OpenStack · Capability

OpenStack Identity (Keystone) API v3

Keystone is the OpenStack Identity service that provides authentication, authorization, and a service catalog for an OpenStack cloud. Tokens issued by Keystone are required to call any other OpenStack service API. The v3 API exposes endpoints for tokens, users, groups, projects, domains, roles, role assignments, services, endpoints, and the service catalog.


What You Can Do

POST    /auth/tokens            Issuetoken — Issue an authentication token
GET     /auth/tokens            Validatetoken — Validate token
DELETE  /auth/tokens            Revoketoken — Revoke token
GET     /users                  Listusers — List users
POST    /users                  Createuser — Create user
GET     /users/{user_id}        Getuser — Get user
PATCH   /users/{user_id}        Updateuser — Update user
DELETE  /users/{user_id}        Deleteuser — Delete user
GET     /groups                 Listgroups — List groups
POST    /groups                 Creategroup — Create group
GET     /projects               Listprojects — List projects
POST    /projects               Createproject — Create project
GET     /projects/{project_id}  Getproject — Get project
PATCH   /projects/{project_id}  Updateproject — Update project
DELETE  /projects/{project_id}  Deleteproject — Delete project
GET     /domains                Listdomains — List domains
POST    /domains                Createdomain — Create domain
GET     /roles                  Listroles — List roles
POST    /roles                  Createrole — Create role
GET     /role_assignments       Listroleassignments — List role assignments
GET     /services               Listservices — List services in catalog
POST    /services               Createservice — Create service
GET     /endpoints              Listendpoints — List service endpoints
POST    /endpoints              Createendpoint — Create endpoint

MCP Tools

issuetoken: Issue an authentication token
validatetoken: Validate token [read-only, idempotent]
revoketoken: Revoke token [idempotent]
listusers: List users [read-only, idempotent]
createuser: Create user
getuser: Get user [read-only, idempotent]
updateuser: Update user
deleteuser: Delete user [idempotent]
listgroups: List groups [read-only, idempotent]
creategroup: Create group
listprojects: List projects [read-only, idempotent]
createproject: Create project
getproject: Get project [read-only, idempotent]
updateproject: Update project
deleteproject: Delete project [idempotent]
listdomains: List domains [read-only, idempotent]
createdomain: Create domain
listroles: List roles [read-only, idempotent]
createrole: Create role
listroleassignments: List role assignments [read-only, idempotent]
listservices: List services in catalog [read-only, idempotent]
createservice: Create service
listendpoints: List service endpoints [read-only, idempotent]
createendpoint: Create endpoint

Capability Spec

openstack-capability.yaml
naftiko: 1.0.0-alpha2
info:
  label: OpenStack Identity (Keystone) API v3
  description: Keystone is the OpenStack Identity service that provides authentication, authorization, and a service catalog
    for an OpenStack cloud. Tokens issued by Keystone are required to call any other OpenStack service API. The v3 API exposes
    endpoints for tokens, users, groups, projects, domains, roles, role assignments, services, endpoints, and the service
    catalog.
  tags:
  - Openstack
  - API
  created: '2026-05-06'
  modified: '2026-05-06'
capability:
  consumes:
  - type: http
    namespace: openstack
    baseUri: https://keystone.example.com:5000/v3
    description: OpenStack Identity (Keystone) API v3 HTTP API.
    authentication:
      type: apikey
      in: header
      name: X-Auth-Token
      value: '{{OPENSTACK_TOKEN}}'
    resources:
    - name: auth-tokens
      path: /auth/tokens
      operations:
      - name: issuetoken
        method: POST
        description: Issue an authentication token
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: validatetoken
        method: GET
        description: Validate token
        inputParameters:
        - name: X-Subject-Token
          in: header
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: revoketoken
        method: DELETE
        description: Revoke token
        inputParameters:
        - name: X-Subject-Token
          in: header
          type: string
          required: true
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: users
      path: /users
      operations:
      - name: listusers
        method: GET
        description: List users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createuser
        method: POST
        description: Create user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: users-user-id
      path: /users/{user_id}
      operations:
      - name: getuser
        method: GET
        description: Get user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateuser
        method: PATCH
        description: Update user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteuser
        method: DELETE
        description: Delete user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: groups
      path: /groups
      operations:
      - name: listgroups
        method: GET
        description: List groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: creategroup
        method: POST
        description: Create group
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: projects
      path: /projects
      operations:
      - name: listprojects
        method: GET
        description: List projects
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createproject
        method: POST
        description: Create project
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: projects-project-id
      path: /projects/{project_id}
      operations:
      - name: getproject
        method: GET
        description: Get project
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: updateproject
        method: PATCH
        description: Update project
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: deleteproject
        method: DELETE
        description: Delete project
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: domains
      path: /domains
      operations:
      - name: listdomains
        method: GET
        description: List domains
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createdomain
        method: POST
        description: Create domain
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: roles
      path: /roles
      operations:
      - name: listroles
        method: GET
        description: List roles
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createrole
        method: POST
        description: Create role
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: role-assignments
      path: /role_assignments
      operations:
      - name: listroleassignments
        method: GET
        description: List role assignments
        inputParameters:
        - name: scope.project.id
          in: query
          type: string
        - name: scope.domain.id
          in: query
          type: string
        - name: user.id
          in: query
          type: string
        - name: group.id
          in: query
          type: string
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: services
      path: /services
      operations:
      - name: listservices
        method: GET
        description: List services in catalog
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createservice
        method: POST
        description: Create service
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: endpoints
      path: /endpoints
      operations:
      - name: listendpoints
        method: GET
        description: List service endpoints
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
      - name: createendpoint
        method: POST
        description: Create endpoint
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
  exposes:
  - type: rest
    port: 8080
    namespace: openstack-rest
    description: REST adapter for OpenStack Identity (Keystone) API v3.
    resources:
    - path: /auth/tokens
      name: issuetoken
      operations:
      - method: POST
        name: issuetoken
        description: Issue an authentication token
        call: openstack.issuetoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/tokens
      name: validatetoken
      operations:
      - method: GET
        name: validatetoken
        description: Validate token
        call: openstack.validatetoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /auth/tokens
      name: revoketoken
      operations:
      - method: DELETE
        name: revoketoken
        description: Revoke token
        call: openstack.revoketoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /users
      name: listusers
      operations:
      - method: GET
        name: listusers
        description: List users
        call: openstack.listusers
        outputParameters:
        - type: object
          mapping: $.
    - path: /users
      name: createuser
      operations:
      - method: POST
        name: createuser
        description: Create user
        call: openstack.createuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /users/{user_id}
      name: getuser
      operations:
      - method: GET
        name: getuser
        description: Get user
        call: openstack.getuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /users/{user_id}
      name: updateuser
      operations:
      - method: PATCH
        name: updateuser
        description: Update user
        call: openstack.updateuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /users/{user_id}
      name: deleteuser
      operations:
      - method: DELETE
        name: deleteuser
        description: Delete user
        call: openstack.deleteuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /groups
      name: listgroups
      operations:
      - method: GET
        name: listgroups
        description: List groups
        call: openstack.listgroups
        outputParameters:
        - type: object
          mapping: $.
    - path: /groups
      name: creategroup
      operations:
      - method: POST
        name: creategroup
        description: Create group
        call: openstack.creategroup
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects
      name: listprojects
      operations:
      - method: GET
        name: listprojects
        description: List projects
        call: openstack.listprojects
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects
      name: createproject
      operations:
      - method: POST
        name: createproject
        description: Create project
        call: openstack.createproject
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{project_id}
      name: getproject
      operations:
      - method: GET
        name: getproject
        description: Get project
        call: openstack.getproject
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{project_id}
      name: updateproject
      operations:
      - method: PATCH
        name: updateproject
        description: Update project
        call: openstack.updateproject
        outputParameters:
        - type: object
          mapping: $.
    - path: /projects/{project_id}
      name: deleteproject
      operations:
      - method: DELETE
        name: deleteproject
        description: Delete project
        call: openstack.deleteproject
        outputParameters:
        - type: object
          mapping: $.
    - path: /domains
      name: listdomains
      operations:
      - method: GET
        name: listdomains
        description: List domains
        call: openstack.listdomains
        outputParameters:
        - type: object
          mapping: $.
    - path: /domains
      name: createdomain
      operations:
      - method: POST
        name: createdomain
        description: Create domain
        call: openstack.createdomain
        outputParameters:
        - type: object
          mapping: $.
    - path: /roles
      name: listroles
      operations:
      - method: GET
        name: listroles
        description: List roles
        call: openstack.listroles
        outputParameters:
        - type: object
          mapping: $.
    - path: /roles
      name: createrole
      operations:
      - method: POST
        name: createrole
        description: Create role
        call: openstack.createrole
        outputParameters:
        - type: object
          mapping: $.
    - path: /role_assignments
      name: listroleassignments
      operations:
      - method: GET
        name: listroleassignments
        description: List role assignments
        call: openstack.listroleassignments
        outputParameters:
        - type: object
          mapping: $.
    - path: /services
      name: listservices
      operations:
      - method: GET
        name: listservices
        description: List services in catalog
        call: openstack.listservices
        outputParameters:
        - type: object
          mapping: $.
    - path: /services
      name: createservice
      operations:
      - method: POST
        name: createservice
        description: Create service
        call: openstack.createservice
        outputParameters:
        - type: object
          mapping: $.
    - path: /endpoints
      name: listendpoints
      operations:
      - method: GET
        name: listendpoints
        description: List service endpoints
        call: openstack.listendpoints
        outputParameters:
        - type: object
          mapping: $.
    - path: /endpoints
      name: createendpoint
      operations:
      - method: POST
        name: createendpoint
        description: Create endpoint
        call: openstack.createendpoint
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    port: 9090
    namespace: openstack-mcp
    transport: http
    description: MCP adapter for OpenStack Identity (Keystone) API v3 for AI agent use.
    tools:
    - name: issuetoken
      description: Issue an authentication token
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.issuetoken
      outputParameters:
      - type: object
        mapping: $.
    - name: validatetoken
      description: Validate token
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.validatetoken
      outputParameters:
      - type: object
        mapping: $.
    - name: revoketoken
      description: Revoke token
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: openstack.revoketoken
      outputParameters:
      - type: object
        mapping: $.
    - name: listusers
      description: List users
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listusers
      outputParameters:
      - type: object
        mapping: $.
    - name: createuser
      description: Create user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createuser
      outputParameters:
      - type: object
        mapping: $.
    - name: getuser
      description: Get user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.getuser
      outputParameters:
      - type: object
        mapping: $.
    - name: updateuser
      description: Update user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.updateuser
      outputParameters:
      - type: object
        mapping: $.
    - name: deleteuser
      description: Delete user
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: openstack.deleteuser
      outputParameters:
      - type: object
        mapping: $.
    - name: listgroups
      description: List groups
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listgroups
      outputParameters:
      - type: object
        mapping: $.
    - name: creategroup
      description: Create group
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.creategroup
      outputParameters:
      - type: object
        mapping: $.
    - name: listprojects
      description: List projects
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listprojects
      outputParameters:
      - type: object
        mapping: $.
    - name: createproject
      description: Create project
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createproject
      outputParameters:
      - type: object
        mapping: $.
    - name: getproject
      description: Get project
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.getproject
      outputParameters:
      - type: object
        mapping: $.
    - name: updateproject
      description: Update project
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.updateproject
      outputParameters:
      - type: object
        mapping: $.
    - name: deleteproject
      description: Delete project
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: openstack.deleteproject
      outputParameters:
      - type: object
        mapping: $.
    - name: listdomains
      description: List domains
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listdomains
      outputParameters:
      - type: object
        mapping: $.
    - name: createdomain
      description: Create domain
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createdomain
      outputParameters:
      - type: object
        mapping: $.
    - name: listroles
      description: List roles
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listroles
      outputParameters:
      - type: object
        mapping: $.
    - name: createrole
      description: Create role
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createrole
      outputParameters:
      - type: object
        mapping: $.
    - name: listroleassignments
      description: List role assignments
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listroleassignments
      with:
        scope.project.id: tools.scope.project.id
        scope.domain.id: tools.scope.domain.id
        user.id: tools.user.id
        group.id: tools.group.id
      inputParameters:
      - name: scope.project.id
        type: string
        description: scope.project.id
      - name: scope.domain.id
        type: string
        description: scope.domain.id
      - name: user.id
        type: string
        description: user.id
      - name: group.id
        type: string
        description: group.id
      outputParameters:
      - type: object
        mapping: $.
    - name: listservices
      description: List services in catalog
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listservices
      outputParameters:
      - type: object
        mapping: $.
    - name: createservice
      description: Create service
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createservice
      outputParameters:
      - type: object
        mapping: $.
    - name: listendpoints
      description: List service endpoints
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: openstack.listendpoints
      outputParameters:
      - type: object
        mapping: $.
    - name: createendpoint
      description: Create endpoint
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: openstack.createendpoint
      outputParameters:
      - type: object
        mapping: $.
binds:
- namespace: env
  keys:
    OPENSTACK_TOKEN: OPENSTACK_TOKEN