OpenFGA — AuthZenService

OpenFGA — AuthZenService. 6 operations. Lead operation: [Experimental] Get AuthZEN PDP configuration and capabilities. Self-contained Naftiko capability covering one Openfga business surface.

What You Can Do

GET /v1/well-known/authzen-configuration/{store-id}
Getconfiguration — [Experimental] Get AuthZEN PDP configuration and capabilities

POST /v1/stores/{store-id}/access/v1/evaluation
Evaluation — [Experimental] Evaluate whether a subject can perform an action on a resource

POST /v1/stores/{store-id}/access/v1/evaluations
Evaluations — [Experimental] Check whether one or more users are authorized to access resources

POST /v1/stores/{store-id}/access/v1/search/action
Actionsearch — [Experimental] Search for actions a subject can perform on a resource

POST /v1/stores/{store-id}/access/v1/search/resource
Resourcesearch — [Experimental] Search for resources a subject has access to

POST /v1/stores/{store-id}/access/v1/search/subject
Subjectsearch — [Experimental] Search for subjects with access to a resource

MCP Tools

experimental-get-authzen-pdp-configuration (read-only, idempotent)
[Experimental] Get AuthZEN PDP configuration and capabilities

experimental-evaluate-whether-subject-can
[Experimental] Evaluate whether a subject can perform an action on a resource

experimental-check-whether-one-more (read-only)
[Experimental] Check whether one or more users are authorized to access resources

experimental-search-actions-subject-can (read-only)
[Experimental] Search for actions a subject can perform on a resource

experimental-search-resources-subject-has (read-only)
[Experimental] Search for resources a subject has access to

experimental-search-subjects-access-resource (read-only)
[Experimental] Search for subjects with access to a resource

Capability Spec

openfga-authzenservice.yaml
naftiko: 1.0.0-alpha2
info:
  label: OpenFGA — AuthZenService
  description: 'OpenFGA — AuthZenService. 6 operations. Lead operation: [Experimental] Get AuthZEN PDP configuration and capabilities.
    Self-contained Naftiko capability covering one Openfga business surface.'
  tags:
  - Openfga
  - AuthZenService
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OPENFGA_API_KEY: OPENFGA_API_KEY
capability:
  consumes:
  - type: http
    namespace: openfga-authzenservice
    baseUri: ''
    description: OpenFGA — AuthZenService business capability. Self-contained, no shared references.
    resources:
    - name: .well-known-authzen-configuration-store_id
      path: /.well-known/authzen-configuration/{store_id}
      operations:
      - name: getconfiguration
        method: GET
        description: '[Experimental] Get AuthZEN PDP configuration and capabilities'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          description: The store ID for which to retrieve configuration.
          required: true
    - name: stores-store_id-access-v1-evaluation
      path: /stores/{store_id}/access/v1/evaluation
      operations:
      - name: evaluation
        method: POST
        description: '[Experimental] Evaluate whether a subject can perform an action on a resource'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          required: true
    - name: stores-store_id-access-v1-evaluations
      path: /stores/{store_id}/access/v1/evaluations
      operations:
      - name: evaluations
        method: POST
        description: '[Experimental] Check whether one or more users are authorized to access resources'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          required: true
    - name: stores-store_id-access-v1-search-action
      path: /stores/{store_id}/access/v1/search/action
      operations:
      - name: actionsearch
        method: POST
        description: '[Experimental] Search for actions a subject can perform on a resource'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          required: true
    - name: stores-store_id-access-v1-search-resource
      path: /stores/{store_id}/access/v1/search/resource
      operations:
      - name: resourcesearch
        method: POST
        description: '[Experimental] Search for resources a subject has access to'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          required: true
    - name: stores-store_id-access-v1-search-subject
      path: /stores/{store_id}/access/v1/search/subject
      operations:
      - name: subjectsearch
        method: POST
        description: '[Experimental] Search for subjects with access to a resource'
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: store_id
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          required: true
  exposes:
  - type: rest
    namespace: openfga-authzenservice-rest
    port: 8080
    description: REST adapter for OpenFGA — AuthZenService. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/well-known/authzen-configuration/{store-id}
      name: well-known-authzen-configuration-store-id
      description: REST surface for .well-known-authzen-configuration-store_id.
      operations:
      - method: GET
        name: getconfiguration
        description: '[Experimental] Get AuthZEN PDP configuration and capabilities'
        call: openfga-authzenservice.getconfiguration
        with:
          store_id: rest.store_id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/stores/{store-id}/access/v1/evaluation
      name: stores-store-id-access-v1-evaluation
      description: REST surface for stores-store_id-access-v1-evaluation.
      operations:
      - method: POST
        name: evaluation
        description: '[Experimental] Evaluate whether a subject can perform an action on a resource'
        call: openfga-authzenservice.evaluation
        with:
          store_id: rest.store_id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/stores/{store-id}/access/v1/evaluations
      name: stores-store-id-access-v1-evaluations
      description: REST surface for stores-store_id-access-v1-evaluations.
      operations:
      - method: POST
        name: evaluations
        description: '[Experimental] Check whether one or more users are authorized to access resources'
        call: openfga-authzenservice.evaluations
        with:
          store_id: rest.store_id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/stores/{store-id}/access/v1/search/action
      name: stores-store-id-access-v1-search-action
      description: REST surface for stores-store_id-access-v1-search-action.
      operations:
      - method: POST
        name: actionsearch
        description: '[Experimental] Search for actions a subject can perform on a resource'
        call: openfga-authzenservice.actionsearch
        with:
          store_id: rest.store_id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/stores/{store-id}/access/v1/search/resource
      name: stores-store-id-access-v1-search-resource
      description: REST surface for stores-store_id-access-v1-search-resource.
      operations:
      - method: POST
        name: resourcesearch
        description: '[Experimental] Search for resources a subject has access to'
        call: openfga-authzenservice.resourcesearch
        with:
          store_id: rest.store_id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/stores/{store-id}/access/v1/search/subject
      name: stores-store-id-access-v1-search-subject
      description: REST surface for stores-store_id-access-v1-search-subject.
      operations:
      - method: POST
        name: subjectsearch
        description: '[Experimental] Search for subjects with access to a resource'
        call: openfga-authzenservice.subjectsearch
        with:
          store_id: rest.store_id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: openfga-authzenservice-mcp
    port: 9090
    transport: http
    description: MCP adapter for OpenFGA — AuthZenService. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: experimental-get-authzen-pdp-configuration
      description: '[Experimental] Get AuthZEN PDP configuration and capabilities'
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openfga-authzenservice.getconfiguration
      with:
        store_id: tools.store_id
      outputParameters:
      - type: object
        mapping: $.
    - name: experimental-evaluate-whether-subject-can
      description: '[Experimental] Evaluate whether a subject can perform an action on a resource'
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openfga-authzenservice.evaluation
      with:
        store_id: tools.store_id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: experimental-check-whether-one-more
      description: '[Experimental] Check whether one or more users are authorized to access resources'
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: openfga-authzenservice.evaluations
      with:
        store_id: tools.store_id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: experimental-search-actions-subject-can
      description: '[Experimental] Search for actions a subject can perform on a resource'
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: openfga-authzenservice.actionsearch
      with:
        store_id: tools.store_id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: experimental-search-resources-subject-has
      description: '[Experimental] Search for resources a subject has access to'
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: openfga-authzenservice.resourcesearch
      with:
        store_id: tools.store_id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: experimental-search-subjects-access-resource
      description: '[Experimental] Search for subjects with access to a resource'
      hints:
        readOnly: true
        destructive: false
        idempotent: false
      call: openfga-authzenservice.subjectsearch
      with:
        store_id: tools.store_id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.