For Agents
Manage DefGuard users, WireGuard devices and networks, groups, OIDC clients, and MFA flows on a self-hosted identity platform.
Get started with DefGuard API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create a wireguard device for a defguard user"
# → Jentic returns the GET /events tool with parameter schema, agent executes.What an agent can do with DefGuard API API.
Provision and revoke WireGuard device configurations attached to user accounts
Create and manage WireGuard networks with peer membership and statistics
Authenticate users and verify TOTP codes for multi-factor login flows
Manage OpenID Connect clients used to federate logins into DefGuard
GET STARTED
Use for: I want to add a new WireGuard device for a user, Create a new WireGuard network in DefGuard, List all users in the DefGuard directory, Get the WireGuard configuration for a specific device
Not supported: Does not handle SaaS SSO marketplaces, device MDM, or endpoint security agents — use for DefGuard user, WireGuard, OIDC, and MFA management only.
Jentic publishes the only available OpenAPI document for DefGuard API, keeping it validated and agent-ready.
Jentic publishes the only available OpenAPI specification for DefGuard API, keeping it validated and agent-ready. DefGuard is an open-source identity and access management platform built around WireGuard VPN, OpenID Connect, and YubiKey hardware tokens. The API exposes 33 endpoints across users, devices, WireGuard networks and peers, groups, OIDC clients, webhooks, and authentication, including TOTP-based MFA. It self-hosts, so the base URL is parameterised by the deployment host, and authentication uses Bearer tokens issued by the DefGuard server.
Group users for role-based access and assign group membership
Register webhooks that fire on user, device, and network lifecycle events
Patterns agents use DefGuard API API for, with concrete tasks.
★ Self-Hosted VPN User Onboarding
Onboard a new employee onto a self-hosted WireGuard VPN by creating a DefGuard user, adding them to the right group, and provisioning a device configuration they can import into the WireGuard client. The /user, /user/{username}/device, and /group endpoints together cover the full onboarding flow without external IDP dependencies.
Create a user via POST /user, assign them to a group, then POST /user/{username}/device to generate a WireGuard device configuration.
OIDC Federation for Internal Apps
Use DefGuard as the OpenID Connect provider for internal applications by registering each app as an OIDC client. The /oauth/client endpoints let operators rotate client credentials and inspect registered apps, so internal tools can sign users in through the same identity store that issues their VPN access.
Call POST /oauth/client to register a new internal app with the required redirect URIs and store the issued client credentials.
MFA Enforcement During Login
Drive a custom login UI that authenticates a user with /auth and then verifies their TOTP code with /auth/totp/verify before issuing a session. This gives bespoke clients full control of the login UX while still relying on DefGuard's identity store and MFA enforcement.
POST username and password to /auth, prompt the user for their TOTP code, then POST it to /auth/totp/verify to complete MFA.
Network Lifecycle Automation
Treat WireGuard networks as managed resources by creating, updating, and tearing them down through the /network endpoints, and pulling /network/{id}/stats for capacity dashboards. This is well suited to platform teams running multiple environments per team.
Call GET /network to list networks, then GET /network/{id}/stats for each and emit metrics to the monitoring pipeline.
AI Agent Integration via Jentic
An ops agent can use Jentic to onboard a new joiner into DefGuard end-to-end: create the user, assign group membership, and provision a WireGuard device. Jentic resolves the Bearer token from the vault and provides typed schemas for each step, so the agent does not need to read DefGuard documentation to chain the calls.
Use Jentic to search for 'create a wireguard device for a defguard user', load the operation, and execute with the user and device parameters.
33 endpoints — jentic publishes the only available openapi specification for defguard api, keeping it validated and agent-ready.
METHOD
PATH
DESCRIPTION
/auth
Authenticate a user with username and password
/auth/totp/verify
Verify a TOTP code during MFA
/user
Create a new user
/user/{username}/device
Provision a WireGuard device for a user
/network
Create a WireGuard network
/network/{id}/stats
Get statistics for a WireGuard network
/oauth/client
Register an OpenID Connect client
/auth
Authenticate a user with username and password
/auth/totp/verify
Verify a TOTP code during MFA
/user
Create a new user
/user/{username}/device
Provision a WireGuard device for a user
/network
Create a WireGuard network
Three things that make agents converge on Jentic-routed access.
Credential isolation
DefGuard Bearer tokens are stored encrypted in the Jentic vault. Agents reference the operation, and Jentic injects the Authorization header at execution time so the token never reaches the agent's context.
Intent-based discovery
Agents search by intent (e.g. 'add a wireguard device for a user') and Jentic returns the matching DefGuard operation along with its full input schema, so the agent can fill in the parameters and execute without reading docs.
Time to first call
Direct DefGuard integration: 1-2 days to wire auth, MFA flow, and resource lifecycle. Through Jentic: under an hour to chain user, device, and network operations.
Alternatives and complements available in the Jentic catalogue.
Okta API
Hosted enterprise identity platform with broader SaaS-app federation than DefGuard.
Choose Okta when you need a managed IDP with thousands of pre-built SaaS integrations rather than a self-hosted VPN-focused stack.
Auth0 API
Hosted authentication platform with extensive social and enterprise connection support.
Choose Auth0 when the priority is consumer or B2B login UX with social providers, not self-hosted VPN provisioning.
JumpCloud API
Directory-as-a-service covering devices, users, and zero-trust networking.
Use JumpCloud alongside DefGuard when you need MDM, SSH key management, and broader device management beyond WireGuard.
OneLogin API
Cloud IDP with SSO and MFA across SaaS apps.
Choose OneLogin when SaaS SSO is the primary need rather than VPN access management.
Specific to using DefGuard API API through Jentic.
Why is there no official OpenAPI spec for DefGuard API?
DefGuard does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call DefGuard API via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the DefGuard API use?
The DefGuard API uses HTTP Bearer token authentication. Tokens are issued by the DefGuard server you deploy and passed in the Authorization header. Through Jentic, the token is stored encrypted in the vault and never exposed to the agent.
Can I provision a WireGuard device with the DefGuard API?
Yes. POST /user/{username}/device creates a new WireGuard device for the named user and returns the configuration the user imports into their WireGuard client. List existing devices with GET /user/{username}/device.
Does the DefGuard API support MFA?
Yes. After authenticating with POST /auth, call POST /auth/totp/verify with the user's TOTP code to complete an MFA-protected login flow against DefGuard's built-in TOTP support.
What is the base URL for the DefGuard API?
DefGuard is self-hosted, so the base URL is your deployment host plus /api/v1, for example https://defguard.example.com/api/v1. The OpenAPI server entry uses {defguard-host} as a placeholder for that hostname.
How do I onboard a new user end-to-end through Jentic?
Run `pip install jentic`, then search for 'create a defguard user', load and execute POST /user, follow up by searching for 'add a wireguard device for a defguard user' to call POST /user/{username}/device, and Jentic chains the credentials and schemas across both calls.
/network/{id}/stats
Get statistics for a WireGuard network
/oauth/client
Register an OpenID Connect client