OWASP ZAP · Capability

ZAP API — users

ZAP API — users. 15 operations. Lead operation: users. Self-contained Naftiko capability covering one Owasp Zap business surface.

What You Can Do

GET
Usersactionauthenticateasuser — Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.
/v1/json/users/action/authenticateasuser
GET
Usersactionnewuser — Creates a new user with the given name for the context with the given ID.
/v1/json/users/action/newuser
GET
Usersactionpollasuser — Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.
/v1/json/users/action/pollasuser
GET
Usersactionremoveuser — Removes the user with the given ID that belongs to the context with the given ID.
/v1/json/users/action/removeuser
GET
Usersactionsetauthenticationcredentials — Sets the authentication credentials for the user with the given ID that belongs to the context with the given ID.
/v1/json/users/action/setauthenticationcredentials
GET
Usersactionsetauthenticationstate — Sets fields in the authentication state for the user identified by the Context and User Ids.
/v1/json/users/action/setauthenticationstate
GET
Usersactionsetcookie — Sets the specified cookie for the user identified by the Context and User Ids.
/v1/json/users/action/setcookie
GET
Usersactionsetuserenabled — Sets whether or not the user, with the given ID that belongs to the context with the given ID, should be enabled.
/v1/json/users/action/setuserenabled
GET
Usersactionsetusername — Renames the user with the given ID that belongs to the context with the given ID.
/v1/json/users/action/setusername
GET
Usersviewgetauthenticationcredentials — Gets the authentication credentials of the user with given ID that belongs to the context with the given ID.
/v1/json/users/view/getauthenticationcredentials
GET
Usersviewgetauthenticationcredentialsconfigparams — Gets the configuration parameters for the credentials of the context with the given ID.
/v1/json/users/view/getauthenticationcredentialsconfigparams
GET
Usersviewgetauthenticationsession — Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies and realm credentials.
/v1/json/users/view/getauthenticationsession
GET
Usersviewgetauthenticationstate — Gets the authentication state information for the user identified by the Context and User Ids.
/v1/json/users/view/getauthenticationstate
GET
Usersviewgetuserbyid — Gets the data of the user with the given ID that belongs to the context with the given ID.
/v1/json/users/view/getuserbyid
GET
Usersviewuserslist — Gets a list of users that belong to the context with the given ID, or all users if none provided.
/v1/json/users/view/userslist

MCP Tools

tries-authenticate-identified-user-returning

Tries to authenticate as the identified user, returning the authentication request and whether it appears to have succeeded.

read-only idempotent
creates-new-user-given-name

Creates a new user with the given name for the context with the given ID.

read-only idempotent
tries-poll-identified-user-returning

Tries to poll as the identified user, returning the authentication request and whether it appears to have succeeded. This will only work if the polling verification strategy has been configured.

read-only idempotent
removes-user-given-id-that

Removes the user with the given ID that belongs to the context with the given ID.

read-only idempotent
sets-authentication-credentials-user-given

Sets the authentication credentials for the user with the given ID that belongs to the context with the given ID.

read-only idempotent
sets-fields-authentication-state-user

Sets fields in the authentication state for the user identified by the Context and User Ids.

read-only idempotent
sets-specified-cookie-user-identified

Sets the specified cookie for the user identified by the Context and User Ids.

read-only idempotent
sets-whether-not-user-given

Sets whether or not the user, with the given ID that belongs to the context with the given ID, should be enabled.

read-only idempotent
renames-user-given-id-that

Renames the user with the given ID that belongs to the context with the given ID.

read-only idempotent
gets-authentication-credentials-user-given

Gets the authentication credentials of the user with given ID that belongs to the context with the given ID.

read-only idempotent
gets-configuration-parameters-credentials-context

Gets the configuration parameters for the credentials of the context with the given ID.

read-only idempotent
gets-authentication-session-information-user

Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies and realm credentials.

read-only idempotent
gets-authentication-state-information-user

Gets the authentication state information for the user identified by the Context and User Ids.

read-only idempotent
gets-data-user-given-id

Gets the data of the user with the given ID that belongs to the context with the given ID.

read-only idempotent
gets-list-users-that-belong

Gets a list of users that belong to the context with the given ID, or all users if none provided.

read-only idempotent

Capability Spec

owasp-zap-users.yaml
naftiko: 1.0.0-alpha2
info:
  label: ZAP API — users
  description: 'ZAP API — users. 15 operations. Lead operation: users. Self-contained Naftiko capability covering one Owasp
    Zap business surface.'
  tags:
  - Owasp Zap
  - users
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OWASP_ZAP_API_KEY: OWASP_ZAP_API_KEY
capability:
  consumes:
  - type: http
    namespace: owasp-zap-users
    baseUri: http://zap
    description: ZAP API — users business capability. Self-contained, no shared references.
    resources:
    - name: JSON-users-action-authenticateAsUser
      path: /JSON/users/action/authenticateAsUser/
      operations:
      - name: usersactionauthenticateasuser
        method: GET
        description: Tries to authenticate as the identified user, returning the authentication request and whether it appears
          to have succeeded.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-newUser
      path: /JSON/users/action/newUser/
      operations:
      - name: usersactionnewuser
        method: GET
        description: Creates a new user with the given name for the context with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-pollAsUser
      path: /JSON/users/action/pollAsUser/
      operations:
      - name: usersactionpollasuser
        method: GET
        description: Tries to poll as the identified user, returning the authentication request and whether it appears to
          have succeeded. This will only work if the polling verification strategy has been configured.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-removeUser
      path: /JSON/users/action/removeUser/
      operations:
      - name: usersactionremoveuser
        method: GET
        description: Removes the user with the given ID that belongs to the context with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-setAuthenticationCredentials
      path: /JSON/users/action/setAuthenticationCredentials/
      operations:
      - name: usersactionsetauthenticationcredentials
        method: GET
        description: Sets the authentication credentials for the user with the given ID that belongs to the context with the
          given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-setAuthenticationState
      path: /JSON/users/action/setAuthenticationState/
      operations:
      - name: usersactionsetauthenticationstate
        method: GET
        description: Sets fields in the authentication state for the user identified by the Context and User Ids.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-setCookie
      path: /JSON/users/action/setCookie/
      operations:
      - name: usersactionsetcookie
        method: GET
        description: Sets the specified cookie for the user identified by the Context and User Ids.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-setUserEnabled
      path: /JSON/users/action/setUserEnabled/
      operations:
      - name: usersactionsetuserenabled
        method: GET
        description: Sets whether or not the user, with the given ID that belongs to the context with the given ID, should
          be enabled.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-action-setUserName
      path: /JSON/users/action/setUserName/
      operations:
      - name: usersactionsetusername
        method: GET
        description: Renames the user with the given ID that belongs to the context with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-getAuthenticationCredentials
      path: /JSON/users/view/getAuthenticationCredentials/
      operations:
      - name: usersviewgetauthenticationcredentials
        method: GET
        description: Gets the authentication credentials of the user with given ID that belongs to the context with the given
          ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-getAuthenticationCredentialsConfigParams
      path: /JSON/users/view/getAuthenticationCredentialsConfigParams/
      operations:
      - name: usersviewgetauthenticationcredentialsconfigparams
        method: GET
        description: Gets the configuration parameters for the credentials of the context with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-getAuthenticationSession
      path: /JSON/users/view/getAuthenticationSession/
      operations:
      - name: usersviewgetauthenticationsession
        method: GET
        description: Gets the authentication session information for the user identified by the Context and User Ids, e.g.
          cookies and realm credentials.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-getAuthenticationState
      path: /JSON/users/view/getAuthenticationState/
      operations:
      - name: usersviewgetauthenticationstate
        method: GET
        description: Gets the authentication state information for the user identified by the Context and User Ids.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-getUserById
      path: /JSON/users/view/getUserById/
      operations:
      - name: usersviewgetuserbyid
        method: GET
        description: Gets the data of the user with the given ID that belongs to the context with the given ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    - name: JSON-users-view-usersList
      path: /JSON/users/view/usersList/
      operations:
      - name: usersviewuserslist
        method: GET
        description: Gets a list of users that belong to the context with the given ID, or all users if none provided.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
    authentication:
      type: apikey
      key: X-ZAP-API-Key
      value: '{{env.OWASP_ZAP_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: owasp-zap-users-rest
    port: 8080
    description: REST adapter for ZAP API — users. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/json/users/action/authenticateasuser
      name: json-users-action-authenticateasuser
      description: REST surface for JSON-users-action-authenticateAsUser.
      operations:
      - method: GET
        name: usersactionauthenticateasuser
        description: Tries to authenticate as the identified user, returning the authentication request and whether it appears
          to have succeeded.
        call: owasp-zap-users.usersactionauthenticateasuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/newuser
      name: json-users-action-newuser
      description: REST surface for JSON-users-action-newUser.
      operations:
      - method: GET
        name: usersactionnewuser
        description: Creates a new user with the given name for the context with the given ID.
        call: owasp-zap-users.usersactionnewuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/pollasuser
      name: json-users-action-pollasuser
      description: REST surface for JSON-users-action-pollAsUser.
      operations:
      - method: GET
        name: usersactionpollasuser
        description: Tries to poll as the identified user, returning the authentication request and whether it appears to
          have succeeded. This will only work if the polling verification strategy has been configured.
        call: owasp-zap-users.usersactionpollasuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/removeuser
      name: json-users-action-removeuser
      description: REST surface for JSON-users-action-removeUser.
      operations:
      - method: GET
        name: usersactionremoveuser
        description: Removes the user with the given ID that belongs to the context with the given ID.
        call: owasp-zap-users.usersactionremoveuser
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/setauthenticationcredentials
      name: json-users-action-setauthenticationcredentials
      description: REST surface for JSON-users-action-setAuthenticationCredentials.
      operations:
      - method: GET
        name: usersactionsetauthenticationcredentials
        description: Sets the authentication credentials for the user with the given ID that belongs to the context with the
          given ID.
        call: owasp-zap-users.usersactionsetauthenticationcredentials
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/setauthenticationstate
      name: json-users-action-setauthenticationstate
      description: REST surface for JSON-users-action-setAuthenticationState.
      operations:
      - method: GET
        name: usersactionsetauthenticationstate
        description: Sets fields in the authentication state for the user identified by the Context and User Ids.
        call: owasp-zap-users.usersactionsetauthenticationstate
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/setcookie
      name: json-users-action-setcookie
      description: REST surface for JSON-users-action-setCookie.
      operations:
      - method: GET
        name: usersactionsetcookie
        description: Sets the specified cookie for the user identified by the Context and User Ids.
        call: owasp-zap-users.usersactionsetcookie
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/setuserenabled
      name: json-users-action-setuserenabled
      description: REST surface for JSON-users-action-setUserEnabled.
      operations:
      - method: GET
        name: usersactionsetuserenabled
        description: Sets whether or not the user, with the given ID that belongs to the context with the given ID, should
          be enabled.
        call: owasp-zap-users.usersactionsetuserenabled
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/action/setusername
      name: json-users-action-setusername
      description: REST surface for JSON-users-action-setUserName.
      operations:
      - method: GET
        name: usersactionsetusername
        description: Renames the user with the given ID that belongs to the context with the given ID.
        call: owasp-zap-users.usersactionsetusername
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/getauthenticationcredentials
      name: json-users-view-getauthenticationcredentials
      description: REST surface for JSON-users-view-getAuthenticationCredentials.
      operations:
      - method: GET
        name: usersviewgetauthenticationcredentials
        description: Gets the authentication credentials of the user with given ID that belongs to the context with the given
          ID.
        call: owasp-zap-users.usersviewgetauthenticationcredentials
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/getauthenticationcredentialsconfigparams
      name: json-users-view-getauthenticationcredentialsconfigparams
      description: REST surface for JSON-users-view-getAuthenticationCredentialsConfigParams.
      operations:
      - method: GET
        name: usersviewgetauthenticationcredentialsconfigparams
        description: Gets the configuration parameters for the credentials of the context with the given ID.
        call: owasp-zap-users.usersviewgetauthenticationcredentialsconfigparams
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/getauthenticationsession
      name: json-users-view-getauthenticationsession
      description: REST surface for JSON-users-view-getAuthenticationSession.
      operations:
      - method: GET
        name: usersviewgetauthenticationsession
        description: Gets the authentication session information for the user identified by the Context and User Ids, e.g.
          cookies and realm credentials.
        call: owasp-zap-users.usersviewgetauthenticationsession
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/getauthenticationstate
      name: json-users-view-getauthenticationstate
      description: REST surface for JSON-users-view-getAuthenticationState.
      operations:
      - method: GET
        name: usersviewgetauthenticationstate
        description: Gets the authentication state information for the user identified by the Context and User Ids.
        call: owasp-zap-users.usersviewgetauthenticationstate
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/getuserbyid
      name: json-users-view-getuserbyid
      description: REST surface for JSON-users-view-getUserById.
      operations:
      - method: GET
        name: usersviewgetuserbyid
        description: Gets the data of the user with the given ID that belongs to the context with the given ID.
        call: owasp-zap-users.usersviewgetuserbyid
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/json/users/view/userslist
      name: json-users-view-userslist
      description: REST surface for JSON-users-view-usersList.
      operations:
      - method: GET
        name: usersviewuserslist
        description: Gets a list of users that belong to the context with the given ID, or all users if none provided.
        call: owasp-zap-users.usersviewuserslist
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: owasp-zap-users-mcp
    port: 9090
    transport: http
    description: MCP adapter for ZAP API — users. One tool per consumed operation, routed inline through this capability's
      consumes block.
    tools:
    - name: tries-authenticate-identified-user-returning
      description: Tries to authenticate as the identified user, returning the authentication request and whether it appears
        to have succeeded.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionauthenticateasuser
      outputParameters:
      - type: object
        mapping: $.
    - name: creates-new-user-given-name
      description: Creates a new user with the given name for the context with the given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionnewuser
      outputParameters:
      - type: object
        mapping: $.
    - name: tries-poll-identified-user-returning
      description: Tries to poll as the identified user, returning the authentication request and whether it appears to have
        succeeded. This will only work if the polling verification strategy has been configured.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionpollasuser
      outputParameters:
      - type: object
        mapping: $.
    - name: removes-user-given-id-that
      description: Removes the user with the given ID that belongs to the context with the given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionremoveuser
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-authentication-credentials-user-given
      description: Sets the authentication credentials for the user with the given ID that belongs to the context with the
        given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionsetauthenticationcredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-fields-authentication-state-user
      description: Sets fields in the authentication state for the user identified by the Context and User Ids.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionsetauthenticationstate
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-specified-cookie-user-identified
      description: Sets the specified cookie for the user identified by the Context and User Ids.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionsetcookie
      outputParameters:
      - type: object
        mapping: $.
    - name: sets-whether-not-user-given
      description: Sets whether or not the user, with the given ID that belongs to the context with the given ID, should be
        enabled.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionsetuserenabled
      outputParameters:
      - type: object
        mapping: $.
    - name: renames-user-given-id-that
      description: Renames the user with the given ID that belongs to the context with the given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersactionsetusername
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-authentication-credentials-user-given
      description: Gets the authentication credentials of the user with given ID that belongs to the context with the given
        ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewgetauthenticationcredentials
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-configuration-parameters-credentials-context
      description: Gets the configuration parameters for the credentials of the context with the given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewgetauthenticationcredentialsconfigparams
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-authentication-session-information-user
      description: Gets the authentication session information for the user identified by the Context and User Ids, e.g. cookies
        and realm credentials.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewgetauthenticationsession
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-authentication-state-information-user
      description: Gets the authentication state information for the user identified by the Context and User Ids.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewgetauthenticationstate
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-data-user-given-id
      description: Gets the data of the user with the given ID that belongs to the context with the given ID.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewgetuserbyid
      outputParameters:
      - type: object
        mapping: $.
    - name: gets-list-users-that-belong
      description: Gets a list of users that belong to the context with the given ID, or all users if none provided.
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: owasp-zap-users.usersviewuserslist
      outputParameters:
      - type: object
        mapping: $.