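---
# Naftiko capability wrapping the Vault token auth endpoints (/auth/token/*).
# It declares one HTTP consumer (vault-auth) and two adapters over it: a REST
# surface on port 8080 and an MCP tool server on port 9090.
# NOTE(review): this file arrived with its line structure collapsed. The
# nesting below is reconstructed from key order; verify it against the
# Naftiko schema before relying on it.
naftiko: 1.0.0-alpha2
info:
  label: HashiCorp Vault API — Auth
  description: 'HashiCorp Vault API — Auth. 21 operations. Lead operation:
    HashiCorp List token accessors, which can then be used to iterate and
    discover their properties or revoke them. Because this can be used to
    cause a denial of service, this endpoint requires ''sudo'' capability in
    addition to ''list''. Self-contained Naftiko capability covering one
    Hashicorp business surface.'
  tags:
    - Hashicorp
    - Auth
  created: '2026-05-19'
  modified: '2026-05-19'
# Binds HASHICORP_API_KEY from the environment.
# NOTE(review): for this surface the credential would be a Vault token able
# to create, renew and revoke other tokens. Nothing visible below shows how
# it is attached to outgoing requests; confirm that, and scope its policy to
# the paths listed here rather than using a root token.
binds:
  - namespace: env
    keys:
      HASHICORP_API_KEY: HASHICORP_API_KEY
capability:
  consumes:
    - type: http
      namespace: vault-auth
      # NOTE(review): baseUri is empty, so the Vault address is not defined in
      # this file. Requests and responses on this surface carry tokens, so the
      # configured address should be an https:// one.
      baseUri: ''
      description: HashiCorp Vault API — Auth business capability. Self-contained, no shared references.
      resources:
        - name: auth-token-accessors
          path: /auth/token/accessors/
          operations:
            - name: getauthtokenaccessors
              method: GET
              # Completed from the capability description above so the 'sudo'
              # requirement and denial-of-service caveat are not lost.
              description: 'HashiCorp List token accessors, which can then be
                used to iterate and discover their properties or revoke them.
                Because this can be used to cause a denial of service, this
                endpoint requires ''sudo'' capability in addition to
                ''list''.'
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: list
                  in: query
                  type: string
                  description: Return a list if `true`
        # NOTE(review): none of the three create operations declares a body
        # parameter, so callers cannot pass policies or a TTL. Per Vault's
        # documented default, a token created without explicit policies
        # inherits the calling token's policies; confirm that is intended.
        - name: auth-token-create
          path: /auth/token/create
          operations:
            - name: postauthtokencreate
              method: POST
              description: HashiCorp The token create path is used to create new tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-token-create-orphan
          path: /auth/token/create-orphan
          operations:
            - name: postauthtokencreateorphan
              method: POST
              description: HashiCorp The token create path is used to create new orphan tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # NOTE(review): {role_name} appears in the path but no input parameter
        # is declared for it, and neither adapter passes a value in `with:`.
        # Confirm how the role name is supplied.
        - name: auth-token-create-role_name
          path: /auth/token/create/{role_name}
          operations:
            - name: postauthtokencreaterolename
              method: POST
              description: HashiCorp This token create path is used to create new tokens adhering to the given role.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-token-lookup
          path: /auth/token/lookup
          operations:
            - name: getauthtokenlookup
              method: GET
              description: HashiCorp This endpoint will lookup a token and its properties.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postauthtokenlookup
              method: POST
              description: HashiCorp This endpoint will lookup a token and its properties.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              # NOTE(review): the body presumably carries the token being
              # looked up; keep request bodies out of adapter access logs.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-lookup-accessor
          path: /auth/token/lookup-accessor
          operations:
            - name: postauthtokenlookupaccessor
              method: POST
              description: HashiCorp This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-lookup-self
          path: /auth/token/lookup-self
          operations:
            - name: getauthtokenlookupself
              method: GET
              description: HashiCorp This endpoint will lookup a token and its properties.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postauthtokenlookupself
              method: POST
              description: HashiCorp This endpoint will lookup a token and its properties.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-renew
          path: /auth/token/renew
          operations:
            - name: postauthtokenrenew
              method: POST
              description: HashiCorp This endpoint will renew the given token and prevent expiration.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-renew-accessor
          path: /auth/token/renew-accessor
          operations:
            - name: postauthtokenrenewaccessor
              method: POST
              description: HashiCorp This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-renew-self
          path: /auth/token/renew-self
          operations:
            - name: postauthtokenrenewself
              method: POST
              description: HashiCorp This endpoint will renew the token used to call it and prevent expiration.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-revoke
          path: /auth/token/revoke
          operations:
            - name: postauthtokenrevoke
              method: POST
              description: HashiCorp This endpoint will delete the given token and all of its child tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-revoke-accessor
          path: /auth/token/revoke-accessor
          operations:
            - name: postauthtokenrevokeaccessor
              method: POST
              description: HashiCorp This endpoint will delete the token associated with the accessor and all of its child tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-revoke-orphan
          path: /auth/token/revoke-orphan
          operations:
            - name: postauthtokenrevokeorphan
              method: POST
              description: HashiCorp This endpoint will delete the token and orphan its child tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
        - name: auth-token-revoke-self
          path: /auth/token/revoke-self
          operations:
            - name: postauthtokenrevokeself
              method: POST
              description: HashiCorp This endpoint will delete the token used to call it and all of its child tokens.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-token-roles
          path: /auth/token/roles
          operations:
            - name: getauthtokenroles
              method: GET
              description: HashiCorp This endpoint lists configured roles.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: list
                  in: query
                  type: string
                  description: Return a list if `true`
        # NOTE(review): as with the create-by-role path, {role_name} has no
        # declared input parameter. The three operations also have empty
        # descriptions in the source.
        - name: auth-token-roles-role_name
          path: /auth/token/roles/{role_name}
          operations:
            - name: getauthtokenrolesrolename
              method: GET
              description: ''
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: postauthtokenrolesrolename
              method: POST
              description: ''
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: false
            - name: deleteauthtokenrolesrolename
              method: DELETE
              description: ''
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: auth-token-tidy
          path: /auth/token/tidy
          operations:
            - name: postauthtokentidy
              method: POST
              # NOTE(review): this description is cut off mid-sentence in the
              # source; complete it from the Vault API reference.
              description: HashiCorp This endpoint performs cleanup tasks that can be run if certain error
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  exposes:
    # NOTE(review): no caller authentication or TLS setting is visible on this
    # adapter. It fronts token create, renew and revoke, so confirm it listens
    # only on a trusted interface or sits behind an authenticating proxy.
    - type: rest
      namespace: vault-auth-rest
      port: 8080
      description: REST adapter for HashiCorp Vault API — Auth. One Spectral-compliant resource per consumed operation, prefixed with /v1.
      resources:
        - path: /v1/auth/token/accessors
          name: auth-token-accessors
          description: REST surface for auth-token-accessors.
          operations:
            - method: GET
              name: getauthtokenaccessors
              description: 'HashiCorp List token accessors, which can then be
                used to iterate and discover their properties or revoke them.
                Because this can be used to cause a denial of service, this
                endpoint requires ''sudo'' capability in addition to
                ''list''.'
              call: vault-auth.getauthtokenaccessors
              with:
                list: rest.list
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/create
          name: auth-token-create
          description: REST surface for auth-token-create.
          operations:
            - method: POST
              name: postauthtokencreate
              description: HashiCorp The token create path is used to create new tokens.
              call: vault-auth.postauthtokencreate
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/create-orphan
          name: auth-token-create-orphan
          description: REST surface for auth-token-create-orphan.
          operations:
            - method: POST
              name: postauthtokencreateorphan
              description: HashiCorp The token create path is used to create new orphan tokens.
              call: vault-auth.postauthtokencreateorphan
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): the {role-name} segment is not forwarded; the call
        # below has no `with:` entry for it.
        - path: /v1/auth/token/create/{role-name}
          name: auth-token-create-role-name
          description: REST surface for auth-token-create-role_name.
          operations:
            - method: POST
              name: postauthtokencreaterolename
              description: HashiCorp This token create path is used to create new tokens adhering to the given role.
              call: vault-auth.postauthtokencreaterolename
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/lookup
          name: auth-token-lookup
          description: REST surface for auth-token-lookup.
          operations:
            - method: GET
              name: getauthtokenlookup
              description: HashiCorp This endpoint will lookup a token and its properties.
              call: vault-auth.getauthtokenlookup
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postauthtokenlookup
              description: HashiCorp This endpoint will lookup a token and its properties.
              call: vault-auth.postauthtokenlookup
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/lookup-accessor
          name: auth-token-lookup-accessor
          description: REST surface for auth-token-lookup-accessor.
          operations:
            - method: POST
              name: postauthtokenlookupaccessor
              description: HashiCorp This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
              call: vault-auth.postauthtokenlookupaccessor
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/lookup-self
          name: auth-token-lookup-self
          description: REST surface for auth-token-lookup-self.
          operations:
            - method: GET
              name: getauthtokenlookupself
              description: HashiCorp This endpoint will lookup a token and its properties.
              call: vault-auth.getauthtokenlookupself
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postauthtokenlookupself
              description: HashiCorp This endpoint will lookup a token and its properties.
              call: vault-auth.postauthtokenlookupself
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/renew
          name: auth-token-renew
          description: REST surface for auth-token-renew.
          operations:
            - method: POST
              name: postauthtokenrenew
              description: HashiCorp This endpoint will renew the given token and prevent expiration.
              call: vault-auth.postauthtokenrenew
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/renew-accessor
          name: auth-token-renew-accessor
          description: REST surface for auth-token-renew-accessor.
          operations:
            - method: POST
              name: postauthtokenrenewaccessor
              description: HashiCorp This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.
              call: vault-auth.postauthtokenrenewaccessor
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/renew-self
          name: auth-token-renew-self
          description: REST surface for auth-token-renew-self.
          operations:
            - method: POST
              name: postauthtokenrenewself
              description: HashiCorp This endpoint will renew the token used to call it and prevent expiration.
              call: vault-auth.postauthtokenrenewself
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/revoke
          name: auth-token-revoke
          description: REST surface for auth-token-revoke.
          operations:
            - method: POST
              name: postauthtokenrevoke
              description: HashiCorp This endpoint will delete the given token and all of its child tokens.
              call: vault-auth.postauthtokenrevoke
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/revoke-accessor
          name: auth-token-revoke-accessor
          description: REST surface for auth-token-revoke-accessor.
          operations:
            - method: POST
              name: postauthtokenrevokeaccessor
              description: HashiCorp This endpoint will delete the token associated with the accessor and all of its child tokens.
              call: vault-auth.postauthtokenrevokeaccessor
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/revoke-orphan
          name: auth-token-revoke-orphan
          description: REST surface for auth-token-revoke-orphan.
          operations:
            - method: POST
              name: postauthtokenrevokeorphan
              description: HashiCorp This endpoint will delete the token and orphan its child tokens.
              call: vault-auth.postauthtokenrevokeorphan
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/revoke-self
          name: auth-token-revoke-self
          description: REST surface for auth-token-revoke-self.
          operations:
            - method: POST
              name: postauthtokenrevokeself
              description: HashiCorp This endpoint will delete the token used to call it and all of its child tokens.
              call: vault-auth.postauthtokenrevokeself
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/roles
          name: auth-token-roles
          description: REST surface for auth-token-roles.
          operations:
            - method: GET
              name: getauthtokenroles
              description: HashiCorp This endpoint lists configured roles.
              call: vault-auth.getauthtokenroles
              with:
                list: rest.list
              outputParameters:
                - type: object
                  mapping: $.
        # NOTE(review): the {role-name} segment is not forwarded by any of the
        # three calls below.
        - path: /v1/auth/token/roles/{role-name}
          name: auth-token-roles-role-name
          description: REST surface for auth-token-roles-role_name.
          operations:
            - method: GET
              name: getauthtokenrolesrolename
              description: getauthtokenrolesrolename
              call: vault-auth.getauthtokenrolesrolename
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: postauthtokenrolesrolename
              description: postauthtokenrolesrolename
              call: vault-auth.postauthtokenrolesrolename
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.
            - method: DELETE
              name: deleteauthtokenrolesrolename
              description: deleteauthtokenrolesrolename
              call: vault-auth.deleteauthtokenrolesrolename
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/auth/token/tidy
          name: auth-token-tidy
          description: REST surface for auth-token-tidy.
          operations:
            - method: POST
              name: postauthtokentidy
              description: HashiCorp This endpoint performs cleanup tasks that can be run if certain error
              call: vault-auth.postauthtokentidy
              outputParameters:
                - type: object
                  mapping: $.
    # NOTE(review): as on the REST adapter, no caller authentication is visible
    # here and the transport is plain http. Every tool maps the whole Vault
    # response (`mapping: $.`) back to the MCP client, so for the create tools
    # the newly issued token presumably lands in the client's context. Confirm
    # that is acceptable, or narrow the mapping.
    - type: mcp
      namespace: vault-auth-mcp
      port: 9090
      transport: http
      description: MCP adapter for HashiCorp Vault API — Auth. One tool per consumed operation, routed inline through this capability's consumes block.
      tools:
        - name: hashicorp-list-token-accessors-which
          # Full text restored so the agent-facing description keeps the
          # 'sudo' requirement and the denial-of-service caveat.
          description: 'HashiCorp List token accessors, which can then be used
            to iterate and discover their properties or revoke them. Because
            this can be used to cause a denial of service, this endpoint
            requires ''sudo'' capability in addition to ''list''.'
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-auth.getauthtokenaccessors
          with:
            list: tools.list
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-token-create-path-is
          description: HashiCorp The token create path is used to create new tokens.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokencreate
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-token-create-path-is-2
          description: HashiCorp The token create path is used to create new orphan tokens.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokencreateorphan
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-token-create-path
          description: HashiCorp This token create path is used to create new tokens adhering to the given role.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokencreaterolename
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-lookup
          description: HashiCorp This endpoint will lookup a token and its properties.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-auth.getauthtokenlookup
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-lookup-2
          description: HashiCorp This endpoint will lookup a token and its properties.
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenlookup
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-lookup-3
          description: HashiCorp This endpoint will lookup a token associated with the given accessor and its properties. Response will not contain the token ID.
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenlookupaccessor
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-lookup-4
          description: HashiCorp This endpoint will lookup a token and its properties.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-auth.getauthtokenlookupself
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-lookup-5
          description: HashiCorp This endpoint will lookup a token and its properties.
          hints:
            readOnly: true
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenlookupself
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-renew
          description: HashiCorp This endpoint will renew the given token and prevent expiration.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenrenew
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-renew-2
          description: HashiCorp This endpoint will renew a token associated with the given accessor and its properties. Response will not contain the token ID.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenrenewaccessor
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-renew-3
          description: HashiCorp This endpoint will renew the token used to call it and prevent expiration.
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenrenewself
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        # The four revoke tools delete tokens, and all but revoke-orphan also
        # delete the child tokens. They are marked destructive, matching
        # deleteauthtokenrolesrolename, so that clients honoring the hint can
        # require confirmation before calling them.
        - name: hashicorp-this-endpoint-will-delete
          description: HashiCorp This endpoint will delete the given token and all of its child tokens.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: vault-auth.postauthtokenrevoke
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-delete-2
          description: HashiCorp This endpoint will delete the token associated with the accessor and all of its child tokens.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: vault-auth.postauthtokenrevokeaccessor
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-delete-3
          description: HashiCorp This endpoint will delete the token and orphan its child tokens.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: vault-auth.postauthtokenrevokeorphan
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-will-delete-4
          description: HashiCorp This endpoint will delete the token used to call it and all of its child tokens.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: vault-auth.postauthtokenrevokeself
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-lists-configured
          description: HashiCorp This endpoint lists configured roles.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-auth.getauthtokenroles
          with:
            list: tools.list
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): the three role tools below take no role name input, and
        # their descriptions only repeat the operation id, which gives an MCP
        # client nothing to judge the call by.
        - name: getauthtokenrolesrolename
          description: getauthtokenrolesrolename
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: vault-auth.getauthtokenrolesrolename
          outputParameters:
            - type: object
              mapping: $.
        # NOTE(review): this tool writes role configuration; consider whether
        # overwriting an existing role should be hinted as destructive.
        - name: postauthtokenrolesrolename
          description: postauthtokenrolesrolename
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokenrolesrolename
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.
        - name: deleteauthtokenrolesrolename
          description: deleteauthtokenrolesrolename
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: vault-auth.deleteauthtokenrolesrolename
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-this-endpoint-performs-cleanup
          # NOTE(review): this description is cut off mid-sentence in the
          # source; complete it from the Vault API reference.
          description: HashiCorp This endpoint performs cleanup tasks that can be run if certain error
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: vault-auth.postauthtokentidy
          outputParameters:
            - type: object
              mapping: $.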