OAuth 2.0 access token
You can access Okta APIs with scoped OAuth 2.0 access tokens. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by the scopes that the access token contains. See OAuth 2.0 for Okta APIs.
API key (deprecated)
Note: API keys aren't scoped and has full access to all Okta APIs matching the permissions of the administrator that created the key. It's recommended that you use a scoped OAuth 2.0 access token instead.
The Okta API can be acessed with the custom HTTP authentication scheme
SSWS for authentication. All requests must have a valid API key specified in the HTTP
Authorization header with the
Authorization: SSWS 00QCjAl4MlV-WPXM...0HmjFx-vbGua
Note: See Obtaining a token for instructions on how to get an API key for your organization.
The API key (API token) isn't interchangeable with an Okta session token, access tokens, or ID tokens used with OAuth 2.0 and OpenID Connect.