---
# Naftiko capability spec: bridge to the Gravitee Access Management (AM)
# Management API. Quoted so the version is always read as a string.
naftiko: '1.0.0-alpha2'

# Descriptive metadata only.
info:
  title: Gravitee Access Management Bridge
  description: >-
    Manages Gravitee Access Management (security domains, OAuth2 / OIDC
    applications, identity providers, MFA factors, users, roles) from
    Naftiko spec. Lets a Naftiko capability declare its identity
    requirements and have Gravitee AM provision the matching domain +
    application + IdP wiring — Naftiko brings the integration layer,
    Gravitee AM brings the IAM.
  tags:
    - Naftiko
    - Gravitee
    - Partnership
    - Access-Management
    - OAuth
    - IAM
    - Identity
  # Dates are quoted so they stay strings instead of being typed as dates.
  created: '2026-05-15'
  modified: '2026-05-15'
# External values this capability needs, referenced elsewhere in the spec as
# {{GRAVITEE_AM_BASE}} and {{GRAVITEE_AM_TOKEN}}.
# NOTE(review): presumably resolved from the runtime environment — confirm.
# GRAVITEE_AM_TOKEN is a Management API credential: keep its value out of
# version control and scope it to the minimum Gravitee AM permissions the
# declared operations need (domain, application and identity-provider
# management).
binds:
  - namespace: gravitee-am-env
    description: Gravitee AM Management endpoint + token.
    keys:
      GRAVITEE_AM_BASE: GRAVITEE_AM_BASE
      GRAVITEE_AM_TOKEN: GRAVITEE_AM_TOKEN
# The capability consumes the Gravitee AM Management API and re-exposes eight
# of its operations twice: as a REST surface and as an MCP tool server.
capability:
  consumes:
    - namespace: gravitee-am
      type: http
      baseUri: '{{GRAVITEE_AM_BASE}}'
      # Every upstream call is made with this single bearer token, whoever the
      # caller of the exposed surface is. The exposed surfaces below therefore
      # inherit the full privilege of the token.
      # NOTE(review): confirm GRAVITEE_AM_BASE is an https:// URL so the token
      # is never sent in clear text.
      authentication:
        type: bearer
        token: '{{GRAVITEE_AM_TOKEN}}'
      # NOTE(review): org_id / env_id / domain_id are substituted into the
      # upstream path. Confirm the runtime percent-encodes them (or validate
      # them against an identifier pattern) so a value containing '/' or '..'
      # cannot address a different Management API route.
      resources:
        - name: list-domains
          path: '/management/organizations/{{org_id}}/environments/{{env_id}}/domains'
          operations:
            - name: list-domains
              method: GET
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
            # NOTE(review): the POST operations in this file declare path
            # parameters only — confirm how the request payload is forwarded.
            - name: create-domain
              method: POST
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
        - name: domain
          path: '/management/organizations/{{org_id}}/environments/{{env_id}}/domains/{{domain_id}}'
          operations:
            - name: get-domain
              method: GET
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
            - name: delete-domain
              method: DELETE
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
        - name: domain-applications
          path: '/management/organizations/{{org_id}}/environments/{{env_id}}/domains/{{domain_id}}/applications'
          operations:
            - name: list-applications
              method: GET
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
            - name: create-application
              method: POST
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
        - name: domain-identity-providers
          path: '/management/organizations/{{org_id}}/environments/{{env_id}}/domains/{{domain_id}}/identities'
          operations:
            - name: list-identity-providers
              method: GET
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
            - name: create-identity-provider
              method: POST
              inputParameters:
                - { name: org_id, in: path, required: true }
                - { name: env_id, in: path, required: true }
                - { name: domain_id, in: path, required: true }
  exposes:
    # REST surface. It listens on every interface (0.0.0.0) and this entry
    # declares no authentication of its own, while each operation is forwarded
    # upstream with the management bearer token.
    # NOTE(review): confirm that an authenticating gateway or a network policy
    # sits in front of port 8080, or bind to a loopback/internal address;
    # otherwise network reachability alone is enough to create or delete
    # security domains, applications and identity providers.
    - type: rest
      address: '0.0.0.0'
      port: 8080
      namespace: gravitee-am-bridge-rest
      description: REST surface for managing Gravitee Access Management from Naftiko spec.
      resources:
        - name: domains
          path: '/orgs/{org_id}/envs/{env_id}/domains'
          operations:
            - name: list-domains
              method: GET
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
              call: gravitee-am.list-domains
            - name: create-domain
              method: POST
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
              call: gravitee-am.create-domain
        - name: domain
          path: '/orgs/{org_id}/envs/{env_id}/domains/{domain_id}'
          operations:
            - name: get-domain
              method: GET
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.get-domain
            - name: delete-domain
              method: DELETE
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.delete-domain
        - name: domain-applications
          path: '/orgs/{org_id}/envs/{env_id}/domains/{domain_id}/applications'
          operations:
            - name: list-applications
              method: GET
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.list-applications
            - name: create-application
              method: POST
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.create-application
        # Exposed as .../identity-providers; the upstream route is
        # .../identities.
        - name: domain-identity-providers
          path: '/orgs/{org_id}/envs/{env_id}/domains/{domain_id}/identity-providers'
          operations:
            - name: list-identity-providers
              method: GET
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.list-identity-providers
            - name: create-identity-provider
              method: POST
              inputParameters:
                - { name: org_id, in: path, type: string, required: true }
                - { name: env_id, in: path, type: string, required: true }
                - { name: domain_id, in: path, type: string, required: true }
              call: gravitee-am.create-identity-provider
    # MCP tool server. It has the same exposure profile as the REST surface:
    # bound to every interface, no authentication declared in this entry, and
    # every tool call runs upstream with the management bearer token. The
    # tool arguments are free-form strings supplied by an agent.
    # NOTE(review): confirm which clients can reach port 3010, and whether
    # mutating tools (create-*, delete-domain) should require a human
    # confirmation step in the agent host.
    # NOTE(review): the hint keys are inconsistent — `readOnly` on the read
    # tools, `destructiveHint` on the mutating ones. Confirm which spelling
    # the Naftiko schema recognises; an unrecognised key would presumably be
    # dropped and the client would not receive the annotation.
    - type: mcp
      address: '0.0.0.0'
      port: 3010
      namespace: gravitee-am-bridge-mcp
      description: MCP server for managing Gravitee Access Management from Naftiko-built agents.
      tools:
        - name: list-domains
          description: List Gravitee AM security domains in an environment.
          hints: { readOnly: true }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
          call: gravitee-am.list-domains
        - name: create-domain
          description: Create a new Gravitee AM security domain.
          hints: { destructiveHint: false }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
          call: gravitee-am.create-domain
        - name: get-domain
          description: Get a single Gravitee AM security domain.
          hints: { readOnly: true }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.get-domain
        # The only tool in this file marked destructive.
        - name: delete-domain
          description: Delete a Gravitee AM security domain.
          hints: { destructiveHint: true }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.delete-domain
        - name: list-applications
          description: List OAuth2 / OIDC applications in a Gravitee AM domain.
          hints: { readOnly: true }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.list-applications
        - name: create-application
          description: Create a new OAuth2 / OIDC application in a Gravitee AM domain.
          hints: { destructiveHint: false }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.create-application
        - name: list-identity-providers
          description: List identity providers in a Gravitee AM domain.
          hints: { readOnly: true }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.list-identity-providers
        # Marked non-destructive, but adding an identity provider changes who
        # can authenticate into the domain; treat it as a privileged action.
        - name: create-identity-provider
          description: Create a new identity provider in a Gravitee AM domain (LDAP / OIDC / SAML / Google / Azure / etc.).
          hints: { destructiveHint: false }
          inputParameters:
            - { name: org_id, type: string, required: true }
            - { name: env_id, type: string, required: true }
            - { name: domain_id, type: string, required: true }
          call: gravitee-am.create-identity-provider