Amazon KMS · Capability

Amazon KMS API — Cryptographic Operations

Amazon KMS API — Cryptographic Operations. 5 operations. Lead operation: Amazon KMS Decrypt. Self-contained Naftiko capability covering one Amazon KMS business surface.

What You Can Do

POST /v1/decrypt: Decrypt — Amazon KMS Decrypt
POST /v1/keys/{keyid}/data-key: Generatedatakey — Amazon KMS Generate Data Key
POST /v1/keys/{keyid}/encrypt: Encrypt — Amazon KMS Encrypt
POST /v1/keys/{keyid}/sign: Sign — Amazon KMS Sign
POST /v1/keys/{keyid}/verify: Verify — Amazon KMS Verify

MCP Tools

amazon-kms-decrypt: Amazon KMS Decrypt
amazon-kms-generate-data-key: Amazon KMS Generate Data Key
amazon-kms-encrypt: Amazon KMS Encrypt
amazon-kms-sign: Amazon KMS Sign
amazon-kms-verify: Amazon KMS Verify

Capability Spec

amazon-kms-cryptographic-operations.yaml
naftiko: 1.0.0-alpha2
info:
  label: Amazon KMS API — Cryptographic Operations
  description: 'Amazon KMS API — Cryptographic Operations. 5 operations. Lead operation: Amazon KMS Decrypt. Self-contained
    Naftiko capability covering one Amazon Kms business surface.'
  tags:
  - Amazon Kms
  - Cryptographic Operations
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    AMAZON_KMS_API_KEY: AMAZON_KMS_API_KEY
capability:
  consumes:
  - type: http
    namespace: amazon-kms-cryptographic-operations
    baseUri: https://kms.us-east-1.amazonaws.com
    description: Amazon KMS API — Cryptographic Operations business capability. Self-contained, no shared references.
    resources:
    - name: decrypt
      path: /decrypt
      operations:
      - name: decrypt
        method: POST
        description: Amazon KMS Decrypt
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: keys-KeyId-data-key
      path: /keys/{KeyId}/data-key
      operations:
      - name: generatedatakey
        method: POST
        description: Amazon KMS Generate Data Key
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: KeyId
          in: path
          type: string
          description: Identifies the KMS key.
          required: true
    - name: keys-KeyId-encrypt
      path: /keys/{KeyId}/encrypt
      operations:
      - name: encrypt
        method: POST
        description: Amazon KMS Encrypt
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: KeyId
          in: path
          type: string
          description: Identifies the KMS key.
          required: true
    - name: keys-KeyId-sign
      path: /keys/{KeyId}/sign
      operations:
      - name: sign
        method: POST
        description: Amazon KMS Sign
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: KeyId
          in: path
          type: string
          description: Identifies the KMS key.
          required: true
    - name: keys-KeyId-verify
      path: /keys/{KeyId}/verify
      operations:
      - name: verify
        method: POST
        description: Amazon KMS Verify
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: KeyId
          in: path
          type: string
          description: Identifies the KMS key.
          required: true
    authentication:
      type: apikey
      key: Authorization
      value: '{{env.AMAZON_KMS_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: amazon-kms-cryptographic-operations-rest
    port: 8080
    description: REST adapter for Amazon KMS API — Cryptographic Operations. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/decrypt
      name: decrypt
      description: REST surface for decrypt.
      operations:
      - method: POST
        name: decrypt
        description: Amazon KMS Decrypt
        call: amazon-kms-cryptographic-operations.decrypt
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/keys/{keyid}/data-key
      name: keys-keyid-data-key
      description: REST surface for keys-KeyId-data-key.
      operations:
      - method: POST
        name: generatedatakey
        description: Amazon KMS Generate Data Key
        call: amazon-kms-cryptographic-operations.generatedatakey
        with:
          KeyId: rest.KeyId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/keys/{keyid}/encrypt
      name: keys-keyid-encrypt
      description: REST surface for keys-KeyId-encrypt.
      operations:
      - method: POST
        name: encrypt
        description: Amazon KMS Encrypt
        call: amazon-kms-cryptographic-operations.encrypt
        with:
          KeyId: rest.KeyId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/keys/{keyid}/sign
      name: keys-keyid-sign
      description: REST surface for keys-KeyId-sign.
      operations:
      - method: POST
        name: sign
        description: Amazon KMS Sign
        call: amazon-kms-cryptographic-operations.sign
        with:
          KeyId: rest.KeyId
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/keys/{keyid}/verify
      name: keys-keyid-verify
      description: REST surface for keys-KeyId-verify.
      operations:
      - method: POST
        name: verify
        description: Amazon KMS Verify
        call: amazon-kms-cryptographic-operations.verify
        with:
          KeyId: rest.KeyId
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: amazon-kms-cryptographic-operations-mcp
    port: 9090
    transport: http
    description: MCP adapter for Amazon KMS API — Cryptographic Operations. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: amazon-kms-decrypt
      description: Amazon KMS Decrypt
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: amazon-kms-cryptographic-operations.decrypt
      outputParameters:
      - type: object
        mapping: $.
    - name: amazon-kms-generate-data-key
      description: Amazon KMS Generate Data Key
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: amazon-kms-cryptographic-operations.generatedatakey
      with:
        KeyId: tools.KeyId
      outputParameters:
      - type: object
        mapping: $.
    - name: amazon-kms-encrypt
      description: Amazon KMS Encrypt
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: amazon-kms-cryptographic-operations.encrypt
      with:
        KeyId: tools.KeyId
      outputParameters:
      - type: object
        mapping: $.
    - name: amazon-kms-sign
      description: Amazon KMS Sign
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: amazon-kms-cryptographic-operations.sign
      with:
        KeyId: tools.KeyId
      outputParameters:
      - type: object
        mapping: $.
    - name: amazon-kms-verify
      description: Amazon KMS Verify
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: amazon-kms-cryptographic-operations.verify
      with:
        KeyId: tools.KeyId
      outputParameters:
      - type: object
        mapping: $.