Let's Encrypt · Capability

Let's Encrypt ACME API

The ACME (Automatic Certificate Management Environment) protocol API used by Let's Encrypt to automate the issuance, renewal, and revocation of TLS certificates. Implements RFC 8555.

Run with Naftiko LetsEncryptAPI

What You Can Do

GET
Getdirectory — Get ACME directory
/directory
POST
Newaccount — Create or look up an account
/acme/new-acct
POST
Updateaccount — Update or deactivate account
/acme/acct/{accountId}
POST
Neworder — Submit a new certificate order
/acme/new-order
POST
Getorder — Get order status
/acme/order/{orderId}
POST
Finalizeorder — Finalize an order with a CSR
/acme/finalize/{orderId}
POST
Getauthorization — Get authorization status
/acme/authz/{authzId}
POST
Respondchallenge — Respond to a challenge
/acme/chall/{challengeId}
POST
Getcertificate — Download issued certificate
/acme/cert/{certId}
POST
Revokecertificate — Revoke a certificate
/acme/revoke-cert
POST
Keychange — Rotate account key
/acme/key-change

MCP Tools

getdirectory

Get ACME directory

read-only idempotent
newaccount

Create or look up an account

updateaccount

Update or deactivate account

neworder

Submit a new certificate order

getorder

Get order status

finalizeorder

Finalize an order with a CSR

getauthorization

Get authorization status

respondchallenge

Respond to a challenge

getcertificate

Download issued certificate

revokecertificate

Revoke a certificate

keychange

Rotate account key

Capability Spec

lets-encrypt-capability.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Let's Encrypt ACME API
  description: The ACME (Automatic Certificate Management Environment) protocol API used by Let's Encrypt to automate the
    issuance, renewal, and revocation of TLS certificates. Implements RFC 8555.
  tags:
  - Lets
  - Encrypt
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: lets-encrypt
    baseUri: https://acme-v02.api.letsencrypt.org
    description: Let's Encrypt ACME API HTTP API.
    resources:
    - name: directory
      path: /directory
      operations:
      - name: getdirectory
        method: GET
        description: Get ACME directory
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-new-acct
      path: /acme/new-acct
      operations:
      - name: newaccount
        method: POST
        description: Create or look up an account
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-acct-accountid
      path: /acme/acct/{accountId}
      operations:
      - name: updateaccount
        method: POST
        description: Update or deactivate account
        inputParameters:
        - name: accountId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-new-order
      path: /acme/new-order
      operations:
      - name: neworder
        method: POST
        description: Submit a new certificate order
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-order-orderid
      path: /acme/order/{orderId}
      operations:
      - name: getorder
        method: POST
        description: Get order status
        inputParameters:
        - name: orderId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-finalize-orderid
      path: /acme/finalize/{orderId}
      operations:
      - name: finalizeorder
        method: POST
        description: Finalize an order with a CSR
        inputParameters:
        - name: orderId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-authz-authzid
      path: /acme/authz/{authzId}
      operations:
      - name: getauthorization
        method: POST
        description: Get authorization status
        inputParameters:
        - name: authzId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-chall-challengeid
      path: /acme/chall/{challengeId}
      operations:
      - name: respondchallenge
        method: POST
        description: Respond to a challenge
        inputParameters:
        - name: challengeId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-cert-certid
      path: /acme/cert/{certId}
      operations:
      - name: getcertificate
        method: POST
        description: Download issued certificate
        inputParameters:
        - name: certId
          in: path
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-revoke-cert
      path: /acme/revoke-cert
      operations:
      - name: revokecertificate
        method: POST
        description: Revoke a certificate
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: acme-key-change
      path: /acme/key-change
      operations:
      - name: keychange
        method: POST
        description: Rotate account key
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: lets-encrypt-rest
    description: REST adapter for Let's Encrypt ACME API.
    resources:
    - path: /directory
      name: getdirectory
      operations:
      - method: GET
        name: getdirectory
        description: Get ACME directory
        call: lets-encrypt.getdirectory
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/new-acct
      name: newaccount
      operations:
      - method: POST
        name: newaccount
        description: Create or look up an account
        call: lets-encrypt.newaccount
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/acct/{accountId}
      name: updateaccount
      operations:
      - method: POST
        name: updateaccount
        description: Update or deactivate account
        call: lets-encrypt.updateaccount
        with:
          accountId: rest.accountId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/new-order
      name: neworder
      operations:
      - method: POST
        name: neworder
        description: Submit a new certificate order
        call: lets-encrypt.neworder
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/order/{orderId}
      name: getorder
      operations:
      - method: POST
        name: getorder
        description: Get order status
        call: lets-encrypt.getorder
        with:
          orderId: rest.orderId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/finalize/{orderId}
      name: finalizeorder
      operations:
      - method: POST
        name: finalizeorder
        description: Finalize an order with a CSR
        call: lets-encrypt.finalizeorder
        with:
          orderId: rest.orderId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/authz/{authzId}
      name: getauthorization
      operations:
      - method: POST
        name: getauthorization
        description: Get authorization status
        call: lets-encrypt.getauthorization
        with:
          authzId: rest.authzId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/chall/{challengeId}
      name: respondchallenge
      operations:
      - method: POST
        name: respondchallenge
        description: Respond to a challenge
        call: lets-encrypt.respondchallenge
        with:
          challengeId: rest.challengeId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/cert/{certId}
      name: getcertificate
      operations:
      - method: POST
        name: getcertificate
        description: Download issued certificate
        call: lets-encrypt.getcertificate
        with:
          certId: rest.certId
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/revoke-cert
      name: revokecertificate
      operations:
      - method: POST
        name: revokecertificate
        description: Revoke a certificate
        call: lets-encrypt.revokecertificate
        outputParameters:
        - type: object
          mapping: $.
    - path: /acme/key-change
      name: keychange
      operations:
      - method: POST
        name: keychange
        description: Rotate account key
        call: lets-encrypt.keychange
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9090
    namespace: lets-encrypt-mcp
    transport: http
    description: MCP adapter for Let's Encrypt ACME API for AI agent use.
    tools:
    - name: getdirectory
      description: Get ACME directory
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: lets-encrypt.getdirectory
      outputParameters:
      - type: object
        mapping: $.
    - name: newaccount
      description: Create or look up an account
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.newaccount
      outputParameters:
      - type: object
        mapping: $.
    - name: updateaccount
      description: Update or deactivate account
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.updateaccount
      with:
        accountId: tools.accountId
      inputParameters:
      - name: accountId
        type: string
        description: accountId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: neworder
      description: Submit a new certificate order
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.neworder
      outputParameters:
      - type: object
        mapping: $.
    - name: getorder
      description: Get order status
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.getorder
      with:
        orderId: tools.orderId
      inputParameters:
      - name: orderId
        type: string
        description: orderId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: finalizeorder
      description: Finalize an order with a CSR
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.finalizeorder
      with:
        orderId: tools.orderId
      inputParameters:
      - name: orderId
        type: string
        description: orderId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: getauthorization
      description: Get authorization status
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.getauthorization
      with:
        authzId: tools.authzId
      inputParameters:
      - name: authzId
        type: string
        description: authzId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: respondchallenge
      description: Respond to a challenge
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.respondchallenge
      with:
        challengeId: tools.challengeId
      inputParameters:
      - name: challengeId
        type: string
        description: challengeId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: getcertificate
      description: Download issued certificate
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.getcertificate
      with:
        certId: tools.certId
      inputParameters:
      - name: certId
        type: string
        description: certId
        required: true
      outputParameters:
      - type: object
        mapping: $.
    - name: revokecertificate
      description: Revoke a certificate
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.revokecertificate
      outputParameters:
      - type: object
        mapping: $.
    - name: keychange
      description: Rotate account key
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: lets-encrypt.keychange
      outputParameters:
      - type: object
        mapping: $.