, the
     * time at which this ID token expires and should no longer be considered valid.
     *
     * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new
     * ID token with up to a one hour expiration.
     */
    exp: number;
    /**
     * Information about the sign in event, including which sign in provider was
     * used and provider-specific identity details.
     *
     * This data is provided by the Firebase Authentication service and is a
     * reserved claim in the ID token.
     */
    firebase: {
        /**
         * Provider-specific identity details corresponding
         * to the provider used to sign in the user.
         */
        identities: {
            [key: string]: any;
        };
        /**
         * The ID of the provider used to sign in the user.
         * One of `"anonymous"`, `"password"`, `"facebook.com"`, `"github.com"`,
         * `"google.com"`, `"twitter.com"`, `"apple.com"`, `"microsoft.com"`,
         * `"yahoo.com"`, `"phone"`, `"playgames.google.com"`, `"gc.apple.com"`,
         * or `"custom"`.
         *
         * Additional Identity Platform provider IDs include `"linkedin.com"`,
         * OIDC and SAML identity providers prefixed with `"saml."` and `"oidc."`
         * respectively.
         */
        sign_in_provider: string;
        /**
         * The type identifier or `factorId` of the second factor, provided the
         * ID token was obtained from a multi-factor authenticated user.
         * For phone, this is `"phone"`.
         */
        sign_in_second_factor?: string;
        /**
         * The `uid` of the second factor used to sign in, provided the
         * ID token was obtained from a multi-factor authenticated user.
         */
        second_factor_identifier?: string;
        /**
         * The ID of the tenant the user belongs to, if available.
         */
        tenant?: string;
        [key: string]: any;
    };
    /**
     * The ID token's issued-at time, in seconds since the Unix epoch. That is, the
     * time at which this ID token was issued and should start to be considered
     * valid.
     *
     * The Firebase SDKs transparently refresh ID tokens every hour, issuing a new
     * ID token with a new issued-at time. If you want to get the time at which the
     * user session corresponding to the ID token initially occurred, see the
     * [`auth_time`](#auth_time) property.
     */
    iat: number;
    /**
     * The issuer identifier for the issuer of the response.
     *
     * This value is a URL with the format
     * `https://securetoken.google.com/<PROJECT_ID>`, where `<PROJECT_ID>` is the
     * same project ID specified in the [`aud`](#aud) property.
     */
    iss: string;
    /**
     * The phone number of the user to whom the ID token belongs, if available.
     */
    phone_number?: string;
    /**
     * The photo URL for the user to whom the ID token belongs, if available.
     */
    picture?: string;
    /**
     * The `uid` corresponding to the user who the ID token belonged to.
     *
     * As a convenience, this value is copied over to the [`uid`](#uid) property.
     */
    sub: string;
    /**
     * The `uid` corresponding to the user who the ID token belonged to.
     *
     * This value is not actually in the JWT token claims itself. It is added as a
     * convenience, and is set as the value of the [`sub`](#sub) property.
     */
    uid: string;
    /**
     * Other arbitrary claims included in the ID token.
     */
    [key: string]: any;
}
/**
 * Class for verifying general purpose Firebase JWTs. This verifies ID tokens and session cookies.
 *
 * @internal
 */
export declare class FirebaseTokenVerifier {
    private readonly signatureVerifier;
    private projectId;
    private issuer;
    private tokenInfo;
    private readonly shortNameArticle;
    constructor(signatureVerifier: SignatureVerifier, projectId: string, issuer: string, tokenInfo: FirebaseTokenInfo);
    /**
     * Verifies the format and signature of a Firebase Auth JWT token.
     *
     * @param jwtToken - The Firebase Auth JWT token to verify.
     * @param isEmulator - Whether to accept Auth Emulator tokens.
     * @param clockSkewSeconds - The number of seconds to tolerate when checking the token's iat. Must be between 0-60, and an integer. Defualts to 0.
     * @returns A promise fulfilled with the decoded claims of the Firebase Auth ID token.
     */
    verifyJWT(jwtToken: string, isEmulator?: boolean, clockSkewSeconds?: number): Promise<FirebaseIdToken>;
    private decodeAndVerify;
    private safeDecode;
    private verifyPayload;
    private verifySignature;
    /**
     * Maps JwtError to FirebaseAuthError
     *
     * @param error - JwtError to be mapped.
     * @returns FirebaseAuthError or Error instance.
     */
    private mapJwtErrorToAuthError;
}
/**
 * Interface that defines token related user facing information.
 *
 * @internal
 */
export interface FirebaseTokenInfo {
    /** Documentation URL. */
    url: string;
    /** verify API name. */
    verifyApiName: string;
    /** The JWT full name. */
    jwtName: string;
    /** The JWT short name. */
    shortName: string;
    /** JWT Expiration error code. */
    expiredErrorCode: ErrorInfo;
}
/**
 * User facing token information related to the Firebase ID token.
 *
 * @internal
 */
export declare const ID_TOKEN_INFO: FirebaseTokenInfo;
/**
 * Creates a new FirebaseTokenVerifier to verify Firebase ID tokens.
 *
 * @internal
 * @returns FirebaseTokenVerifier
 */
export declare function createIdTokenVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier;
/**
 * @internal
 * @returns FirebaseTokenVerifier
 */
export declare function baseCreateIdTokenVerifier(signatureVerifier: SignatureVerifier, projectID: string): FirebaseTokenVerifier;
/**
 * User facing token information related to the Firebase session cookie.
 *
 * @internal
 */
export declare const SESSION_COOKIE_INFO: FirebaseTokenInfo;
/**
 * Creates a new FirebaseTokenVerifier to verify Firebase session cookies.
 *
 * @internal
 * @param app - Firebase app instance.
 * @returns FirebaseTokenVerifier
 */
export declare function createSessionCookieVerifier(projectID: string, keyStorer: KeyStorer): FirebaseTokenVerifier;
/**
 * @internal
 * @returns FirebaseTokenVerifier
 */
export declare function baseCreateSessionCookieVerifier(signatureVerifier: SignatureVerifier, projectID: string): FirebaseTokenVerifier;
