
OAuth 2.0 Scopes

Okta OpenID Connect & OAuth 2.0

| Scope | Description |
| --- | --- |
| address | Requests access to the address claim |
| device_sso | Requests a device secret used to obtain a new set of tokens without re-prompting the user for authentication. See Native SSO. |
| email | Requests access to the email and email_verified claims |
| groups | Requests access to the groups claim |
| offline_access | Requests a refresh token used to obtain more access tokens without re-prompting the user for authentication |
| okta.clients.manage | Allows the app to manage clients in your Okta org |
| okta.clients.read | Allows the app to read information about clients in your Okta org |
| okta.clients.register | Allows the app to register new clients in your Okta org |
| okta.universalLogout.manage | Allows an admin or a service to initiate Universal Logout and revoke all tokens and sessions associated with a specific user |
| okta.workflows.invoke.manage | Allows the app to trigger an OAuth 2.0 protected flow |
| openid | Identifies the request as an OpenID Connect request |
| phone | Requests access to the phone_number and phone_number_verified claims |
| profile | Requests access to the end user's default profile claims |

Okta Admin Management API

| Scope | Description |
| --- | --- |
| okta.agentPools.manage | Allows the app to create and manage agent pools in your Okta organization |
| okta.agentPools.read | Allows the app to read agent pools in your Okta organization |
| okta.apiTokens.manage | Allows the app to manage API Tokens in your Okta organization |
| okta.apiTokens.read | Allows the app to read API Tokens in your Okta organization |
| okta.appGrants.manage | Allows the app to create and manage grants in your Okta organization |
| okta.appGrants.read | Allows the app to read grants in your Okta organization |
| okta.apps.interclientTrust.manage | Allows the app to manage trusted relationship for native to web SSO |
| okta.apps.interclientTrust.read | Allows the app to read configured trusted relationship for native to web SSO |
| okta.apps.manage | Allows the app to create and manage Apps in your Okta organization |
| okta.apps.read | Allows the app to read information about Apps in your Okta organization |
| okta.authenticators.manage | Allows the app to manage all authenticators. For example, enrollments or resets. |
| okta.authenticators.manage.self | Allows the app to manage a user's own authenticators. For example, enrollments or resets. |
| okta.authenticators.read | Allows the app to read org authenticators information |
| okta.authorizationServers.manage | Allows the app to create and manage Authorization Servers in your Okta organization |
| okta.authorizationServers.read | Allows the app to read information about Authorization Servers in your Okta organization |
| okta.behaviors.manage | Allows the app to create and manage behavior detection rules in your Okta organization |
| okta.behaviors.read | Allows the app to read behavior detection rules in your Okta org |
| okta.botProtection.manage | Allows the app to manage bot protection configuration in your Okta org |
| okta.botProtection.read | Allows the app to read bot protection configuration in your Okta org |
| okta.brands.manage | Allows the app to create and manage Brands and Themes in your Okta organization |
| okta.brands.read | Allows the app to read information about Brands and Themes in your Okta organization |
| okta.captchas.manage | Allows the app to create and manage CAPTCHAs in your Okta organization |
| okta.captchas.read | Allows the app to read information about CAPTCHAs in your Okta organization |
| okta.customTelephonyProvider.manage | Allows the app to create and manage custom telephony provider credentials |
| okta.customTelephonyProvider.read | Allows the app to read custom telephony provider credentials |
| okta.deviceAssurance.manage | Allows the app to manage device assurances |
| okta.deviceAssurance.read | Allows the app to read device assurances |
| okta.deviceIntegrations.manage | Allows the app to manage device integrations |
| okta.deviceIntegrations.read | Allows the app to read device integrations |
| okta.devicePostureChecks.manage | Allows the app to manage device posture checks |
| okta.devicePostureChecks.read | Allows the app to read device posture checks |
| okta.devices.manage | Allows the app to manage device status transitions and delete a device |
| okta.devices.read | Allows the app to read the existing device's profile and search devices |
| okta.directories.groups.manage | Allows the app to manage AD/LDAP groups for your Okta organization |
| okta.directories.groups.read | Allows the app to read AD/LDAP groups for your Okta organization |
| okta.domains.manage | Allows the app to manage custom Domains for your Okta organization |
| okta.domains.read | Allows the app to read information about custom Domains for your Okta organization |
| okta.dr.manage | Allows the app to manage disaster recovery |
| okta.dr.read | Allows the app to read the disaster recovery status |
| okta.emailDomains.manage | Allows the app to manage Email Domains for your Okta organization |
| okta.emailDomains.read | Allows the app to read information about Email Domains for your Okta organization |
| okta.emailServers.manage | Allows the app to manage Email Servers for your Okta organization |
| okta.emailServers.read | Allows the app to read information about Email Servers for your Okta organization |
| okta.eventHooks.manage | Allows the app to create and manage Event Hooks in your Okta organization |
| okta.eventHooks.read | Allows the app to read information about Event Hooks in your Okta organization |
| okta.features.manage | Allows the app to create and manage Features in your Okta organization |
| okta.features.read | Allows the app to read information about Features in your Okta organization |
| okta.groups.manage | Allows the app to create and manage groups in your Okta organization |
| okta.groups.read | Allows the app to read information about groups and their members in your Okta organization |
| okta.identitySources.manage | Allows the custom identity sources to manage user entities in your Okta organization |
| okta.identitySources.read | Allows to read session information for custom identity sources in your Okta organization |
| okta.idps.manage | Allows the app to create and manage Identity Providers in your Okta organization |
| okta.idps.read | Allows the app to read information about Identity Providers in your Okta organization |
| okta.inlineHooks.manage | Allows the app to create and manage Inline Hooks in your Okta organization |
| okta.inlineHooks.read | Allows the app to read information about Inline Hooks in your Okta organization |
| okta.linkedObjects.manage | Allows the app to manage linked object definitions in your Okta organization |
| okta.linkedObjects.read | Allows the app to read linked object definitions in your Okta organization |
| okta.logStreams.manage | Allows the app to create and manage log streams in your Okta organization |
| okta.logStreams.read | Allows the app to read information about log streams in your Okta organization |
| okta.logs.read | Allows the app to read information about System Log entries in your Okta organization |
| okta.manifests.manage | Allows the app to manage OIN submissions in your Okta organization |
| okta.manifests.read | Allows the app to read OIN submissions in your Okta organization |
| okta.networkZones.manage | Allows the app to create and manage Network Zones in your Okta organization |
| okta.networkZones.read | Allows the app to read Network Zones in your Okta organization |
| okta.oauthIntegrations.manage | Allows the app to create and manage API service Integration instances in your Okta organization |
| okta.oauthIntegrations.read | Allows the app to read API service Integration instances in your Okta organization |
| okta.operations.read | Allows the app to read the status of asynchronous operations in your Okta organization |
| okta.orgs.manage | Allows the app to manage organization-specific details for your Okta organization |
| okta.orgs.read | Allows the app to read organization-specific details about your Okta organization |
| okta.personal.adminSettings.manage | Allows the app to manage the personal admin settings for the signed-in user |
| okta.personal.adminSettings.read | Allows the app to read the personal admin settings for the signed-in user |
| okta.policies.manage | Allows the app to manage policies in your Okta organization |
| okta.policies.read | Allows the app to read information about policies in your Okta organization |
| okta.principalRateLimits.manage | Allows the app to create and manage Principal Rate Limits in your Okta organization |
| okta.principalRateLimits.read | Allows the app to read information about Principal Rate Limits in your Okta organization |
| okta.privilegedResources.manage | Allows the app to create privileged resources and manage their details |
| okta.privilegedResources.read | Allows the app to read the details of existing privileged resources |
| okta.profileMappings.manage | Allows the app to manage user profile mappings in your Okta organization |
| okta.profileMappings.read | Allows the app to read user profile mappings in your Okta organization |
| okta.pushProviders.manage | Allows the app to create and manage push notification providers such as APNs and FCM |
| okta.pushProviders.read | Allows the app to read push notification providers such as APNs and FCM |
| okta.rateLimits.manage | Allows the app to create and manage rate limits in your Okta organization |
| okta.rateLimits.read | Allows the app to read information about rate limits in your Okta organization |
| okta.realmAssignments.manage | Allows a user to manage realm assignments |
| okta.realmAssignments.read | Allows a user to read realm assignments |
| okta.realms.manage | Allows the app to create new realms and to manage their details |
| okta.realms.read | Allows the app to read the existing realms and their details |
| okta.riskEvents.manage | (Deprecated) Allows the app to publish risk events to your Okta organization |
| okta.riskProviders.manage | (Deprecated) Allows the app to create and manage risk provider integrations in your Okta organization |
| okta.riskProviders.read | (Deprecated) Allows the app to read all risk provider integrations in your Okta organization |
| okta.roles.manage | Allows the app to manage administrative role assignments for users in your Okta organization. Delegated admins with this permission can only manage user credential fields and not the credential values themselves. |
| okta.roles.read | Allows the app to read administrative role assignments for users in your Okta organization. Delegated admins with this permission can only read user credential fields and not the credential values themselves. |
| okta.schemas.manage | Allows the app to create and manage Schemas in your Okta organization |
| okta.schemas.read | Allows the app to read information about Schemas in your Okta organization |
| okta.securityEventsProviders.manage | Allows the app to create and manage Security Events Providers in your Okta organization |
| okta.securityEventsProviders.read | Allows the app to read information about Security Events Providers in your Okta organization |
| okta.serviceAccounts.manage | Allows the app to manage service accounts in your Okta organization |
| okta.serviceAccounts.okta.manage | Allows the app to manage Okta managed user accounts in your Okta org |
| okta.serviceAccounts.okta.read | Allows the app to read Okta managed user accounts in your Okta org |
| okta.serviceAccounts.read | Allows the app to read service accounts in your Okta organization |
| okta.sessions.manage | Allows the app to manage all sessions in your Okta organization |
| okta.sessions.read | Allows the app to read all sessions in your Okta organization |
| okta.templates.manage | Allows the app to manage all custom templates in your Okta organization |
| okta.templates.read | Allows the app to read all custom templates in your Okta organization |
| okta.threatInsights.manage | Allows the app to manage all ThreatInsight configurations in your Okta organization |
| okta.threatInsights.read | Allows the app to read all ThreatInsight configurations in your Okta organization |
| okta.trustedOrigins.manage | Allows the app to manage all Trusted Origins in your Okta organization |
| okta.trustedOrigins.read | Allows the app to read all Trusted Origins in your Okta organization |
| okta.uischemas.manage | Allows the app to manage all the UI Schemas in your Okta organization |
| okta.uischemas.read | Allows the app to read all the UI Schemas in your Okta organization |
| okta.userRisk.manage | Allows the app to manage a user's risk in your Okta org |
| okta.userRisk.read | Allows the app to read a user's risk in your Okta org |
| okta.userTypes.manage | Allows the app to manage user types in your Okta org |
| okta.userTypes.read | Allows the app to read user types in your Okta org |
| okta.users.manage | Allows the app to create new users and to manage all users' profile and credentials information |
| okta.users.manage.self | Allows the app to manage the signed-in user's profile and credentials |
| okta.users.read | Allows the app to read the existing users' profiles and credentials |
| okta.users.read.self | Allows the app to read the signed-in user's profile and credentials |
| ssf.manage | Allows the app to create and manage Shared Signals Framework (SSF) in your Okta organization |
| ssf.read | Allows the app to read information about Shared Signals Framework (SSF) in your Okta organization |

MyAccount Management

| Scope | Description |
| --- | --- |
| okta.myAccount.appAuthenticator.maintenance.manage | Write access to non-sensitive attributes of user app authenticator enrollments |
| okta.myAccount.appAuthenticator.maintenance.read | Read access to non-sensitive attributes of user app authenticator enrollments |
| okta.myAccount.appAuthenticator.manage | Write access to user app authenticator enrollments |
| okta.myAccount.appAuthenticator.read | Read access to user app authenticator enrollments |
| okta.myAccount.authenticators.manage | Write access to user authenticator enrollments |
| okta.myAccount.authenticators.read | Read access to user authenticator configurations and enrollments |
| okta.myAccount.email.manage | Write access to user emails |
| okta.myAccount.email.read | Read access to user emails |
| okta.myAccount.oktaApplications.read | Read access to the Okta apps list |
| okta.myAccount.organization.read | Read access to org details |
| okta.myAccount.password.manage | Write access to user password |
| okta.myAccount.password.read | Read access to user password metadata |
| okta.myAccount.phone.manage | Write access to user phones |
| okta.myAccount.phone.read | Read access to user phones |
| okta.myAccount.profile.manage | Write access to user profile and schema |
| okta.myAccount.profile.read | Read access to user profile and schema |
| okta.myAccount.sessions.manage | Write access to user sessions |
| okta.myAccount.webauthn.manage | Write access to user WebAuthn enrollments |
| okta.myAccount.webauthn.read | Read access to user WebAuthn enrollments |

Okta Aerial

| Scope | Description |
| --- | --- |
| okta.accounts.manage | Grants full access to Aerial operations |
| okta.accounts.read | Grants read access to Aerial operations |