naftiko: 1.0.0-alpha2 info: label: Ory Keto API — permission description: 'Ory Keto API — permission. 6 operations. Lead operation: Batch check permissions. Self-contained Naftiko capability covering one Ory business surface.' tags: - Ory - permission created: '2026-05-19' modified: '2026-05-19' binds: - namespace: env keys: ORY_API_KEY: ORY_API_KEY capability: consumes: - type: http namespace: keto-permission baseUri: '' description: Ory Keto API — permission business capability. Self-contained, no shared references. resources: - name: relation-tuples-batch-check path: /relation-tuples/batch/check operations: - name: batchcheckpermission method: POST description: Batch check permissions outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: max-depth in: query type: integer - name: body in: body type: object description: Request body (JSON). required: false - name: relation-tuples-check path: /relation-tuples/check operations: - name: checkpermissionorerror method: GET description: Check a permission outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: namespace in: query type: string description: Namespace of the Relationship - name: object in: query type: string description: Object of the Relationship - name: relation in: query type: string description: Relation of the Relationship - name: subject_id in: query type: string description: SubjectID of the Relationship - name: subject_set.namespace in: query type: string description: Namespace of the Subject Set - name: subject_set.object in: query type: string description: Object of the Subject Set - name: subject_set.relation in: query type: string description: Relation of the Subject Set - name: max-depth in: query type: integer - name: postcheckpermissionorerror method: POST description: Check a permission outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: max-depth in: query type: integer - name: body in: body type: object description: Request body (JSON). required: false - name: relation-tuples-check-openapi path: /relation-tuples/check/openapi operations: - name: checkpermission method: GET description: Check a permission outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: namespace in: query type: string description: Namespace of the Relationship - name: object in: query type: string description: Object of the Relationship - name: relation in: query type: string description: Relation of the Relationship - name: subject_id in: query type: string description: SubjectID of the Relationship - name: subject_set.namespace in: query type: string description: Namespace of the Subject Set - name: subject_set.object in: query type: string description: Object of the Subject Set - name: subject_set.relation in: query type: string description: Relation of the Subject Set - name: max-depth in: query type: integer - name: postcheckpermission method: POST description: Check a permission outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: max-depth in: query type: integer - name: body in: body type: object description: Request body (JSON). required: false - name: relation-tuples-expand path: /relation-tuples/expand operations: - name: expandpermissions method: GET description: Expand a Relationship into permissions. outputRawFormat: json outputParameters: - name: result type: object value: $. inputParameters: - name: namespace in: query type: string description: Namespace of the Subject Set required: true - name: object in: query type: string description: Object of the Subject Set required: true - name: relation in: query type: string description: Relation of the Subject Set required: true - name: max-depth in: query type: integer exposes: - type: rest namespace: keto-permission-rest port: 8080 description: REST adapter for Ory Keto API — permission. One Spectral-compliant resource per consumed operation, prefixed with /v1. resources: - path: /v1/relation-tuples/batch/check name: relation-tuples-batch-check description: REST surface for relation-tuples-batch-check. operations: - method: POST name: batchcheckpermission description: Batch check permissions call: keto-permission.batchcheckpermission with: max-depth: rest.max-depth body: rest.body outputParameters: - type: object mapping: $. - path: /v1/relation-tuples/check name: relation-tuples-check description: REST surface for relation-tuples-check. operations: - method: GET name: checkpermissionorerror description: Check a permission call: keto-permission.checkpermissionorerror with: namespace: rest.namespace object: rest.object relation: rest.relation subject_id: rest.subject_id subject_set.namespace: rest.subject_set.namespace subject_set.object: rest.subject_set.object subject_set.relation: rest.subject_set.relation max-depth: rest.max-depth outputParameters: - type: object mapping: $. - method: POST name: postcheckpermissionorerror description: Check a permission call: keto-permission.postcheckpermissionorerror with: max-depth: rest.max-depth body: rest.body outputParameters: - type: object mapping: $. - path: /v1/relation-tuples/check/openapi name: relation-tuples-check-openapi description: REST surface for relation-tuples-check-openapi. operations: - method: GET name: checkpermission description: Check a permission call: keto-permission.checkpermission with: namespace: rest.namespace object: rest.object relation: rest.relation subject_id: rest.subject_id subject_set.namespace: rest.subject_set.namespace subject_set.object: rest.subject_set.object subject_set.relation: rest.subject_set.relation max-depth: rest.max-depth outputParameters: - type: object mapping: $. - method: POST name: postcheckpermission description: Check a permission call: keto-permission.postcheckpermission with: max-depth: rest.max-depth body: rest.body outputParameters: - type: object mapping: $. - path: /v1/relation-tuples/expand name: relation-tuples-expand description: REST surface for relation-tuples-expand. operations: - method: GET name: expandpermissions description: Expand a Relationship into permissions. call: keto-permission.expandpermissions with: namespace: rest.namespace object: rest.object relation: rest.relation max-depth: rest.max-depth outputParameters: - type: object mapping: $. - type: mcp namespace: keto-permission-mcp port: 9090 transport: http description: MCP adapter for Ory Keto API — permission. One tool per consumed operation, routed inline through this capability's consumes block. tools: - name: batch-check-permissions description: Batch check permissions hints: readOnly: true destructive: false idempotent: false call: keto-permission.batchcheckpermission with: max-depth: tools.max-depth body: tools.body outputParameters: - type: object mapping: $. - name: check-permission description: Check a permission hints: readOnly: true destructive: false idempotent: true call: keto-permission.checkpermissionorerror with: namespace: tools.namespace object: tools.object relation: tools.relation subject_id: tools.subject_id subject_set.namespace: tools.subject_set.namespace subject_set.object: tools.subject_set.object subject_set.relation: tools.subject_set.relation max-depth: tools.max-depth outputParameters: - type: object mapping: $. - name: check-permission-2 description: Check a permission hints: readOnly: true destructive: false idempotent: false call: keto-permission.postcheckpermissionorerror with: max-depth: tools.max-depth body: tools.body outputParameters: - type: object mapping: $. - name: check-permission-3 description: Check a permission hints: readOnly: true destructive: false idempotent: true call: keto-permission.checkpermission with: namespace: tools.namespace object: tools.object relation: tools.relation subject_id: tools.subject_id subject_set.namespace: tools.subject_set.namespace subject_set.object: tools.subject_set.object subject_set.relation: tools.subject_set.relation max-depth: tools.max-depth outputParameters: - type: object mapping: $. - name: check-permission-4 description: Check a permission hints: readOnly: true destructive: false idempotent: false call: keto-permission.postcheckpermission with: max-depth: tools.max-depth body: tools.body outputParameters: - type: object mapping: $. - name: expand-relationship-permissions description: Expand a Relationship into permissions. hints: readOnly: true destructive: false idempotent: true call: keto-permission.expandpermissions with: namespace: tools.namespace object: tools.object relation: tools.relation max-depth: tools.max-depth outputParameters: - type: object mapping: $.