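---
# Naftiko capability: Vault Identity API (OIDC) consumed over HTTP and
# re-exposed through a REST adapter (port 8080) and an MCP adapter (port 9090).
#
# NOTE(review): the source text had lost its line breaks and indentation. The
# nesting below was reconstructed from key order alone; validate it against the
# Naftiko schema before deploying.
naftiko: 1.0.0-alpha2
info:
  label: HashiCorp Vault Vault Identity API — OIDC
  description: 'HashiCorp Vault Vault Identity API — OIDC. 3 operations. Lead operation: HashiCorp Vault Read OIDC JWKS. Self-contained Naftiko capability covering one Hvault business surface.'
  tags:
    - Hvault
    - OIDC
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
  - namespace: env
    keys:
      # Sent upstream as X-Vault-Token (see `authentication` below), so this
      # variable holds a Vault token rather than a generic API key. Supply it
      # from a secret store at runtime and keep it out of version control. Give
      # it a short TTL and a policy limited to reading the specific
      # identity/oidc/token/<role> paths this capability needs.
      HVAULT_API_KEY: HVAULT_API_KEY
capability:
  consumes:
    - type: http
      namespace: identity-oidc
      # Placeholder host. Keep the https scheme when pointing this at a real
      # Vault address, because the Vault token travels in a request header.
      baseUri: https://vault.example.com/v1
      description: HashiCorp Vault Vault Identity API — OIDC business capability. Self-contained, no shared references.
      resources:
        # Public signing keys that relying parties use to verify identity
        # tokens.
        - name: identity-oidc-.well-known-keys
          path: /identity/oidc/.well-known/keys
          operations:
            - name: readoidcjwks
              method: GET
              description: HashiCorp Vault Read OIDC JWKS
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # OIDC discovery document (issuer, jwks_uri and related metadata).
        - name: identity-oidc-.well-known-openid-configuration
          path: /identity/oidc/.well-known/openid-configuration
          operations:
            - name: readoidcwellknownconfig
              method: GET
              description: HashiCorp Vault Read OIDC discovery configuration
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        # In Vault this endpoint issues a signed OIDC identity token for the
        # entity that owns the calling Vault token. The response is a bearer
        # credential, not metadata, and every token returned through this
        # capability represents the identity behind HVAULT_API_KEY rather than
        # the downstream caller.
        - name: identity-oidc-token-name
          path: /identity/oidc/token/{name}
          operations:
            - name: readoidctoken
              method: GET
              description: HashiCorp Vault Read OIDC token
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                # `name` is substituted into the request path of a call that
                # carries the Vault token. NOTE(review): confirm the engine
                # percent-encodes path parameters, and limit accepted values to
                # the expected role names so a request cannot address any other
                # Vault path.
                - name: name
                  in: path
                  type: string
                  description: Name of the OIDC role
                  required: true
      # Declared once for the whole consumed API, so the token is presumably
      # attached to all three operations. Vault serves the JWKS and discovery
      # documents without authentication; only the token operation needs it.
      # NOTE(review): if the schema allows per-resource authentication, scope
      # the header to identity-oidc-token-name only.
      authentication:
        type: apikey
        key: X-Vault-Token
        value: '{{env.HVAULT_API_KEY}}'
        placement: header
  exposes:
    # NOTE(review): this file declares no caller authentication on either
    # adapter. Unless the runtime or a gateway in front enforces it, any client
    # that can reach these ports receives identity tokens minted with the
    # capability's own Vault token. Bind the listeners to a private interface
    # or require authenticated access before deploying.
    - type: rest
      namespace: identity-oidc-rest
      port: 8080
      description: REST adapter for HashiCorp Vault Vault Identity API — OIDC. One Spectral-compliant resource per consumed operation, prefixed with /v1.
      resources:
        - path: /v1/identity/oidc/well-known/keys
          name: identity-oidc-well-known-keys
          description: REST surface for identity-oidc-.well-known-keys.
          operations:
            - method: GET
              name: readoidcjwks
              description: HashiCorp Vault Read OIDC JWKS
              call: identity-oidc.readoidcjwks
              outputParameters:
                - type: object
                  mapping: $.
        - path: /v1/identity/oidc/well-known/openid-configuration
          name: identity-oidc-well-known-openid-configuration
          description: REST surface for identity-oidc-.well-known-openid-configuration.
          operations:
            - method: GET
              name: readoidcwellknownconfig
              description: HashiCorp Vault Read OIDC discovery configuration
              call: identity-oidc.readoidcwellknownconfig
              outputParameters:
                - type: object
                  mapping: $.
        # Returns a signed identity token to the REST caller. Keep response
        # bodies for this route out of access logs and caches.
        - path: /v1/identity/oidc/token/{name}
          name: identity-oidc-token-name
          description: REST surface for identity-oidc-token-name.
          operations:
            - method: GET
              name: readoidctoken
              description: HashiCorp Vault Read OIDC token
              call: identity-oidc.readoidctoken
              with:
                name: rest.name
              outputParameters:
                - type: object
                  mapping: $.
    - type: mcp
      namespace: identity-oidc-mcp
      port: 9090
      # NOTE(review): if this listener serves plain HTTP, the token tool's
      # output crosses the network unencrypted; terminate TLS in front of it.
      transport: http
      description: MCP adapter for HashiCorp Vault Vault Identity API — OIDC. One tool per consumed operation, routed inline through this capability's consumes block.
      tools:
        - name: hashicorp-vault-read-oidc-jwks
          description: HashiCorp Vault Read OIDC JWKS
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: identity-oidc.readoidcjwks
          outputParameters:
            - type: object
              mapping: $.
        - name: hashicorp-vault-read-oidc-discovery
          description: HashiCorp Vault Read OIDC discovery configuration
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: identity-oidc.readoidcwellknownconfig
          outputParameters:
            - type: object
              mapping: $.
        # The hints below carry the same values as on the two metadata tools,
        # but this tool's result is a signed bearer token that lands in the
        # model context and in any transcript or log built from it. Clients
        # that auto-approve read-only tools would treat it the same as the JWKS
        # lookup. NOTE(review): consider gating this tool separately; also, no
        # input named `name` is declared on the tool in this file, so confirm
        # how `tools.name` is populated.
        - name: hashicorp-vault-read-oidc-token
          description: HashiCorp Vault Read OIDC token
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: identity-oidc.readoidctoken
          with:
            name: tools.name
          outputParameters:
            - type: object
              mapping: $.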