OWASP ZAP · Capability

ZAP API — oast

11 operations. Lead operation: oast. Self-contained Naftiko capability covering one OWASP ZAP business surface.

What You Can Do

GET /v1/json/oast/action/setactivescanservice
Oastactionsetactivescanservice — Sets the service used with the active scanner.

GET /v1/json/oast/action/setboastoptions
Oastactionsetboastoptions — Sets the BOAST options.

GET /v1/json/oast/action/setcallbackoptions
Oastactionsetcallbackoptions — Sets the Callback options.

GET /v1/json/oast/action/setdaystokeeprecords
Oastactionsetdaystokeeprecords — Sets the number of days the OAST records will be kept for.

GET /v1/json/oast/action/setinteractshoptions
Oastactionsetinteractshoptions — Sets the Interactsh options.

GET /v1/json/oast/view/getactivescanservice
Oastviewgetactivescanservice — Gets the service used with the active scanner, if any.

GET /v1/json/oast/view/getboastoptions
Oastviewgetboastoptions — Gets the BOAST options.

GET /v1/json/oast/view/getcallbackoptions
Oastviewgetcallbackoptions — Gets the Callback options.

GET /v1/json/oast/view/getdaystokeeprecords
Oastviewgetdaystokeeprecords — Gets the number of days the OAST records will be kept for.

GET /v1/json/oast/view/getinteractshoptions
Oastviewgetinteractshoptions — Gets the Interactsh options.

GET /v1/json/oast/view/getservices
Oastviewgetservices — Gets all of the services.

MCP Tools

sets-service-used-active-scanner
Sets the service used with the active scanner.
read-only, idempotent

sets-boast-options
Sets the BOAST options.
read-only, idempotent

sets-callback-options
Sets the Callback options.
read-only, idempotent

sets-number-days-oast-records
Sets the number of days the OAST records will be kept for.
read-only, idempotent

sets-interactsh-options
Sets the Interactsh options.
read-only, idempotent

gets-service-used-active-scanner
Gets the service used with the active scanner, if any.
read-only, idempotent

gets-boast-options
Gets the BOAST options.
read-only, idempotent

gets-callback-options
Gets the Callback options.
read-only, idempotent

gets-number-days-oast-records
Gets the number of days the OAST records will be kept for.
read-only, idempotent

gets-interactsh-options
Gets the Interactsh options.
read-only, idempotent

gets-all-services
Gets all of the services.
read-only, idempotent

Capability Spec

owasp-zap-oast.yaml
naftiko: 1.0.0-alpha2
info:
  label: ZAP API — oast
  description: 'ZAP API — oast. 11 operations. Lead operation: oast. Self-contained Naftiko capability covering one Owasp
    Zap business surface.'
  tags:
  - Owasp Zap
  - oast
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OWASP_ZAP_API_KEY: OWASP_ZAP_API_KEY
capability:
  consumes:
  - type: http
    namespace: owasp-zap-oast
    baseUri: http://zap
    description: ZAP API — oast business capability. Self-contained, no shared references.
    resources:
    - name: JSON-oast-action-setActiveScanService
      path: /JSON/oast/action/setActiveScanService/
      operations:
      - name: oastactionsetactivescanservice
        method: GET
        description: Sets the service used with the active scanner.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-action-setBoastOptions
      path: /JSON/oast/action/setBoastOptions/
      operations:
      - name: oastactionsetboastoptions
        method: GET
        description: Sets the BOAST options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-action-setCallbackOptions
      path: /JSON/oast/action/setCallbackOptions/
      operations:
      - name: oastactionsetcallbackoptions
        method: GET
        description: Sets the Callback options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-action-setDaysToKeepRecords
      path: /JSON/oast/action/setDaysToKeepRecords/
      operations:
      - name: oastactionsetdaystokeeprecords
        method: GET
        description: Sets the number of days the OAST records will be kept for.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-action-setInteractshOptions
      path: /JSON/oast/action/setInteractshOptions/
      operations:
      - name: oastactionsetinteractshoptions
        method: GET
        description: Sets the Interactsh options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getActiveScanService
      path: /JSON/oast/view/getActiveScanService/
      operations:
      - name: oastviewgetactivescanservice
        method: GET
        description: Gets the service used with the active scanner, if any.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getBoastOptions
      path: /JSON/oast/view/getBoastOptions/
      operations:
      - name: oastviewgetboastoptions
        method: GET
        description: Gets the BOAST options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getCallbackOptions
      path: /JSON/oast/view/getCallbackOptions/
      operations:
      - name: oastviewgetcallbackoptions
        method: GET
        description: Gets the Callback options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getDaysToKeepRecords
      path: /JSON/oast/view/getDaysToKeepRecords/
      operations:
      - name: oastviewgetdaystokeeprecords
        method: GET
        description: Gets the number of days the OAST records will be kept for.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getInteractshOptions
      path: /JSON/oast/view/getInteractshOptions/
      operations:
      - name: oastviewgetinteractshoptions
        method: GET
        description: Gets the Interactsh options.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-oast-view-getServices
      path: /JSON/oast/view/getServices/
      operations:
      - name: oastviewgetservices
        method: GET
        description: Gets all of the services.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: apikey
      key: X-ZAP-API-Key
      value: '{{env.OWASP_ZAP_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: owasp-zap-oast-rest
    port: 8080
    description: REST adapter for ZAP API — oast. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/json/oast/action/setactivescanservice
      name: json-oast-action-setactivescanservice
      description: REST surface for JSON-oast-action-setActiveScanService.
      operations:
      - method: GET
        name: oastactionsetactivescanservice
        description: Sets the service used with the active scanner.
        call: owasp-zap-oast.oastactionsetactivescanservice
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/action/setboastoptions
      name: json-oast-action-setboastoptions
      description: REST surface for JSON-oast-action-setBoastOptions.
      operations:
      - method: GET
        name: oastactionsetboastoptions
        description: Sets the BOAST options.
        call: owasp-zap-oast.oastactionsetboastoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/action/setcallbackoptions
      name: json-oast-action-setcallbackoptions
      description: REST surface for JSON-oast-action-setCallbackOptions.
      operations:
      - method: GET
        name: oastactionsetcallbackoptions
        description: Sets the Callback options.
        call: owasp-zap-oast.oastactionsetcallbackoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/action/setdaystokeeprecords
      name: json-oast-action-setdaystokeeprecords
      description: REST surface for JSON-oast-action-setDaysToKeepRecords.
      operations:
      - method: GET
        name: oastactionsetdaystokeeprecords
        description: Sets the number of days the OAST records will be kept for.
        call: owasp-zap-oast.oastactionsetdaystokeeprecords
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/action/setinteractshoptions
      name: json-oast-action-setinteractshoptions
      description: REST surface for JSON-oast-action-setInteractshOptions.
      operations:
      - method: GET
        name: oastactionsetinteractshoptions
        description: Sets the Interactsh options.
        call: owasp-zap-oast.oastactionsetinteractshoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getactivescanservice
      name: json-oast-view-getactivescanservice
      description: REST surface for JSON-oast-view-getActiveScanService.
      operations:
      - method: GET
        name: oastviewgetactivescanservice
        description: Gets the service used with the active scanner, if any.
        call: owasp-zap-oast.oastviewgetactivescanservice
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getboastoptions
      name: json-oast-view-getboastoptions
      description: REST surface for JSON-oast-view-getBoastOptions.
      operations:
      - method: GET
        name: oastviewgetboastoptions
        description: Gets the BOAST options.
        call: owasp-zap-oast.oastviewgetboastoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getcallbackoptions
      name: json-oast-view-getcallbackoptions
      description: REST surface for JSON-oast-view-getCallbackOptions.
      operations:
      - method: GET
        name: oastviewgetcallbackoptions
        description: Gets the Callback options.
        call: owasp-zap-oast.oastviewgetcallbackoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getdaystokeeprecords
      name: json-oast-view-getdaystokeeprecords
      description: REST surface for JSON-oast-view-getDaysToKeepRecords.
      operations:
      - method: GET
        name: oastviewgetdaystokeeprecords
        description: Gets the number of days the OAST records will be kept for.
        call: owasp-zap-oast.oastviewgetdaystokeeprecords
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getinteractshoptions
      name: json-oast-view-getinteractshoptions
      description: REST surface for JSON-oast-view-getInteractshOptions.
      operations:
      - method: GET
        name: oastviewgetinteractshoptions
        description: Gets the Interactsh options.
        call: owasp-zap-oast.oastviewgetinteractshoptions
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/oast/view/getservices
      name: json-oast-view-getservices
      description: REST surface for JSON-oast-view-getServices.
      operations:
      - method: GET
        name: oastviewgetservices
        description: Gets all of the services.
        call: owasp-zap-oast.oastviewgetservices
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: owasp-zap-oast-mcp
    port: 9090
    transport: http
    description: MCP adapter for ZAP API — oast. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: sets-service-used-active-scanner
      description: Sets the service used with the active scanner.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastactionsetactivescanservice
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-boast-options
      description: Sets the BOAST options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastactionsetboastoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-callback-options
      description: Sets the Callback options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastactionsetcallbackoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-number-days-oast-records
      description: Sets the number of days the OAST records will be kept for.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastactionsetdaystokeeprecords
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-interactsh-options
      description: Sets the Interactsh options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastactionsetinteractshoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-service-used-active-scanner
      description: Gets the service used with the active scanner, if any.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetactivescanservice
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-boast-options
      description: Gets the BOAST options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetboastoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-callback-options
      description: Gets the Callback options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetcallbackoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-number-days-oast-records
      description: Gets the number of days the OAST records will be kept for.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetdaystokeeprecords
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-interactsh-options
      description: Gets the Interactsh options.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetinteractshoptions
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-all-services
      description: Gets all of the services.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-oast.oastviewgetservices
      outputParameters:
      - type: object
        mapping: $.