OAuth · Capability
OAuth 2.0 Authorization Server
OpenAPI specification for OAuth 2.0 authorization server endpoints as defined in RFC 6749 (The OAuth 2.0 Authorization Framework) and RFC 6750 (Bearer Token Usage). Covers the token endpoint, authorization endpoint, and token revocation endpoint (RFC 7009).
What You Can Do
GET
Authorize
— Authorization Endpoint
/authorize
POST
Requesttoken
— Token Endpoint
/token
POST
Revoketoken
— Token Revocation Endpoint
/revoke
MCP Tools
authorize
Authorization Endpoint
read-only
idempotent
requesttoken
Token Endpoint
revoketoken
Token Revocation Endpoint
Capability Spec
# Naftiko capability spec: format version first, then descriptive metadata.
naftiko: '1.0.0-alpha2'
info:
  label: OAuth 2.0 Authorization Server
  # Folded scalar: the lines below join into one single-line description.
  description: >-
    OpenAPI specification for OAuth 2.0 authorization server endpoints as
    defined in RFC 6749 (The OAuth 2.0 Authorization Framework) and RFC 6750
    (Bearer Token Usage). Covers the token endpoint, authorization endpoint,
    and token revocation endpoint (RFC 7009).
  tags:
    - Oauth
    - API
  # Quoted so the dates stay strings instead of being parsed as timestamps.
  created: '2026-05-06'
  modified: '2026-05-06'
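capability:
  # Upstream API this capability calls on behalf of its own callers.
  consumes:
    - type: http
      namespace: oauth
      # Keep https when replacing the example host: these endpoints carry
      # client credentials and tokens, and RFC 6749 requires TLS for them.
      baseUri: https://authorization-server.example.com
      description: OAuth 2.0 Authorization Server HTTP API.
      # HTTP Basic credentials filled from the OAUTH_USERNAME / OAUTH_PASSWORD
      # template variables; declared once for the whole `oauth` namespace.
      # NOTE(review): RFC 6749 section 2.3.1 uses Basic for client
      # authentication at the token endpoint, while /authorize authenticates
      # the resource owner - confirm these hold client_id/client_secret and
      # whether they should be sent to /authorize at all.
      authentication:
        type: basic
        username: '{{OAUTH_USERNAME}}'
        password: '{{OAUTH_PASSWORD}}'
      resources:
        - name: authorize
          path: /authorize
          operations:
            - name: authorize
              method: GET
              description: Authorization Endpoint
              # NOTE(review): code_challenge / code_challenge_method (PKCE,
              # RFC 7636) are not declared, so a caller of this operation
              # cannot bind the authorization code to the requesting client.
              inputParameters:
                # NOTE(review): "token" (implicit grant) returns the access
                # token in the redirect URI fragment; RFC 9700 advises
                # against it. Prefer "code".
                - name: response_type
                  in: query
                  type: string
                  required: true
                  description: >-
                    The value MUST be "code" for requesting an authorization
                    code or "token" for requesting an access token (implicit
                    grant).
                - name: client_id
                  in: query
                  type: string
                  required: true
                  description: The client identifier issued to the client during registration.
                # RFC 6749 section 3.1.2 expects the server to check this
                # against the redirection URI(s) registered for client_id.
                - name: redirect_uri
                  in: query
                  type: string
                  description: >-
                    The URI to which the authorization server will redirect
                    the user-agent after authorization is granted or denied.
                - name: scope
                  in: query
                  type: string
                  description: The scope of the access request as a space-delimited list of values.
                # Not marked required: a caller that omits it gives up the
                # CSRF check the description refers to.
                - name: state
                  in: query
                  type: string
                  description: >-
                    An opaque value used by the client to maintain state
                    between the request and callback. Used to prevent
                    cross-site request forgery.
              # NOTE(review): an authorization endpoint normally answers with
              # a redirect rather than a JSON body - confirm what `$.`
              # resolves to for this operation.
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: token
          path: /token
          operations:
            # NOTE(review): no inputParameters are declared, so grant_type,
            # code, redirect_uri etc. (RFC 6749 section 4.1.3) have no
            # declared way in - confirm how the form body is supplied.
            - name: requesttoken
              method: POST
              description: Token Endpoint
              outputRawFormat: json
              # `$.` passes the whole response through; per RFC 6749 section
              # 5.1 that includes access_token and possibly refresh_token.
              outputParameters:
                - name: result
                  type: object
                  value: $.
        - name: revoke
          path: /revoke
          operations:
            # NOTE(review): no inputParameters are declared; RFC 7009 section
            # 2.1 requires a `token` form parameter - confirm how it is sent.
            - name: revoketoken
              method: POST
              description: Token Revocation Endpoint
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
  # Adapters through which callers reach the consumed operations.
  exposes:
    # No authentication is declared for this adapter in the spec shown.
    # NOTE(review): presumably every request reaching port 8080 is forwarded
    # upstream with the Basic credentials configured under `consumes`, so
    # anyone who can connect acts as the registered client - confirm, and
    # keep the port on loopback or behind an authenticating proxy.
    - type: rest
      port: 8080
      namespace: oauth-rest
      description: REST adapter for OAuth 2.0 Authorization Server.
      resources:
        - path: /authorize
          name: authorize
          operations:
            - method: GET
              name: authorize
              description: Authorization Endpoint
              call: oauth.authorize
              outputParameters:
                - type: object
                  mapping: $.
        - path: /token
          name: requesttoken
          operations:
            - method: POST
              name: requesttoken
              description: Token Endpoint
              call: oauth.requesttoken
              outputParameters:
                - type: object
                  mapping: $.
        - path: /revoke
          name: revoketoken
          operations:
            - method: POST
              name: revoketoken
              description: Token Revocation Endpoint
              call: oauth.revoketoken
              outputParameters:
                - type: object
                  mapping: $.
    # Same exposure concern as the REST adapter: no authentication is
    # declared here and the transport is plain `http`.
    # NOTE(review): tool results presumably go straight back to the calling
    # agent, so requesttoken puts raw access/refresh tokens into the agent's
    # context and anything that logs it - confirm and limit who can connect.
    - type: mcp
      port: 9090
      namespace: oauth-mcp
      transport: http
      description: MCP adapter for OAuth 2.0 Authorization Server for AI agent use.
      tools:
        - name: authorize
          description: Authorization Endpoint
          # NOTE(review): a successful /authorize request leads to an
          # authorization code (or, with response_type=token, an access
          # token) being issued, so readOnly/idempotent may understate what
          # this tool does - confirm before clients rely on these hints to
          # skip user confirmation.
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: oauth.authorize
          with:
            response_type: tools.response_type
            client_id: tools.client_id
            redirect_uri: tools.redirect_uri
            scope: tools.scope
            state: tools.state
          inputParameters:
            - name: response_type
              type: string
              description: >-
                The value MUST be "code" for requesting an authorization code
                or "token" for requesting an access token (implicit grant).
              required: true
            - name: client_id
              type: string
              description: The client identifier issued to the client during registration.
              required: true
            - name: redirect_uri
              type: string
              description: >-
                The URI to which the authorization server will redirect the
                user-agent after authorization is granted or denied.
            - name: scope
              type: string
              description: The scope of the access request as a space-delimited list of values.
            - name: state
              type: string
              description: >-
                An opaque value used by the client to maintain state between
                the request and callback. Used to prevent cross-site request
                forgery.
          outputParameters:
            - type: object
              mapping: $.
        - name: requesttoken
          description: Token Endpoint
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: oauth.requesttoken
          outputParameters:
            - type: object
              mapping: $.
        - name: revoketoken
          description: Token Revocation Endpoint
          # Revocation permanently invalidates a credential and cannot be
          # undone, so the tool is flagged destructive; MCP clients that gate
          # destructive tools behind confirmation will then prompt for it.
          # idempotent is left as declared, although RFC 7009 section 2.2
          # answers 200 for an already-invalid token as well.
          hints:
            readOnly: false
            destructive: true
            idempotent: false
          call: oauth.revoketoken
          outputParameters:
            - type: object
              mapping: $.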
# Variable bindings for the {{OAUTH_USERNAME}} / {{OAUTH_PASSWORD}} templates
# used by the consumed API's Basic authentication. With namespace `env` the
# values are presumably read from process environment variables of the same
# names, which keeps the client secret out of this file.
# NOTE(review): indentation was lost on this page; `binds` is shown as a
# top-level key - confirm against the original file.
binds:
  - namespace: env
    keys:
      OAUTH_USERNAME: OAUTH_USERNAME
      OAUTH_PASSWORD: OAUTH_PASSWORD