import type { Secret } from 'jsonwebtoken';
import { z } from 'zod';
/**
 * Grant type identifier for OAuth 2.0 Token Exchange (RFC 8693).
 * Declared as a string literal type, so comparisons against it are checked
 * at compile time.
 */
export declare const TOKEN_EXCHANGE_GRANT_TYPE: "urn:ietf:params:oauth:grant-type:token-exchange";
/**
 * Allowlist of JWT signature algorithms accepted for externally issued tokens.
 *
 * Every member is an asymmetric algorithm (RSA PKCS#1 v1.5, ECDSA, RSA-PSS,
 * EdDSA). `none` and the HMAC family (HS256/HS384/HS512) are not in the list.
 * Treat any widening of this enum as a security-relevant change: accepting a
 * symmetric algorithm alongside public keys opens the door to
 * algorithm-confusion, where a public key is used as an HMAC secret.
 */
export declare const JwtAlgorithmSchema: z.ZodEnum<["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"]>;
/**
 * Shape of the claims expected in an externally issued JWT.
 *
 * Required: `sub`, `iss`, `aud`, `iat`, `exp`, `jti`.
 * Optional: `nbf`, `email`, `given_name`, `family_name`, `role`.
 *
 * The object uses zod's "strip" unknown-key mode, so claims not listed here
 * are dropped from the parsed result rather than rejected or passed through.
 *
 * This schema checks structure and primitive types only. Signature
 * verification and the comparison of `iss`, `aud`, `exp` and `nbf` against
 * trusted configuration and the clock are not expressed by this declaration
 * and must happen in the verification code.
 * NOTE(review): `jti` is required, presumably to support replay detection —
 * confirm that the consumer actually records and checks it.
 */
export declare const ExternalTokenClaimsSchema: z.ZodObject<{
    sub: z.ZodString;
    iss: z.ZodString;
    // `aud` may be a single string or an array of strings; audience checks
    // must handle both forms.
    aud: z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>;
    iat: z.ZodNumber;
    exp: z.ZodNumber;
    jti: z.ZodString;
    nbf: z.ZodOptional<z.ZodNumber>;
    email: z.ZodOptional<z.ZodString>;
    given_name: z.ZodOptional<z.ZodString>;
    family_name: z.ZodOptional<z.ZodString>;
    // A single free-form string supplied by the token issuer; the schema does
    // not restrict its value.
    role: z.ZodOptional<z.ZodString>;
}, "strip", z.ZodTypeAny, {
    sub: string;
    exp: number;
    iss: string;
    aud: string | string[];
    iat: number;
    jti: string;
    email?: string | undefined;
    role?: string | undefined;
    nbf?: number | undefined;
    given_name?: string | undefined;
    family_name?: string | undefined;
}, {
    sub: string;
    exp: number;
    iss: string;
    aud: string | string[];
    iat: number;
    jti: string;
    email?: string | undefined;
    role?: string | undefined;
    nbf?: number | undefined;
    given_name?: string | undefined;
    family_name?: string | undefined;
}>;
/** Parsed (output) type of {@link ExternalTokenClaimsSchema}. */
export type ExternalTokenClaims = z.infer<typeof ExternalTokenClaimsSchema>;
/**
 * Configuration for one trusted source of token-verification keys,
 * discriminated on `type`:
 *
 * - `"static"`: an inline key with its `kid`, permitted `algorithms`, and the
 *   `issuer` it is trusted for.
 * - `"jwks"`: a `url` to fetch keys from, the `issuer` it is trusted for, and
 *   an optional `cacheTtlSeconds`.
 *
 * Both variants accept optional `expectedAudience` and `allowedRoles`.
 * Unknown keys are stripped on parse.
 *
 * NOTE(review): `expectedAudience` and `allowedRoles` are optional — confirm
 * what the verifier does when they are omitted, and whether an absent value
 * disables the audience or role check.
 * NOTE(review): the `jwks` variant declares no `algorithms` field, so the
 * algorithm restriction for JWKS-sourced keys must come from elsewhere —
 * confirm it is not taken from the token header alone.
 * NOTE(review): `url` is typed as a plain string here; this declaration does
 * not show whether the implementation requires HTTPS or restricts the host —
 * verify against the schema source.
 */
export declare const TrustedKeySourceSchema: z.ZodDiscriminatedUnion<"type", [z.ZodObject<{
    type: z.ZodLiteral<"static">;
    kid: z.ZodString;
    algorithms: z.ZodArray<z.ZodEnum<["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"]>, "many">;
    key: z.ZodString;
    issuer: z.ZodString;
    expectedAudience: z.ZodOptional<z.ZodString>;
    allowedRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
}, "strip", z.ZodTypeAny, {
    key: string;
    type: "static";
    issuer: string;
    kid: string;
    algorithms: ("RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA")[];
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
}, {
    key: string;
    type: "static";
    issuer: string;
    kid: string;
    algorithms: ("RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA")[];
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
}>, z.ZodObject<{
    type: z.ZodLiteral<"jwks">;
    url: z.ZodString;
    issuer: z.ZodString;
    expectedAudience: z.ZodOptional<z.ZodString>;
    allowedRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
    cacheTtlSeconds: z.ZodOptional<z.ZodNumber>;
}, "strip", z.ZodTypeAny, {
    url: string;
    type: "jwks";
    issuer: string;
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
    cacheTtlSeconds?: number | undefined;
}, {
    url: string;
    type: "jwks";
    issuer: string;
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
    cacheTtlSeconds?: number | undefined;
}>]>;
/** Parsed (output) type of {@link TrustedKeySourceSchema}: the static or the JWKS variant. */
export type TrustedKeySource = z.infer<typeof TrustedKeySourceSchema>;
/** The `type: 'static'` member of {@link TrustedKeySource}. */
export type StaticKeySource = Extract<TrustedKeySource, {
    type: 'static';
}>;
/** The `type: 'jwks'` member of {@link TrustedKeySource}. */
export type JwksKeySource = Extract<TrustedKeySource, {
    type: 'jwks';
}>;
/** Union of the algorithm names accepted by {@link JwtAlgorithmSchema}. */
export type JwtAlgorithm = z.infer<typeof JwtAlgorithmSchema>;
/**
 * Discriminant values of a trusted key source. Written out by hand rather
 * than derived from the schema, so it must be kept in sync with the variants
 * of `TrustedKeySourceSchema`.
 */
export type TrustedKeySourceType = 'static' | 'jwks';
/**
 * Status label for a trusted key source.
 * NOTE(review): the meaning of each state and the transitions between them
 * are not visible in this declaration — confirm in particular whether tokens
 * are rejected while a source is 'pending' or 'error'.
 */
export type TrustedKeySourceStatus = 'pending' | 'healthy' | 'error';
/**
 * Record describing one trusted key: the permitted `algorithms`, the key
 * itself as a string (`keyMaterial`), the `issuer` it is trusted for, and
 * optional `expectedAudience`, `allowedRoles` and `expiresAt`.
 * Unknown keys are stripped on parse.
 *
 * NOTE(review): presumably the stored or cached form of a key — confirm
 * where it is persisted and who can write to that store, since whoever
 * controls these records controls which tokens are accepted.
 * NOTE(review): `expiresAt` is a plain string and its format is not visible
 * here. Confirm that it is parsed strictly and that an absent or unparseable
 * value is not treated as "never expires" by accident.
 */
export declare const TrustedKeyDataSchema: z.ZodObject<{
    algorithms: z.ZodArray<z.ZodEnum<["RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "EdDSA"]>, "many">;
    keyMaterial: z.ZodString;
    issuer: z.ZodString;
    expectedAudience: z.ZodOptional<z.ZodString>;
    allowedRoles: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
    expiresAt: z.ZodOptional<z.ZodString>;
}, "strip", z.ZodTypeAny, {
    issuer: string;
    algorithms: ("RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA")[];
    keyMaterial: string;
    expiresAt?: string | undefined;
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
}, {
    issuer: string;
    algorithms: ("RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512" | "EdDSA")[];
    keyMaterial: string;
    expiresAt?: string | undefined;
    expectedAudience?: string | undefined;
    allowedRoles?: string[] | undefined;
}>;
/** Parsed (output) type of {@link TrustedKeyDataSchema}. */
export type TrustedKeyData = z.infer<typeof TrustedKeyDataSchema>;
/**
 * A trusted key in the form used for verification: the key identifier, the
 * algorithms it may be used with, the key as a jsonwebtoken `Secret`, and
 * the issuer / audience / role constraints attached to it.
 *
 * NOTE(review): presumably produced by resolving a `TrustedKeySource` and
 * handed to the JWT verifier — confirm that `algorithms` is passed through
 * as the verifier's algorithm allowlist, so the token header cannot choose
 * the algorithm.
 */
export interface ResolvedTrustedKey {
    kid: string;
    algorithms: JwtAlgorithm[];
    // `Secret` is jsonwebtoken's general key type; it is wider than "public
    // key", so the type alone does not guarantee asymmetric key material.
    key: Secret;
    issuer: string;
    expectedAudience?: string;
    allowedRoles?: string[];
}
/**
 * Body of a token-exchange request; parameter names follow RFC 8693.
 *
 * `grant_type` must be exactly the token-exchange URN and `subject_token` is
 * required. Every other parameter is an optional string. Unknown parameters
 * are stripped on parse.
 *
 * This schema constrains presence and primitive type only; the declaration
 * does not restrict the values of `subject_token_type`,
 * `requested_token_type`, `scope`, `audience` or `resource`.
 * NOTE(review): confirm that the handler rejects unsupported token types and
 * does not grant a caller-supplied `scope`, `audience` or `resource` without
 * checking it against policy.
 * NOTE(review): `actor_token` is accepted by the schema — confirm whether it
 * is validated or ignored, so that an unverified actor token cannot
 * influence the issued token.
 */
export declare const TokenExchangeRequestSchema: z.ZodObject<{
    grant_type: z.ZodLiteral<"urn:ietf:params:oauth:grant-type:token-exchange">;
    subject_token: z.ZodString;
    subject_token_type: z.ZodOptional<z.ZodString>;
    actor_token: z.ZodOptional<z.ZodString>;
    actor_token_type: z.ZodOptional<z.ZodString>;
    requested_token_type: z.ZodOptional<z.ZodString>;
    scope: z.ZodOptional<z.ZodString>;
    audience: z.ZodOptional<z.ZodString>;
    resource: z.ZodOptional<z.ZodString>;
}, "strip", z.ZodTypeAny, {
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange";
    subject_token: string;
    resource?: string | undefined;
    subject_token_type?: string | undefined;
    actor_token?: string | undefined;
    actor_token_type?: string | undefined;
    requested_token_type?: string | undefined;
    scope?: string | undefined;
    audience?: string | undefined;
}, {
    grant_type: "urn:ietf:params:oauth:grant-type:token-exchange";
    subject_token: string;
    resource?: string | undefined;
    subject_token_type?: string | undefined;
    actor_token?: string | undefined;
    actor_token_type?: string | undefined;
    requested_token_type?: string | undefined;
    scope?: string | undefined;
    audience?: string | undefined;
}>;
/** Parsed (output) type of {@link TokenExchangeRequestSchema}. */
export type TokenExchangeRequest = z.infer<typeof TokenExchangeRequestSchema>;
