Duo Security · Capability

Duo Admin API — Users

Duo Admin API — Users. 24 operations. Lead operation: List users. Self-contained Naftiko capability covering one Duo Security business surface.


What You Can Do

Listusers — List users: GET /v1/admin/v1/users
Createuser — Create user: POST /v1/admin/v1/users
Bulkcreateusers — Bulk create users: POST /v1/admin/v1/users/bulk-create
Bulkrestoreusers — Bulk restore users: POST /v1/admin/v1/users/bulk-restore
Bulksenduserstotrash — Bulk send users to Trash: POST /v1/admin/v1/users/bulk-send-to-trash
Listuserdirectorysyncs — List user directory syncs: GET /v1/admin/v1/users/directorysync
Syncdirectoryuser — Sync directory user: POST /v1/admin/v1/users/directorysync/{directory-key}/syncuser
Enrolluser — Enroll user: POST /v1/admin/v1/users/enroll
Getuser — Get user: GET /v1/admin/v1/users/{user-id}
Updateuser — Update user: POST /v1/admin/v1/users/{user-id}
Deleteuser — Delete user: DELETE /v1/admin/v1/users/{user-id}
Listuserdesktopauthenticators — List desktop authenticators for user: GET /v1/admin/v1/users/{user-id}/desktopauthenticators
Listusergroups — List user groups: GET /v1/admin/v1/users/{user-id}/groups
Associateusergroup — Associate group with user: POST /v1/admin/v1/users/{user-id}/groups
Disassociateusergroup — Disassociate group from user: DELETE /v1/admin/v1/users/{user-id}/groups/{group-id}
Listuserphones — List user phones: GET /v1/admin/v1/users/{user-id}/phones
Associateuserphone — Associate phone with user: POST /v1/admin/v1/users/{user-id}/phones
Disassociateuserphone — Disassociate phone from user: DELETE /v1/admin/v1/users/{user-id}/phones/{phone-id}
Sendverificationpush — Send verification Duo Push: POST /v1/admin/v1/users/{user-id}/send-verification-push
Listusertokens — List user hardware tokens: GET /v1/admin/v1/users/{user-id}/tokens
Associateusertoken — Associate hardware token with user: POST /v1/admin/v1/users/{user-id}/tokens
Disassociateusertoken — Disassociate hardware token from user: DELETE /v1/admin/v1/users/{user-id}/tokens/{token-id}
Getverificationpushresponse — Retrieve verification push result: GET /v1/admin/v1/users/{user-id}/verification-push-response
Listuserwebauthncredentials — List WebAuthn credentials for user: GET /v1/admin/v1/users/{user-id}/webauthncredentials

MCP Tools

list-users: List users (read-only, idempotent)
create-user: Create user
bulk-create-users: Bulk create users
bulk-restore-users: Bulk restore users
bulk-send-users-trash: Bulk send users to Trash
list-user-directory-syncs: List user directory syncs (read-only, idempotent)
sync-directory-user: Sync directory user
enroll-user: Enroll user
get-user: Get user (read-only, idempotent)
update-user: Update user
delete-user: Delete user (idempotent)
list-desktop-authenticators-user: List desktop authenticators for user (read-only, idempotent)
list-user-groups: List user groups (read-only, idempotent)
associate-group-user: Associate group with user
disassociate-group-user: Disassociate group from user (idempotent)
list-user-phones: List user phones (read-only, idempotent)
associate-phone-user: Associate phone with user
disassociate-phone-user: Disassociate phone from user (idempotent)
send-verification-duo-push: Send verification Duo Push
list-user-hardware-tokens: List user hardware tokens (read-only, idempotent)
associate-hardware-token-user: Associate hardware token with user
disassociate-hardware-token-user: Disassociate hardware token from user (idempotent)
retrieve-verification-push-result: Retrieve verification push result (read-only, idempotent)
list-webauthn-credentials-user: List WebAuthn credentials for user (read-only, idempotent)

Capability Spec

duo-admin-users.yaml
naftiko: 1.0.0-alpha2
info:
  label: Duo Admin API — Users
  description: 'Duo Admin API — Users. 24 operations. Lead operation: List users. Self-contained Naftiko capability covering
    one Duo Security business surface.'
  tags:
  - Duo Security
  - Users
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    DUO_SECURITY_API_KEY: DUO_SECURITY_API_KEY
capability:
  consumes:
  - type: http
    namespace: duo-admin-users
    baseUri: https://api-XXXXXXXX.duosecurity.com
    description: Duo Admin API — Users business capability. Self-contained, no shared references.
    resources:
    - name: admin-v1-users
      path: /admin/v1/users
      operations:
      - name: listusers
        method: GET
        description: List users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: username
          in: query
          type: string
        - name: limit
          in: query
          type: integer
        - name: offset
          in: query
          type: integer
      - name: createuser
        method: POST
        description: Create user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: admin-v1-users-bulk_create
      path: /admin/v1/users/bulk_create
      operations:
      - name: bulkcreateusers
        method: POST
        description: Bulk create users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-bulk_restore
      path: /admin/v1/users/bulk_restore
      operations:
      - name: bulkrestoreusers
        method: POST
        description: Bulk restore users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-bulk_send_to_trash
      path: /admin/v1/users/bulk_send_to_trash
      operations:
      - name: bulksenduserstotrash
        method: POST
        description: Bulk send users to Trash
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-directorysync
      path: /admin/v1/users/directorysync
      operations:
      - name: listuserdirectorysyncs
        method: GET
        description: List user directory syncs
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-directorysync-directory_key-syncuser
      path: /admin/v1/users/directorysync/{directory_key}/syncuser
      operations:
      - name: syncdirectoryuser
        method: POST
        description: Sync directory user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-enroll
      path: /admin/v1/users/enroll
      operations:
      - name: enrolluser
        method: POST
        description: Enroll user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id
      path: /admin/v1/users/{user_id}
      operations:
      - name: getuser
        method: GET
        description: Get user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateuser
        method: POST
        description: Update user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteuser
        method: DELETE
        description: Delete user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-desktopauthenticators
      path: /admin/v1/users/{user_id}/desktopauthenticators
      operations:
      - name: listuserdesktopauthenticators
        method: GET
        description: List desktop authenticators for user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-groups
      path: /admin/v1/users/{user_id}/groups
      operations:
      - name: listusergroups
        method: GET
        description: List user groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: associateusergroup
        method: POST
        description: Associate group with user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-groups-group_id
      path: /admin/v1/users/{user_id}/groups/{group_id}
      operations:
      - name: disassociateusergroup
        method: DELETE
        description: Disassociate group from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-phones
      path: /admin/v1/users/{user_id}/phones
      operations:
      - name: listuserphones
        method: GET
        description: List user phones
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: associateuserphone
        method: POST
        description: Associate phone with user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-phones-phone_id
      path: /admin/v1/users/{user_id}/phones/{phone_id}
      operations:
      - name: disassociateuserphone
        method: DELETE
        description: Disassociate phone from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-send_verification_push
      path: /admin/v1/users/{user_id}/send_verification_push
      operations:
      - name: sendverificationpush
        method: POST
        description: Send verification Duo Push
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-tokens
      path: /admin/v1/users/{user_id}/tokens
      operations:
      - name: listusertokens
        method: GET
        description: List user hardware tokens
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: associateusertoken
        method: POST
        description: Associate hardware token with user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-tokens-token_id
      path: /admin/v1/users/{user_id}/tokens/{token_id}
      operations:
      - name: disassociateusertoken
        method: DELETE
        description: Disassociate hardware token from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-verification_push_response
      path: /admin/v1/users/{user_id}/verification_push_response
      operations:
      - name: getverificationpushresponse
        method: GET
        description: Retrieve verification push result
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: admin-v1-users-user_id-webauthncredentials
      path: /admin/v1/users/{user_id}/webauthncredentials
      operations:
      - name: listuserwebauthncredentials
        method: GET
        description: List WebAuthn credentials for user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
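    authentication:
      # Note: the binds block above declares DUO_SECURITY_API_KEY, but the credentials
      # here are read from DUO_SECURITY_USER and DUO_SECURITY_PASS.
      # Duo's Admin API takes the integration key as the Basic username and a
      # per-request HMAC signature as the password.
      type: basic
      username: '{{env.DUO_SECURITY_USER}}'
      password: '{{env.DUO_SECURITY_PASS}}'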
  exposes:
  - type: rest
    namespace: duo-admin-users-rest
    port: 8080
    description: REST adapter for Duo Admin API — Users. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/admin/v1/users
      name: admin-v1-users
      description: REST surface for admin-v1-users.
      operations:
      - method: GET
        name: listusers
        description: List users
        call: duo-admin-users.listusers
        with:
          username: rest.username
          limit: rest.limit
          offset: rest.offset
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createuser
        description: Create user
        call: duo-admin-users.createuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/bulk-create
      name: admin-v1-users-bulk-create
      description: REST surface for admin-v1-users-bulk_create.
      operations:
      - method: POST
        name: bulkcreateusers
        description: Bulk create users
        call: duo-admin-users.bulkcreateusers
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/bulk-restore
      name: admin-v1-users-bulk-restore
      description: REST surface for admin-v1-users-bulk_restore.
      operations:
      - method: POST
        name: bulkrestoreusers
        description: Bulk restore users
        call: duo-admin-users.bulkrestoreusers
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/bulk-send-to-trash
      name: admin-v1-users-bulk-send-to-trash
      description: REST surface for admin-v1-users-bulk_send_to_trash.
      operations:
      - method: POST
        name: bulksenduserstotrash
        description: Bulk send users to Trash
        call: duo-admin-users.bulksenduserstotrash
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/directorysync
      name: admin-v1-users-directorysync
      description: REST surface for admin-v1-users-directorysync.
      operations:
      - method: GET
        name: listuserdirectorysyncs
        description: List user directory syncs
        call: duo-admin-users.listuserdirectorysyncs
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/directorysync/{directory-key}/syncuser
      name: admin-v1-users-directorysync-directory-key-syncuser
      description: REST surface for admin-v1-users-directorysync-directory_key-syncuser.
      operations:
      - method: POST
        name: syncdirectoryuser
        description: Sync directory user
        call: duo-admin-users.syncdirectoryuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/enroll
      name: admin-v1-users-enroll
      description: REST surface for admin-v1-users-enroll.
      operations:
      - method: POST
        name: enrolluser
        description: Enroll user
        call: duo-admin-users.enrolluser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}
      name: admin-v1-users-user-id
      description: REST surface for admin-v1-users-user_id.
      operations:
      - method: GET
        name: getuser
        description: Get user
        call: duo-admin-users.getuser
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: updateuser
        description: Update user
        call: duo-admin-users.updateuser
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleteuser
        description: Delete user
        call: duo-admin-users.deleteuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/desktopauthenticators
      name: admin-v1-users-user-id-desktopauthenticators
      description: REST surface for admin-v1-users-user_id-desktopauthenticators.
      operations:
      - method: GET
        name: listuserdesktopauthenticators
        description: List desktop authenticators for user
        call: duo-admin-users.listuserdesktopauthenticators
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/groups
      name: admin-v1-users-user-id-groups
      description: REST surface for admin-v1-users-user_id-groups.
      operations:
      - method: GET
        name: listusergroups
        description: List user groups
        call: duo-admin-users.listusergroups
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: associateusergroup
        description: Associate group with user
        call: duo-admin-users.associateusergroup
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/groups/{group-id}
      name: admin-v1-users-user-id-groups-group-id
      description: REST surface for admin-v1-users-user_id-groups-group_id.
      operations:
      - method: DELETE
        name: disassociateusergroup
        description: Disassociate group from user
        call: duo-admin-users.disassociateusergroup
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/phones
      name: admin-v1-users-user-id-phones
      description: REST surface for admin-v1-users-user_id-phones.
      operations:
      - method: GET
        name: listuserphones
        description: List user phones
        call: duo-admin-users.listuserphones
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: associateuserphone
        description: Associate phone with user
        call: duo-admin-users.associateuserphone
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/phones/{phone-id}
      name: admin-v1-users-user-id-phones-phone-id
      description: REST surface for admin-v1-users-user_id-phones-phone_id.
      operations:
      - method: DELETE
        name: disassociateuserphone
        description: Disassociate phone from user
        call: duo-admin-users.disassociateuserphone
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/send-verification-push
      name: admin-v1-users-user-id-send-verification-push
      description: REST surface for admin-v1-users-user_id-send_verification_push.
      operations:
      - method: POST
        name: sendverificationpush
        description: Send verification Duo Push
        call: duo-admin-users.sendverificationpush
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/tokens
      name: admin-v1-users-user-id-tokens
      description: REST surface for admin-v1-users-user_id-tokens.
      operations:
      - method: GET
        name: listusertokens
        description: List user hardware tokens
        call: duo-admin-users.listusertokens
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: associateusertoken
        description: Associate hardware token with user
        call: duo-admin-users.associateusertoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/tokens/{token-id}
      name: admin-v1-users-user-id-tokens-token-id
      description: REST surface for admin-v1-users-user_id-tokens-token_id.
      operations:
      - method: DELETE
        name: disassociateusertoken
        description: Disassociate hardware token from user
        call: duo-admin-users.disassociateusertoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/verification-push-response
      name: admin-v1-users-user-id-verification-push-response
      description: REST surface for admin-v1-users-user_id-verification_push_response.
      operations:
      - method: GET
        name: getverificationpushresponse
        description: Retrieve verification push result
        call: duo-admin-users.getverificationpushresponse
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/admin/v1/users/{user-id}/webauthncredentials
      name: admin-v1-users-user-id-webauthncredentials
      description: REST surface for admin-v1-users-user_id-webauthncredentials.
      operations:
      - method: GET
        name: listuserwebauthncredentials
        description: List WebAuthn credentials for user
        call: duo-admin-users.listuserwebauthncredentials
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: duo-admin-users-mcp
    port: 9090
    transport: http
    description: MCP adapter for Duo Admin API — Users. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: list-users
      description: List users
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listusers
      with:
        username: tools.username
        limit: tools.limit
        offset: tools.offset
      outputParameters:
      - type: object
        mapping: $.
    - name: create-user
      description: Create user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.createuser
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: bulk-create-users
      description: Bulk create users
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.bulkcreateusers
      outputParameters:
      - type: object
        mapping: $.
    - name: bulk-restore-users
      description: Bulk restore users
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.bulkrestoreusers
      outputParameters:
      - type: object
        mapping: $.
    - name: bulk-send-users-trash
      description: Bulk send users to Trash
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.bulksenduserstotrash
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-directory-syncs
      description: List user directory syncs
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listuserdirectorysyncs
      outputParameters:
      - type: object
        mapping: $.
    - name: sync-directory-user
      description: Sync directory user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.syncdirectoryuser
      outputParameters:
      - type: object
        mapping: $.
    - name: enroll-user
      description: Enroll user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.enrolluser
      outputParameters:
      - type: object
        mapping: $.
    - name: get-user
      description: Get user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.getuser
      outputParameters:
      - type: object
        mapping: $.
    - name: update-user
      description: Update user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.updateuser
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-user
      description: Delete user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: duo-admin-users.deleteuser
      outputParameters:
      - type: object
        mapping: $.
    - name: list-desktop-authenticators-user
      description: List desktop authenticators for user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listuserdesktopauthenticators
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-groups
      description: List user groups
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listusergroups
      outputParameters:
      - type: object
        mapping: $.
    - name: associate-group-user
      description: Associate group with user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.associateusergroup
      outputParameters:
      - type: object
        mapping: $.
    - name: disassociate-group-user
      description: Disassociate group from user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: duo-admin-users.disassociateusergroup
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-phones
      description: List user phones
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listuserphones
      outputParameters:
      - type: object
        mapping: $.
    - name: associate-phone-user
      description: Associate phone with user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.associateuserphone
      outputParameters:
      - type: object
        mapping: $.
    - name: disassociate-phone-user
      description: Disassociate phone from user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: duo-admin-users.disassociateuserphone
      outputParameters:
      - type: object
        mapping: $.
    - name: send-verification-duo-push
      description: Send verification Duo Push
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.sendverificationpush
      outputParameters:
      - type: object
        mapping: $.
    - name: list-user-hardware-tokens
      description: List user hardware tokens
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listusertokens
      outputParameters:
      - type: object
        mapping: $.
    - name: associate-hardware-token-user
      description: Associate hardware token with user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: duo-admin-users.associateusertoken
      outputParameters:
      - type: object
        mapping: $.
    - name: disassociate-hardware-token-user
      description: Disassociate hardware token from user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: duo-admin-users.disassociateusertoken
      outputParameters:
      - type: object
        mapping: $.
    - name: retrieve-verification-push-result
      description: Retrieve verification push result
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.getverificationpushresponse
      outputParameters:
      - type: object
        mapping: $.
    - name: list-webauthn-credentials-user
      description: List WebAuthn credentials for user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: duo-admin-users.listuserwebauthncredentials
      outputParameters:
      - type: object
        mapping: $.