
Endpoints

| Method | Path | Purpose |
| --- | --- | --- |
| POST | /applications | Create application |
| GET | /applications | List applications |
| GET | /applications/access-graph | Access graph for policy visualization (dashboard/admin) |
| GET | /applications/:id | Get application |
| PATCH | /applications/:id | Update application |
| DELETE | /applications/:id | Archive application |
| POST | /applications/:id/rotate-secret | Rotate client secret |
| GET | /applications/:id/oauth | Get OAuth config |
| PATCH | /applications/:id/oauth | Update OAuth config |
| GET | /applications/:id/integrations | List attached integrations |
| PUT | /applications/:id/integrations | Replace all integrations |
| POST | /applications/:id/integrations/:integrationId | Attach integration |
| DELETE | /applications/:id/integrations/:integrationId | Detach integration |

id and integrationId path params are UUIDs.

Create application

curl -X POST https://api.kontext.dev/api/v1/applications \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My App",
    "oauth": {
      "type": "public",
      "redirectUris": ["http://localhost:3000/callback"],
      "pkceRequired": true,
      "scopes": [],
      "allowedResources": []
    }
  }'

Request body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Display name for the application |
| oauth | object | Yes | OAuth configuration (see below) |

OAuth object

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | Yes | "public" or "confidential" |
| redirectUris | string[] | Yes | Allowed OAuth redirect URIs |
| pkceRequired | boolean | No | Require PKCE for auth code flow (default true) |
| scopes | string[] | No | Allowed OAuth scopes |
| allowedResources | string[] | No | Allowed resource indicators |
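
A pre-flight lint for the oauth object above, added here as an example and not part of the Kontext API or its client code. The checks follow general OAuth guidance (PKCE for public clients, no wildcards or fragments in redirect URIs, plain http only on loopback hosts) and are not rules this API is documented to enforce; `lint_oauth_config` and `LOOPBACK_HOSTS` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption: hosts treated as loopback for local development redirects.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def lint_oauth_config(oauth):
    """Return findings for an `oauth` request object; an empty list means none.

    Hypothetical helper: these are client-side checks, not documented API rules.
    """
    findings = []
    client_type = oauth.get("type")
    if client_type not in ("public", "confidential"):
        findings.append(f"type: expected 'public' or 'confidential', got {client_type!r}")

    # pkceRequired defaults to true when omitted, so only an explicit false is flagged.
    if client_type == "public" and oauth.get("pkceRequired", True) is False:
        findings.append("pkceRequired: a public client has no secret, so PKCE should stay on")

    uris = oauth.get("redirectUris")
    if not isinstance(uris, list):
        findings.append("redirectUris: required, must be a list of strings")
        uris = []
    for uri in uris:
        parts = urlsplit(uri)
        if not parts.scheme:
            findings.append(f"redirectUris: {uri!r} is not an absolute URI")
        if "*" in uri:
            findings.append(f"redirectUris: {uri!r} contains a wildcard")
        if parts.fragment:
            findings.append(f"redirectUris: {uri!r} contains a fragment")
        if parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
            findings.append(f"redirectUris: {uri!r} uses plain http on a non-loopback host")
    return findings
```

Run it over the JSON you are about to send as `oauth` in a create or update request and review any findings before sending.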

Response

The create response includes the full application object. The oauth.clientSecret field is only present in create and rotate-secret responses — store it immediately.

List applications

curl "https://api.kontext.dev/api/v1/applications?limit=20" \
  -H "Authorization: Bearer $TOKEN"
Returns a paginated list. Supports limit and cursor query parameters. Privileged users (admin/owner) can add all=true to list applications across the organization.

Get access graph

Admin-only endpoint used by the dashboard to visualize app ↔ integration access edges.
curl "https://api.kontext.dev/api/v1/applications/access-graph?includePolicy=true" \
  -H "Authorization: Bearer $TOKEN"
Query parameter:
| Parameter | Type | Description |
| --- | --- | --- |
| includePolicy | boolean | Include computed policy overlays in the graph response |

Get application

curl https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN"

Response fields

Response shape: { "application": { ... } }
| Field | Type | Description |
| --- | --- | --- |
| id | string | Application ID |
| name | string | Display name |
| ownerUserId | string | ID of the user who created the application |
| createdAt | string | ISO 8601 timestamp |
| updatedAt | string | ISO 8601 timestamp |
| archivedAt | string \| null | Set when the application is archived |
| canModify | boolean | Whether the current user can edit this application |
| activeSessionCount | number | Sessions currently active |
| idleSessionCount | number | Sessions idle but not expired |
| liveSessionCount | number | Sessions connected right now |
| totalSessionCount | number | All sessions (any state) |
| mcpUrlTemplate | string \| null | MCP URL template generated for the application |
| integrations | object[] | Attached integrations |
| oauth | object \| null | OAuth configuration |

Update application

curl -X PATCH https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Renamed App" }'
Send only the fields you want to change. Omitted fields are left unchanged.

Archive application

curl -X DELETE https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN"
Archiving sets archivedAt and revokes all active sessions. This does not permanently delete the application. Returns HTTP 204 with no response body.

Rotate client secret

curl -X POST https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/rotate-secret \
  -H "Authorization: Bearer $TOKEN"
Returns the application with a new oauth.clientSecret. The previous secret is invalidated immediately. Store the new secret — it will not be shown again.
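
Because oauth.clientSecret appears only in create and rotate-secret responses, the parsed response should be persisted before anything else touches it. The following is an added example, not Kontext code: `store_client_secret` is a hypothetical helper, and it assumes the response may be wrapped in an `application` key like the Get application response.

```python
import copy
import os


def store_client_secret(response, path):
    """Write oauth.clientSecret to `path` with mode 0600; return a redacted copy.

    Hypothetical helper. `response` is the parsed JSON body of a create or
    rotate-secret call. Assumption: the object may sit under "application".
    """
    app = response.get("application", response)
    secret = (app.get("oauth") or {}).get("clientSecret")
    if not secret:
        raise KeyError("oauth.clientSecret absent: only create and rotate-secret responses carry it")

    # Create the temp file owner-only from the start (no chmod window), and
    # refuse to follow or reuse an existing file at that name.
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        # Atomic swap: readers see either the old secret or the new one.
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

    # Return a copy that is safe to log; the caller's object is left untouched.
    redacted = copy.deepcopy(response)
    redacted.get("application", redacted)["oauth"]["clientSecret"] = "[REDACTED]"
    return redacted
```

Log only the returned copy; the raw response body still contains the secret.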

Get OAuth config

curl https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
  -H "Authorization: Bearer $TOKEN"

Update OAuth config

curl -X PATCH https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "redirectUris": ["https://myapp.com/callback"] }'
Partial update — send only the fields you want to change.

List attached integrations

curl https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
  -H "Authorization: Bearer $TOKEN"
Returns the integrations currently attached to this application.

Replace all integrations

curl -X PUT https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "integrationIds": ["11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"] }'
Replaces the entire integration set. Any previously attached integration not in the list is detached.
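
Since the PUT silently detaches anything missing from the list, it is worth computing the effect before sending it. This is an added example, not part of the Kontext API or SDK: `plan_integration_replace`, `DetachNotConfirmed` and `confirm_detach` are hypothetical names, and the caller is assumed to have extracted the currently attached IDs from the list endpoint.

```python
import uuid


class DetachNotConfirmed(Exception):
    """Raised when a replace would detach integrations the caller did not approve."""


def plan_integration_replace(attached_ids, desired_ids, confirm_detach=()):
    """Build the PUT /applications/:id/integrations body and report its effect.

    attached_ids: IDs currently attached (taken from the list endpoint by the caller).
    desired_ids: the full set that should remain after the replace.
    confirm_detach: IDs the caller explicitly accepts losing.
    These names are hypothetical; only `integrationIds` comes from the API docs.
    """
    def canon(ids):
        # Path params are UUIDs; uuid.UUID raises ValueError on anything else
        # and normalises case so the set comparison is exact.
        return {str(uuid.UUID(i)) for i in ids}

    attached, desired = canon(attached_ids), canon(desired_ids)
    detached = attached - desired
    unapproved = detached - canon(confirm_detach)
    if unapproved:
        raise DetachNotConfirmed(f"replace would detach: {sorted(unapproved)}")
    return {
        "body": {"integrationIds": sorted(desired)},
        "attach": sorted(desired - attached),
        "detach": sorted(detached),
        "keep": sorted(attached & desired),
    }
```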

Attach integration

curl -X POST https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
  -H "Authorization: Bearer $TOKEN"
Adds a single integration to the application. No-ops if already attached.

Detach integration

curl -X DELETE https://api.kontext.dev/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
  -H "Authorization: Bearer $TOKEN"
Removes the integration from this application. Existing user connections to that integration remain intact but will no longer be usable through this application.