import { type JwtPayload } from 'jsonwebtoken';
import { ILogger } from '@microsoft/teams.common';
export interface IJwtValidationOptions {
    /** Required: Application/Client ID for audience validation */
    clientId: string;
    audience?: string[];
    /**
     * This may be 'common', 'organizations', 'consumers' for multi-tenant apps,
     * or a specific tenant ID for single-tenant apps.
     */
    tenantId?: string;
    /**
     * The Azure AD login endpoint. Used for JWKS URI construction and issuer validation.
     * Defaults to "https://login.microsoftonline.com".
     */
    loginEndpoint?: string;
    /**
     * JWKS URI options for fetching public keys
     */
    jwksUriOptions: {
        type: 'tenantId';
    } | {
        type: 'uri';
        uri: string;
    };
    /** Optional: Validate required scope in token */
    validateScope?: {
        requiredScope: string;
    };
    /** Optional: Validate service URL (Bot Framework specific) */
    validateServiceUrl?: {
        expectedServiceUrl: string;
    };
    /** Optional: Custom issuer validation */
    validateIssuer?: {
        /** Allowed */
        allowedIssuer: string;
    } | {
        /** For multi-tenant apps, restrict to specific tenant IDs */
        allowedTenantIds?: string[];
    };
    /** Optional: Clock tolerance in seconds (default: 300) */
    clockTolerance?: number;
}
export declare class JwtValidator {
    readonly options: IJwtValidationOptions;
    private readonly logger?;
    private readonly jwksCache;
    constructor(options: IJwtValidationOptions, logger?: ILogger);
    /**
     * Validates a JWT token using the configured options
     */
    validateAccessToken(rawToken: string, overrideOptions?: Pick<IJwtValidationOptions, 'validateServiceUrl' | 'validateScope'>): Promise<JwtPayload | null>;
    private getJwksClient;
    private getSigningKey;
    private validateIssuer;
    private validateScope;
    private validateServiceUrl;
    private performCustomValidations;
}
export declare const createEntraTokenValidator: (tenantId: string, clientId: string, options?: {
    allowedTenantIds?: string[];
    requiredScope?: string;
    applicationIdUri?: string;
    loginEndpoint?: string;
    logger?: ILogger;
}) => JwtValidator;
