import * as jose from "jose";
import { AuthPolicy } from "./lib/auth-policy";
import { AuthenticateResponse } from "./lib/auth";
import { JWTVerificationOptions } from "lets-mfa-rp-lib";
import { AuthStartResponse, EnrollStartResponse, JWT } from "./main";
/** Result of a successfully handled LetsMFA response: the AuthenticateResponse
 * fields plus the subject and the JWT that carried them. Obtain this only from
 * handleAuthResponse(); do not build it from raw query parameters, because the
 * response token arrives via the user's browser and is untrusted until verified
 * (NOTE(review): verification is assumed to happen inside handleAuthResponse — confirm).
 */
export type SuccessResponse = AuthenticateResponse & {
    /** Presumably the `sub` claim of the verified token, i.e. the user identifier
     * originally supplied as the subject of the nested JWT — confirm against the lib. */
    sub: string;
    /** The parsed JWT the response was delivered in. */
    jwt: JWT;
};
/** Construction options for a LetsMFA client. Note that `keys.privateKey` is secret
 * material: load it from a secrets store or environment, never commit it, and never
 * log the whole options object.
 */
export interface LetsMFAOptions {
    /** The LetsMFA realm to use. Defaults to "auth.letsmfa.com" */
    realm?: string;
    /** The redirect target used when a request does not supply its own responseUrl.
     * This is useful when you have a single response URL for all types of requests.
     * Treat it as a fixed, allow-listed URL of your own application; never derive it
     * from request input, since the user is redirected to it after enroll/auth.
     */
    defaultResponseUrl?: string;
    /** The domain for this LetsMFA instance */
    domain: string;
    /** The logo to display to the user during auth. This must be from a domain
     * covered by the 'domain' value. For example, if the domain is 'example.com',
     * the logoUrl may be from 'https://images.example.com/logo.png'.
     * NOTE(review): where this constraint is enforced (client library or LetsMFA
     * service) is not visible here — do not rely on it being checked locally.
     */
    logoUrl?: string;
    /** The unique identifier, such as IP address, for this client/host */
    clientId?: string;
    /** Public/private keys for communicating with LetsMFA. Each must be a JSON JWK object,
     * or a string that JSON.parse() turns into a JWK object.
     * Only publicKey is ever exposed by the client (via getPublicKey()); the private key
     * must be kept confidential and rotated by supplying a new pair.
     */
    keys: {
        publicKey: jose.JWK | string;
        privateKey: jose.JWK | string;
    };
    /** An AuthPolicy that will be used as a default when none is supplied to the enroll/auth methods. */
    defaultAuthPolicy?: AuthPolicy;
    /** Validation requirements applied to the nestedJWT passed to startEnroll/startAuthentication.
     * NOTE(review): what is checked when this is omitted is not visible here — confirm the
     * default still verifies signature, expiry and (if applicable) issuer/audience, and set
     * it explicitly when accepting JWTs from another provider.
     */
    nestedJWTValidationOptions?: JWTVerificationOptions;
}
/** Client for the LetsMFA enrollment and authentication flows. Both flows are
 * redirect-based: the client builds a signed start request, the user is sent to
 * LetsMFA, and LetsMFA redirects back to the responseUrl with a response token
 * that must be passed to handleAuthResponse() before any of its contents are trusted.
 */
export declare class LetsMFA {
    private options;
    /** Parsed private signing key; never exposed by any public method. */
    private privateKey;
    private publicKey;
    /** @param options See LetsMFAOptions. Presumably parses `keys` here (JWK object or JSON string) — confirm. */
    constructor(options: LetsMFAOptions);
    /** Returns the public key (safe to publish; the private key is never returned). */
    getPublicKey(): jose.JWK;
    /** The Enrollment flow allows a user to define their methods of authentication. The EnrollmentResponse
     * object is returned as a query parameter to the responseUrl provided in the request.
     *
     * Fields of `options`:
     * - responseUrl Optional. The URL to which the user will be redirected after enrollment is complete.
     *   Falls back to `defaultResponseUrl`; must be a fixed URL of your own application (redirect target).
     * - nestedJWT A signed JWT from another provider, or self generated (see generateSelfSignedJWT).
     *   This value will be nested in the JWT returned by LetsMFA.
     * - authPolicy Optional. Authentication requirements for this enrollment; falls back to `defaultAuthPolicy`.
     * - validThrough Optional. The epoch seconds UTC through which the user has to complete enrollment.
     *   If not provided, the request will expire in 5 minutes. Keep this short; it bounds how long a leaked
     *   start URL stays usable.
     * - accountVault Optional. Supply an existing account vault to allow the user to update/change their
     *   methods of authentication.
     * - requestId Optional. A unique identifier for this request. If not provided, a random UUID will be
     *   generated. To actually prevent replay, the caller must store the requestId it issued and compare it
     *   against the one in the handled response — nothing here shows the library persisting it for you.
     * - accountDisplayName Name shown to the user during the flow.
     * - isTestAccount Optional. Presumably flags the account as a test account on the LetsMFA side — confirm;
     *   never populate it from untrusted request input in production.
     *
     * returns a URL to which the user should be redirected to begin the enrollment flow
     */
    startEnroll(options: {
        responseUrl?: string;
        nestedJWT: string;
        authPolicy?: AuthPolicy;
        validThrough?: number;
        accountVault?: string;
        requestId?: string;
        accountDisplayName: string;
        isTestAccount?: boolean;
    }): Promise<EnrollStartResponse>;
    /** Handles the token LetsMFA delivers to the responseUrl after enroll or auth.
     *
     * @param responseToken The raw token taken from the redirect back to your application. It arrives via
     *   the user's browser and is untrusted input; do not read `sub` or any other field out of it directly.
     * @returns The verified SuccessResponse. NOTE(review): assumed to reject (throw) when signature, expiry
     *   or realm checks fail rather than resolving — confirm, and always `await` inside try/catch.
     *   After it resolves, the caller should still check that the requestId matches one it issued and has
     *   not already been consumed.
     */
    handleAuthResponse(responseToken: string): Promise<SuccessResponse>;
    /** A convenience method for generating a self signed JWT (aka a JWS), signed with this instance's
     * private key, that can be used as the `nestedJWT` in startEnroll and startAuthentication.
     *
     * Supply the user value, which can be any string. The value will be used as the subject of the JWT.
     *
     * @param user The user value to use as the subject of the JWT
     * @param expirationEpochSeconds Optional The epoch UTC seconds through which the JWT is valid. If not
     *   provided, the JWT will expire in 8 hours. That default is much longer than the 5 minute request
     *   window; pass a shorter expiry when the token is only needed for the upcoming flow.
     * Note: there is no requestId parameter on this method; a request identifier is set on the start
     *   request itself (see startEnroll / startAuthentication).
     */
    generateSelfSignedJWT(user: string, expirationEpochSeconds?: number): Promise<string>;
    /** The Authentication flow allows a user to authenticate using the methods they have enrolled.
     *
     * Fields of `options` mirror startEnroll, except that `accountVault` is required here: it is the
     * vault produced by a prior enrollment and identifies which methods the user may authenticate with.
     * `responseUrl` falls back to `defaultResponseUrl` and must be a fixed URL of your own application;
     * `validThrough` defaults to a 5 minute window (hedged: same default as enrollment is assumed — confirm);
     * `requestId` is only replay protection if the caller records it and checks it on the response.
     */
    startAuthentication(options: {
        responseUrl?: string;
        nestedJWT: string;
        accountVault: string;
        validThrough?: number;
        authPolicy?: AuthPolicy;
        accountDisplayName: string;
        requestId?: string;
        isTestAccount?: boolean;
    }): Promise<AuthStartResponse>;
    /** Validates a JWT and returns the parsed tokens. NOTE(review): the array presumably holds the outer
     * token followed by the nested token(s) it wraps, and the call is assumed to reject on a verification
     * failure — confirm both before relying on the result's order or on a non-throwing contract.
     *
     * @param jwt The compact-serialized token to validate.
     */
    validateJwt(jwt: string): Promise<JWT[]>;
    /** Returns the configured realm (the `realm` option, or its default). */
    getRealm(): string;
}
//# sourceMappingURL=letsmfa.d.ts.map