Kepler Dev Portal
Access the Kepler developer portal — API client registration, documentation, and tooling.
Requires a portal grant and a verified GitHub email on an approved domain.
Loopback only. Uses sample data and does not call protected API endpoints.
Choose your setup path
Use the API path for scripts and services. Use the MCP path to connect an assistant through the managed MCP gateway.
Create an OAuth client with the scopes you need. Not sure which scopes? Pick a preset below.
Exchange your client credentials for a Bearer token. Copy and run this command:
curl -s -X POST https://api.keplr.sh/v1/auth/service-token \
-H "Content-Type: application/json" \
-d '{"client_id": "YOUR_CLIENT_ID", "client_secret": "YOUR_SECRET"}'Then export the token:
export TOKEN="paste-your-access_token-here"Try one of these requests based on your scopes:
Use your service client credentials from an agent process. No extra write scope is required.
Your API client is registered and you've made your first call.
Admin
Control who can reach the portal and which model provider Kepler links. Visible to portal admins only.
Grant or revoke portal access. Accounts must use an @postman.com email; GitHub and super-admin rows are read-only.
No matching grants.
| Subject | Source | Status | Domain | Last Seen | Actions |
|---|
Link a ChatGPT Codex OAuth session. Tokens stay server-side in AWS Secrets Manager; the portal only handles PKCE login and status. OpenAI opens in a new tab and redirects to http://localhost:1455/auth/callback — keep this tab open during sign-in.
If the OpenAI tab cannot reach localhost after login, copy its full URL here.
| Model | Name | Context | Max Output | Capabilities |
|---|
Paste a JWT token or select a client to see its granted scopes and what endpoints are accessible.
Tests API behavior correctness: rate limit headers, search edge cases, and concurrent request handling.
Select the HTTP status code you're seeing to get resolution steps.
Common operational commands for incident response and debugging. Replace placeholder variables before running.
Select a document from the sidebar to get started.
Credentials
Set up a coding assistant over MCP with the steps below, or jump to Clients & keys to mint and manage the OAuth service clients and API keys that authenticate scripts and services. MCP lets Cursor, Claude Code, Codex CLI, or any agent call Kepler tools at mcp.keplr.sh/mcp — accounts, communications, and Salesforce context.
Most agents should use service client credentials. The gateway mints a fresh scoped token per request, so no bearer tokens live on disk. Static API keys are simpler for one-off scripts.
Generate credentials for a new MCP client, or find the named client and rotate it because service-client secrets cannot be retrieved.
Default TTL 90 days. MCP read scopes for /mcp are applied automatically.
Pick your client. Copy and paste this config after credentials are generated or rotated.
Run the curl below. Expected: a JSON-RPC response listing the available tools.
Once that returns 200, try a real call:
Mint and manage the credentials that authenticate non-interactive callers. Service clients are an OAuth client-id and secret pair — the same primitive the MCP setup above issues. API keys are a single X-API-Key string with a custom expiry. Both carry explicit read scopes and can be revoked here.
No clients registered yet.
| Name | Client ID | Scopes | Created | Last Used | Status | Actions |
|---|
Scoped X-API-Key credential with a custom expiration. Save it immediately — it cannot be retrieved later.
No API keys minted yet.
| Name | Key ID | Scopes | Created | Expires | Last Used | Actions |
|---|
Most common cause: stale or wrong client secret. Click Find existing client to locate the named client and rotate it, then restart your assistant. Service-client requests must include both x-kepler-client-id and x-kepler-client-secret.
Your principal is missing one of the five read scopes. The Generate flow always issues all five; if you scoped down manually under Clients & keys below, re-mint with all boxes ticked.
Per-principal rate limit hit. Backoff and retry. See mcp-gateway docs for rate limits and logs.
All currently in-scope clients (Claude Code CLI, Cursor, Codex CLI) speak streamable-http in 2026. If yours genuinely doesn't, see the gateway repo README.
Hashed principal, method, status, and timing. Raw API key substrings and client secrets are not logged. See gateway docs.
client_id and client_secret securely — not the token.
Request a new token on 401 responses. A 55-minute cache window avoids boundary-condition failures.
Are you sure you want to revoke this credential: ? This action cannot be undone.
This credential cannot be shown again. Rotating revokes
<credential_id>
immediately, then issues a replacement. Running assistants will return 401 until restarted with the new value.
Remove portal access for ? This also disables service clients and managed API keys previously created by the user's known GitHub logins.