Okta Auth0 Obo Token Propagation Capability

A capability that propagates Okta/Auth0 on-behalf-of (OBO) tokens through the Naftiko proxy so upstream APIs see the original user identity.

What You Can Do

POST /token/exchange - Exchange OBO token

MCP Tools

exchange-obo-token

introspect-token

Capability Spec

okta-auth0-obo-token-propagation-capability.yaml
naftiko: 1.0.0-alpha2
info:
  title: Okta Auth0 Obo Token Propagation Capability
  description: A capability that propagates Okta/Auth0 on-behalf-of (OBO) tokens through the Naftiko proxy so upstream APIs see the original user identity.
  tags: [Naftiko, Okta, Auth0, OBO]
  created: '2026-05-01'
  modified: '2026-05-04'
binds:
- namespace: okta-env
  keys: {OKTA_DOMAIN: OKTA_DOMAIN, OKTA_TOKEN: OKTA_TOKEN}
capability:
  consumes:
  - namespace: okta
    type: http
    baseUri: https://{{OKTA_DOMAIN}}
    authentication: {type: bearer, token: '{{OKTA_TOKEN}}'}
    resources:
    - {name: token, path: /oauth2/v1/token, operations: [{name: exchange-obo-token, method: POST, description: RFC 8693 token exchange for OBO.}]}
    - {name: introspect, path: /oauth2/v1/introspect, operations: [{name: introspect-token, method: POST}]}
  exposes:
  - type: rest
    address: 0.0.0.0
    port: 8080
    namespace: okta-auth0-obo-token-propagation-capability-rest
    description: REST surface for OBO token exchange.
    resources:
    - {name: exchange, path: /token/exchange, operations: [{method: POST, name: exchange-obo-token, call: okta.exchange-obo-token}]}
  - type: mcp
    address: 0.0.0.0
    port: 3010
    namespace: okta-auth0-obo-token-propagation-capability-mcp
    description: MCP for OBO token exchange.
    tools:
    - {name: exchange-obo-token, call: okta.exchange-obo-token}
    - {name: introspect-token, call: okta.introspect-token}
  - type: skill
    address: 0.0.0.0
    port: 3011
    namespace: okta-auth0-obo-token-propagation-capability-skills
    description: Skill for OBO propagation.
    skills:
    - name: okta-auth0-obo-token-propagation-capability
      description: Okta/Auth0 OBO token propagation.
      location: file:///opt/naftiko/skills/okta-auth0-obo-token-propagation-capability
      allowed-tools: exchange-obo-token,introspect-token
      tools:
      - {name: exchange-obo-token, from: {sourceNamespace: okta-auth0-obo-token-propagation-capability-mcp, action: exchange-obo-token}}
      - {name: introspect-token, from: {sourceNamespace: okta-auth0-obo-token-propagation-capability-mcp, action: introspect-token}}