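# Naftiko capability: wraps the Gravitee Access Management (AM) administration
# API under `consumes` and re-exposes selected operations under `exposes` as a
# REST listener (port 8081) and an MCP server (port 9091).
naftiko: 1.0.0-alpha2
info:
  label: Gravitee Access Management
  description: >-
    Identity and access management workflow for security engineers to manage
    Gravitee AM security domains, OAuth2/OIDC applications, users, roles,
    identity providers, and authentication flows.
  tags:
    - Gravitee
    - Identity
    - Access Management
    - OAuth2
  created: '2026-05-04'
  modified: '2026-05-06'
# The endpoint and the admin token are read from environment variables, so no
# credential is stored in this file.
binds:
  - namespace: env
    keys:
      GRAVITEE_AM_URL: GRAVITEE_AM_URL
      GRAVITEE_AM_TOKEN: GRAVITEE_AM_TOKEN
capability:
  consumes:
    - type: http
      namespace: gravitee-am
      # NOTE(review): single braces here, double braces for the token below;
      # confirm which placeholder form the runtime resolves for baseUri.
      # The bearer token is sent to this URL on every call, so it should be an
      # https:// endpoint.
      baseUri: '{GRAVITEE_AM_URL}'
      description: Gravitee Access Management administration API.
      # One bearer token backs every operation below. Whatever that token may do
      # in Gravitee AM is what any caller of the exposed listeners can do, so
      # scope it to the operations this file actually uses.
      authentication:
        type: bearer
        value: '{{GRAVITEE_AM_TOKEN}}'
        placement: header
      resources:
        # Collection-level operations on security domains.
        - name: domains
          path: /organizations/{organizationId}/environments/{environmentId}/domains
          description: Security domain management.
          operations:
            - name: list-domains
              method: GET
              description: List all security domains within an environment.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number.
                - name: size
                  in: query
                  type: integer
                  required: false
                  description: Items per page.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-domain
              method: POST
              description: Create a new security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # NOTE(review): the body placeholders use the `tools.` prefix, while
              # the REST listener supplies `rest.*` values under the same names;
              # confirm both callers resolve these fields.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
                  path: '{{tools.path}}'
        # Item-level operations live on their own resource so that the declared
        # `domainId` path parameter has a {domainId} placeholder to bind to.
        # Grouped under the collection path, get/update/delete would address the
        # whole domain collection instead of one domain.
        - name: domain
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}
          description: A single security domain.
          operations:
            - name: get-domain
              method: GET
              description: Get a security domain by ID.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: update-domain
              method: PUT
              description: Update a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # `enabled` is quoted, so it is rendered from a string placeholder;
              # NOTE(review): confirm the API receives a boolean, and what is
              # sent when a caller omits the field.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
                  enabled: '{{tools.enabled}}'
            - name: delete-domain
              method: DELETE
              description: Delete a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: domain-applications
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}/applications
          description: OAuth2/OIDC application management within a domain.
          operations:
            - name: list-domain-applications
              method: GET
              description: List applications within a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number.
                - name: size
                  in: query
                  type: integer
                  required: false
                  description: Items per page.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-domain-application
              method: POST
              description: Create a new OAuth2/OIDC application within a domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # The whole response is returned to the caller (`value: $.`).
              # NOTE(review): presumably this can include the new application's
              # client credentials; confirm, and treat the response as sensitive.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  type: '{{tools.type}}'
                  settings: '{{tools.settings}}'
        - name: domain-users
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}/users
          description: Users within a security domain.
          operations:
            - name: list-domain-users
              method: GET
              description: List users within a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
                - name: page
                  in: query
                  type: integer
                  required: false
                  description: Page number.
                - name: size
                  in: query
                  type: integer
                  required: false
                  description: Items per page.
                - name: q
                  in: query
                  type: string
                  required: false
                  description: Search query.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-domain-user
              method: POST
              description: Create a user within a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # The password arrives as a caller-supplied value and is forwarded
              # in the request body in plaintext; keep request bodies for this
              # operation out of logs and tool transcripts.
              body:
                type: json
                data:
                  username: '{{tools.username}}'
                  firstName: '{{tools.firstName}}'
                  lastName: '{{tools.lastName}}'
                  email: '{{tools.email}}'
                  password: '{{tools.password}}'
        - name: domain-roles
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}/roles
          description: Roles within a security domain.
          operations:
            - name: list-domain-roles
              method: GET
              description: List roles within a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: domain-identities
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}/identities
          description: Identity providers within a security domain.
          operations:
            - name: list-identity-providers
              method: GET
              description: List identity providers within a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              # NOTE(review): the full provider objects are passed through;
              # confirm whether they carry connection secrets before exposing
              # this operation to a wide audience.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: domain-flows
          path: /organizations/{organizationId}/environments/{environmentId}/domains/{domainId}/flows
          description: Authentication and authorization flows within a domain.
          operations:
            - name: list-domain-flows
              method: GET
              description: List flows configured in a security domain.
              inputParameters:
                - name: organizationId
                  in: path
                  type: string
                  required: true
                  description: Organization identifier.
                - name: environmentId
                  in: path
                  type: string
                  required: true
                  description: Environment identifier.
                - name: domainId
                  in: path
                  type: string
                  required: true
                  description: Domain identifier.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    # REST listener. No authentication settings are visible on this listener,
    # while every call it forwards carries the admin bearer token above.
    # NOTE(review): confirm that access to port 8081 is restricted (network
    # policy or an authenticating gateway) before deployment; the listener
    # includes create and delete operations.
    - type: rest
      port: 8081
      namespace: gravitee-access-management-api
      description: Unified REST API for Gravitee AM administration.
      resources:
        - path: /v1/domains
          name: domains
          description: Security domains.
          operations:
            # organizationId and environmentId are caller-supplied and do not
            # appear in the exposed path. NOTE(review): confirm where the
            # runtime reads them from, and whether callers should be pinned to
            # one organization/environment instead.
            - method: GET
              name: list-domains
              description: List all security domains.
              call: gravitee-am.list-domains
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-domain
              description: Create a new security domain.
              call: gravitee-am.create-domain
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                name: rest.name
                description: rest.description
                path: rest.path
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}
          name: domain
          description: A single security domain.
          operations:
            - method: GET
              name: get-domain
              description: Get a security domain by ID.
              call: gravitee-am.get-domain
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: delete-domain
              description: Delete a security domain.
              call: gravitee-am.delete-domain
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}/applications
          name: domain-applications
          description: Applications within a domain.
          operations:
            - method: GET
              name: list-domain-applications
              description: List OAuth2/OIDC applications within a domain.
              call: gravitee-am.list-domain-applications
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}/users
          name: domain-users
          description: Users within a domain.
          operations:
            - method: GET
              name: list-domain-users
              description: List users within a security domain.
              call: gravitee-am.list-domain-users
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}/roles
          name: domain-roles
          description: Roles within a domain.
          operations:
            - method: GET
              name: list-domain-roles
              description: List roles within a security domain.
              call: gravitee-am.list-domain-roles
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}/identities
          name: domain-identities
          description: Identity providers within a domain.
          operations:
            - method: GET
              name: list-identity-providers
              description: List identity providers within a security domain.
              call: gravitee-am.list-identity-providers
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/domains/{domainId}/flows
          name: domain-flows
          description: Flows within a domain.
          operations:
            - method: GET
              name: list-domain-flows
              description: List authentication and authorization flows within a domain.
              call: gravitee-am.list-domain-flows
              with:
                organizationId: rest.organizationId
                environmentId: rest.environmentId
                domainId: rest.domainId
              outputParameters:
                - type: object
                  mapping: $.
    # MCP server. As with the REST listener, no authentication settings are
    # visible here and every tool call is forwarded with the admin bearer token.
    # Tool arguments are chosen by the connected client or model, so the write
    # and delete tools below act with the full privileges of that token.
    # NOTE(review): confirm who can reach port 9091, and consider whether the
    # write tools belong on the same server as the read-only ones.
    - type: mcp
      port: 9091
      namespace: gravitee-access-management-mcp
      transport: http
      description: MCP server for AI-assisted Gravitee AM administration.
      tools:
        - name: list-domains
          description: List all Gravitee AM security domains within an environment.
          hints:
            readOnly: true
          call: gravitee-am.list-domains
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
          outputParameters:
            - type: object
              mapping: $.
        - name: get-domain
          description: Get a Gravitee AM security domain by ID.
          hints:
            readOnly: true
          call: gravitee-am.get-domain
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        - name: create-domain
          description: Create a new Gravitee AM security domain.
          hints:
            readOnly: false
          call: gravitee-am.create-domain
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            name: tools.name
            description: tools.description
            path: tools.path
          outputParameters:
            - type: object
              mapping: $.
        # Only the identifiers are mapped here, while the consumed PUT body
        # expects name, description and enabled. NOTE(review): confirm what is
        # sent for those fields so an update cannot blank or disable a domain
        # unintentionally.
        - name: update-domain
          description: Update a Gravitee AM security domain.
          hints:
            readOnly: false
            idempotent: true
          call: gravitee-am.update-domain
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        # `destructive` is a hint to the client. NOTE(review): presumably it is
        # advisory only and does not by itself require confirmation; verify
        # against the runtime before relying on it as a safeguard.
        - name: delete-domain
          description: Delete a Gravitee AM security domain and its resources.
          hints:
            destructive: true
          call: gravitee-am.delete-domain
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        - name: list-domain-applications
          description: List OAuth2/OIDC applications within a domain.
          hints:
            readOnly: true
          call: gravitee-am.list-domain-applications
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        # `settings` from the consumed body is not mapped here; NOTE(review):
        # confirm the application is created with the intended settings.
        - name: create-domain-application
          description: Create a new OAuth2/OIDC application within a domain.
          hints:
            readOnly: false
          call: gravitee-am.create-domain-application
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
            name: tools.name
            type: tools.type
          outputParameters:
            - type: object
              mapping: $.
        - name: list-domain-users
          description: List users within a security domain.
          hints:
            readOnly: true
          call: gravitee-am.list-domain-users
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        # Only username and email are mapped; firstName, lastName and password
        # from the consumed body have no source in this mapping.
        # NOTE(review): confirm how the account's initial credential is set on
        # this path, and that no password is expected to pass through tool
        # arguments, where it would end up in the conversation transcript.
        - name: create-domain-user
          description: Create a user within a security domain.
          hints:
            readOnly: false
          call: gravitee-am.create-domain-user
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
            username: tools.username
            email: tools.email
          outputParameters:
            - type: object
              mapping: $.
        - name: list-domain-roles
          description: List roles within a security domain.
          hints:
            readOnly: true
          call: gravitee-am.list-domain-roles
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        - name: list-identity-providers
          description: List identity providers within a security domain.
          hints:
            readOnly: true
          call: gravitee-am.list-identity-providers
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.
        - name: list-domain-flows
          description: List authentication and authorization flows within a domain.
          hints:
            readOnly: true
          call: gravitee-am.list-domain-flows
          with:
            organizationId: tools.organizationId
            environmentId: tools.environmentId
            domainId: tools.domainId
          outputParameters:
            - type: object
              mapping: $.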