How can I accept a list of strings with

Tool.Arg

? I am not able to find something like a

list()

method?

val pathsArg =
  Tool.Arg.string().required("collectionPath", "List of Absolute paths")

I want Cursor to call my MCP with argument like this:

{
  "paths": [
    "../..",
    "/.."
  ]
}

Is there any trick for how to create an empty RoutingHttpHandler? When I try to anything like

routes(emptyList())

I get:

Exception in thread "main" java.lang.IllegalArgumentException: No routes added!

at org.http4k.routing.RoutingHandler.<init>(RoutingHandler.kt:19)

at org.http4k.routing.RoutingHttpHandler.<init>(http.kt:23)

What serialization lib is most popular with you all: kotlinx, moshi, kotshi, jackson, or <some other lib>?

Is there a preferred way to handle a mutable collection of routes (in this case a map)? This is my initial solution but I feel like there may be a cleaner solution that I've overlooked.

Let's say I have a backend server written in http4k. In addition to my API, I want to offer clients a Kotlin SDK. How would I go about doing this? Is it possible to just create some kind of client based on the functions that I use in the server directly? Does anyone have experience doing this? What would the folder structure look like? Or better yet, does anyone have an example of this that I can take a look at and learn from?

DatastarFragmentRenderer strips newlines from templates with

String.replace("\n", "")

. This silently breaks with template files using CRLF. A simple solution could be to change it to

String.replace("\r\n", "").replace("\n", "")

.

Hi http4k fans! Happy weekend! We've got an update on the #C5AL3AKUY MCP SDK. 🚀 With all the various news around about new MCP attack vectors (Tool Poisoning, DNS rebind attacks, malicious Chrome extensions), we decided to prioritise our efforts to make the http4k SDK as secure-by-default as possible. Read about what we've been thinking (and releasing!). (And be sure get in touch if your team needs a guiding hand in producing MCPs on the JVM platforms with enterprise grade testability, observability and security. 🙃) Finally, we have a big surprise coming up soon around this space... we're busy working on it and will be dropping a bit of a preview next week! https://www.http4k.org/news/simplifying-mcp/

I was following the OpenAPI example, and sending an invalid request body to the echo endpoint (e.g.

Request(Method.POST, "/echoJson").body("""{"name": "Test"}""")

) returns this rather generic

{"message":"Missing/invalid parameters","params":[{"name":"body","type":"body","datatype":"object","required":true,"reason":"Invalid"}]}

. Is there an easy (or hard) way to get a more detailed error message? I tried adding a CatchLensFilter, but it looks like the contract renderer(?) already catches and handles that. the closest I've found to an answer is this 2023 slack thread

🚀 Happy #C4J6927RR week everyone! And yes - http4k is back for the fourth time at your favourite Kevent. 🚀 This year, @s4nchez will be on the main (quite large actually!) stage on day 1 of the conf and presenting Full Stream Ahead: Breaking the protocol barrier with http4k , where he'll be covering the history of the web browser (just to make you feel old/young!), how http4k functionally models realtime protocols like WebSockets and SSE, and to show off our pick of the latest lightweight hypermedia frameworks that are taking on the industrial SPA ecosystem. If you can't make it to Copehagen (alas I'm in that group this year 😞) then you can catch the live-stream at 1615 CET on Thursday 22nd May @ . And if you are going to be there, then please come and say hello! https://kotlinconf.com/schedule/?day=2025-05-22&session=5060f354-1a10-5355-92cc-ea277e547ab4 #C4J6927RR

Question: does anyone (know how to) do reversible routes (routes that can also be used to build links from) in http4k? I found [Krouton](https://github.com/npryce/krouton), bit old, unmaintained, but certainly interesting. But that was about it. Just in case "reverse routing" is not understood (it's a bit of a lesser know concept, sometimes called "type-safe link building from routes"), some examples in other frameworks: KTor (explained here: https://ktor.io/docs/server-resources.html#resource_links) and Revel (explained here: https://revel.github.io/manual/routing.html#reverse_routing).

Another update on the http4k MCP SDK . We've now added support for typesafe tool responses (ie. structured JSON from beans) as it's made it's way into the Draft MCP specification. What this basically means is that just by adding an example to the MCP tool definition, it will automatically generate JSON schema which the LLM can use to generate and parse Tool requests and responses. You can also use the lens system to extract and inject typesafe objects to/from Tool messages! It's out now in the latest version of http4k (v6.9.1.0) - available now in both Maven Central and the Toolbox. 🙂

I'm working on a production-ready implementation of OAuthPersistence to support OIDC, and I'd like to keep all values server-side in a single session. I was surprised to find that all the assign* methods on the OAuthPersistence interface don't have access to the request, so I wouldn't be able to retrieve a shared session to reference all the values together. I could follow the pattern in the example here: https://github.com/http4k/http4k-by-example/blob/master/src/main/kotlin/verysecuresystems/oauth/InMemoryOAuthPersistence.kt and use separate cookies for each value, but that means effectively creating and managing a separate session for each OAuthPersistence value, which feels tedious and error-prone. I noticed that in every place the assign* methods of OAuthPersistence are used (i.e. OAuthRedirectionFilter and OAuthCallback), the request is available in scope. Is there a good reason why the request isn't included in the assign* method signatures? Is there some design constraint or security consideration behind this, or would it make sense to add the request so a single session can be referenced to help manage this sensitive state server-side with a single session?

Anyone wanting to watch the live stream of @s4nchez at KotlinConf - it's T - 2 minutes! 🙂

Is there a way to take an existing openapi spec and use that to implement a server in http4k? I see that the OpenApi module encourages generating the spec from the code, but is there a way to do it the other way around?

Hello, last week I attended the http4k talk at KotlinConf. It was excellent and I am hoping to find an example of a http4k x Datastar integration. I tried visiting the URL at the end of the slide deck (https://github.com/http4k/full-stream-ahead), but it returns a 404. Was this URL meant to point to an example or is there perhaps somewhere else I should look?

Hi Team, I see the MCP Client in http4k currently doesn't have a way to connect to LLM. Do I understand it right? What I understand is that it's currently only a means to call the MCP Capability directly. Isn't it different from the MCP standard client, which takes Natural language input from the user and uses LLM to figure out the right tool to call?

I have a project that has

val itemIds = request.form().map<Parameter, String> { it.first }
        .mapNotNull<String, ID<Item>> { ID<Item>(it) }
        .toSet<ID<Item>>()

I have sometimes seen warnings, or maybe errors, that

Parameter

isn’t visible, but it has always compiled eventually. Upgrading Kotlin to 2.1.20 it now won’t compile at all, although, it has to be said, the type parameters aren’t now required (I don’t know if or why they were previously). Asking here in case anyone else has this issue. Was

Parameter

ever non-internal? If not does anyone know how this code compiled in the past?

I want to deserialize a form submission from a

www-form-urlencoded

POST body received by a http4k server to a

data class

, preferably with

kotlinx.serialization

. I've done this before (when not using http4k) with Jackson, using quite some self written code, to (1) create a little language for adding structure to the form's

name

values (this allowed me to have nested data structures, and list/arrays, like

.user.permissions[5]

) and to parse the data directly to Jackson's internal JSON representation (in order to skip a JSON format step: Jackson was mainly used for it's "type coercion" since all values are received in one big

www-form-urlencoded

string). Is there anything in http4k to make this easier? I've seen the body lens feature, but I have not been able to use it for form submissions.

Saw these errors in my logs today - what is PROPFIND? Well it appears to be an obscure HTTP verb for getting info from a WebDav server. In other words, these requests are most likely hackers poking around. I could catch the IllegalArgumentException however this is likely to be universal - I think it would be preferable for http4k to return a 501 or 404 (without raising an error) if it doesn't recognize the HTTP method. Thoughts?

Small demo. I created a small SSR web application PoC for using http4k with Supabase and Jdbi. It uses Supabase's authentication (JWT+refresh token), stored in cookies (so they can effectively be used in an SSR setup. I've decided to only use RLS for the reads (all writes are supposed to be blocked through RLS for the

authenticated

role, you simply need the

service_role

for writes); this to keep RLS dead simple and still useful (as an extra safety against data leaks and to allow Supabase goodness like GraphQL and realtime to be used later on). Both JWT-from-cookie and db-connection-with-supabase-auth are implemented as http4k `Filter`s. The idea is: start SSR, because it is just waaay simpler, then add little browser apps on top later where it adds maximum value (and for that Supabase is really nice with GraphQL and realtime). It used kotlinx.html for template rendering (with a layouting system) and Konform for FormDto validation. Jdbi was chosen as I want to be able to write "just SQL". I might one day convert it to terpal-sql (the basis of ExoQuery) but it did not work out of the box, so I went with time-tested Jdbi. Feel free to AMA, and if you have a look at the code and see any room for improvement: please let me know! I'm really hungry for feedback. https://github.com/cies/supabase-http4k-ssr-jdbi

Hey, I'm running into issues while deployment when using

helidon

as server. In my service I have multiple calls to upstream services (using

okhttp

). But during deployment in k8s I'm facing that

helidon

will kill all running requests (

Closed by interrupt

) even when I sleep first in my shutdown hook. So far I understand

helidon

has it's own shutdown hook registered by default. Would be nice to support in addition graceful stopmode to overcome that kind of issue.

Any good suggestions for a light weight (many JWT libs depend on kotlin-reflect and/or jackson!) JWT lib that supports the

hs256

algorithm that Supabase uses?

Or should I just parse it myself (I've learned to lean on established libs when it comes to auth stuff, but decrypting a JSON string cannot be thát hard...)

Hello, Because the company I’m working for is looking to do some operations on CloudWatch that are not supported (yet), I’m working on a PR to include a new CloudWatch module for http4k-connect to support some of those operations. I’ve written functionality in particular for alarms, metric data and metric streams (considering these look like the most common use cases and/or are the operations we need to have), but I’m running into a couple of issues for the fake implementations and the tests. Please see 🧵 for a list of the issues I’m running into. What would be a good approach for them?

Hi, I'm struggling using http4k-connect. I try to use S3 with an ARN role based authentication but failing with a lens error of a missing AWS_ACCESS_KEY_ID. Wondering where I miss something?

const val USE_REAL_CLIENT = false
fun main() {
    val env = Environment.defaults(
        AWS_REGION of Region.EU_WEST_1,
        AWS_ROLE_ARN of ARN.of("arn:aws:sts:us-east-1:000000000001:role:myrole")
    )
    val http: HttpHandler = if (USE_REAL_CLIENT) JavaHttpClient() else FakeS3().debug()
    val credentialsProvider = CredentialsProvider.STS(env, FakeSTS().debug())
    val s3 = S3.Http(credentialsProvider = credentialsProvider, http)

    val sourceName = BucketName.of("source-bucket")
    val targetName = BucketName.of("target-bucket")
    s3.createBucket(sourceName, env[AWS_REGION]).recover(RemoteFailure::throwIt) // <<< fails here: env 'AWS_ACCESS_KEY_ID' is required
    s3.createBucket(targetName, env[AWS_REGION]).recover(RemoteFailure::throwIt)

    val source = S3Bucket.Http(sourceName, env[AWS_REGION], credentialsProvider, http)
    source.putObject(BucketKey.of("hello"), "hello ".byteInputStream()).recover(RemoteFailure::throwIt)

    val target = S3Bucket.Http(targetName, env[AWS_REGION], credentialsProvider, http)
    target.copyObject(source.bucketName, BucketKey.of("hello"), BucketKey.of("copy"))
        .recover(RemoteFailure::throwIt)
}

Stupid question incoming: if http4k is a pure kotlin framework, why doesn’t it support kotlin/native or js/wasm as targets? Context: I’m looking into enabling our experienced mobile devs to reach and contribute to “the server”. We’re already supporting both Android & iOS platforms with a KMP shared module for business logic, networking & sqlite, so we’re experimenting what’s the smoothest path to enable feature contributions to the server too. We’re using the Ktor client on mobile, but I always had a soft spot for arrow & sane fp patterns so I’m seriously looking at http4k, ktor or smth full-blown like Quarkus. Our current server stack is dotnet-core, don’t ask why 😅.

👋 Happy Wednesday to all you http4k fans! We've got some news about what we've been cooking up at http4k towers... https://http4k.org/news/ai_without_tests_is_just_expensive_random_number_generation/

For those of you that didn't catch the livestream at KotlinConf, @s4nchez's great talk about http4k's support fo Streaming Protocols (and a history of the web browser) is now available: (as a bonus: @dmcg and @Dmitry Kandalov’s refactoring talk is also amazing 🙂 )

Can the

singlePageApp

helper be used on a subpath? When it's configured on the root path, it works as expected. But when it's configured on a subpath, it still seems to match any path, even ones outside the subpath.

Hi, I am trying to understand whether the oauth module does provide a way to fetch the authenticated user information somehow (e.g.

<http://whatever/me>

) or propagate the token down the handlers chain/stack once the authFilter is satisfied.