Logto · Capability

Logto API references — Roles

Logto API references — Roles. 14 operations. Lead operation: Get roles. Self-contained Naftiko capability covering one Logto business surface.

What You Can Do

GET /v1/api/roles: Listroles — Get roles
POST /v1/api/roles: Createrole — Create a role
GET /v1/api/roles/{id}: Getrole — Get role
PATCH /v1/api/roles/{id}: Updaterole — Update role
DELETE /v1/api/roles/{id}: Deleterole — Delete role
GET /v1/api/roles/{id}/applications: Listroleapplications — Get role applications
POST /v1/api/roles/{id}/applications: Createroleapplication — Assign role to applications
DELETE /v1/api/roles/{id}/applications/{applicationid}: Deleteroleapplication — Remove role from application
GET /v1/api/roles/{id}/scopes: Listrolescopes — Get role scopes
POST /v1/api/roles/{id}/scopes: Createrolescope — Link scopes to role
DELETE /v1/api/roles/{id}/scopes/{scopeid}: Deleterolescope — Unlink scope from role
GET /v1/api/roles/{id}/users: Listroleusers — Get role users
POST /v1/api/roles/{id}/users: Createroleuser — Assign role to users
DELETE /v1/api/roles/{id}/users/{userid}: Deleteroleuser — Remove role from user

MCP Tools

get-roles: Get roles (read-only, idempotent)
create-role: Create a role
get-role: Get role (read-only, idempotent)
update-role: Update role (idempotent)
delete-role: Delete role (idempotent)
get-role-applications: Get role applications (read-only, idempotent)
assign-role-applications: Assign role to applications
remove-role-application: Remove role from application (idempotent)
get-role-scopes: Get role scopes (read-only, idempotent)
link-scopes-role: Link scopes to role
unlink-scope-role: Unlink scope from role (idempotent)
get-role-users: Get role users (read-only, idempotent)
assign-role-users: Assign role to users
remove-role-user: Remove role from user (idempotent)

Capability Spec

logto-roles.yaml
naftiko: 1.0.0-alpha2
info:
  label: Logto API references — Roles
  description: 'Logto API references — Roles. 14 operations. Lead operation: Get roles. Self-contained Naftiko capability
    covering one Logto business surface.'
  tags:
  - Logto
  - Roles
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    LOGTO_API_KEY: LOGTO_API_KEY
capability:
  consumes:
  - type: http
    namespace: logto-roles
    baseUri: https://[tenant_id].logto.app
    description: Logto API references — Roles business capability. Self-contained, no shared references.
    resources:
    - name: api-roles
      path: /api/roles
      operations:
      - name: listroles
        method: GET
        description: Get roles
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: excludeUserId
          in: query
          type: string
          description: Exclude roles assigned to a user.
        - name: excludeApplicationId
          in: query
          type: string
          description: Exclude roles assigned to an application.
        - name: type
          in: query
          type: string
          description: Filter by role type.
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
      - name: createrole
        method: POST
        description: Create a role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-roles-id
      path: /api/roles/{id}
      operations:
      - name: getrole
        method: GET
        description: Get role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updaterole
        method: PATCH
        description: Update role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deleterole
        method: DELETE
        description: Delete role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-roles-id-applications
      path: /api/roles/{id}/applications
      operations:
      - name: listroleapplications
        method: GET
        description: Get role applications
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
      - name: createroleapplication
        method: POST
        description: Assign role to applications
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-roles-id-applications-applicationId
      path: /api/roles/{id}/applications/{applicationId}
      operations:
      - name: deleteroleapplication
        method: DELETE
        description: Remove role from application
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-roles-id-scopes
      path: /api/roles/{id}/scopes
      operations:
      - name: listrolescopes
        method: GET
        description: Get role scopes
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
      - name: createrolescope
        method: POST
        description: Link scopes to role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-roles-id-scopes-scopeId
      path: /api/roles/{id}/scopes/{scopeId}
      operations:
      - name: deleterolescope
        method: DELETE
        description: Unlink scope from role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: api-roles-id-users
      path: /api/roles/{id}/users
      operations:
      - name: listroleusers
        method: GET
        description: Get role users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: integer
          description: Page number (starts from 1).
        - name: page_size
          in: query
          type: integer
          description: Entries per page.
        - name: search_params
          in: query
          type: object
          description: Search query parameters.
      - name: createroleuser
        method: POST
        description: Assign role to users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-roles-id-users-userId
      path: /api/roles/{id}/users/{userId}
      operations:
      - name: deleteroleuser
        method: DELETE
        description: Remove role from user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: bearer
      token: '{{env.LOGTO_API_KEY}}'
  exposes:
  - type: rest
    namespace: logto-roles-rest
    port: 8080
    description: REST adapter for Logto API references — Roles. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/api/roles
      name: api-roles
      description: REST surface for api-roles.
      operations:
      - method: GET
        name: listroles
        description: Get roles
        call: logto-roles.listroles
        with:
          excludeUserId: rest.excludeUserId
          excludeApplicationId: rest.excludeApplicationId
          type: rest.type
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createrole
        description: Create a role
        call: logto-roles.createrole
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}
      name: api-roles-id
      description: REST surface for api-roles-id.
      operations:
      - method: GET
        name: getrole
        description: Get role
        call: logto-roles.getrole
        outputParameters:
        - type: object
          mapping: $.
      - method: PATCH
        name: updaterole
        description: Update role
        call: logto-roles.updaterole
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
      - method: DELETE
        name: deleterole
        description: Delete role
        call: logto-roles.deleterole
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/applications
      name: api-roles-id-applications
      description: REST surface for api-roles-id-applications.
      operations:
      - method: GET
        name: listroleapplications
        description: Get role applications
        call: logto-roles.listroleapplications
        with:
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createroleapplication
        description: Assign role to applications
        call: logto-roles.createroleapplication
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/applications/{applicationid}
      name: api-roles-id-applications-applicationid
      description: REST surface for api-roles-id-applications-applicationId.
      operations:
      - method: DELETE
        name: deleteroleapplication
        description: Remove role from application
        call: logto-roles.deleteroleapplication
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/scopes
      name: api-roles-id-scopes
      description: REST surface for api-roles-id-scopes.
      operations:
      - method: GET
        name: listrolescopes
        description: Get role scopes
        call: logto-roles.listrolescopes
        with:
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createrolescope
        description: Link scopes to role
        call: logto-roles.createrolescope
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/scopes/{scopeid}
      name: api-roles-id-scopes-scopeid
      description: REST surface for api-roles-id-scopes-scopeId.
      operations:
      - method: DELETE
        name: deleterolescope
        description: Unlink scope from role
        call: logto-roles.deleterolescope
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/users
      name: api-roles-id-users
      description: REST surface for api-roles-id-users.
      operations:
      - method: GET
        name: listroleusers
        description: Get role users
        call: logto-roles.listroleusers
        with:
          page: rest.page
          page_size: rest.page_size
          search_params: rest.search_params
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createroleuser
        description: Assign role to users
        call: logto-roles.createroleuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/roles/{id}/users/{userid}
      name: api-roles-id-users-userid
      description: REST surface for api-roles-id-users-userId.
      operations:
      - method: DELETE
        name: deleteroleuser
        description: Remove role from user
        call: logto-roles.deleteroleuser
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: logto-roles-mcp
    port: 9090
    transport: http
    description: MCP adapter for Logto API references — Roles. One tool per consumed operation, routed inline through this
      capability's consumes block.
    tools:
    - name: get-roles
      description: Get roles
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: logto-roles.listroles
      with:
        excludeUserId: tools.excludeUserId
        excludeApplicationId: tools.excludeApplicationId
        type: tools.type
        page: tools.page
        page_size: tools.page_size
        search_params: tools.search_params
      outputParameters:
      - type: object
        mapping: $.
    - name: create-role
      description: Create a role
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: logto-roles.createrole
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-role
      description: Get role
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: logto-roles.getrole
      outputParameters:
      - type: object
        mapping: $.
    - name: update-role
      description: Update role
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: logto-roles.updaterole
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-role
      description: Delete role
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: logto-roles.deleterole
      outputParameters:
      - type: object
        mapping: $.
    - name: get-role-applications
      description: Get role applications
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: logto-roles.listroleapplications
      with:
        page: tools.page
        page_size: tools.page_size
        search_params: tools.search_params
      outputParameters:
      - type: object
        mapping: $.
    - name: assign-role-applications
      description: Assign role to applications
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: logto-roles.createroleapplication
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: remove-role-application
      description: Remove role from application
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: logto-roles.deleteroleapplication
      outputParameters:
      - type: object
        mapping: $.
    - name: get-role-scopes
      description: Get role scopes
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: logto-roles.listrolescopes
      with:
        page: tools.page
        page_size: tools.page_size
        search_params: tools.search_params
      outputParameters:
      - type: object
        mapping: $.
    - name: link-scopes-role
      description: Link scopes to role
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: logto-roles.createrolescope
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: unlink-scope-role
      description: Unlink scope from role
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: logto-roles.deleterolescope
      outputParameters:
      - type: object
        mapping: $.
    - name: get-role-users
      description: Get role users
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: logto-roles.listroleusers
      with:
        page: tools.page
        page_size: tools.page_size
        search_params: tools.search_params
      outputParameters:
      - type: object
        mapping: $.
    - name: assign-role-users
      description: Assign role to users
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: logto-roles.createroleuser
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: remove-role-user
      description: Remove role from user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: logto-roles.deleteroleuser
      outputParameters:
      - type: object
        mapping: $.