OWASP ZAP · Capability

ZAP API — httpSessions

ZAP API — httpSessions. 16 operations. Lead operation: httpSessions. Self-contained Naftiko capability covering one Owasp Zap business surface.


What You Can Do

GET
Httpsessionsactionadddefaultsessiontoken — Adds a default session token with the given name and enabled state.
/v1/json/httpsessions/action/adddefaultsessiontoken
GET
Httpsessionsactionaddsessiontoken — Adds the session token to the given site.
/v1/json/httpsessions/action/addsessiontoken
GET
Httpsessionsactioncreateemptysession — Creates an empty session for the given site. Optionally with the given name.
/v1/json/httpsessions/action/createemptysession
GET
Httpsessionsactionremovedefaultsessiontoken — Removes the default session token with the given name.
/v1/json/httpsessions/action/removedefaultsessiontoken
GET
Httpsessionsactionremovesession — Removes the session from the given site.
/v1/json/httpsessions/action/removesession
GET
Httpsessionsactionremovesessiontoken — Removes the session token from the given site.
/v1/json/httpsessions/action/removesessiontoken
GET
Httpsessionsactionrenamesession — Renames the session of the given site.
/v1/json/httpsessions/action/renamesession
GET
Httpsessionsactionsetactivesession — Sets the given session as active for the given site.
/v1/json/httpsessions/action/setactivesession
GET
Httpsessionsactionsetdefaultsessiontokenenabled — Sets whether or not the default session token with the given name is enabled.
/v1/json/httpsessions/action/setdefaultsessiontokenenabled
GET
Httpsessionsactionsetsessiontokenvalue — Sets the value of the session token of the given session for the given site.
/v1/json/httpsessions/action/setsessiontokenvalue
GET
Httpsessionsactionunsetactivesession — Unsets the active session of the given site.
/v1/json/httpsessions/action/unsetactivesession
GET
Httpsessionsviewactivesession — Gets the name of the active session for the given site.
/v1/json/httpsessions/view/activesession
GET
Httpsessionsviewdefaultsessiontokens — Gets the default session tokens.
/v1/json/httpsessions/view/defaultsessiontokens
GET
Httpsessionsviewsessiontokens — Gets the names of the session tokens for the given site.
/v1/json/httpsessions/view/sessiontokens
GET
Httpsessionsviewsessions — Gets the sessions for the given site. Optionally returning just the session with the given name.
/v1/json/httpsessions/view/sessions
GET
Httpsessionsviewsites — Gets all of the sites that have sessions.
/v1/json/httpsessions/view/sites

MCP Tools

adds-default-session-token-given

Adds a default session token with the given name and enabled state.

read-only idempotent

adds-session-token-given-site

Adds the session token to the given site.

read-only idempotent

creates-empty-session-given-site

Creates an empty session for the given site. Optionally with the given name.

read-only idempotent

removes-default-session-token-given

Removes the default session token with the given name.

read-only idempotent

removes-session-given-site

Removes the session from the given site.

read-only idempotent

removes-session-token-given-site

Removes the session token from the given site.

read-only idempotent

renames-session-given-site

Renames the session of the given site.

read-only idempotent

sets-given-session-active-given

Sets the given session as active for the given site.

read-only idempotent

sets-whether-not-default-session

Sets whether or not the default session token with the given name is enabled.

read-only idempotent

sets-value-session-token-given

Sets the value of the session token of the given session for the given site.

read-only idempotent

unsets-active-session-given-site

Unsets the active session of the given site.

read-only idempotent

gets-name-active-session-given

Gets the name of the active session for the given site.

read-only idempotent

gets-default-session-tokens

Gets the default session tokens.

read-only idempotent

gets-names-session-tokens-given

Gets the names of the session tokens for the given site.

read-only idempotent

gets-sessions-given-site-optionally

Gets the sessions for the given site. Optionally returning just the session with the given name.

read-only idempotent

gets-all-sites-that-have

Gets all of the sites that have sessions.

read-only idempotent

Capability Spec

owasp-zap-httpsessions.yaml
naftiko: 1.0.0-alpha2
info:
  label: ZAP API — httpSessions
  description: 'ZAP API — httpSessions. 16 operations. Lead operation: httpSessions. Self-contained Naftiko capability covering
    one Owasp Zap business surface.'
  tags:
  - Owasp Zap
  - httpSessions
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OWASP_ZAP_API_KEY: OWASP_ZAP_API_KEY
capability:
  consumes:
  - type: http
    namespace: owasp-zap-httpsessions
    baseUri: http://zap
    description: ZAP API — httpSessions business capability. Self-contained, no shared references.
    resources:
    - name: JSON-httpSessions-action-addDefaultSessionToken
      path: /JSON/httpSessions/action/addDefaultSessionToken/
      operations:
      - name: httpsessionsactionadddefaultsessiontoken
        method: GET
        description: Adds a default session token with the given name and enabled state.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-addSessionToken
      path: /JSON/httpSessions/action/addSessionToken/
      operations:
      - name: httpsessionsactionaddsessiontoken
        method: GET
        description: Adds the session token to the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-createEmptySession
      path: /JSON/httpSessions/action/createEmptySession/
      operations:
      - name: httpsessionsactioncreateemptysession
        method: GET
        description: Creates an empty session for the given site. Optionally with the given name.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-removeDefaultSessionToken
      path: /JSON/httpSessions/action/removeDefaultSessionToken/
      operations:
      - name: httpsessionsactionremovedefaultsessiontoken
        method: GET
        description: Removes the default session token with the given name.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-removeSession
      path: /JSON/httpSessions/action/removeSession/
      operations:
      - name: httpsessionsactionremovesession
        method: GET
        description: Removes the session from the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-removeSessionToken
      path: /JSON/httpSessions/action/removeSessionToken/
      operations:
      - name: httpsessionsactionremovesessiontoken
        method: GET
        description: Removes the session token from the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-renameSession
      path: /JSON/httpSessions/action/renameSession/
      operations:
      - name: httpsessionsactionrenamesession
        method: GET
        description: Renames the session of the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-setActiveSession
      path: /JSON/httpSessions/action/setActiveSession/
      operations:
      - name: httpsessionsactionsetactivesession
        method: GET
        description: Sets the given session as active for the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-setDefaultSessionTokenEnabled
      path: /JSON/httpSessions/action/setDefaultSessionTokenEnabled/
      operations:
      - name: httpsessionsactionsetdefaultsessiontokenenabled
        method: GET
        description: Sets whether or not the default session token with the given name is enabled.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-setSessionTokenValue
      path: /JSON/httpSessions/action/setSessionTokenValue/
      operations:
      - name: httpsessionsactionsetsessiontokenvalue
        method: GET
        description: Sets the value of the session token of the given session for the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-action-unsetActiveSession
      path: /JSON/httpSessions/action/unsetActiveSession/
      operations:
      - name: httpsessionsactionunsetactivesession
        method: GET
        description: Unsets the active session of the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-view-activeSession
      path: /JSON/httpSessions/view/activeSession/
      operations:
      - name: httpsessionsviewactivesession
        method: GET
        description: Gets the name of the active session for the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-view-defaultSessionTokens
      path: /JSON/httpSessions/view/defaultSessionTokens/
      operations:
      - name: httpsessionsviewdefaultsessiontokens
        method: GET
        description: Gets the default session tokens.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-view-sessionTokens
      path: /JSON/httpSessions/view/sessionTokens/
      operations:
      - name: httpsessionsviewsessiontokens
        method: GET
        description: Gets the names of the session tokens for the given site.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-view-sessions
      path: /JSON/httpSessions/view/sessions/
      operations:
      - name: httpsessionsviewsessions
        method: GET
        description: Gets the sessions for the given site. Optionally returning just the session with the given name.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-httpSessions-view-sites
      path: /JSON/httpSessions/view/sites/
      operations:
      - name: httpsessionsviewsites
        method: GET
        description: Gets all of the sites that have sessions.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: apikey
      key: X-ZAP-API-Key
      value: '{{env.OWASP_ZAP_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: owasp-zap-httpsessions-rest
    port: 8080
    description: REST adapter for ZAP API — httpSessions. One Spectral-compliant resource per consumed operation, prefixed
      with /v1.
    resources:
    - path: /v1/json/httpsessions/action/adddefaultsessiontoken
      name: json-httpsessions-action-adddefaultsessiontoken
      description: REST surface for JSON-httpSessions-action-addDefaultSessionToken.
      operations:
      - method: GET
        name: httpsessionsactionadddefaultsessiontoken
        description: Adds a default session token with the given name and enabled state.
        call: owasp-zap-httpsessions.httpsessionsactionadddefaultsessiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/addsessiontoken
      name: json-httpsessions-action-addsessiontoken
      description: REST surface for JSON-httpSessions-action-addSessionToken.
      operations:
      - method: GET
        name: httpsessionsactionaddsessiontoken
        description: Adds the session token to the given site.
        call: owasp-zap-httpsessions.httpsessionsactionaddsessiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/createemptysession
      name: json-httpsessions-action-createemptysession
      description: REST surface for JSON-httpSessions-action-createEmptySession.
      operations:
      - method: GET
        name: httpsessionsactioncreateemptysession
        description: Creates an empty session for the given site. Optionally with the given name.
        call: owasp-zap-httpsessions.httpsessionsactioncreateemptysession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/removedefaultsessiontoken
      name: json-httpsessions-action-removedefaultsessiontoken
      description: REST surface for JSON-httpSessions-action-removeDefaultSessionToken.
      operations:
      - method: GET
        name: httpsessionsactionremovedefaultsessiontoken
        description: Removes the default session token with the given name.
        call: owasp-zap-httpsessions.httpsessionsactionremovedefaultsessiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/removesession
      name: json-httpsessions-action-removesession
      description: REST surface for JSON-httpSessions-action-removeSession.
      operations:
      - method: GET
        name: httpsessionsactionremovesession
        description: Removes the session from the given site.
        call: owasp-zap-httpsessions.httpsessionsactionremovesession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/removesessiontoken
      name: json-httpsessions-action-removesessiontoken
      description: REST surface for JSON-httpSessions-action-removeSessionToken.
      operations:
      - method: GET
        name: httpsessionsactionremovesessiontoken
        description: Removes the session token from the given site.
        call: owasp-zap-httpsessions.httpsessionsactionremovesessiontoken
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/renamesession
      name: json-httpsessions-action-renamesession
      description: REST surface for JSON-httpSessions-action-renameSession.
      operations:
      - method: GET
        name: httpsessionsactionrenamesession
        description: Renames the session of the given site.
        call: owasp-zap-httpsessions.httpsessionsactionrenamesession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/setactivesession
      name: json-httpsessions-action-setactivesession
      description: REST surface for JSON-httpSessions-action-setActiveSession.
      operations:
      - method: GET
        name: httpsessionsactionsetactivesession
        description: Sets the given session as active for the given site.
        call: owasp-zap-httpsessions.httpsessionsactionsetactivesession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/setdefaultsessiontokenenabled
      name: json-httpsessions-action-setdefaultsessiontokenenabled
      description: REST surface for JSON-httpSessions-action-setDefaultSessionTokenEnabled.
      operations:
      - method: GET
        name: httpsessionsactionsetdefaultsessiontokenenabled
        description: Sets whether or not the default session token with the given name is enabled.
        call: owasp-zap-httpsessions.httpsessionsactionsetdefaultsessiontokenenabled
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/setsessiontokenvalue
      name: json-httpsessions-action-setsessiontokenvalue
      description: REST surface for JSON-httpSessions-action-setSessionTokenValue.
      operations:
      - method: GET
        name: httpsessionsactionsetsessiontokenvalue
        description: Sets the value of the session token of the given session for the given site.
        call: owasp-zap-httpsessions.httpsessionsactionsetsessiontokenvalue
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/action/unsetactivesession
      name: json-httpsessions-action-unsetactivesession
      description: REST surface for JSON-httpSessions-action-unsetActiveSession.
      operations:
      - method: GET
        name: httpsessionsactionunsetactivesession
        description: Unsets the active session of the given site.
        call: owasp-zap-httpsessions.httpsessionsactionunsetactivesession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/view/activesession
      name: json-httpsessions-view-activesession
      description: REST surface for JSON-httpSessions-view-activeSession.
      operations:
      - method: GET
        name: httpsessionsviewactivesession
        description: Gets the name of the active session for the given site.
        call: owasp-zap-httpsessions.httpsessionsviewactivesession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/view/defaultsessiontokens
      name: json-httpsessions-view-defaultsessiontokens
      description: REST surface for JSON-httpSessions-view-defaultSessionTokens.
      operations:
      - method: GET
        name: httpsessionsviewdefaultsessiontokens
        description: Gets the default session tokens.
        call: owasp-zap-httpsessions.httpsessionsviewdefaultsessiontokens
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/view/sessiontokens
      name: json-httpsessions-view-sessiontokens
      description: REST surface for JSON-httpSessions-view-sessionTokens.
      operations:
      - method: GET
        name: httpsessionsviewsessiontokens
        description: Gets the names of the session tokens for the given site.
        call: owasp-zap-httpsessions.httpsessionsviewsessiontokens
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/view/sessions
      name: json-httpsessions-view-sessions
      description: REST surface for JSON-httpSessions-view-sessions.
      operations:
      - method: GET
        name: httpsessionsviewsessions
        description: Gets the sessions for the given site. Optionally returning just the session with the given name.
        call: owasp-zap-httpsessions.httpsessionsviewsessions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/httpsessions/view/sites
      name: json-httpsessions-view-sites
      description: REST surface for JSON-httpSessions-view-sites.
      operations:
      - method: GET
        name: httpsessionsviewsites
        description: Gets all of the sites that have sessions.
        call: owasp-zap-httpsessions.httpsessionsviewsites
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: owasp-zap-httpsessions-mcp
    port: 9090
    transport: http
    description: MCP adapter for ZAP API — httpSessions. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: adds-default-session-token-given
      description: Adds a default session token with the given name and enabled state.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionadddefaultsessiontoken
      outputParameters:
      - type: object
        mapping: $.
    - name: adds-session-token-given-site
      description: Adds the session token to the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionaddsessiontoken
      outputParameters:
      - type: object
        mapping: $.
    - name: creates-empty-session-given-site
      description: Creates an empty session for the given site. Optionally with the given name.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactioncreateemptysession
      outputParameters:
      - type: object
        mapping: $.
    - name: removes-default-session-token-given
      description: Removes the default session token with the given name.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionremovedefaultsessiontoken
      outputParameters:
      - type: object
        mapping: $.
    - name: removes-session-given-site
      description: Removes the session from the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionremovesession
      outputParameters:
      - type: object
        mapping: $.
    - name: removes-session-token-given-site
      description: Removes the session token from the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionremovesessiontoken
      outputParameters:
      - type: object
        mapping: $.
    - name: renames-session-given-site
      description: Renames the session of the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionrenamesession
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-given-session-active-given
      description: Sets the given session as active for the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionsetactivesession
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-whether-not-default-session
      description: Sets whether or not the default session token with the given name is enabled.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionsetdefaultsessiontokenenabled
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-value-session-token-given
      description: Sets the value of the session token of the given session for the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionsetsessiontokenvalue
      outputParameters:
      - type: object
        mapping: $.
    - name: unsets-active-session-given-site
      description: Unsets the active session of the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsactionunsetactivesession
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-name-active-session-given
      description: Gets the name of the active session for the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsviewactivesession
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-default-session-tokens
      description: Gets the default session tokens.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsviewdefaultsessiontokens
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-names-session-tokens-given
      description: Gets the names of the session tokens for the given site.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsviewsessiontokens
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-sessions-given-site-optionally
      description: Gets the sessions for the given site. Optionally returning just the session with the given name.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsviewsessions
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-all-sites-that-have
      description: Gets all of the sites that have sessions.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-httpsessions.httpsessionsviewsites
      outputParameters:
      - type: object
        mapping: $.