Kepler Dev Portal
Access the Kepler developer portal — API client registration, documentation, and tooling.
Requires a portal grant and a verified GitHub email on an approved domain.
Loopback only. Uses sample data and does not call protected API endpoints.
Choose your setup path
Use the API path for scripts and services. Use the MCP path to connect an assistant through the managed MCP gateway.
Create an OAuth client with the scopes you need. Not sure which scopes? Pick a preset below.
Exchange your client credentials for a Bearer token. Copy and run this command:
curl -s -X POST https://api.kepler.rip/v1/auth/service-token \
-H "Content-Type: application/json" \
-d '{"client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_SECRET"}'Then export the token:
export TOKEN="paste-your-access_token-here"Try one of these requests based on your scopes:
Use your service client credentials from an agent process. No extra write scope is required.
Your API client is registered and you've made your first call.
What Kepler provides for agent builders and platform consumers. Every feature below is backed by live infrastructure, tests, and documentation.
No clients registered yet.
| Name | Client ID | Scopes | Created | Last Used | Status |
|---|
Create a scoped `X-API-Key` credential with a custom expiration. Save it immediately — it cannot be retrieved later.
No API keys minted yet.
| Name | Key ID | Scopes | Created | Expires | Last Used |
|---|
Account must be associated with an @postman.com email domain.
Search all known portal grants. Portal allowlist rows can be removed here; GitHub and super-admin rows are read-only.
No matching grants.
| Subject | Source | Status | Domain | Last Seen |
|---|
Admin model provider
Connect a ChatGPT Codex OAuth session to Kepler. Tokens stay server-side in AWS Secrets Manager; the portal only handles PKCE login and status.
OpenAI opens in a new tab and redirects this Codex client to http://localhost:1455/auth/callback. Keep this tab open during sign-in.
If the OpenAI tab cannot reach localhost after login, copy its full URL here.
Cerebras remains the default for ask_communications. Codex is linked here for explicit future routing and graph enrichment.
| Model | Name | Context | Max Output | Capabilities |
|---|
Select an endpoint from the sidebar to see scoped curl snippets.
Paste a JWT token or select a client to see its granted scopes and what endpoints are accessible.
Tests API behavior correctness: rate limit headers, search edge cases, and concurrent request handling.
For uptime monitoring, use the Platform Status tab.
Select the HTTP status code you're seeing to get resolution steps.
Common operational commands for incident response and debugging. Replace placeholder variables before running.
Live health check against /v1/health. Auto-refreshes every 30 seconds.
Service Level Objectives and current status. Click "Run Checks" to measure live latency against targets.
| Budget Consumed | Action |
|---|---|
| < 50% | Normal operations. Deploy freely. |
| 50–75% | Reduce deploy frequency. Prioritize reliability. |
| 75–90% | Feature freeze. Only reliability and bug fixes. |
| > 90% | Incident mode. All hands on reliability. |
Select a document from the sidebar to get started.
MCP lets Cursor, Claude Code, Codex CLI, or any agent call Kepler tools directly. This page configures the high-level Kepler surface at mcp.kepler.rip/mcp — accounts, communications, and Salesforce context.
Most agents should use service client credentials. The gateway mints a fresh scoped token per request, so no bearer tokens live on disk. Static API keys are simpler for one-off scripts.
Generate credentials for a new MCP client, or find the named client and rotate it because service-client secrets cannot be retrieved.
Default TTL 90 days. MCP read scopes for /mcp are applied automatically.
Pick your client. Copy and paste this config after credentials are generated or rotated.
Run the curl below. Expected: a JSON-RPC response listing the available tools.
Once that returns 200, try a real call:
Most common cause: stale or wrong client secret. Click Find existing client to locate the named client and rotate it, then restart your assistant. Service-client requests must include both x-kepler-client-id and x-kepler-client-secret.
Your principal is missing one of the five read scopes. The Generate flow always issues all five; if you scoped down manually on the Access tab, return there and tick the boxes.
Per-principal rate limit hit. Backoff and retry. See mcp-gateway docs for rate limits and logs.
All currently in-scope clients (Claude Code CLI, Cursor, Codex CLI) speak streamable-http in 2026. If yours genuinely doesn't, see the gateway repo README.
Hashed principal, method, status, and timing. Raw API key substrings and client secrets are not logged. See gateway docs.
client_id and client_secret securely — not the token.
Request a new token on 401 responses. A 55-minute cache window avoids boundary-condition failures.
Are you sure you want to revoke this credential: ? This action cannot be undone.
This credential cannot be shown again. Rotating revokes
<credential_id>
immediately, then issues a replacement. Running assistants will return 401 until restarted with the new value.
Remove portal access for ? This also disables service clients and managed API keys previously created by the user's known GitHub logins.