declare module '@encryptid/sdk/server' {
	export interface VerifyOptions {
		/** JWT secret for local HMAC-SHA256 verification */
		secret?: string;
		/** EncryptID server URL for remote verification */
		serverUrl?: string;
		/** Expected audience */
		audience?: string;
		/** Clock tolerance in seconds */
		clockTolerance?: number;
	}

	export function verifyEncryptIDToken(token: string, options?: VerifyOptions): Promise<EncryptIDClaims>;
	export function evaluateSpaceAccess(
		slug: string,
		token: string | null,
		method: string,
		options: { getSpaceConfig: (slug: string) => Promise<SpaceAuthConfig | null> },
	): Promise<{ allowed: boolean; readOnly: boolean; reason?: string; claims?: EncryptIDClaims }>;
	export function extractToken(headers: Headers): string | null;
	export function authenticateWSUpgrade(req: Request, options?: VerifyOptions): Promise<EncryptIDClaims | null>;

	export interface EncryptIDClaims {
		sub: string;
		username?: string;
		iat?: number;
		exp?: number;
		[key: string]: unknown;
	}

	export interface SpaceAuthConfig {
		spaceSlug: string;
		visibility: string;
		ownerDID?: string;
		app?: string;
	}
}