Strapi · Capability

Strapi Users and Permissions API — Authentication

Strapi Users and Permissions API — Authentication. 8 operations. Lead operation: Change user password. Self-contained Naftiko capability covering one Strapi business surface.

Run with Naftiko StrapiAuthentication

What You Can Do

POST
Changepassword — Change user password
/v1/api/auth/change-password
GET
Confirmemail — Confirm a user email
/v1/api/auth/email-confirmation
POST
Forgotpassword — Request a password reset
/v1/api/auth/forgot-password
POST
Loginuser — Login with local credentials
/v1/api/auth/local
POST
Registeruser — Register a new user
/v1/api/auth/local/register
POST
Resetpassword — Reset a user password
/v1/api/auth/reset-password
POST
Sendemailconfirmation — Resend email confirmation
/v1/api/auth/send-email-confirmation
GET
Providercallback — Social provider authentication callback
/v1/api/auth/{provider}/callback

MCP Tools

change-user-password

Change user password

confirm-user-email

Confirm a user email

read-only idempotent
request-password-reset

Request a password reset

login-local-credentials

Login with local credentials

register-new-user

Register a new user

reset-user-password

Reset a user password

resend-email-confirmation

Resend email confirmation

social-provider-authentication-callback

Social provider authentication callback

read-only idempotent

Capability Spec

users-and-permissions-authentication.yaml Raw ↑ 
naftiko: 1.0.0-alpha2
info:
  label: Strapi Users and Permissions API — Authentication
  description: 'Strapi Users and Permissions API — Authentication. 8 operations. Lead operation: Change user password. Self-contained
    Naftiko capability covering one Strapi business surface.'
  tags:
  - Strapi
  - Authentication
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    STRAPI_API_KEY: STRAPI_API_KEY
capability:
  consumes:
  - type: http
    namespace: users-and-permissions-authentication
    baseUri: https://{host}
    description: Strapi Users and Permissions API — Authentication business capability. Self-contained, no shared references.
    resources:
    - name: api-auth-change-password
      path: /api/auth/change-password
      operations:
      - name: changepassword
        method: POST
        description: Change user password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-email-confirmation
      path: /api/auth/email-confirmation
      operations:
      - name: confirmemail
        method: GET
        description: Confirm a user email
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: confirmation
          in: query
          type: string
          description: The email confirmation token
          required: true
    - name: api-auth-forgot-password
      path: /api/auth/forgot-password
      operations:
      - name: forgotpassword
        method: POST
        description: Request a password reset
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-local
      path: /api/auth/local
      operations:
      - name: loginuser
        method: POST
        description: Login with local credentials
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-local-register
      path: /api/auth/local/register
      operations:
      - name: registeruser
        method: POST
        description: Register a new user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-reset-password
      path: /api/auth/reset-password
      operations:
      - name: resetpassword
        method: POST
        description: Reset a user password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-send-email-confirmation
      path: /api/auth/send-email-confirmation
      operations:
      - name: sendemailconfirmation
        method: POST
        description: Resend email confirmation
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-auth-provider-callback
      path: /api/auth/{provider}/callback
      operations:
      - name: providercallback
        method: GET
        description: Social provider authentication callback
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: provider
          in: path
          type: string
          description: The name of the authentication provider (e.g., google, github, facebook, twitter)
          required: true
        - name: access_token
          in: query
          type: string
          description: The access token from the authentication provider
    authentication:
      type: bearer
      token: '{{env.STRAPI_API_KEY}}'
  exposes:
  - type: rest
    namespace: users-and-permissions-authentication-rest
    port: 8080
    description: REST adapter for Strapi Users and Permissions API — Authentication. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/api/auth/change-password
      name: api-auth-change-password
      description: REST surface for api-auth-change-password.
      operations:
      - method: POST
        name: changepassword
        description: Change user password
        call: users-and-permissions-authentication.changepassword
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/email-confirmation
      name: api-auth-email-confirmation
      description: REST surface for api-auth-email-confirmation.
      operations:
      - method: GET
        name: confirmemail
        description: Confirm a user email
        call: users-and-permissions-authentication.confirmemail
        with:
          confirmation: rest.confirmation
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/forgot-password
      name: api-auth-forgot-password
      description: REST surface for api-auth-forgot-password.
      operations:
      - method: POST
        name: forgotpassword
        description: Request a password reset
        call: users-and-permissions-authentication.forgotpassword
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/local
      name: api-auth-local
      description: REST surface for api-auth-local.
      operations:
      - method: POST
        name: loginuser
        description: Login with local credentials
        call: users-and-permissions-authentication.loginuser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/local/register
      name: api-auth-local-register
      description: REST surface for api-auth-local-register.
      operations:
      - method: POST
        name: registeruser
        description: Register a new user
        call: users-and-permissions-authentication.registeruser
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/reset-password
      name: api-auth-reset-password
      description: REST surface for api-auth-reset-password.
      operations:
      - method: POST
        name: resetpassword
        description: Reset a user password
        call: users-and-permissions-authentication.resetpassword
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/send-email-confirmation
      name: api-auth-send-email-confirmation
      description: REST surface for api-auth-send-email-confirmation.
      operations:
      - method: POST
        name: sendemailconfirmation
        description: Resend email confirmation
        call: users-and-permissions-authentication.sendemailconfirmation
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/auth/{provider}/callback
      name: api-auth-provider-callback
      description: REST surface for api-auth-provider-callback.
      operations:
      - method: GET
        name: providercallback
        description: Social provider authentication callback
        call: users-and-permissions-authentication.providercallback
        with:
          provider: rest.provider
          access_token: rest.access_token
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: users-and-permissions-authentication-mcp
    port: 9090
    transport: http
    description: MCP adapter for Strapi Users and Permissions API — Authentication. One tool per consumed operation, routed
      inline through this capability's consumes block.
    tools:
    - name: change-user-password
      description: Change user password
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.changepassword
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: confirm-user-email
      description: Confirm a user email
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: users-and-permissions-authentication.confirmemail
      with:
        confirmation: tools.confirmation
      outputParameters:
      - type: object
        mapping: $.
    - name: request-password-reset
      description: Request a password reset
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.forgotpassword
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: login-local-credentials
      description: Login with local credentials
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.loginuser
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: register-new-user
      description: Register a new user
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.registeruser
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: reset-user-password
      description: Reset a user password
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.resetpassword
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: resend-email-confirmation
      description: Resend email confirmation
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: users-and-permissions-authentication.sendemailconfirmation
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: social-provider-authentication-callback
      description: Social provider authentication callback
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: users-and-permissions-authentication.providercallback
      with:
        provider: tools.provider
        access_token: tools.access_token
      outputParameters:
      - type: object
        mapping: $.