naftiko: 1.0.0-alpha2 info: title: Okta Auth0 Obo Token Propagation Capability description: A capability that propagates Okta/Auth0 on-behalf-of (OBO) tokens through the Naftiko proxy so upstream APIs see the original user identity. tags: [Naftiko, Okta, Auth0, OBO] created: '2026-05-01' modified: '2026-05-04' binds: - namespace: okta-env keys: {OKTA_DOMAIN: OKTA_DOMAIN, OKTA_TOKEN: OKTA_TOKEN} capability: consumes: - namespace: okta type: http baseUri: https://{{OKTA_DOMAIN}} authentication: {type: bearer, token: '{{OKTA_TOKEN}}'} resources: - {name: token, path: /oauth2/v1/token, operations: [{name: exchange-obo-token, method: POST, description: RFC 8693 token exchange for OBO.}]} - {name: introspect, path: /oauth2/v1/introspect, operations: [{name: introspect-token, method: POST}]} exposes: - type: rest address: 0.0.0.0 port: 8080 namespace: okta-auth0-obo-token-propagation-capability-rest description: REST surface for OBO token exchange. resources: - {name: exchange, path: /token/exchange, operations: [{method: POST, name: exchange-obo-token, call: okta.exchange-obo-token}]} - type: mcp address: 0.0.0.0 port: 3010 namespace: okta-auth0-obo-token-propagation-capability-mcp description: MCP for OBO token exchange. tools: - {name: exchange-obo-token, call: okta.exchange-obo-token} - {name: introspect-token, call: okta.introspect-token} - type: skill address: 0.0.0.0 port: 3011 namespace: okta-auth0-obo-token-propagation-capability-skills description: Skill for OBO propagation. skills: - name: okta-auth0-obo-token-propagation-capability description: Okta/Auth0 OBO token propagation. location: file:///opt/naftiko/skills/okta-auth0-obo-token-propagation-capability allowed-tools: exchange-obo-token,introspect-token tools: - {name: exchange-obo-token, from: {sourceNamespace: okta-auth0-obo-token-propagation-capability-mcp, action: exchange-obo-token}} - {name: introspect-token, from: {sourceNamespace: okta-auth0-obo-token-propagation-capability-mcp, action: introspect-token}}