naftiko: 1.0.0-alpha2 info: label: Okta API — Application description: 'Okta API — Application. 49 operations. Lead operation: Okta List Applications. Self-contained Naftiko capability covering one Okta business surface.' tags: - Okta - Application created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: OKTA_API_KEY: OKTA_API_KEY capability: consumes: - type: http namespace: okta-application baseUri: https://your-subdomain.okta.com description: Okta API — Application business capability. Self-contained, no shared references. resources: - name: api-v1-apps path: /api/v1/apps operations: - name: listapplications method: GET description: Okta List Applications outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: q in: query type: string - name: after in: query type: string description: Specifies the pagination cursor for the next page of apps - name: limit in: query type: integer description: Specifies the number of results for a page - name: filter in: query type: string description: Filters apps by status, user.id, group.id or credentials.signing.kid expression - name: expand in: query type: string description: Traverses users link relationship and optionally embeds Application User resource - name: includeNonDeleted in: query type: boolean - name: createapplication method: POST description: Okta Add Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: activate in: query type: boolean description: Executes activation lifecycle operation when creating the app - name: OktaAccessGateway-Agent in: header type: string - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId path: /api/v1/apps/{appId} operations: - name: getapplication method: GET description: Okta Get Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: expand in: query type: string - name: updateapplication method: PUT description: Okta Update Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: deleteapplication method: DELETE description: Okta Delete Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-connections-default path: /api/v1/apps/{appId}/connections/default operations: - name: getdefaultprovisioningconnectionforapplication method: GET description: Okta Fetches the default Provisioning Connection for an application. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: setdefaultprovisioningconnectionforapplication method: POST description: Okta Sets the default Provisioning Connection for an application. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: activate in: query type: boolean - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-connections-default-lifecycle-activate path: /api/v1/apps/{appId}/connections/default/lifecycle/activate operations: - name: activatedefaultprovisioningconnectionforapplication method: POST description: Okta Activate default Provisioning Connection for application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-connections-default-lifecycle-deactivate path: /api/v1/apps/{appId}/connections/default/lifecycle/deactivate operations: - name: deactivatedefaultprovisioningconnectionforapplication method: POST description: Okta Deactivate default Provisioning Connection for application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-credentials-csrs path: /api/v1/apps/{appId}/credentials/csrs operations: - name: listcsrsforapplication method: GET description: Okta List Certificate Signing Requests for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: generatecsrforapplication method: POST description: Okta Generate Certificate Signing Request for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-credentials-csrs-csrId path: /api/v1/apps/{appId}/credentials/csrs/{csrId} operations: - name: getcsrforapplication method: GET description: '' outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: csrId in: path type: string required: true - name: revokecsrfromapplication method: DELETE description: '' outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: csrId in: path type: string required: true - name: api-v1-apps-appId-credentials-csrs-csrId-lifecycle-publish path: /api/v1/apps/{appId}/credentials/csrs/{csrId}/lifecycle/publish operations: - name: post method: POST description: '' outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: csrId in: path type: string required: true - name: api-v1-apps-appId-credentials-keys path: /api/v1/apps/{appId}/credentials/keys operations: - name: listapplicationkeys method: GET description: Okta List Key Credentials for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-credentials-keys-generate path: /api/v1/apps/{appId}/credentials/keys/generate operations: - name: generateapplicationkey method: POST description: Generates a new X.509 certificate for an application key credential outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: validityYears in: query type: integer - name: api-v1-apps-appId-credentials-keys-keyId path: /api/v1/apps/{appId}/credentials/keys/{keyId} operations: - name: getapplicationkey method: GET description: Okta Get Key Credential for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: keyId in: path type: string required: true - name: api-v1-apps-appId-credentials-keys-keyId-clone path: /api/v1/apps/{appId}/credentials/keys/{keyId}/clone operations: - name: cloneapplicationkey method: POST description: Okta Clone Application Key Credential outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: keyId in: path type: string required: true - name: targetAid in: query type: string description: Unique key of the target Application required: true - name: api-v1-apps-appId-credentials-secrets path: /api/v1/apps/{appId}/credentials/secrets operations: - name: listclientsecretsforapplication method: GET description: Okta List client secrets outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: createnewclientsecretforapplication method: POST description: Okta Add new client secret outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-credentials-secrets-secretId path: /api/v1/apps/{appId}/credentials/secrets/{secretId} operations: - name: getclientsecretforapplication method: GET description: Okta Get client secret outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: secretId in: path type: string required: true - name: deleteclientsecretforapplication method: DELETE description: Removes a secret from the client's collection of secrets. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: secretId in: path type: string required: true - name: api-v1-apps-appId-credentials-secrets-secretId-lifecycle-activate path: /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate operations: - name: activateclientsecretforapplication method: POST description: Okta Activate a client secret outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: secretId in: path type: string required: true - name: api-v1-apps-appId-credentials-secrets-secretId-lifecycle-deactivate path: /api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate operations: - name: deactivateclientsecretforapplication method: POST description: Okta Deactivate a client secret outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: secretId in: path type: string required: true - name: api-v1-apps-appId-features path: /api/v1/apps/{appId}/features operations: - name: listfeaturesforapplication method: GET description: Okta Fetches the Feature objects for an application. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-features-name path: /api/v1/apps/{appId}/features/{name} operations: - name: getfeatureforapplication method: GET description: Okta Fetches a Feature object for an application. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: name in: path type: string required: true - name: updatefeatureforapplication method: PUT description: Okta Updates a Feature object for an application. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: name in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-grants path: /api/v1/apps/{appId}/grants operations: - name: listscopeconsentgrants method: GET description: Lists all scope consent grants for the application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: expand in: query type: string - name: grantconsenttoscope method: POST description: Grants consent for the application to request an OAuth 2.0 Okta scope outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-grants-grantId path: /api/v1/apps/{appId}/grants/{grantId} operations: - name: getscopeconsentgrant method: GET description: Fetches a single scope consent grant for the application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: grantId in: path type: string required: true - name: expand in: query type: string - name: revokescopeconsentgrant method: DELETE description: Revokes permission for the application to request the given scope outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: grantId in: path type: string required: true - name: api-v1-apps-appId-groups path: /api/v1/apps/{appId}/groups operations: - name: listapplicationgroupassignments method: GET description: Okta List Groups Assigned to Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: q in: query type: string - name: after in: query type: string description: Specifies the pagination cursor for the next page of assignments - name: limit in: query type: integer description: Specifies the number of results for a page - name: expand in: query type: string - name: api-v1-apps-appId-groups-groupId path: /api/v1/apps/{appId}/groups/{groupId} operations: - name: getapplicationgroupassignment method: GET description: Okta Get Assigned Group for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: groupId in: path type: string required: true - name: expand in: query type: string - name: createapplicationgroupassignment method: PUT description: Okta Assign Group to Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: groupId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: false - name: deleteapplicationgroupassignment method: DELETE description: Okta Remove Group from Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: groupId in: path type: string required: true - name: api-v1-apps-appId-lifecycle-activate path: /api/v1/apps/{appId}/lifecycle/activate operations: - name: activateapplication method: POST description: Okta Activate Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-lifecycle-deactivate path: /api/v1/apps/{appId}/lifecycle/deactivate operations: - name: deactivateapplication method: POST description: Okta Deactivate Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-logo path: /api/v1/apps/{appId}/logo operations: - name: uploadapplicationlogo method: POST description: Okta The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-policies-policyId path: /api/v1/apps/{appId}/policies/{policyId} operations: - name: updateapplicationpolicy method: PUT description: Okta Update application policy outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: policyId in: path type: string required: true - name: api-v1-apps-appId-sso-saml-metadata path: /api/v1/apps/{appId}/sso/saml/metadata operations: - name: previewsamlappmetadata method: GET description: Previews SAML metadata based on a specific key credential for an application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: kid in: query type: string description: unique key identifier of an Application Key Credential required: true - name: api-v1-apps-appId-tokens path: /api/v1/apps/{appId}/tokens operations: - name: listoauth2tokensforapplication method: GET description: Lists all tokens for the application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: expand in: query type: string - name: after in: query type: string - name: limit in: query type: integer - name: revokeoauth2tokensforapplication method: DELETE description: Revokes all tokens for the specified application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: api-v1-apps-appId-tokens-tokenId path: /api/v1/apps/{appId}/tokens/{tokenId} operations: - name: getoauth2tokenforapplication method: GET description: Gets a token for the specified application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: tokenId in: path type: string required: true - name: expand in: query type: string - name: revokeoauth2tokenforapplication method: DELETE description: Revokes the specified token for the specified application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: tokenId in: path type: string required: true - name: api-v1-apps-appId-users path: /api/v1/apps/{appId}/users operations: - name: listapplicationusers method: GET description: Okta List Users Assigned to Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: q in: query type: string - name: query_scope in: query type: string - name: after in: query type: string description: specifies the pagination cursor for the next page of assignments - name: limit in: query type: integer description: specifies the number of results for a page - name: filter in: query type: string - name: expand in: query type: string - name: assignusertoapplication method: POST description: Okta Assign User to Application for SSO & Provisioning outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: api-v1-apps-appId-users-userId path: /api/v1/apps/{appId}/users/{userId} operations: - name: getapplicationuser method: GET description: Okta Get Assigned User for Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: userId in: path type: string required: true - name: expand in: query type: string - name: updateapplicationuser method: POST description: Okta Update Application Profile for Assigned User outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: userId in: path type: string required: true - name: body in: body type: object description: Request body (JSON). required: true - name: deleteapplicationuser method: DELETE description: Okta Remove User from Application outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: appId in: path type: string required: true - name: userId in: path type: string required: true - name: sendEmail in: query type: boolean authentication: type: apikey key: Authorization value: '{{env.OKTA_API_KEY}}' placement: header exposes: - type: rest namespace: okta-application-rest port: 8080 description: REST adapter for Okta API — Application. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/api/v1/apps name: api-v1-apps description: REST surface for api-v1-apps. operations: - method: GET name: listapplications description: Okta List Applications call: okta-application.listapplications with: q: rest.q after: rest.after limit: rest.limit filter: rest.filter expand: rest.expand includeNonDeleted: rest.includeNonDeleted outputParameters: - type: object mapping: $. - method: POST name: createapplication description: Okta Add Application call: okta-application.createapplication with: activate: rest.activate OktaAccessGateway-Agent: rest.OktaAccessGateway-Agent body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid} name: api-v1-apps-appid description: REST surface for api-v1-apps-appId. operations: - method: GET name: getapplication description: Okta Get Application call: okta-application.getapplication with: appId: rest.appId expand: rest.expand outputParameters: - type: object mapping: $. - method: PUT name: updateapplication description: Okta Update Application call: okta-application.updateapplication with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - method: DELETE name: deleteapplication description: Okta Delete Application call: okta-application.deleteapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/connections/default name: api-v1-apps-appid-connections-default description: REST surface for api-v1-apps-appId-connections-default. operations: - method: GET name: getdefaultprovisioningconnectionforapplication description: Okta Fetches the default Provisioning Connection for an application. call: okta-application.getdefaultprovisioningconnectionforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - method: POST name: setdefaultprovisioningconnectionforapplication description: Okta Sets the default Provisioning Connection for an application. call: okta-application.setdefaultprovisioningconnectionforapplication with: appId: rest.appId activate: rest.activate body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/connections/default/lifecycle/activate name: api-v1-apps-appid-connections-default-lifecycle-activate description: REST surface for api-v1-apps-appId-connections-default-lifecycle-activate. operations: - method: POST name: activatedefaultprovisioningconnectionforapplication description: Okta Activate default Provisioning Connection for application call: okta-application.activatedefaultprovisioningconnectionforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/connections/default/lifecycle/deactivate name: api-v1-apps-appid-connections-default-lifecycle-deactivate description: REST surface for api-v1-apps-appId-connections-default-lifecycle-deactivate. operations: - method: POST name: deactivatedefaultprovisioningconnectionforapplication description: Okta Deactivate default Provisioning Connection for application call: okta-application.deactivatedefaultprovisioningconnectionforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/csrs name: api-v1-apps-appid-credentials-csrs description: REST surface for api-v1-apps-appId-credentials-csrs. operations: - method: GET name: listcsrsforapplication description: Okta List Certificate Signing Requests for Application call: okta-application.listcsrsforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - method: POST name: generatecsrforapplication description: Okta Generate Certificate Signing Request for Application call: okta-application.generatecsrforapplication with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/csrs/{csrid} name: api-v1-apps-appid-credentials-csrs-csrid description: REST surface for api-v1-apps-appId-credentials-csrs-csrId. operations: - method: GET name: getcsrforapplication description: getcsrforapplication call: okta-application.getcsrforapplication with: appId: rest.appId csrId: rest.csrId outputParameters: - type: object mapping: $. - method: DELETE name: revokecsrfromapplication description: revokecsrfromapplication call: okta-application.revokecsrfromapplication with: appId: rest.appId csrId: rest.csrId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/csrs/{csrid}/lifecycle/publish name: api-v1-apps-appid-credentials-csrs-csrid-lifecycle-publish description: REST surface for api-v1-apps-appId-credentials-csrs-csrId-lifecycle-publish. operations: - method: POST name: post description: post call: okta-application.post with: appId: rest.appId csrId: rest.csrId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/keys name: api-v1-apps-appid-credentials-keys description: REST surface for api-v1-apps-appId-credentials-keys. operations: - method: GET name: listapplicationkeys description: Okta List Key Credentials for Application call: okta-application.listapplicationkeys with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/keys/generate name: api-v1-apps-appid-credentials-keys-generate description: REST surface for api-v1-apps-appId-credentials-keys-generate. operations: - method: POST name: generateapplicationkey description: Generates a new X.509 certificate for an application key credential call: okta-application.generateapplicationkey with: appId: rest.appId validityYears: rest.validityYears outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/keys/{keyid} name: api-v1-apps-appid-credentials-keys-keyid description: REST surface for api-v1-apps-appId-credentials-keys-keyId. operations: - method: GET name: getapplicationkey description: Okta Get Key Credential for Application call: okta-application.getapplicationkey with: appId: rest.appId keyId: rest.keyId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/keys/{keyid}/clone name: api-v1-apps-appid-credentials-keys-keyid-clone description: REST surface for api-v1-apps-appId-credentials-keys-keyId-clone. operations: - method: POST name: cloneapplicationkey description: Okta Clone Application Key Credential call: okta-application.cloneapplicationkey with: appId: rest.appId keyId: rest.keyId targetAid: rest.targetAid outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/secrets name: api-v1-apps-appid-credentials-secrets description: REST surface for api-v1-apps-appId-credentials-secrets. operations: - method: GET name: listclientsecretsforapplication description: Okta List client secrets call: okta-application.listclientsecretsforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - method: POST name: createnewclientsecretforapplication description: Okta Add new client secret call: okta-application.createnewclientsecretforapplication with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/secrets/{secretid} name: api-v1-apps-appid-credentials-secrets-secretid description: REST surface for api-v1-apps-appId-credentials-secrets-secretId. operations: - method: GET name: getclientsecretforapplication description: Okta Get client secret call: okta-application.getclientsecretforapplication with: appId: rest.appId secretId: rest.secretId outputParameters: - type: object mapping: $. - method: DELETE name: deleteclientsecretforapplication description: Removes a secret from the client's collection of secrets. call: okta-application.deleteclientsecretforapplication with: appId: rest.appId secretId: rest.secretId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/secrets/{secretid}/lifecycle/activate name: api-v1-apps-appid-credentials-secrets-secretid-lifecycle-activate description: REST surface for api-v1-apps-appId-credentials-secrets-secretId-lifecycle-activate. operations: - method: POST name: activateclientsecretforapplication description: Okta Activate a client secret call: okta-application.activateclientsecretforapplication with: appId: rest.appId secretId: rest.secretId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/credentials/secrets/{secretid}/lifecycle/deactivate name: api-v1-apps-appid-credentials-secrets-secretid-lifecycle-deactivate description: REST surface for api-v1-apps-appId-credentials-secrets-secretId-lifecycle-deactivate. operations: - method: POST name: deactivateclientsecretforapplication description: Okta Deactivate a client secret call: okta-application.deactivateclientsecretforapplication with: appId: rest.appId secretId: rest.secretId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/features name: api-v1-apps-appid-features description: REST surface for api-v1-apps-appId-features. operations: - method: GET name: listfeaturesforapplication description: Okta Fetches the Feature objects for an application. call: okta-application.listfeaturesforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/features/{name} name: api-v1-apps-appid-features-name description: REST surface for api-v1-apps-appId-features-name. operations: - method: GET name: getfeatureforapplication description: Okta Fetches a Feature object for an application. call: okta-application.getfeatureforapplication with: appId: rest.appId name: rest.name outputParameters: - type: object mapping: $. - method: PUT name: updatefeatureforapplication description: Okta Updates a Feature object for an application. call: okta-application.updatefeatureforapplication with: appId: rest.appId name: rest.name body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/grants name: api-v1-apps-appid-grants description: REST surface for api-v1-apps-appId-grants. operations: - method: GET name: listscopeconsentgrants description: Lists all scope consent grants for the application call: okta-application.listscopeconsentgrants with: appId: rest.appId expand: rest.expand outputParameters: - type: object mapping: $. - method: POST name: grantconsenttoscope description: Grants consent for the application to request an OAuth 2.0 Okta scope call: okta-application.grantconsenttoscope with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/grants/{grantid} name: api-v1-apps-appid-grants-grantid description: REST surface for api-v1-apps-appId-grants-grantId. operations: - method: GET name: getscopeconsentgrant description: Fetches a single scope consent grant for the application call: okta-application.getscopeconsentgrant with: appId: rest.appId grantId: rest.grantId expand: rest.expand outputParameters: - type: object mapping: $. - method: DELETE name: revokescopeconsentgrant description: Revokes permission for the application to request the given scope call: okta-application.revokescopeconsentgrant with: appId: rest.appId grantId: rest.grantId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/groups name: api-v1-apps-appid-groups description: REST surface for api-v1-apps-appId-groups. operations: - method: GET name: listapplicationgroupassignments description: Okta List Groups Assigned to Application call: okta-application.listapplicationgroupassignments with: appId: rest.appId q: rest.q after: rest.after limit: rest.limit expand: rest.expand outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/groups/{groupid} name: api-v1-apps-appid-groups-groupid description: REST surface for api-v1-apps-appId-groups-groupId. operations: - method: GET name: getapplicationgroupassignment description: Okta Get Assigned Group for Application call: okta-application.getapplicationgroupassignment with: appId: rest.appId groupId: rest.groupId expand: rest.expand outputParameters: - type: object mapping: $. - method: PUT name: createapplicationgroupassignment description: Okta Assign Group to Application call: okta-application.createapplicationgroupassignment with: appId: rest.appId groupId: rest.groupId body: rest.body outputParameters: - type: object mapping: $. - method: DELETE name: deleteapplicationgroupassignment description: Okta Remove Group from Application call: okta-application.deleteapplicationgroupassignment with: appId: rest.appId groupId: rest.groupId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/lifecycle/activate name: api-v1-apps-appid-lifecycle-activate description: REST surface for api-v1-apps-appId-lifecycle-activate. operations: - method: POST name: activateapplication description: Okta Activate Application call: okta-application.activateapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/lifecycle/deactivate name: api-v1-apps-appid-lifecycle-deactivate description: REST surface for api-v1-apps-appId-lifecycle-deactivate. operations: - method: POST name: deactivateapplication description: Okta Deactivate Application call: okta-application.deactivateapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/logo name: api-v1-apps-appid-logo description: REST surface for api-v1-apps-appId-logo. operations: - method: POST name: uploadapplicationlogo description: Okta The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. call: okta-application.uploadapplicationlogo with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/policies/{policyid} name: api-v1-apps-appid-policies-policyid description: REST surface for api-v1-apps-appId-policies-policyId. operations: - method: PUT name: updateapplicationpolicy description: Okta Update application policy call: okta-application.updateapplicationpolicy with: appId: rest.appId policyId: rest.policyId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/sso/saml/metadata name: api-v1-apps-appid-sso-saml-metadata description: REST surface for api-v1-apps-appId-sso-saml-metadata. operations: - method: GET name: previewsamlappmetadata description: Previews SAML metadata based on a specific key credential for an application call: okta-application.previewsamlappmetadata with: appId: rest.appId kid: rest.kid outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/tokens name: api-v1-apps-appid-tokens description: REST surface for api-v1-apps-appId-tokens. operations: - method: GET name: listoauth2tokensforapplication description: Lists all tokens for the application call: okta-application.listoauth2tokensforapplication with: appId: rest.appId expand: rest.expand after: rest.after limit: rest.limit outputParameters: - type: object mapping: $. - method: DELETE name: revokeoauth2tokensforapplication description: Revokes all tokens for the specified application call: okta-application.revokeoauth2tokensforapplication with: appId: rest.appId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/tokens/{tokenid} name: api-v1-apps-appid-tokens-tokenid description: REST surface for api-v1-apps-appId-tokens-tokenId. operations: - method: GET name: getoauth2tokenforapplication description: Gets a token for the specified application call: okta-application.getoauth2tokenforapplication with: appId: rest.appId tokenId: rest.tokenId expand: rest.expand outputParameters: - type: object mapping: $. - method: DELETE name: revokeoauth2tokenforapplication description: Revokes the specified token for the specified application call: okta-application.revokeoauth2tokenforapplication with: appId: rest.appId tokenId: rest.tokenId outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/users name: api-v1-apps-appid-users description: REST surface for api-v1-apps-appId-users. operations: - method: GET name: listapplicationusers description: Okta List Users Assigned to Application call: okta-application.listapplicationusers with: appId: rest.appId q: rest.q query_scope: rest.query_scope after: rest.after limit: rest.limit filter: rest.filter expand: rest.expand outputParameters: - type: object mapping: $. - method: POST name: assignusertoapplication description: Okta Assign User to Application for SSO & Provisioning call: okta-application.assignusertoapplication with: appId: rest.appId body: rest.body outputParameters: - type: object mapping: $. - path: /v1/api/v1/apps/{appid}/users/{userid} name: api-v1-apps-appid-users-userid description: REST surface for api-v1-apps-appId-users-userId. operations: - method: GET name: getapplicationuser description: Okta Get Assigned User for Application call: okta-application.getapplicationuser with: appId: rest.appId userId: rest.userId expand: rest.expand outputParameters: - type: object mapping: $. - method: POST name: updateapplicationuser description: Okta Update Application Profile for Assigned User call: okta-application.updateapplicationuser with: appId: rest.appId userId: rest.userId body: rest.body outputParameters: - type: object mapping: $. - method: DELETE name: deleteapplicationuser description: Okta Remove User from Application call: okta-application.deleteapplicationuser with: appId: rest.appId userId: rest.userId sendEmail: rest.sendEmail outputParameters: - type: object mapping: $. - type: mcp namespace: okta-application-mcp port: 9090 transport: http description: MCP adapter for Okta API — Application. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: okta-list-applications description: Okta List Applications hints: readOnly: true destructive: false idempotent: true call: okta-application.listapplications with: q: tools.q after: tools.after limit: tools.limit filter: tools.filter expand: tools.expand includeNonDeleted: tools.includeNonDeleted outputParameters: - type: object mapping: $. - name: okta-add-application description: Okta Add Application hints: readOnly: false destructive: false idempotent: false call: okta-application.createapplication with: activate: tools.activate OktaAccessGateway-Agent: tools.OktaAccessGateway-Agent body: tools.body outputParameters: - type: object mapping: $. - name: okta-get-application description: Okta Get Application hints: readOnly: true destructive: false idempotent: true call: okta-application.getapplication with: appId: tools.appId expand: tools.expand outputParameters: - type: object mapping: $. - name: okta-update-application description: Okta Update Application hints: readOnly: false destructive: false idempotent: true call: okta-application.updateapplication with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: okta-delete-application description: Okta Delete Application hints: readOnly: false destructive: true idempotent: true call: okta-application.deleteapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-fetches-default-provisioning-connection description: Okta Fetches the default Provisioning Connection for an application. hints: readOnly: true destructive: false idempotent: true call: okta-application.getdefaultprovisioningconnectionforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-sets-default-provisioning-connection description: Okta Sets the default Provisioning Connection for an application. hints: readOnly: false destructive: false idempotent: false call: okta-application.setdefaultprovisioningconnectionforapplication with: appId: tools.appId activate: tools.activate body: tools.body outputParameters: - type: object mapping: $. - name: okta-activate-default-provisioning-connection description: Okta Activate default Provisioning Connection for application hints: readOnly: false destructive: false idempotent: false call: okta-application.activatedefaultprovisioningconnectionforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-deactivate-default-provisioning-connection description: Okta Deactivate default Provisioning Connection for application hints: readOnly: false destructive: false idempotent: false call: okta-application.deactivatedefaultprovisioningconnectionforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-list-certificate-signing-requests description: Okta List Certificate Signing Requests for Application hints: readOnly: true destructive: false idempotent: true call: okta-application.listcsrsforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-generate-certificate-signing-request description: Okta Generate Certificate Signing Request for Application hints: readOnly: false destructive: false idempotent: false call: okta-application.generatecsrforapplication with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: getcsrforapplication description: getcsrforapplication hints: readOnly: true destructive: false idempotent: true call: okta-application.getcsrforapplication with: appId: tools.appId csrId: tools.csrId outputParameters: - type: object mapping: $. - name: revokecsrfromapplication description: revokecsrfromapplication hints: readOnly: false destructive: true idempotent: true call: okta-application.revokecsrfromapplication with: appId: tools.appId csrId: tools.csrId outputParameters: - type: object mapping: $. - name: post description: post hints: readOnly: false destructive: false idempotent: false call: okta-application.post with: appId: tools.appId csrId: tools.csrId outputParameters: - type: object mapping: $. - name: okta-list-key-credentials-application description: Okta List Key Credentials for Application hints: readOnly: true destructive: false idempotent: true call: okta-application.listapplicationkeys with: appId: tools.appId outputParameters: - type: object mapping: $. - name: generates-new-x-509-certificate-application description: Generates a new X.509 certificate for an application key credential hints: readOnly: false destructive: false idempotent: false call: okta-application.generateapplicationkey with: appId: tools.appId validityYears: tools.validityYears outputParameters: - type: object mapping: $. - name: okta-get-key-credential-application description: Okta Get Key Credential for Application hints: readOnly: true destructive: false idempotent: true call: okta-application.getapplicationkey with: appId: tools.appId keyId: tools.keyId outputParameters: - type: object mapping: $. - name: okta-clone-application-key-credential description: Okta Clone Application Key Credential hints: readOnly: false destructive: false idempotent: false call: okta-application.cloneapplicationkey with: appId: tools.appId keyId: tools.keyId targetAid: tools.targetAid outputParameters: - type: object mapping: $. - name: okta-list-client-secrets description: Okta List client secrets hints: readOnly: true destructive: false idempotent: true call: okta-application.listclientsecretsforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-add-new-client-secret description: Okta Add new client secret hints: readOnly: false destructive: false idempotent: false call: okta-application.createnewclientsecretforapplication with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: okta-get-client-secret description: Okta Get client secret hints: readOnly: true destructive: false idempotent: true call: okta-application.getclientsecretforapplication with: appId: tools.appId secretId: tools.secretId outputParameters: - type: object mapping: $. - name: removes-secret-client-s-collection-secrets description: Removes a secret from the client's collection of secrets. hints: readOnly: false destructive: true idempotent: true call: okta-application.deleteclientsecretforapplication with: appId: tools.appId secretId: tools.secretId outputParameters: - type: object mapping: $. - name: okta-activate-client-secret description: Okta Activate a client secret hints: readOnly: false destructive: false idempotent: false call: okta-application.activateclientsecretforapplication with: appId: tools.appId secretId: tools.secretId outputParameters: - type: object mapping: $. - name: okta-deactivate-client-secret description: Okta Deactivate a client secret hints: readOnly: false destructive: false idempotent: false call: okta-application.deactivateclientsecretforapplication with: appId: tools.appId secretId: tools.secretId outputParameters: - type: object mapping: $. - name: okta-fetches-feature-objects-application description: Okta Fetches the Feature objects for an application. hints: readOnly: true destructive: false idempotent: true call: okta-application.listfeaturesforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-fetches-feature-object-application description: Okta Fetches a Feature object for an application. hints: readOnly: true destructive: false idempotent: true call: okta-application.getfeatureforapplication with: appId: tools.appId name: tools.name outputParameters: - type: object mapping: $. - name: okta-updates-feature-object-application description: Okta Updates a Feature object for an application. hints: readOnly: false destructive: false idempotent: true call: okta-application.updatefeatureforapplication with: appId: tools.appId name: tools.name body: tools.body outputParameters: - type: object mapping: $. - name: lists-all-scope-consent-grants description: Lists all scope consent grants for the application hints: readOnly: true destructive: false idempotent: true call: okta-application.listscopeconsentgrants with: appId: tools.appId expand: tools.expand outputParameters: - type: object mapping: $. - name: grants-consent-application-request-oauth description: Grants consent for the application to request an OAuth 2.0 Okta scope hints: readOnly: false destructive: false idempotent: false call: okta-application.grantconsenttoscope with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: fetches-single-scope-consent-grant description: Fetches a single scope consent grant for the application hints: readOnly: true destructive: false idempotent: true call: okta-application.getscopeconsentgrant with: appId: tools.appId grantId: tools.grantId expand: tools.expand outputParameters: - type: object mapping: $. - name: revokes-permission-application-request-given description: Revokes permission for the application to request the given scope hints: readOnly: false destructive: true idempotent: true call: okta-application.revokescopeconsentgrant with: appId: tools.appId grantId: tools.grantId outputParameters: - type: object mapping: $. - name: okta-list-groups-assigned-application description: Okta List Groups Assigned to Application hints: readOnly: true destructive: false idempotent: true call: okta-application.listapplicationgroupassignments with: appId: tools.appId q: tools.q after: tools.after limit: tools.limit expand: tools.expand outputParameters: - type: object mapping: $. - name: okta-get-assigned-group-application description: Okta Get Assigned Group for Application hints: readOnly: true destructive: false idempotent: true call: okta-application.getapplicationgroupassignment with: appId: tools.appId groupId: tools.groupId expand: tools.expand outputParameters: - type: object mapping: $. - name: okta-assign-group-application description: Okta Assign Group to Application hints: readOnly: false destructive: false idempotent: true call: okta-application.createapplicationgroupassignment with: appId: tools.appId groupId: tools.groupId body: tools.body outputParameters: - type: object mapping: $. - name: okta-remove-group-application description: Okta Remove Group from Application hints: readOnly: false destructive: true idempotent: true call: okta-application.deleteapplicationgroupassignment with: appId: tools.appId groupId: tools.groupId outputParameters: - type: object mapping: $. - name: okta-activate-application description: Okta Activate Application hints: readOnly: false destructive: false idempotent: false call: okta-application.activateapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-deactivate-application description: Okta Deactivate Application hints: readOnly: false destructive: false idempotent: false call: okta-application.deactivateapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: okta-file-must-be-png description: Okta The file must be in PNG, JPG, or GIF format, and less than 1 MB in size. For best results use landscape orientation, a transparent background, and a minimum size of 420px by 120px to prevent upscaling. hints: readOnly: false destructive: false idempotent: false call: okta-application.uploadapplicationlogo with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: okta-update-application-policy description: Okta Update application policy hints: readOnly: false destructive: false idempotent: true call: okta-application.updateapplicationpolicy with: appId: tools.appId policyId: tools.policyId outputParameters: - type: object mapping: $. - name: previews-saml-metadata-based-specific description: Previews SAML metadata based on a specific key credential for an application hints: readOnly: true destructive: false idempotent: true call: okta-application.previewsamlappmetadata with: appId: tools.appId kid: tools.kid outputParameters: - type: object mapping: $. - name: lists-all-tokens-application description: Lists all tokens for the application hints: readOnly: true destructive: false idempotent: true call: okta-application.listoauth2tokensforapplication with: appId: tools.appId expand: tools.expand after: tools.after limit: tools.limit outputParameters: - type: object mapping: $. - name: revokes-all-tokens-specified-application description: Revokes all tokens for the specified application hints: readOnly: false destructive: true idempotent: true call: okta-application.revokeoauth2tokensforapplication with: appId: tools.appId outputParameters: - type: object mapping: $. - name: gets-token-specified-application description: Gets a token for the specified application hints: readOnly: true destructive: false idempotent: true call: okta-application.getoauth2tokenforapplication with: appId: tools.appId tokenId: tools.tokenId expand: tools.expand outputParameters: - type: object mapping: $. - name: revokes-specified-token-specified-application description: Revokes the specified token for the specified application hints: readOnly: false destructive: true idempotent: true call: okta-application.revokeoauth2tokenforapplication with: appId: tools.appId tokenId: tools.tokenId outputParameters: - type: object mapping: $. - name: okta-list-users-assigned-application description: Okta List Users Assigned to Application hints: readOnly: true destructive: false idempotent: true call: okta-application.listapplicationusers with: appId: tools.appId q: tools.q query_scope: tools.query_scope after: tools.after limit: tools.limit filter: tools.filter expand: tools.expand outputParameters: - type: object mapping: $. - name: okta-assign-user-application-sso description: Okta Assign User to Application for SSO & Provisioning hints: readOnly: false destructive: false idempotent: false call: okta-application.assignusertoapplication with: appId: tools.appId body: tools.body outputParameters: - type: object mapping: $. - name: okta-get-assigned-user-application description: Okta Get Assigned User for Application hints: readOnly: true destructive: false idempotent: true call: okta-application.getapplicationuser with: appId: tools.appId userId: tools.userId expand: tools.expand outputParameters: - type: object mapping: $. - name: okta-update-application-profile-assigned description: Okta Update Application Profile for Assigned User hints: readOnly: false destructive: false idempotent: false call: okta-application.updateapplicationuser with: appId: tools.appId userId: tools.userId body: tools.body outputParameters: - type: object mapping: $. - name: okta-remove-user-application description: Okta Remove User from Application hints: readOnly: false destructive: true idempotent: true call: okta-application.deleteapplicationuser with: appId: tools.appId userId: tools.userId sendEmail: tools.sendEmail outputParameters: - type: object mapping: $.