Kiota API Client Generator: Developer Setup, Auth, and Real Code Examples (2026)
Why Kiota API Client Generator Trips Up So Many Developers
If you've ever stared at a half-broken auto-generated API client , one that's missing half the endpoints, doesn't handle authentication the way your platform expects, or generates so much boilerplate that you'd rather hand-write the HTTP calls yourself , you already understand the problem the Kiota API Client Generator was built to solve. I've worked with dozens of teams who fell into the same trap: they accepted a dependency on a vendor-specific API SDK, then spent weeks fighting against it when the API changed, when auth tokens started expiring differently, or when they needed to call endpoints the SDK simply hadn't implemented.
The root cause is almost always the same. Most API client libraries are written once, by the API provider, and updated on their schedule, not yours. They often wrap only the most popular endpoints, paper over error responses, and make assumptions about your authentication model that don't hold in real enterprise scenarios. When you're integrating with fifteen different APIs across a single backend service, that's fifteen different SDKs, fifteen different mental models, and fifteen different update cycles to track.
The Kiota API client generator takes a completely different approach. Instead of handing you a pre-built library, it reads any OpenAPI description, the machine-readable contract for how an API works, and generates a strongly typed client in your language of choice, using only the endpoints and models you actually need. No dead code. No hidden dependencies. No guessing what that options parameter does.
Where developers run into trouble with Kiota usually falls into three buckets. First, installation: the tool ships in several forms (.NET global tool, Docker image, downloadable binary, VS Code extension) and picking the wrong one for your environment causes immediate friction, especially on CI/CD pipelines where PATH resolution isn't obvious. Second, OpenAPI description quality: Kiota is only as good as the spec you feed it, a malformed or incomplete OpenAPI document produces incomplete or outright broken client code, and the error messages don't always point you at the bad line number. Third, authentication wiring: Kiota generates the client, but connecting it to your identity provider using its built-in middleware pattern is a step that documentation describes but doesn't always show end-to-end with real working code.
This guide covers all three problem areas directly. You'll leave with a working Kiota API client generator install, a repeatable generation command, and actual code showing how to wire up authentication, all grounded in what Microsoft's official documentation actually says. Browse all Microsoft fix guides →
The Quick Fix, Get Kiota Generating Code in Under 5 Minutes
If you have the .NET SDK already installed and you just want to see the Kiota API client generator working right now, this is your fastest path. One command installs the tool globally, and one command generates a client. Here's exactly what you do.
Open a terminal, PowerShell, bash, or the VS Code integrated terminal all work, and run:
dotnet tool install --global Microsoft.OpenApi.KiotaThat's it for installation. The .NET global tools mechanism handles the download, puts the binary on your PATH, and makes kiota available as a command immediately. No environment variable edits, no manual PATH configuration. Once that completes, verify it worked:
kiota --versionYou should see a version string like 1.x.x printed back. If you see command not found or a similar error, the most common cause is that your .NET tools directory isn't on your PATH, jump to Step 1 in the step-by-step section below for the fix.
Now, the fastest way to test actual code generation is to point Kiota at a publicly available OpenAPI description. Here's a real example that generates a TypeScript client for a subset of the Microsoft Graph Mail API:
kiota generate \
--language typescript \
--namespace-name GraphMailClient \
--openapi https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/dev/openApiDocs/v1.0/Mail.yml \
--output ./src/mailClientIf this runs cleanly, you'll see a src/mailClient folder appear with strongly typed TypeScript files for every Mail API endpoint in that spec. That's the Kiota API client generator doing exactly what it promises: reading an OpenAPI document and turning it into real, usable code, with no manual SDK hunting required.
kiota info --openapi ./your-spec.yaml. This surfaces spec validation errors before generation even starts, saving you from a cryptic mid-generation failure that points you at the wrong file.
The Kiota API client generator ships in multiple forms, and picking the right one matters, especially in team environments or CI pipelines where one developer's working setup doesn't automatically transfer to everyone else. Here's how to make the right call.
For individual developer machines with .NET SDK installed, the global tool method is the cleanest:
dotnet tool install --global Microsoft.OpenApi.KiotaAfter install, if kiota --version returns "command not found," your .NET tools path isn't in the system PATH. Fix it by adding the tools directory manually. On Windows, the default path is:
%USERPROFILE%\.dotnet\toolsAdd that to your PATH via System Properties → Environment Variables → User variables → Path → Edit → New. On Linux/macOS, add this to your shell profile (~/.bashrc, ~/.zshrc, etc.):
export PATH="$HOME/.dotnet/tools:$PATH"For environments without .NET SDK, common on developer machines that are primarily JavaScript, Python, or Go shops, download the prebuilt binary for your OS directly from the official releases page. The available packages are: linux-x64.zip, osx-arm64.zip, osx-x64.zip, win-x64.zip, and win-x86.zip. Unzip, place the binary somewhere on your PATH, and you're done. No .NET runtime required at all for binary installs.
For VS Code users, there's a dedicated extension available through the VS Code Marketplace, search for "Kiota" in the Extensions panel. Note that as of the official documentation, this extension is in public preview and subject to change, so don't depend on it for production CI workflows. It's excellent for exploring APIs interactively and generating client code through a UI, though.
When it works, kiota --version returns a clean version string and kiota --help prints the full command reference.
The most frustrating Kiota API client generator errors aren't installation errors, they're generation errors caused by OpenAPI specs that have subtle problems Kiota can't silently work around. I've seen teams spend hours debugging generated code only to discover the real issue was a missing $ref in their spec, or a response schema defined inline in one place and referenced from another in an inconsistent way.
Before you run kiota generate, run this first:
kiota info --openapi ./your-api-spec.yamlThis command outputs metadata about the spec, the number of operations found, the API title, and any warnings about spec quality, without actually generating code. If the operation count looks wrong (say, you have 50 endpoints but Kiota only sees 12), that's your signal that paths are malformed or that required fields are missing from request/response schemas.
For specs that reference external documents via $ref URLs, make sure those are reachable from the machine where you're running Kiota. Kiota follows $ref references during parsing, so a broken reference to an internal schema registry produces an error that looks like a Kiota bug but is actually a network or permissions issue.
If you're working with a spec published by a vendor, always prefer downloading a local copy over using the remote URL directly in your generate command. Remote specs change without warning, and tying your build to a live URL means a vendor update can break your CI pipeline at any moment. Pin a specific version of the spec file to your repository the same way you'd pin a package dependency version.
When the info command runs cleanly and the operation count matches your expectations, you're ready to generate. A clean run ends with a summary like: Generation completed successfully. X client files created.
The kiota generate command is where the Kiota API client generator actually does its work. The core flags you need on every run are --language, --namespace-name (or --class-name depending on the language), --openapi pointing at your spec, and --output pointing at where you want the files.
Here are ready-to-run examples for the languages Kiota officially supports:
TypeScript:
kiota generate \
--language typescript \
--namespace-name MyApiClient \
--openapi ./specs/my-api.yaml \
--output ./src/generated/myApiClientC# (.NET):
kiota generate \
--language csharp \
--namespace-name MyCompany.ApiClient \
--openapi ./specs/my-api.yaml \
--output ./Generated/MyApiClientPython:
kiota generate \
--language python \
--namespace-name my_api_client \
--openapi ./specs/my-api.yaml \
--output ./generated/my_api_clientGo:
kiota generate \
--language go \
--namespace-name github.com/myorg/myapiclient \
--openapi ./specs/my-api.yaml \
--output ./generated/myapiclientOne flag that trips up a lot of developers: --include-path. By default, Kiota generates client code for every endpoint in the spec. If your spec is large (think Microsoft Graph, which covers hundreds of API surfaces), you almost certainly don't want that. Use --include-path to scope generation to just the paths you need:
kiota generate \
--language typescript \
--namespace-name MailClient \
--openapi ./specs/graph.yaml \
--output ./src/mailClient \
--include-path "/me/messages/**"This generates only the code for the /me/messages path and all sub-resources, keeping your output directory lean and your compile times fast. When generation succeeds, you'll see output files appear in your target directory, models, request builders, and a root client class.
Generated client code is only useful once it can actually make authenticated requests. The Kiota API client generator doesn't generate authentication logic, that's intentional. Instead, Kiota's architecture separates the generated client from the HTTP middleware stack. You provide an authentication provider; Kiota's core library hooks it in before every request. This separation is what lets a single Kiota client work with OAuth 2.0 today and switch to a different auth scheme without touching the generated code.
For Microsoft APIs specifically, Microsoft publishes the @microsoft/kiota-authentication-azure package (for TypeScript/JavaScript) that works directly with the Azure Identity library. Here's the wiring pattern in TypeScript:
import { AzureIdentityAuthenticationProvider } from "@microsoft/kiota-authentication-azure";
import { FetchRequestAdapter } from "@microsoft/kiota-http-fetchlibrary";
import { ClientSecretCredential } from "@azure/identity";
import { createApiClient } from "./generated/myApiClient";
const credential = new ClientSecretCredential(
process.env.TENANT_ID!,
process.env.CLIENT_ID!,
process.env.CLIENT_SECRET!
);
const authProvider = new AzureIdentityAuthenticationProvider(credential, [
"https://graph.microsoft.com/.default"
]);
const adapter = new FetchRequestAdapter(authProvider);
const client = createApiClient(adapter);For .NET, the equivalent pattern uses the Microsoft.Kiota.Authentication.Azure NuGet package:
using Azure.Identity;
using Microsoft.Kiota.Authentication.Azure;
using Microsoft.Kiota.Http.HttpClientLibrary;
var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var authProvider = new AzureIdentityAuthenticationProvider(credential,
scopes: new[] { "https://graph.microsoft.com/.default" });
var adapter = new HttpClientRequestAdapter(authProvider);
var client = new ApiClient(adapter);The key insight is the layered architecture: credential handles token acquisition, authProvider wraps the credential in Kiota's abstraction, adapter is the HTTP transport, and client is your generated code sitting on top. When you see 401 Unauthorized responses at runtime, the problem is almost always in the credential or scope configuration, not in the generated client code itself.
When authentication is wired correctly, your first API call returns actual data and no exception is thrown on the auth middleware layer.
A common trap: you run kiota generate successfully, you look at the output files, and everything looks great, then you try to compile or run the code and get a cascade of missing module errors. This happens because Kiota generates code that depends on a set of core Kiota runtime packages that are not included in the generated output. You need to install them separately, and the exact packages depend on your language.
For TypeScript/Node.js, you need these packages at minimum:
npm install @microsoft/kiota-abstractions \
@microsoft/kiota-http-fetchlibrary \
@microsoft/kiota-serialization-json \
@microsoft/kiota-serialization-textFor .NET, add these NuGet packages:
dotnet add package Microsoft.Kiota.Abstractions
dotnet add package Microsoft.Kiota.Http.HttpClientLibrary
dotnet add package Microsoft.Kiota.Serialization.Json
dotnet add package Microsoft.Kiota.Serialization.TextFor Python:
pip install microsoft-kiota-abstractions \
microsoft-kiota-http \
microsoft-kiota-serialization-jsonOnce runtime dependencies are installed, write a minimal end-to-end test. Don't try to call a complex endpoint first, call the simplest GET endpoint in your API, one that returns a single object with a few fields. If the response deserialization works correctly (you get a typed object back, not a raw string or null), your entire stack is wired correctly. Kiota uses the JSON Schema models in the OpenAPI spec to generate the serialization and deserialization code, so a successful typed response confirms that the spec parsing, code generation, runtime library, and authentication layers are all cooperating correctly.
If the compile step passes but you get a runtime error like No serialization library registered for application/json, you've installed the serialization packages but haven't registered them. Add this to your startup code:
// TypeScript
import { JsonSerializationWriterFactory } from "@microsoft/kiota-serialization-json";
import { SerializationWriterFactoryRegistry } from "@microsoft/kiota-abstractions";
SerializationWriterFactoryRegistry.defaultInstance
.contentTypeAssociatedFactories
.set("application/json", new JsonSerializationWriterFactory());Advanced Kiota API Client Generator Troubleshooting
Running Kiota in Docker for Clean CI Environments
On CI/CD pipelines, especially ones running in containers, installing the .NET SDK just to get access to the Kiota API client generator adds significant image size and build time. The Docker-based approach is the right answer here. Microsoft publishes an official Kiota container at mcr.microsoft.com/openapi/kiota. The basic pattern mounts your output directory and your spec file as Docker volumes:
docker run \
-v /your/output/path:/app/output \
-v /your/spec/openapi.yaml:/app/openapi.yaml \
mcr.microsoft.com/openapi/kiota \
generate --language csharp -n MyNamespaceFor generating from a remote URL without volume-mounting a spec file, use the --openapi flag with a URI directly:
docker run \
-v ${PWD}:/app/output \
mcr.microsoft.com/openapi/kiota \
generate --language typescript -n GraphClient \
-d https://raw.githubusercontent.com/microsoftgraph/msgraph-sdk-powershell/dev/openApiDocs/v1.0/Mail.ymlOne Docker-specific pitfall: file ownership. Files written into the mounted volume by the container are owned by the container's user (usually root), not your host user. On Linux this causes permission errors when your build system tries to read the generated files afterward. Fix it by adding --user $(id -u):$(id -g) to the docker run command.
Automating Client Refresh with GitHub Actions
The Kiota API client generator becomes genuinely powerful when generation is automated. Microsoft publishes a microsoft/setup-kiota GitHub Action that installs Kiota in your workflow. A real-world usage pattern looks like this:
steps:
- uses: actions/checkout@v3
- uses: microsoft/setup-kiota@v0.5.0
- name: Regenerate API clients
run: kiota update -o .
working-directory: srcNote that as of the official documentation, this GitHub Action is in public preview. Pin to a specific version tag (not @latest) in production workflows to avoid unexpected behavior from Action updates.
Extending Kiota for Unsupported Languages
If you're working in a language Kiota doesn't officially support, or if you need to generate clients that follow internal conventions your team has standardized on, Kiota is designed to be extended. The official architecture documentation describes how to add new language support through the code generation abstraction layer. This is not a quick weekend project, but the architecture is genuinely designed for it, and the core library separation means you can add a new language target without touching the OpenAPI parsing or middleware systems.
Prevention & Best Practices for Kiota API Client Generator Workflows
The teams I've seen get the most out of the Kiota API client generator are the ones who treat it like a build tool, automated, versioned, and repeatable, rather than a one-time scaffold they run once and forget. Here's what that looks like in practice.
Version-pin your OpenAPI specs. The moment you generate a Kiota client from a live URL without pinning the spec version, you've introduced a dependency on someone else's release schedule. Store the exact spec file (or a pinned version URL) in your repository. When the API provider releases a new version, review the diff, update intentionally, and regenerate with a clear commit message explaining why.
Commit generated code to source control. I know this is controversial, but for Kiota clients it's the right call. Committing the generated output means your teammates don't need Kiota installed just to build the project, your CI pipeline is faster (no generation step on every build), and diffs between API versions are immediately visible in code review. Use a README in the generated directory and a comment at the top of the client file (// Auto-generated by Kiota, do not edit manually) to make the intent clear.
Use --include-path to scope generation tightly. Generating everything from a large spec produces thousands of files, most of which you'll never call. Tight scoping means faster generation, smaller diffs when you regenerate, and less noise in your codebase. Add a generation script (a shell script or Makefile target) that documents exactly which paths are included and why.
Automate regeneration on spec updates. Set up a GitHub Actions or Azure DevOps pipeline step that detects changes to your pinned spec file and automatically opens a PR with the regenerated client. This makes API version upgrades visible and reviewable rather than silent.
- Run
kiota info --openapi ./spec.yamlbefore every generation to catch spec errors early - Pin the Kiota tool version in your CI pipeline (
dotnet tool install --version x.y.z) to prevent silent generation behavior changes - Keep authentication provider configuration in environment variables, never in generated or committed code
- Add the generated output directory to a
.gitattributesrule marking files as auto-generated, so reviewers know not to nitpick generated code style
Frequently Asked Questions
What is the Kiota API client generator and how is it different from Swagger Codegen?
Kiota is a Microsoft-built command line tool that reads any OpenAPI description and generates a strongly typed API client in your language of choice. Unlike Swagger Codegen, Kiota is designed around a minimal dependency model, it generates only the code for the endpoints you specify, and the generated code depends on a small, consistent set of core runtime packages rather than a different full-framework SDK per language. The result is that Kiota clients feel more like native code and less like a vendor library you're fighting against. Kiota officially supports C#, CLI, Go, Java, PHP, Python, Ruby, and TypeScript.
Do I need the .NET SDK installed to use Kiota?
No, not necessarily. The .NET SDK is required only if you install Kiota as a .NET global tool with dotnet tool install. If you don't have .NET installed, you can download a prebuilt standalone binary for your platform (Windows x64/x86, macOS arm64/x64, Linux x64) directly from the Kiota releases page, no runtime required. Alternatively, the official Docker image mcr.microsoft.com/openapi/kiota works in any environment that can run Docker containers. For macOS developers, the community Homebrew formula (brew install kiota) is another path, though it's community-maintained and not an official Microsoft distribution.
Kiota generated my client but the compile fails with missing package errors, what am I missing?
This is one of the most common Kiota setup stumbles. The generated client code imports from Kiota's core runtime packages, but those packages are not bundled into the generated output, you install them separately as normal package dependencies. For TypeScript you need @microsoft/kiota-abstractions, @microsoft/kiota-http-fetchlibrary, and @microsoft/kiota-serialization-json at minimum. For .NET, the equivalents are Microsoft.Kiota.Abstractions, Microsoft.Kiota.Http.HttpClientLibrary, and Microsoft.Kiota.Serialization.Json on NuGet. Check the official Kiota quickstart guide for your target language for the exact current package names, they follow a consistent naming pattern but the exact versions matter.
Can I use the Kiota API client generator with non-Microsoft APIs?
Absolutely, that's actually the whole point. Kiota works with any API that has a valid OpenAPI (formerly Swagger) description, regardless of who built it. If a third-party API you're integrating with publishes an OpenAPI spec (many do, often as a swagger.json or openapi.yaml file in their developer documentation), you can feed it directly to Kiota. The generated client will be just as strongly typed as one generated for a Microsoft API. The caveat is spec quality: a poorly written or incomplete OpenAPI document will produce an incomplete client, so validating the spec with kiota info first saves time.
How do I generate a client for only some endpoints, not the entire OpenAPI spec?
Use the --include-path flag when running kiota generate. This flag accepts a path pattern and tells Kiota to generate client code only for API paths that match. For example, --include-path "/users/**" generates code for all paths under /users/ and ignores everything else in the spec. You can specify multiple --include-path flags to include several path trees in a single generation run. The opposite flag, --exclude-path, works the same way in reverse. Scoping generation tightly keeps your output directory small, speeds up generation, and makes regeneration diffs much easier to review in code.
The Kiota VS Code extension isn't showing my generated client, is the extension broken?
The Kiota Visual Studio Code extension is currently in public preview according to official documentation, which means its behavior can change between releases and some features may not work as expected in all environments. If the extension isn't reflecting your generated output, first confirm that Kiota itself is installed correctly by running kiota --version in a terminal, the extension depends on the CLI being available on your PATH. If the CLI works but the extension doesn't show your client, try reloading the VS Code window (Ctrl+Shift+P → "Developer: Reload Window") and checking the Output panel for any extension-specific error messages. For production workflows, rely on the CLI directly rather than the extension until the extension reaches general availability.