naftiko: 1.0.0-alpha2 info: label: Duo Admin API — Users description: 'Duo Admin API — Users. 24 operations. Lead operation: List users. Self-contained Naftiko capability covering one Duo Security business surface.' tags: - Duo Security - Users created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: DUO_SECURITY_API_KEY: DUO_SECURITY_API_KEY capability: consumes: - type: http namespace: duo-admin-users baseUri: https://api-XXXXXXXX.duosecurity.com description: Duo Admin API — Users business capability. Self-contained, no shared references. resources: - name: admin-v1-users path: /admin/v1/users operations: - name: listusers method: GET description: List users outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: username in: query type: string - name: limit in: query type: integer - name: offset in: query type: integer - name: createuser method: POST description: Create user outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: body in: body type: object description: Request body (JSON). required: true - name: admin-v1-users-bulk_create path: /admin/v1/users/bulk_create operations: - name: bulkcreateusers method: POST description: Bulk create users outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-bulk_restore path: /admin/v1/users/bulk_restore operations: - name: bulkrestoreusers method: POST description: Bulk restore users outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-bulk_send_to_trash path: /admin/v1/users/bulk_send_to_trash operations: - name: bulksenduserstotrash method: POST description: Bulk send users to Trash outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-directorysync path: /admin/v1/users/directorysync operations: - name: listuserdirectorysyncs method: GET description: List user directory syncs outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-directorysync-directory_key-syncuser path: /admin/v1/users/directorysync/{directory_key}/syncuser operations: - name: syncdirectoryuser method: POST description: Sync directory user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-enroll path: /admin/v1/users/enroll operations: - name: enrolluser method: POST description: Enroll user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id path: /admin/v1/users/{user_id} operations: - name: getuser method: GET description: Get user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: updateuser method: POST description: Update user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: deleteuser method: DELETE description: Delete user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-desktopauthenticators path: /admin/v1/users/{user_id}/desktopauthenticators operations: - name: listuserdesktopauthenticators method: GET description: List desktop authenticators for user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-groups path: /admin/v1/users/{user_id}/groups operations: - name: listusergroups method: GET description: List user groups outputRawFormat: json outputParameters: - name: result type: object value: $. - name: associateusergroup method: POST description: Associate group with user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-groups-group_id path: /admin/v1/users/{user_id}/groups/{group_id} operations: - name: disassociateusergroup method: DELETE description: Disassociate group from user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-phones path: /admin/v1/users/{user_id}/phones operations: - name: listuserphones method: GET description: List user phones outputRawFormat: json outputParameters: - name: result type: object value: $. - name: associateuserphone method: POST description: Associate phone with user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-phones-phone_id path: /admin/v1/users/{user_id}/phones/{phone_id} operations: - name: disassociateuserphone method: DELETE description: Disassociate phone from user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-send_verification_push path: /admin/v1/users/{user_id}/send_verification_push operations: - name: sendverificationpush method: POST description: Send verification Duo Push outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-tokens path: /admin/v1/users/{user_id}/tokens operations: - name: listusertokens method: GET description: List user hardware tokens outputRawFormat: json outputParameters: - name: result type: object value: $. - name: associateusertoken method: POST description: Associate hardware token with user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-tokens-token_id path: /admin/v1/users/{user_id}/tokens/{token_id} operations: - name: disassociateusertoken method: DELETE description: Disassociate hardware token from user outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-verification_push_response path: /admin/v1/users/{user_id}/verification_push_response operations: - name: getverificationpushresponse method: GET description: Retrieve verification push result outputRawFormat: json outputParameters: - name: result type: object value: $. - name: admin-v1-users-user_id-webauthncredentials path: /admin/v1/users/{user_id}/webauthncredentials operations: - name: listuserwebauthncredentials method: GET description: List WebAuthn credentials for user outputRawFormat: json outputParameters: - name: result type: object value: $. authentication: type: basic username: '{{env.DUO_SECURITY_USER}}' password: '{{env.DUO_SECURITY_PASS}}' exposes: - type: rest namespace: duo-admin-users-rest port: 8080 description: REST adapter for Duo Admin API — Users. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/admin/v1/users name: admin-v1-users description: REST surface for admin-v1-users. operations: - method: GET name: listusers description: List users call: duo-admin-users.listusers with: username: rest.username limit: rest.limit offset: rest.offset outputParameters: - type: object mapping: $. - method: POST name: createuser description: Create user call: duo-admin-users.createuser with: body: rest.body outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/bulk-create name: admin-v1-users-bulk-create description: REST surface for admin-v1-users-bulk_create. operations: - method: POST name: bulkcreateusers description: Bulk create users call: duo-admin-users.bulkcreateusers outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/bulk-restore name: admin-v1-users-bulk-restore description: REST surface for admin-v1-users-bulk_restore. operations: - method: POST name: bulkrestoreusers description: Bulk restore users call: duo-admin-users.bulkrestoreusers outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/bulk-send-to-trash name: admin-v1-users-bulk-send-to-trash description: REST surface for admin-v1-users-bulk_send_to_trash. operations: - method: POST name: bulksenduserstotrash description: Bulk send users to Trash call: duo-admin-users.bulksenduserstotrash outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/directorysync name: admin-v1-users-directorysync description: REST surface for admin-v1-users-directorysync. operations: - method: GET name: listuserdirectorysyncs description: List user directory syncs call: duo-admin-users.listuserdirectorysyncs outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/directorysync/{directory-key}/syncuser name: admin-v1-users-directorysync-directory-key-syncuser description: REST surface for admin-v1-users-directorysync-directory_key-syncuser. operations: - method: POST name: syncdirectoryuser description: Sync directory user call: duo-admin-users.syncdirectoryuser outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/enroll name: admin-v1-users-enroll description: REST surface for admin-v1-users-enroll. operations: - method: POST name: enrolluser description: Enroll user call: duo-admin-users.enrolluser outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id} name: admin-v1-users-user-id description: REST surface for admin-v1-users-user_id. operations: - method: GET name: getuser description: Get user call: duo-admin-users.getuser outputParameters: - type: object mapping: $. - method: POST name: updateuser description: Update user call: duo-admin-users.updateuser outputParameters: - type: object mapping: $. - method: DELETE name: deleteuser description: Delete user call: duo-admin-users.deleteuser outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/desktopauthenticators name: admin-v1-users-user-id-desktopauthenticators description: REST surface for admin-v1-users-user_id-desktopauthenticators. operations: - method: GET name: listuserdesktopauthenticators description: List desktop authenticators for user call: duo-admin-users.listuserdesktopauthenticators outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/groups name: admin-v1-users-user-id-groups description: REST surface for admin-v1-users-user_id-groups. operations: - method: GET name: listusergroups description: List user groups call: duo-admin-users.listusergroups outputParameters: - type: object mapping: $. - method: POST name: associateusergroup description: Associate group with user call: duo-admin-users.associateusergroup outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/groups/{group-id} name: admin-v1-users-user-id-groups-group-id description: REST surface for admin-v1-users-user_id-groups-group_id. operations: - method: DELETE name: disassociateusergroup description: Disassociate group from user call: duo-admin-users.disassociateusergroup outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/phones name: admin-v1-users-user-id-phones description: REST surface for admin-v1-users-user_id-phones. operations: - method: GET name: listuserphones description: List user phones call: duo-admin-users.listuserphones outputParameters: - type: object mapping: $. - method: POST name: associateuserphone description: Associate phone with user call: duo-admin-users.associateuserphone outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/phones/{phone-id} name: admin-v1-users-user-id-phones-phone-id description: REST surface for admin-v1-users-user_id-phones-phone_id. operations: - method: DELETE name: disassociateuserphone description: Disassociate phone from user call: duo-admin-users.disassociateuserphone outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/send-verification-push name: admin-v1-users-user-id-send-verification-push description: REST surface for admin-v1-users-user_id-send_verification_push. operations: - method: POST name: sendverificationpush description: Send verification Duo Push call: duo-admin-users.sendverificationpush outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/tokens name: admin-v1-users-user-id-tokens description: REST surface for admin-v1-users-user_id-tokens. operations: - method: GET name: listusertokens description: List user hardware tokens call: duo-admin-users.listusertokens outputParameters: - type: object mapping: $. - method: POST name: associateusertoken description: Associate hardware token with user call: duo-admin-users.associateusertoken outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/tokens/{token-id} name: admin-v1-users-user-id-tokens-token-id description: REST surface for admin-v1-users-user_id-tokens-token_id. operations: - method: DELETE name: disassociateusertoken description: Disassociate hardware token from user call: duo-admin-users.disassociateusertoken outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/verification-push-response name: admin-v1-users-user-id-verification-push-response description: REST surface for admin-v1-users-user_id-verification_push_response. operations: - method: GET name: getverificationpushresponse description: Retrieve verification push result call: duo-admin-users.getverificationpushresponse outputParameters: - type: object mapping: $. - path: /v1/admin/v1/users/{user-id}/webauthncredentials name: admin-v1-users-user-id-webauthncredentials description: REST surface for admin-v1-users-user_id-webauthncredentials. operations: - method: GET name: listuserwebauthncredentials description: List WebAuthn credentials for user call: duo-admin-users.listuserwebauthncredentials outputParameters: - type: object mapping: $. - type: mcp namespace: duo-admin-users-mcp port: 9090 transport: http description: MCP adapter for Duo Admin API — Users. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: list-users description: List users hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listusers with: username: tools.username limit: tools.limit offset: tools.offset outputParameters: - type: object mapping: $. - name: create-user description: Create user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.createuser with: body: tools.body outputParameters: - type: object mapping: $. - name: bulk-create-users description: Bulk create users hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.bulkcreateusers outputParameters: - type: object mapping: $. - name: bulk-restore-users description: Bulk restore users hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.bulkrestoreusers outputParameters: - type: object mapping: $. - name: bulk-send-users-trash description: Bulk send users to Trash hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.bulksenduserstotrash outputParameters: - type: object mapping: $. - name: list-user-directory-syncs description: List user directory syncs hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listuserdirectorysyncs outputParameters: - type: object mapping: $. - name: sync-directory-user description: Sync directory user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.syncdirectoryuser outputParameters: - type: object mapping: $. - name: enroll-user description: Enroll user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.enrolluser outputParameters: - type: object mapping: $. - name: get-user description: Get user hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.getuser outputParameters: - type: object mapping: $. - name: update-user description: Update user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.updateuser outputParameters: - type: object mapping: $. - name: delete-user description: Delete user hints: readOnly: false destructive: true idempotent: true call: duo-admin-users.deleteuser outputParameters: - type: object mapping: $. - name: list-desktop-authenticators-user description: List desktop authenticators for user hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listuserdesktopauthenticators outputParameters: - type: object mapping: $. - name: list-user-groups description: List user groups hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listusergroups outputParameters: - type: object mapping: $. - name: associate-group-user description: Associate group with user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.associateusergroup outputParameters: - type: object mapping: $. - name: disassociate-group-user description: Disassociate group from user hints: readOnly: false destructive: true idempotent: true call: duo-admin-users.disassociateusergroup outputParameters: - type: object mapping: $. - name: list-user-phones description: List user phones hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listuserphones outputParameters: - type: object mapping: $. - name: associate-phone-user description: Associate phone with user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.associateuserphone outputParameters: - type: object mapping: $. - name: disassociate-phone-user description: Disassociate phone from user hints: readOnly: false destructive: true idempotent: true call: duo-admin-users.disassociateuserphone outputParameters: - type: object mapping: $. - name: send-verification-duo-push description: Send verification Duo Push hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.sendverificationpush outputParameters: - type: object mapping: $. - name: list-user-hardware-tokens description: List user hardware tokens hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listusertokens outputParameters: - type: object mapping: $. - name: associate-hardware-token-user description: Associate hardware token with user hints: readOnly: false destructive: false idempotent: false call: duo-admin-users.associateusertoken outputParameters: - type: object mapping: $. - name: disassociate-hardware-token-user description: Disassociate hardware token from user hints: readOnly: false destructive: true idempotent: true call: duo-admin-users.disassociateusertoken outputParameters: - type: object mapping: $. - name: retrieve-verification-push-result description: Retrieve verification push result hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.getverificationpushresponse outputParameters: - type: object mapping: $. - name: list-webauthn-credentials-user description: List WebAuthn credentials for user hints: readOnly: true destructive: false idempotent: true call: duo-admin-users.listuserwebauthncredentials outputParameters: - type: object mapping: $.