naftiko: 1.0.0-alpha2 info: label: Microsoft Azure InstanceMetadataClient — Get Token description: 'Microsoft Azure InstanceMetadataClient — Get Token. 1 operations. Lead operation: Microsoft Azure Get Identity Oauth2 Token. Self-contained Naftiko capability covering one Microsoft Azure business surface.' tags: - Microsoft Azure - Get Token created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: MICROSOFT_AZURE_API_KEY: MICROSOFT_AZURE_API_KEY capability: consumes: - type: http namespace: instancemetadataclient-get-token baseUri: http://169.254.169.254/metadata description: Microsoft Azure InstanceMetadataClient — Get Token business capability. Self-contained, no shared references. resources: - name: identity-oauth2-token path: /identity/oauth2/token operations: - name: microsoftazureidentitygettoken method: GET description: Microsoft Azure Get Identity Oauth2 Token outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: resource in: query type: string description: This is the urlencoded identifier URI of the sink resource for the requested Azure AD token. The resulting token contains the corresponding aud for this resourc required: true - name: client_id in: query type: string description: This identifies, by Azure AD client id, a specific explicit identity to use when authenticating to Azure AD. Mutually exclusive with object_id and msi_res_id. - name: object_id in: query type: string description: This identifies, by Azure AD object id, a specific explicit identity to use when authenticating to Azure AD. Mutually exclusive with client_id and msi_res_id. - name: msi_res_id in: query type: string description: This identifies, by urlencoded ARM resource id, a specific explicit identity to use when authenticating to Azure AD. Mutually exclusive with client_id and objec - name: authority in: query type: string description: This indicates the authority to request AAD tokens from. Defaults to the known authority of the identity to be used. - name: bypass_cache in: query type: string description: If provided, the value must be 'true'. This indicates to the server that the token must be retrieved from Azure AD and cannot be retrieved from an internal cach exposes: - type: rest namespace: instancemetadataclient-get-token-rest port: 8080 description: REST adapter for Microsoft Azure InstanceMetadataClient — Get Token. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/identity/oauth2/token name: identity-oauth2-token description: REST surface for identity-oauth2-token. operations: - method: GET name: microsoftazureidentitygettoken description: Microsoft Azure Get Identity Oauth2 Token call: instancemetadataclient-get-token.microsoftazureidentitygettoken with: resource: rest.resource client_id: rest.client_id object_id: rest.object_id msi_res_id: rest.msi_res_id authority: rest.authority bypass_cache: rest.bypass_cache outputParameters: - type: object mapping: $. - type: mcp namespace: instancemetadataclient-get-token-mcp port: 9090 transport: http description: MCP adapter for Microsoft Azure InstanceMetadataClient — Get Token. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: microsoft-azure-get-identity-oauth2 description: Microsoft Azure Get Identity Oauth2 Token hints: readOnly: true destructive: false idempotent: true call: instancemetadataclient-get-token.microsoftazureidentitygettoken with: resource: tools.resource client_id: tools.client_id object_id: tools.object_id msi_res_id: tools.msi_res_id authority: tools.authority bypass_cache: tools.bypass_cache outputParameters: - type: object mapping: $.