On this page
Okta Identity Governance API release notes (2025)
Okta Identity Governance is available for both Okta Classic and Identity Engine.
September
Weekly release 2025.09.1
| Change | Expected in Preview Orgs |
|---|---|
| Bugs fixed in 2025.09.1 | September 17, 2025 |
Bugs fixed in 2025.09.1
- The list entitlement bundles request (
GET /governance/api/v1/entitlement-bundles) returned an error when thenamefilter had a single quote. (OKTA-1007878) - The retrieve principal entitlements request (
GET /governance/api/v1/principal-entitlements) returned an invalid-condition error when a resource ORN was used in the filter. (OKTA-928086)
Monthly release 2025.09.0
| Change | Expected in Preview Orgs |
|---|---|
| Auditor reporting package is self-service EA | August 13, 2025 |
| Entitlement bundle documented response updates | September 10, 2025 |
| Resource Owners API is Beta | September 10, 2025 |
| Governance Labels API is Beta | September 10, 2025 |
| ORN property included in collections | September 10, 2025 |
| ORN property included in entitlement bundles and values | September 10, 2025 |
| Org Governance Settings API is Beta | September 10, 2025 |
| Security Access Reviews API is EA | September 10, 2025 |
| Developer documentation updates in 2025.09.0 | September 10, 2025 |
Auditor reporting package is self-service EA
You can now generate access certification campaign reports that are tailored to meet auditor requirements. These reports make preparing for compliance audits faster and easier by reducing the time and manual effort required for assembling and exporting campaign and user access data.
Access certification campaign reports are generated from the auditor reporting package, which is triggered post-campaign completion when the createReportingPackageEnabled parameter is true. See reportingSettings.createReportingPackageEnabled (opens new window) in the Create a campaign (opens new window) resource.
Entitlement bundle documented response updates
The documented response for List all entitlement bundles (opens new window) and Retrieve an entitlement bundle (opens new window) has been updated to remove the One of (oneOf) payload structure. The documented response payload is now flattened to include properties for both entitlement-bundles-list and entitlement-bundles-list-with-entitlements schemas. This is backward-compatible because the expected returned response schema is the same as before.
Resource Owners API is Beta
Drive automation and simplify Okta Identity Governance (OIG) configuration by assigning owners to resources, such as apps, groups, and entitlements. You can automatically assign reviewers for access certifications or requests that are scoped with specific owner-assigned resources. See the Resource Owners (opens new window) API to manage assigning owners to resources in your OIG org.
Governance Labels API is Beta
The Labels API enables you to categorize and organize resources, such as apps, groups, entitlements, and collections. You can create, update, and assign key-value labels to resources to support automation, streamline configuration, and simplify the management of access reviews and requests. See Labels (opens new window) API.
ORN property included in collections
Collection resources now include their Okta resource name (ORN) (opens new window) in the response payload. See the orn property in the collection resource (opens new window).
ORN property included in entitlement bundles and values
The entitlement bundle and value resources now include their Okta resource name (ORN) (opens new window) in the response payload. See the orn property in the entitlement value response (opens new window) and in the entitlement bundles response (opens new window) payloads.
Org Governance Settings API is Beta
To complement the Governance delegates feature, admins can now configure whether end users can set their own delegates with the Org Governance Settings API. See delegates.enduser.permissions (opens new window) in the Update the org settings (opens new window) API.
End users can also view their delegate permissions in the My Settings API. See delegates.permissions (opens new window) in the Retrieve the settings (opens new window) API.
Security Access Reviews API is EA
Security Access Reviews are a new, security-focused type of access review that can be automatically triggered by events. These reviews provide a unified view of a user's access and contextual information about their access history. Also included is an AI-generated access summary, allowing you to investigate and take immediate remediation actions like revoking access. See Security Access Reviews (opens new window) in the product documentation.
See the Security Access Reviews (opens new window) API and Launch a security access review guide for details on how to trigger security access reviews through the API.
Developer documentation updates in 2025.09.0
Best practice implementations of API use cases are now available for Identity Governance. See Identity Governance in the Guides sidebar.
Okta Identity Governance campaigns and entitlements can now be managed using the Okta Terraform Provider. This enables customers to manage their governance tasks and configure other resources in their Okta org that are maintained through the Terraform Infrastructure-as-Code tool. For more information, refer to Terraform Provider for Okta (opens new window) and the Terraform Registry (opens new window) documentation.
August
Weekly release 2025.08.2
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.08.2 | August 20, 2025 |
Bug fixed in 2025.08.2
The List all grants API operation ( GET /governance/api/v1/grants) returned an incorrect number of objects. (OKTA-995619)
Monthly release 2025.08.0
| Change | Expected in Preview Orgs |
|---|---|
| Governance delegates APIs are Beta | August 7, 2025 |
| List all access request catalog entries for a user is GA | July 16, 2025 |
| Unified requester experience is EA | July 16, 2025 |
| Developer documentation updates in 2025.08.0 | August 7, 2025 |
| Bug fixed in 2025.08.0 | August 7, 2025 |
Governance delegates APIs are Beta
BetaSuper admins and users can assign delegates to complete governance tasks. These include access certification campaign reviews and access request approvals, questions, and tasks. When approvers are unavailable, their tasks can be assigned to different stakeholders ( delegates) for a period of time to ensure that governance processes don't stall. This also reduces the time admins and users spend reassigning requests and reviews manually.
The following APIs support the governance delegates flow and are available as Beta:
- Principal Settings API > Update the principal settings (opens new window)
- Delegates > List all delegate appointments (opens new window)
- My Settings > Retrieve the settings (opens new window)
- My Settings > Update the settings (opens new window)
- My Settings > List the eligible delegate users (opens new window)
List all access request catalog entries for a user is GA
The List all access request catalog entries for a user (opens new window) (GET /governance/api/v2/catalogs/default/user/{userId}/entries) operation is now included in the Access Requests - V2 > Catalogs (opens new window) API. As an admin, use this operation to list access request catalog entries for a user. A filter expression query parameter is required to specify the set of entries in the response.
Unified requester experience is EA
Use this feature to create a consistent and unified experience for initiating requests in End-User Dashboard, Slack, and Microsoft Teams regardless of whether the request is managed by conditions or request types. This gives you the flexibility to use either or both methods together to manage resource access without altering the requester experience.
- Request types now appear as tiles in the End-User Dashboard's resource catalog alongside other resources. Your settings for a request type's audience continue to govern which users can view the request type on their dashboard and request access.
- In Slack and Microsoft Teams, users can now request access to resources that are governed by access request conditions, and the user experience for requesting resources that are managed by request types has also been changed.
Additionally, in the Okta Access Requests app, the Access requests page has been renamed to Resource catalog and clicking it redirects requesters to the resource catalog on the End-User Dashboard. The Request types section in the web app is only visible to admins and team members who own the request type. See Create requests (opens new window).
This is an Early Access feature. See Enable self-service features (opens new window).
The following Access Request API updates have been made to support the unified requester experience:
- New
REQUEST_TYPEoption for accessScopeType (opens new window) in the Requests (opens new window) API - New validRequestOnBehalfOfSettings (opens new window) property for Request Settings (opens new window) API
- Related entry link updates for catalog entry responses
- List all access request catalog entries for a user (opens new window)
Developer documentation updates in 2025.08.0
The Archived Okta Identity Governance API changelog (2023-2024) has been removed.
Bug fixed in 2025.08.0
The filtered entitlement bundles request (GET /governance/api/v1/entitlement-bundles) with the contains (co) operator didn't sort results by the substring's location within the name field.
July
Weekly release 2025.07.2
| Change | Expected in Preview Orgs |
|---|---|
| Related entity link updates for catalog entry responses | July 16, 2025 |
| Bug fixed in 2025.07.2 | July 16, 2025 |
Related entity link updates for catalog entry responses
The _links.relatedEntity (or data._links.relatedEntity) property is now returned for parent catalog entries, in addition to child entries, for the following operations:
- List all entries for the default access request catalog (opens new window)
- Retrieve a catalog entry (opens new window)
- List all of my entries for the default access request catalog (opens new window)
- Retrieve an entry from my catalog (opens new window)
- List all of my catalog entry users (opens new window)
Bug fixed in 2025.07.2
A null pointer exception occurred when a PUT /governance/api/v1/collections/{collecionId}/resources/{resourceId} request was made on a collection without resources. (OKTA-970817)
Monthly release 2025.07.0
| Change | Expected in Preview Orgs |
|---|---|
| Changes to Okta app API responses | July 7, 2025 |
Changes to Okta app API responses
The following Okta apps won't be returned in the API response for endpoints that list apps (such as the List all applications (opens new window) GET /api/vi/apps endpoint):
- Okta Access Certifications (key name:
okta_iga) - Okta Access Requests Admin (key name:
okta_access_requests_admin) - Okta Entitlement Management (key name:
okta_entitlement_management)
In addition, a single app retrieval endpoint won't return these apps either. For example: GET /api/v1/apps/{appId} won't return the app object if {appId} is the ID for the okta_iga, okta_access_requests_admin, or okta_entitlement_management apps in your org.
June
Weekly release 2025.06.1
| Change | Expected in Preview Orgs |
|---|---|
| List all access request catalog entries for a user is Beta | June 17, 2025 |
List all access request catalog entries for a user is Beta
BetaThe List all access request catalog entries for a user (opens new window) (GET /governance/api/v2/catalogs/default/user/{userId}/entries) operation is now included in the Access Requests - V2 > Catalogs (opens new window) API. As an admin, use this operation to list access request catalog entries for a particular user. A filter expression query parameter is required to specify the set of entries in the response.
May
Weekly release 2025.05.3
| Change | Expected in Preview Orgs |
|---|---|
| Request condition name length increase | May 29, 2025 |
Request condition name length increase
The Request Condition API (opens new window) has increased the length of the request condition name from 50 to 255 characters.
Weekly release 2025.05.1
| Change | Expected in Preview Orgs |
|---|---|
| New variable for Access Certification campaign emails | May 14, 2025 |
| Generate a risk assessment is Beta | May 14, 2025 |
New variable for Access Certification campaign emails
You can now include the campaign description in your customized Access Certification campaign email notifications. See the new ${campaign.campaignDescription} variable in Use VTL variables (opens new window).
Generate a risk assessment is Beta
BetaThe Generate a risk assessment (opens new window) operation is now included in the Risk Rules API (opens new window). This operation requires the okta.governance.riskRule.read OAuth 2.0 scope. Use this resource to evaluate potential separation of duties (SOD) violations when a user requests entitlements.
April
Monthly release 2025.04.0
| Change | Expected in Preview Orgs |
|---|---|
| Risk Rules API is Beta | April 2, 2025 |
Risk Rules API is Beta
BetaThe Risk Rules API (opens new window) is now available in Beta and includes the following new scopes:
okta.governance.riskRule.manageokta.governance.riskRule.read
Use this API to define risk rules to support separation of duties (SOD) in Access Certifications and Access Requests.
The following new properties were added to support the SOD feature in existing Identity Governance resources:
Campaigns resource:
principalScopeSettings.onlyIncludeUsersWithSODConflicts(opens new window)Reviews resource:
riskRuleConflicts(opens new window)Request Settings:
validRiskSettings(opens new window) andriskSettings(opens new window)
See Separation of duties (opens new window) in the product documentation.
March
Weekly release 2025.03.2
| Change | Expected in Preview Orgs |
|---|---|
| Collections API is Beta | March 19, 2025 |
Collections API is Beta
BetaThe Collections API (opens new window) is available in Beta. This API allows you to manage sets of apps and entitlements. See Resource collections (opens new window).
Weekly release 2025.03.1
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.03.1 | March 12, 2025 |
Bug fixed in 2025.03.1
The requestOnBehalfOfSettings property wasn’t validated for DIRECT_REPORT when a user calls the Retrieve an entry’s request fields (opens new window) (GET /governance/api/v2/my/catalogs/default/entries/{entryId}/request-fields). (OKTA-807528)
Monthly release 2025.03.0
| Change | Expected in Preview Orgs |
|---|---|
| Entitlements and Entitlement Bundles APIs are GA | March 5, 2025 |
| New Access Certifications campaign | March 5, 2025 |
| Bug fixed in 2025.03.0 | March 5, 2025 |
Entitlements and Entitlement Bundles APIs are GA
The following APIs have transitioned from Beta to GA:
New Access Certifications campaign
A new property, resourceSettings.includeAdminRoles, has been added to the access certification campaign schema in the Campaigns API . This property indicates that the user-centric access certification campaign includes users’ admin role assignments.
Bug fixed in 2025.03.0
The remediationSettings.autoRemediationSettings and principalScopeSettings.predefinedInactiveUsersScope properties were missing from the Access Certification campaign schema in the Campaigns API reference. (OKTA-880900)
February
Weekly release 2025.02.1
| Change | Expected in Preview Orgs |
|---|---|
| List all entitlements API response update | February 13, 2025 |
List all entitlements API response update
BetaBreaking change: The List all entitlement (opens new window) response no longer returns a values object. Previously, this response returned an empty array for this property after the following update in 2024.04.0: List all entitlements will no longer return values. To fetch values for a given entitlement, use List all values for an entitlement (opens new window) or List all entitlement values (opens new window).
Monthly release 2025.02.0
| Change | Expected in Preview Orgs |
|---|---|
| New System Log event | February 6, 2025 |
New system log event
An access.request.settings.update System Log event now appears when a Request of behalf of setting is toggled on or off in the Admin Console, or when you set or change the requestOnBehalfOfSettings object for Requests Settings (opens new window). The event's debugData property includes the app for which the setting was updated and the changeDetails property includes the previous and new state of the setting.
January
Weekly release 2025.01.2
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.01.2 | January 29, 2025 |
Bug fixed in 2025.01.2
- The
okta.accessRequests.catalog.readscope was missing from the Okta Identity Governance APIs. (OKTA-846162)
Monthly release 2025.01.0
| Change | Expected in Preview Orgs |
|---|---|
| Selected Okta Identity Governance APIs are now GA | January 8, 2025 |
Selected Okta Identity Governance APIs are now GA
The following Okta Identity Governance APIs are GA:
- Campaigns (opens new window)
- Reviews (opens new window)
- Access Requests - V2 (opens new window)
- My Catalogs (opens new window)
- My Requests (opens new window)
The following Access Requests - V2 administrative APIs are now EA:
- List all entries for the default access request catalog (opens new window)
- Retrieve a catalog entry by an ID (opens new window)
For further information, see Identity Governance (opens new window) and Okta Identity Governance API (opens new window).
