http4k - the functional toolkit for Kotlin HTTP applications
There's a lot going on around here.
More than just another HTTP library
Servers, clients, serverless, formats, templates, security, testing, AI agents and cloud connectors - 200+ modules across Core, AI, Connect and Pro, all built on one functional idea.
Explore the ecosystem →http4k-core http4k-connect-amazon-s3 http4k-ai-mcp-sdk http4k-security-oauth http4k-format-jackson http4k-testing-approval
Prove your dependencies before they compile
Every artifact ships with SLSA L2 provenance, signed SBOMs and cosign signatures. http4k Verify checks them at build time - getting you ahead of the Cyber Resilience Act deadline.
Explore Verify →$ ./gradlew build > Task :verifyHttp4kArtifacts ✓ http4k-core sig · sbom · slsa-L2 ✓ http4k-connect-amazon sig · sbom · slsa-L2 ✓ all artifacts verified · 0 issues ✓ BUILD SUCCESSFUL in 6s
Premium power tools, same DNA
Wiretap, WebAuthn, MCP, X402 and Server Hot Reload - commercially-licensed modules for teams running http4k for real. Free for individuals and small teams.
Browse Pro →Wiretap - trace & debug WebAuthn - passkeys MCP - agent tools Hot Reload - fast feedback X402 - machine payments
Production peace of mind
Up to 24 months LTS, priority support from the people who wrote it, source access, signed licence reports and every Pro module - in one subscription.
Explore Enterprise →✓ 24-month LTS channel ✓ Priority Slack & email ✓ Signed licence reports ✓ All Pro modules included
Tale of the tape: Claude vs http4k
We ran a proactive, LLM-assisted security audit across nine years of code. Several CVEs surfaced - fixed and disclosed in the open. Here is how it went.
Read the news →proactive LLM security audits public disclosure, full timelines ✓ first CVE: a juicy 9.8
Read it. Test it. Trust it.
Two function types power the entire toolkit. Everything - routing, auth, clients, serverless - composes from them. What you read is exactly what runs.
// 1. a handler is a function typealias HttpHandler = (Request) -> Response // 2. a filter wraps a handler typealias Filter = (HttpHandler) -> HttpHandler
// it's a function - just call it. val res = app(Request(GET, "/?name=ada")) assertThat(res.status, equalTo(OK)) assertThat(res.bodyString(), equalTo("Hello, ada")) // ✓ passes in milliseconds - no server, no @SpringBootTest.
How it stacks up against the framework you're escaping.
Yes, we're biased. No, we're not wrong. Bring your own benchmarks - ours are in the repo.
Open source at the core. We built some serious kit on top of it.
Premium modules, long-term support and verifiable supply-chain security - for the teams running http4k where it really counts. Buying them funds the open source you already depend on.
From Sept 2026, "trust us" stops being a valid answer.
The EU Cyber Resilience Act will demand verifiable provenance and machine-readable SBOMs for everything shipped into Europe. http4k delivers it today - every artifact ships with SLSA L2 provenance, CycloneDX SBOMs, signed licence reports and cosign signatures.
- Cryptographically linked to source commit & CI run
- Machine-readable SBOMs for every module
- Signed, audit-ready licence reports
$ ./gradlew build > Task :verifyHttp4kArtifacts ✓ http4k-core sig · sbom · slsa-L2 ✓ http4k-pro-failsafe sig · sbom · slsa-L2 ✓ http4k-connect-amazon sig · sbom · slsa-L2 ✓ all artifacts verified · 0 issues attestation → build/http4k-verify.json BUILD SUCCESSFUL in 6s
Plays nicely with your entire stack.
200+ modules across servers, clients, formats, cloud, AI and testing - http4k ships a supported integration for each.
Battle-tested where it actually matters.
Not a side project. http4k runs high-volume systems in banking, publishing and government - and has done for the better part of a decade.
Our first-ever CVE was a juicy 9.8. We disclosed it publicly the same day - because that's what you actually do.
We publish our security homework in the open: CVD policy, signed advisories, public signing keys. The big vendors quietly hope you don't ask. We'd rather just show you.
Corporate partners funding continued innovation on the project. Using http4k and want to take part? Get in touch.
Stop fighting your framework.
Start with the free, open-source core. Scale to Pro and Enterprise on the exact same foundation - no rewrite, no lock-in, no surprises.


