// THE FUNCTIONAL TOOLKIT FOR KOTLIN  ·  SINCE 2017

Server as a Function.
We meant it literally.

No annotations. No reflection. No container. No magic. Just immutable Kotlin functions you can read, test in-memory in milliseconds, and actually trust in production - from your first endpoint to your hundredth service.

  • 5M+ downloads / month
  • 200+ modules
  • 0 reflection
  • Apache 2.0 core
HelloHttp4k.kt
// a server is just a function. that's the whole trick.
val app: HttpHandler = { request ->
    Response(OK).body("Hello, " + request.query("name"))
}

// filters compose behaviours. no magic required.
val stack = DebuggingFilters.PrintRequest()
    .then(ServerFilters.GZip())
    .then(app)

stack.asServer(SunHttp(9000)).start()
// → up in milliseconds. swap with 1 LOC. 

http4k - the functional toolkit for Kotlin HTTP applications

// MORE THAN A CORE

There's a lot going on around here.

FOUR ECOSYSTEMS

More than just another HTTP library

Servers, clients, serverless, formats, templates, security, testing, AI agents and cloud connectors - 200+ modules across Core, AI, Connect and Pro, all built on one functional idea.

Explore the ecosystem →
200+ modules · one BOM
http4k-core
http4k-connect-amazon-s3
http4k-ai-mcp-sdk
http4k-security-oauth
http4k-format-jackson
http4k-testing-approval
SUPPLY CHAIN · EU CRA 2026

Prove your dependencies before they compile

Every artifact ships with SLSA L2 provenance, signed SBOMs and cosign signatures. http4k Verify checks them at build time - getting you ahead of the Cyber Resilience Act deadline.

Explore Verify →
build · http4k Verify
$ ./gradlew build
> Task :verifyHttp4kArtifacts
✓ http4k-core            sig · sbom · slsa-L2
✓ http4k-connect-amazon  sig · sbom · slsa-L2
✓ all artifacts verified · 0 issues
✓ BUILD SUCCESSFUL in 6s
PRO MODULES

Premium power tools, same DNA

Wiretap, WebAuthn, MCP, X402 and Server Hot Reload - commercially-licensed modules for teams running http4k for real. Free for individuals and small teams.

Browse Pro →
org.http4k.pro
Wiretap      - trace & debug
WebAuthn     - passkeys
MCP          - agent tools
Hot Reload   - fast feedback
X402         - machine payments
ENTERPRISE EDITION

Production peace of mind

Up to 24 months LTS, priority support from the people who wrote it, source access, signed licence reports and every Pro module - in one subscription.

Explore Enterprise →
LTS · support · provenance
✓ 24-month LTS channel
✓ Priority Slack & email
✓ Signed licence reports
✓ All Pro modules included
LATEST FROM THE TEAM

Tale of the tape: Claude vs http4k

We ran a proactive, LLM-assisted security audit across nine years of code. Several CVEs surfaced - fixed and disclosed in the open. Here is how it went.

Read the news →
news · 2026
proactive LLM security audits
public disclosure, full timelines
✓ first CVE: a juicy 9.8

Read it. Test it. Trust it.

Two function types power the entire toolkit. Everything - routing, auth, clients, serverless - composes from them. What you read is exactly what runs.

CoreTypes.kt the two types
// 1. a handler is a function
typealias HttpHandler = (Request) -> Response

// 2. a filter wraps a handler
typealias Filter = (HttpHandler) -> HttpHandler
AppTest.kt no server, no ports
// it's a function - just call it.
val res = app(Request(GET, "/?name=ada"))

assertThat(res.status, equalTo(OK))
assertThat(res.bodyString(),
    equalTo("Hello, ada"))
// ✓ passes in milliseconds - no server, no @SpringBootTest.
No server required. Your whole stack runs in-memory in a unit test. That's not a testing strategy we bolted on - it's just what happens when your app is a function.
// THE TALE OF THE TAPE

How it stacks up against the framework you're escaping.

Yes, we're biased. No, we're not wrong. Bring your own benchmarks - ours are in the repo.

In the ring
http4k
The Usual Framework™
Annotations & reflection
Zero
Everywhere you look
Framework container
What container?
Can't start without it
Test the whole app without a server
In-memory ✓
Spin one up & wait
Move server / platform
Change one line
Re-architect
Lines to a running "hello"
3
…a starter, a wizard, 4 files
After 9 years running it
No regrets
…it's complicated
// SUPPLY CHAIN SECURITY

From Sept 2026, "trust us" stops being a valid answer.

The EU Cyber Resilience Act will demand verifiable provenance and machine-readable SBOMs for everything shipped into Europe. http4k delivers it today - every artifact ships with SLSA L2 provenance, CycloneDX SBOMs, signed licence reports and cosign signatures.

  • Cryptographically linked to source commit & CI run
  • Machine-readable SBOMs for every module
  • Signed, audit-ready licence reports
Explore http4k Verify →
build · http4k Verify
$ ./gradlew build

> Task :verifyHttp4kArtifacts
 http4k-core            sig · sbom · slsa-L2
 http4k-pro-failsafe    sig · sbom · slsa-L2
 http4k-connect-amazon  sig · sbom · slsa-L2
 all artifacts verified · 0 issues
  attestation → build/http4k-verify.json

BUILD SUCCESSFUL in 6s 

Plays nicely with your entire stack.

200+ modules across servers, clients, formats, cloud, AI and testing - http4k ships a supported integration for each.

Browse the ecosystem →
a2aalibabaapacheapprunnerargoawsazurechaos monkeyclaudecloud eventscloudfrontcloudwatchcloudwatch logscognitocontainer credentialsdataframedatastardigestdockerdynamodbeventbridgeevidentlyfailsafefirehosefreemarkerfuelgoogle analyticsgcfgcpgeminigithubgitlabgraphqlgsonhamkresthandlebarshelidonhtmlflowhtmxiamjacksonjakartajdbcjettyjsonrpcjson schemajtek8skafkaklaxonkmskondorkotest
kotlinx serializationktorlambdalangchain4jlm studiomattermostmcpmicrometermicronautmoshinettyoauthokhttpollamaopenaiopenapiopenfeatureopentelemetryopenwhiskpebbleplaywrightpowerassertpug4jratpackredisredocresilience4jrockerroute53s3secrets managerservirtiumservletsesslacksnsspringsqsstriktstsswaggersystems managertencentthymeleaftoontracerbulletundertowvertxwebauthnwebdriverx402xml

Battle-tested where it actually matters.

Not a side project. http4k runs high-volume systems in banking, publishing and government - and has done for the better part of a decade.

5M+
downloads / month
200+
modules & integrations
9 yrs
in production, since 2017
0
magic, ever.
RADICAL TRANSPARENCY

Our first-ever CVE was a juicy 9.8. We disclosed it publicly the same day - because that's what you actually do.

We publish our security homework in the open: CVD policy, signed advisories, public signing keys. The big vendors quietly hope you don't ask. We'd rather just show you.

BACKED & TRUSTED BY
Springer Nature Technology Kotlin Foundation

Corporate partners funding continued innovation on the project. Using http4k and want to take part? Get in touch.

Stop fighting your framework.

Start with the free, open-source core. Scale to Pro and Enterprise on the exact same foundation - no rewrite, no lock-in, no surprises.

scarf