Kong · Capability

Kong Consumers Management

Manages Kong Consumers (the consumer-side identity surface — API keys, JWT credentials, OAuth2 clients, basic-auth users, ACL groups) from Naftiko spec. Lets a Naftiko capability provision and revoke consumer access in lockstep with the Service / Route / Plugin chain it ships.

Run with Naftiko NaftikoKongPartnershipConsumersCredentialsIdentity

What You Can Do

GET
List consumers
/consumers
POST
Create consumer
/consumers
GET
Get consumer
/consumers/{consumer_id}
DELETE
Delete consumer
/consumers/{consumer_id}
GET
List key auth
/consumers/{consumer_id}/key-auth
POST
Create key auth
/consumers/{consumer_id}/key-auth
GET
List jwt credentials
/consumers/{consumer_id}/jwt
POST
Create jwt credential
/consumers/{consumer_id}/jwt
GET
List oauth2 credentials
/consumers/{consumer_id}/oauth2
POST
Create oauth2 credential
/consumers/{consumer_id}/oauth2
GET
List acls
/consumers/{consumer_id}/acls
POST
Create acl
/consumers/{consumer_id}/acls

MCP Tools

list-consumers

List Kong Consumers (the consumer-side identity registry).

read-only
create-consumer

Create a new Kong Consumer.

get-consumer

Get a single Kong Consumer.

read-only
delete-consumer

Delete a Kong Consumer.

create-key-auth

Provision a key-auth API key for a Kong Consumer.

create-jwt-credential

Provision a JWT credential for a Kong Consumer.

create-oauth2-credential

Provision an OAuth2 client credential for a Kong Consumer.

create-acl

Add a Kong Consumer to an ACL group (controls Service/Route access).

Capability Spec

kong-consumers-management.yaml Raw ↑ 
naftiko: "1.0.0-alpha2"

info:
  title: Kong Consumers Management
  description: >-
    Manages Kong Consumers (the consumer-side identity surface — API keys,
    JWT credentials, OAuth2 clients, basic-auth users, ACL groups) from
    Naftiko spec. Lets a Naftiko capability provision and revoke consumer
    access in lockstep with the Service / Route / Plugin chain it ships.
  tags:
    - Naftiko
    - Kong
    - Partnership
    - Consumers
    - Credentials
    - Identity
  created: '2026-05-15'
  modified: '2026-05-15'

binds:
  - namespace: kong-admin
    description: Kong Gateway Admin API endpoint + token.
    keys:
      KONG_ADMIN_BASE: KONG_ADMIN_BASE
      KONG_ADMIN_TOKEN: KONG_ADMIN_TOKEN

capability:
  consumes:
    - namespace: kong
      type: http
      baseUri: '{{KONG_ADMIN_BASE}}'
      authentication:
        type: bearer
        token: '{{KONG_ADMIN_TOKEN}}'
      resources:
        - name: consumers
          path: '/consumers'
          operations:
            - name: list-consumers
              method: GET
            - name: create-consumer
              method: POST
        - name: consumer
          path: '/consumers/{{consumer_id}}'
          operations:
            - name: get-consumer
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, required: true }
            - name: delete-consumer
              method: DELETE
              inputParameters:
                - { name: consumer_id, in: path, required: true }
        - name: consumer-key-auth
          path: '/consumers/{{consumer_id}}/key-auth'
          operations:
            - name: list-key-auth
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, required: true }
            - name: create-key-auth
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, required: true }
        - name: consumer-jwt
          path: '/consumers/{{consumer_id}}/jwt'
          operations:
            - name: list-jwt-credentials
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, required: true }
            - name: create-jwt-credential
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, required: true }
        - name: consumer-oauth2
          path: '/consumers/{{consumer_id}}/oauth2'
          operations:
            - name: list-oauth2-credentials
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, required: true }
            - name: create-oauth2-credential
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, required: true }
        - name: consumer-acls
          path: '/consumers/{{consumer_id}}/acls'
          operations:
            - name: list-acls
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, required: true }
            - name: create-acl
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, required: true }

  exposes:
    - type: rest
      address: 0.0.0.0
      port: 8080
      namespace: kong-consumers-management-rest
      description: REST surface for managing Kong Consumers + credentials from Naftiko spec.
      resources:
        - name: consumers
          path: '/consumers'
          operations:
            - name: list-consumers
              method: GET
              call: kong.list-consumers
            - name: create-consumer
              method: POST
              call: kong.create-consumer
        - name: consumer
          path: '/consumers/{consumer_id}'
          operations:
            - name: get-consumer
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.get-consumer
            - name: delete-consumer
              method: DELETE
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.delete-consumer
        - name: consumer-key-auth
          path: '/consumers/{consumer_id}/key-auth'
          operations:
            - name: list-key-auth
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.list-key-auth
            - name: create-key-auth
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.create-key-auth
        - name: consumer-jwt
          path: '/consumers/{consumer_id}/jwt'
          operations:
            - name: list-jwt-credentials
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.list-jwt-credentials
            - name: create-jwt-credential
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.create-jwt-credential
        - name: consumer-oauth2
          path: '/consumers/{consumer_id}/oauth2'
          operations:
            - name: list-oauth2-credentials
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.list-oauth2-credentials
            - name: create-oauth2-credential
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.create-oauth2-credential
        - name: consumer-acls
          path: '/consumers/{consumer_id}/acls'
          operations:
            - name: list-acls
              method: GET
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.list-acls
            - name: create-acl
              method: POST
              inputParameters:
                - { name: consumer_id, in: path, type: string, required: true }
              call: kong.create-acl

    - type: mcp
      address: 0.0.0.0
      port: 3010
      namespace: kong-consumers-management-mcp
      description: MCP server for managing Kong Consumers + credentials from agents.
      tools:
        - name: list-consumers
          description: List Kong Consumers (the consumer-side identity registry).
          hints: { readOnly: true }
          call: kong.list-consumers
        - name: create-consumer
          description: Create a new Kong Consumer.
          hints: { destructiveHint: false }
          call: kong.create-consumer
        - name: get-consumer
          description: Get a single Kong Consumer.
          hints: { readOnly: true }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.get-consumer
        - name: delete-consumer
          description: Delete a Kong Consumer.
          hints: { destructiveHint: true }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.delete-consumer
        - name: create-key-auth
          description: Provision a key-auth API key for a Kong Consumer.
          hints: { destructiveHint: false }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.create-key-auth
        - name: create-jwt-credential
          description: Provision a JWT credential for a Kong Consumer.
          hints: { destructiveHint: false }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.create-jwt-credential
        - name: create-oauth2-credential
          description: Provision an OAuth2 client credential for a Kong Consumer.
          hints: { destructiveHint: false }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.create-oauth2-credential
        - name: create-acl
          description: Add a Kong Consumer to an ACL group (controls Service/Route access).
          hints: { destructiveHint: false }
          inputParameters:
            - { name: consumer_id, type: string, required: true }
          call: kong.create-acl