Endpoints
| Method | Path | Purpose |
|---|---|---|
| POST | /applications | Create application |
| GET | /applications | List applications |
| GET | /applications/access-graph | Access graph for policy visualization (dashboard/admin) |
| GET | /applications/:id | Get application |
| PATCH | /applications/:id | Update application |
| DELETE | /applications/:id | Archive application |
| POST | /applications/:id/rotate-secret | Rotate client secret |
| GET | /applications/:id/oauth | Get OAuth config |
| PATCH | /applications/:id/oauth | Update OAuth config |
| GET | /applications/:id/integrations | List attached integrations |
| PUT | /applications/:id/integrations | Replace all integrations |
| POST | /applications/:id/integrations/:integrationId | Attach integration |
| DELETE | /applications/:id/integrations/:integrationId | Detach integration |
id and integrationId path params are UUIDs.
Create application
```bash
curl -X POST https://api.kontext.security/api/v1/applications \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My App",
    "oauth": {
      "type": "public",
      "redirectUris": ["http://localhost:3000/callback"],
      "pkceRequired": true,
      "scopes": [],
      "allowedResources": []
    }
  }'
```
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Display name for the application |
| oauth | object | Yes | OAuth configuration (see below) |
OAuth object
| Field | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | "public" or "confidential" |
| redirectUris | string[] | Yes | Allowed OAuth redirect URIs |
| pkceRequired | boolean | No | Require PKCE for auth code flow (default true) |
| scopes | string[] | No | Allowed OAuth scopes |
| allowedResources | string[] | No | Allowed resource indicators |
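A pre-flight check for the OAuth object, as an added example that is not Kontext's own code: it flags settings that weaken the authorization code flow before the body is sent to the create or update endpoint. The rules (PKCE on public clients, no wildcard or fragment in redirect URIs, cleartext `http` only for loopback hosts) are this example's own policy drawn from general OAuth practice, not validation the API is documented to perform; `lint_oauth` and the weak sample are hypothetical.

```python
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def lint_oauth(oauth):
    """Return findings for an OAuth object before it is sent to create/update."""
    findings = []
    client_type = oauth.get("type")
    if client_type not in ("public", "confidential"):
        findings.append(f"type: {client_type!r} is not 'public' or 'confidential'")
    # pkceRequired defaults to true when omitted, so only an explicit false counts.
    if client_type == "public" and oauth.get("pkceRequired", True) is False:
        findings.append("pkceRequired: disabled on a public client, which holds no secret")
    uris = oauth.get("redirectUris") or []
    if not uris:
        findings.append("redirectUris: required, but empty or missing")
    for uri in uris:
        parts = urlsplit(uri)
        web = parts.scheme in ("http", "https")
        if "*" in uri:
            findings.append(f"redirectUris: wildcard in {uri}")
        elif not parts.scheme or (web and not parts.hostname):
            findings.append(f"redirectUris: not an absolute URI: {uri}")
        elif parts.fragment:
            findings.append(f"redirectUris: fragment in {uri}")
        elif parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
            findings.append(f"redirectUris: cleartext http to a non-loopback host: {uri}")
    return findings

# The OAuth object from the create request shown above.
PAGE_EXAMPLE = {"type": "public", "redirectUris": ["http://localhost:3000/callback"],
                "pkceRequired": True, "scopes": [], "allowedResources": []}

# Constructed sample with weak settings (hosts are placeholders).
WEAK_EXAMPLE = {"type": "public", "pkceRequired": False, "redirectUris": [
    "http://app.example/callback", "https://*.app.example/callback",
    "https://app.example/callback#done", "/callback"]}

if __name__ == "__main__":
    for label, cfg in (("page", PAGE_EXAMPLE), ("weak", WEAK_EXAMPLE)):
        for finding in lint_oauth(cfg) or ["ok"]:
            print(f"{label}: {finding}")
```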
Response
The create response includes the full application object. The oauth.clientSecret field is only present in create and rotate-secret responses — store it immediately.
List applications
```bash
curl "https://api.kontext.security/api/v1/applications?limit=20" \
  -H "Authorization: Bearer $TOKEN"
```
Returns a paginated list. Supports limit and cursor query parameters.
Privileged users (admin/owner) can add all=true to list applications across the organization.
Get access graph
Admin-only endpoint used by the dashboard to visualize app ↔ integration access edges.
```bash
curl "https://api.kontext.security/api/v1/applications/access-graph?includePolicy=true" \
  -H "Authorization: Bearer $TOKEN"
```
Query parameter:
| Parameter | Type | Description |
|---|---|---|
| includePolicy | boolean | Include computed policy overlays in the graph response |
Get application
```bash
curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN"
```
Response fields
Response shape: { "application": { ... } }
| Field | Type | Description |
|---|---|---|
| id | string | Application ID |
| name | string | Display name |
| ownerUserId | string | ID of the user who created the application |
| createdAt | string | ISO 8601 timestamp |
| updatedAt | string | ISO 8601 timestamp |
| archivedAt | string \| null | Set when the application is archived |
| canModify | boolean | Whether the current user can edit this application |
| activeSessionCount | number | Sessions currently active |
| idleSessionCount | number | Sessions idle but not expired |
| liveSessionCount | number | Sessions connected right now |
| totalSessionCount | number | All sessions (any state) |
| mcpUrlTemplate | string \| null | MCP URL template generated for the application |
| integrations | object[] | Attached integrations |
| oauth | object \| null | OAuth configuration |
Update application
```bash
curl -X PATCH https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Renamed App" }'
```
Send only the fields you want to change. Omitted fields are left unchanged.
Archive application
```bash
curl -X DELETE https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $TOKEN"
```
Archiving sets archivedAt and revokes all active sessions. This does not permanently delete the application. Returns HTTP 204 with no response body.
Rotate client secret
```bash
curl -X POST https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/rotate-secret \
  -H "Authorization: Bearer $TOKEN"
```
Returns the application with a new oauth.clientSecret. The previous secret is invalidated immediately. Store the new secret — it will not be shown again.
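Because the old secret stops working as soon as rotation returns and the new one is shown only once, the response should go straight into storage without passing through a terminal or log. The following is an added example, not Kontext's own code: it writes `oauth.clientSecret` from a create or rotate-secret response to an owner-only file in one atomic step. It assumes the response is JSON, either wrapped as `{ "application": { ... } }` or returned bare; `persist_client_secret` and the file path are hypothetical.

```python
import json
import os
import sys
import tempfile

def persist_client_secret(response_body, path):
    """Store oauth.clientSecret from a create/rotate-secret response at path.

    Returns the application id. Raises ValueError when the response carries
    no secret (for example a plain GET response) and leaves path untouched.
    """
    doc = json.loads(response_body)
    app = doc.get("application", doc)  # assumption: wrapped or bare object
    secret = (app.get("oauth") or {}).get("clientSecret")
    if not secret:
        raise ValueError("no oauth.clientSecret in response")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file readable and writable by the owner only (0600).
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".secret-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
            fh.flush()
            os.fsync(fh.fileno())
        # Atomic rename: readers see the old secret or the new one, never a partial file.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return app.get("id")

if __name__ == "__main__":
    # Usage: curl -s -X POST .../rotate-secret -H "Authorization: Bearer $TOKEN" \
    #          | python persist_secret.py /path/to/client_secret
    # Only the application id is printed; the secret never reaches stdout.
    print(persist_client_secret(sys.stdin.read(), sys.argv[1]))
```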
Get OAuth config
```bash
curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
  -H "Authorization: Bearer $TOKEN"
```
Update OAuth config
```bash
curl -X PATCH https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/oauth \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "redirectUris": ["https://myapp.com/callback"] }'
```
Partial update — send only the fields you want to change.
List attached integrations
```bash
curl https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
  -H "Authorization: Bearer $TOKEN"
```
Returns the integrations currently attached to this application.
Replace all integrations
```bash
curl -X PUT https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "integrationIds": ["11111111-1111-4111-8111-111111111111", "22222222-2222-4222-8222-222222222222"] }'
```
Replaces the entire integration set. Any previously attached integration not in the list is detached.
Attach integration
```bash
curl -X POST https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
  -H "Authorization: Bearer $TOKEN"
```
Adds a single integration to the application. No-ops if already attached.
Detach integration
```bash
curl -X DELETE https://api.kontext.security/api/v1/applications/550e8400-e29b-41d4-a716-446655440000/integrations/11111111-1111-4111-8111-111111111111 \
  -H "Authorization: Bearer $TOKEN"
```
Removes the integration from this application. Existing user connections to that integration remain intact but will no longer be usable through this application.