Applications

The Applications API provides operations to manage apps in your org.

To create a custom app integration instance, use the Create an Application operation with the schema provided in the request payload.

To create an app instance from the Okta Integration Network (OIN), use the Create an Application operation with the corresponding OIN app schema in the request body.
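As an added example (not part of Okta's documentation or SDKs), the following pre-flight check validates a Create an Application request body against the sign-on modes, required settings.app properties and enums this page lists for each OIN key name, and flags SAML override fields for review before the request is sent. The settings.signOn property name and the HTTPS expectation for override URLs are assumptions; the sample payloads are constructed.

```python
from urllib.parse import urlsplit

# Transcribed from this page: supported signOnMode values and the settings.app
# properties marked "required", per OIN key name.
OIN_RULES = {
    "google": (("BROWSER_PLUGIN", "SAML_2_0"), ("domain",)),
    "office365": (("BROWSER_PLUGIN", "SAML_1_1"), ("msftTenant", "domain")),
    "salesforce": (("BROWSER_PLUGIN", "BOOKMARK", "SAML_2_0"),
                   ("integrationType", "instanceType")),
    "slack": (("BROWSER_PLUGIN", "SAML_2_0"), ("domain",)),
    "trendmicroapexoneservice": (("SAML_2_0",), ("baseURL",)),
    "zoomus": (("SAML_2_0",), ("subDomain",)),
    "zscalerbyz": (("BROWSER_PLUGIN", "SAML_2_0"), ()),
}
# Enumerated settings.app values listed on this page (Salesforce only).
APP_ENUMS = {
    "salesforce": {
        "integrationType": ("STANDARD", "PORTAL", "COMMUNITY"),
        "instanceType": ("SANDBOX", "PRODUCTION", "GOVERNMENT"),
    },
}
# Overrides that carry a URL; audienceOverride is an identifier, so only its
# presence is reported.
URL_OVERRIDES = ("destinationOverride", "recipientOverride", "ssoAcsUrlOverride")
SIGN_ON_KEY = "signOn"  # assumption: the property name is not shown on this page


def _check_sign_on(mode, sign_on):
    """Review findings for the SAML sign-on attributes of one payload."""
    out, prefix = [], f"settings.{SIGN_ON_KEY}."
    if mode == "SAML_2_0" and "destinationOverride" not in sign_on:
        out.append(("review", prefix + "destinationOverride",
                    "page note: set destinationOverride to configure other "
                    "SAML 2.0 attributes"))
    if "audienceOverride" in sign_on:
        out.append(("review", prefix + "audienceOverride",
                    "assertion audience is overridden"))
    for field in URL_OVERRIDES:
        if field not in sign_on:
            continue
        try:
            url = urlsplit(str(sign_on[field]))
            ok = url.scheme == "https" and bool(url.hostname)
        except ValueError:  # malformed URL
            ok = False
        # Local review policy (assumption): overrides must be absolute https URLs.
        msg = (f"assertions are routed to {url.hostname}" if ok
               else "override is not an absolute https URL")
        out.append(("review", prefix + field, msg))
    return out


def check_payload(payload):
    """Return a sorted list of (severity, field, message) findings."""
    name = payload.get("name")
    if not isinstance(name, str) or name not in OIN_RULES:
        return [("error", "name", f"unknown OIN key name: {name!r}")]
    modes, required_app = OIN_RULES[name]
    findings = []

    label = payload.get("label")
    if not isinstance(label, str) or not label.strip():
        findings.append(("error", "label", "label is required"))

    mode = payload.get("signOnMode")
    if mode is not None and mode not in modes:
        findings.append(("error", "signOnMode",
                         f"{name} supports only {list(modes)}, got {mode!r}"))

    settings = payload.get("settings")
    if not isinstance(settings, dict):
        findings.append(("error", "settings", "settings object is required"))
        return sorted(findings)

    app = settings.get("app")
    if not isinstance(app, dict):
        findings.append(("error", "settings.app", "app object is required"))
    else:
        for prop in required_app:
            if app.get(prop) in (None, ""):
                findings.append(("error", f"settings.app.{prop}",
                                 "required property is missing"))
        for prop, allowed in APP_ENUMS.get(name, {}).items():
            value = app.get(prop)
            if value not in (None, "") and value not in allowed:
                findings.append(("error", f"settings.app.{prop}",
                                 f"must be one of {list(allowed)}"))

    sign_on = settings.get(SIGN_ON_KEY)
    if isinstance(sign_on, dict) and sign_on:
        findings.extend(_check_sign_on(mode, sign_on))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: Office 365 requested with a mode this page does not list.
    sample = {"name": "office365", "label": "Sample Office365 App",
              "signOnMode": "SAML_2_0",
              "settings": {"app": {"domain": "example.com"}}}
    for severity, field, message in check_payload(sample):
        print(f"{severity:6} {field}: {message}")
```

Findings marked error are violations of what this page states; findings marked review are prompts for a human to confirm where assertions will be sent.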

Google Workspace

Schema for the Google Workspace app (key name: google)

To create a Google Workspace app, use the Create an Application request with the following parameters in the request body.

Note: The Google Workspace app only supports BROWSER_PLUGIN and SAML_2_0 sign-on modes.

name
required
string

The key name for the OIN app definition

Value: "google"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (GoogleApplicationSettings)

App settings

required
object (GoogleApplicationSettingsApplication)

Google app instance properties

domain
required
string

Your Google company domain

rpId
string

RPID

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Enum: "BROWSER_PLUGIN" "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "google",
  "label": "Sample Google App",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {}
  }
}

Microsoft Office 365

Schema for the Microsoft Office 365 app (key name: office365)

To create a Microsoft Office 365 app, use the Create an Application request with the following parameters in the request body.

Note: The Office 365 app only supports BROWSER_PLUGIN and SAML_1_1 sign-on modes.

name
required
string

The key name for the OIN app definition

Value: "office365"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (Office365ApplicationSettings)

App settings

required
object (Office365ApplicationSettingsApplication)

Office365 app instance properties

msftTenant
required
string

Microsoft tenant name

domain
required
string

The domain for your Office 365 account

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 1.1 settings)

Contains SAML 1.1 sign-on mode attributes

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Enum: "BROWSER_PLUGIN" "SAML_1_1"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "office365",
  "label": "Sample Office365 App",
  "signOnMode": "SAML_1_1",
  "settings": {
    "app": {}
  }
}

Salesforce

Schema for the Salesforce app (key name: salesforce)

To create a Salesforce app, use the Create an Application request with the following parameters in the request body.

Note: The Salesforce app only supports BROWSER_PLUGIN, BOOKMARK, and SAML_2_0 sign-on modes.

name
required
string

The key name for the OIN app definition

Value: "salesforce"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (SalesforceApplicationSettings)

App settings

required
object (SalesforceApplicationSettingsApplication)

Salesforce app instance properties

integrationType
required
string

Salesforce integration type

Enum: "STANDARD" "PORTAL" "COMMUNITY"
instanceType
required
string

Salesforce instance that you want to connect to

Enum: "SANDBOX" "PRODUCTION" "GOVERNMENT"
loginUrl
string

The Login URL specified in your Salesforce Single Sign-On settings

logoutUrl
string

Salesforce Logout URL

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Enum: "BROWSER_PLUGIN" "BOOKMARK" "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "salesforce",
  "label": "Sample Salesforce App",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {}
  }
}

Slack

Schema for the Slack app (key name: slack)

To create a Slack app, use the Create an Application request with the following parameters in the request body.

Note: The Slack app only supports BROWSER_PLUGIN and SAML_2_0 sign-on modes.

name
required
string

The key name for the OIN app definition

Value: "slack"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (SlackApplicationSettings)

App settings

required
object (SlackApplicationSettingsApplication)

Slack app instance properties

domain
required
string

The Slack app domain name

userEmailValue
string

The User.Email attribute value

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Enum: "BROWSER_PLUGIN" "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "slack",
  "label": "Sample Slack App",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {}
  }
}

Trend Micro Apex One Service

Schema for Trend Micro Apex One as a Service app (key name: trendmicroapexoneservice)

To create a Trend Micro Apex One as a Service app, use the Create an Application request with the following parameters in the request body.

Note: The Trend Micro Apex One as a Service app only supports SAML_2_0 sign-on mode.

name
required
string

The key name for the OIN app definition

Value: "trendmicroapexoneservice"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (TrendMicroApexOneServiceApplicationSettings)

App settings

required
object (TrendMicroApexOneServiceApplicationSettingsApplication)

Trend Micro Apex One as a Service app instance properties

baseURL
required
string

Base Trend Micro Apex One Service URL

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Value: "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "trendmicroapexoneservice",
  "label": "Sample Trend Micro Apex One as a Service App",
  "signOnMode": "SAML_2_0",
  "settings": {}
}

Zoom

Schema for the Zoom app (key name: zoomus)

To create a Zoom app, use the Create an Application request with the following parameters in the request body.

Note: The Zoom app only supports SAML_2_0 sign-on mode.

name
required
string

The key name for the OIN app definition

Value: "zoomus"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (ZoomUsApplicationSettings)

App settings

required
object (ZoomUsApplicationSettingsApplication)

Zoom app instance properties

subDomain
required
string

Your Zoom subdomain

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Value: "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "zoomus",
  "label": "Sample Zoom App",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {}
  }
}

Zscaler 2.0

Schema for the Zscaler 2.0 app (key name: zscalerbyz)

To create a Zscaler 2.0 app, use the Create an Application request with the following parameters in the request body.

Note: The Zscaler 2.0 app only supports BROWSER_PLUGIN and SAML_2_0 sign-on modes.

name
required
string

The key name for the OIN app definition

Value: "zscalerbyz"
label
required
string (ApplicationLabel)

User-defined display name for app

required
object (ZscalerbyzApplicationSettings)

App settings

required
object (ZscalerbyzApplicationSettingsApplication)

Zscaler app instance properties

siteDomain
string

Your Zscaler domain

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (SAML 2.0 settings)

Contains SAML 2.0 sign-on mode attributes.

Note: Set destinationOverride to configure any other SAML 2.0 attributes in this section.

audienceOverride
string

Audience override for CASB configuration. See CASB config guide.

Array of objects (SamlAttributeStatement)
defaultRelayState
string

Identifies a specific application resource in an IdP-initiated SSO scenario

destinationOverride
string

Destination override for CASB configuration. See CASB config guide.

recipientOverride
string

Recipient override for CASB configuration. See CASB config guide.

samlAssertionLifetimeSeconds
integer

Determines the SAML app session lifetimes with Okta

ssoAcsUrlOverride
string

Assertion Consumer Service (ACS) URL override for CASB configuration. See CASB config guide.

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
lastRotated
string <date-time>
nextRotation
string <date-time>
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
object
signOnMode
string

Authentication mode for the app

Enum: "BROWSER_PLUGIN" "SAML_2_0"
status
string (ApplicationLifecycleStatus)

App instance status

Enum: "ACTIVE" "DELETED" "INACTIVE"
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
{
  "name": "zscalerbyz",
  "label": "Sample Zscaler 2.0 App",
  "signOnMode": "SAML_2_0"
}

List all Applications
OAuth 2.0: okta.apps.read

Lists all applications with pagination. To return only a subset of apps, supply a supported filter expression or query.

Request
query Parameters
q
string
after
string

Specifies the pagination cursor for the next page of apps

limit
integer <int32>
Default: -1

Specifies the number of results for a page

filter
string

Filters apps by status, user.id, group.id or credentials.signing.kid expression

expand
string

An optional parameter used for link expansion to embed more resources in the response. Only supports expand=user/{userId} and must be used with the user.id eq "{userId}" filter query for the same user. Returns the assigned Application User in the _embedded property.

Example: expand=user/{userId}
includeNonDeleted
boolean
Default: false
Responses
200

Success

403

Forbidden

429

Too Many Requests

GET /api/v1/apps
Request samples
Response samples
application/json
[
  {
    "accessibility": {
    },
    "created": "2019-08-24T14:15:22Z",
    "features": [
    ],
    "id": "string",
    "label": "string",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "licensing": {
    },
    "profile": { },
    "signOnMode": "AUTO_LOGIN",
    "status": "ACTIVE",
    "visibility": {
    },
    "_embedded": {
    },
    "_links": {
    }
  }
]
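
An added example, not part of the Okta documentation: it builds a List all Applications request from the filter, limit and after parameters and reviews one page of results for credential and access settings worth a second look. The org URL, the sample apps and the choice of which settings count as findings are assumptions.

```python
from urllib.parse import quote, urlencode

BASE_URL = "https://example.okta.com"  # assumption: placeholder org URL


def list_apps_url(status="ACTIVE", limit=50, after=None):
    """Build a GET /api/v1/apps URL from the filter, limit and after parameters."""
    params = {"filter": f'status eq "{status}"', "limit": limit}
    if after:
        params["after"] = after  # pagination cursor for the next page
    return f"{BASE_URL}/api/v1/apps?{urlencode(params, quote_via=quote)}"


def audit_app(app):
    """Return review findings for one Application object (policy is an assumption)."""
    findings = []
    creds = app.get("credentials") or {}
    if creds.get("scheme") == "SHARED_USERNAME_AND_PASSWORD":
        findings.append("shared username and password")
    if creds.get("revealPassword") is True:
        findings.append("revealPassword enabled")
    if (app.get("accessibility") or {}).get("selfService") is True:
        findings.append("self-service assignment enabled")
    return findings


def audit_page(apps):
    """Map app id -> findings for ACTIVE apps with at least one finding."""
    report = {}
    for app in apps:
        if app.get("status") != "ACTIVE":
            continue  # INACTIVE and DELETED apps are out of scope here
        findings = audit_app(app)
        if findings:
            report[app["id"]] = findings
    return report


# Constructed sample page: ids, labels and values are made up.
SAMPLE_PAGE = [
    {"id": "0oaEXAMPLE0001", "label": "Legacy Finance Portal", "status": "ACTIVE",
     "signOnMode": "BROWSER_PLUGIN",
     "accessibility": {"selfService": False},
     "credentials": {"scheme": "SHARED_USERNAME_AND_PASSWORD",
                     "userName": "finance-shared", "password": {},
                     "revealPassword": True}},
    {"id": "0oaEXAMPLE0002", "label": "Sample Zscaler 2.0 App", "status": "ACTIVE",
     "signOnMode": "SAML_2_0",
     "accessibility": {"selfService": False},
     "credentials": {"signing": {"kid": "constructed-kid"}}},
    {"id": "0oaEXAMPLE0003", "label": "Retired Wiki", "status": "INACTIVE",
     "signOnMode": "BROWSER_PLUGIN",
     "accessibility": {"selfService": True},
     "credentials": {"scheme": "EDIT_USERNAME_AND_PASSWORD",
                     "revealPassword": True}},
]

if __name__ == "__main__":
    print(list_apps_url())
    for app_id, findings in audit_page(SAMPLE_PAGE).items():
        print(app_id, findings)
```

The bare `"password": {}` in the first sample app mirrors the PasswordCredential note: a response only signals that a password exists and never returns its value.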

Create an Application
OAuth 2.0: okta.apps.manage

Creates a new application in your Okta organization

Request
query Parameters
activate
boolean
Default: true

Executes activation lifecycle operation when creating the app

header Parameters
OktaAccessGateway-Agent
string
Request Body schema: application/json
required
signOnMode
required
string (ApplicationSignOnMode)

Authentication mode for the app

label
required
string (ApplicationLabel)

User-defined display name for app

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

features
Array of strings

Enabled app features

object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
any
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
object (ApplicationLinks)

Discoverable resources related to the app

Array of objects (Link Object)
Array
href
required
string

Link URI

object (HrefHints)

Describes allowed HTTP verbs for the href

name
string

Link name

templated
boolean

Indicates whether the Link Object's href property is a URI template.

type
string

The media type of the link. If omitted, it is implicitly application/json.

property name*
additional property
any
object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (AutoLoginApplicationSettings)

App settings

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (AutoLoginApplicationSettingsSignOn)
loginUrl
required
string

Primary URL of the sign-in page for this app

redirectUrl
string

Secondary URL of the sign-in page for this app

Responses
200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

POST /api/v1/apps
Request samples
application/json
{}
Response samples
application/json
{}

Retrieve an Application
OAuth 2.0: okta.apps.read

Retrieves an application from your Okta organization by id

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
query Parameters
expand
string
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

GET /api/v1/apps/{appId}
Request samples
Response samples
application/json
{
  "accessibility": {
    "errorRedirectUrl": "string",
    "loginRedirectUrl": "string",
    "selfService": true
  },
  "created": "2019-08-24T14:15:22Z",
  "features": [
    "string"
  ],
  "id": "string",
  "label": "string",
  "lastUpdated": "2019-08-24T14:15:22Z",
  "licensing": {
    "seatCount": 0
  },
  "profile": { },
  "signOnMode": "AUTO_LOGIN",
  "status": "ACTIVE",
  "visibility": {
    "appLinks": {
    },
    "autoLaunch": true,
    "autoSubmitToolbar": true,
    "hide": {
    }
  },
  "_embedded": {
    "property1": { },
    "property2": { }
  },
  "_links": {
    "accessPolicy": {
    },
    "activate": {
    },
    "deactivate": {
    },
    "groups": {
    },
    "logo": [
    ],
    "metadata": {
    },
    "self": {
    },
    "users": {
    }
  },
  "credentials": {
    "signing": {
    },
    "userNameTemplate": {
    },
    "password": {
    },
    "revealPassword": true,
    "scheme": "ADMIN_SETS_CREDENTIALS",
    "userName": "string"
  },
  "name": "string",
  "settings": {
    "identityStoreId": "string",
    "implicitAssignment": true,
    "inlineHookId": "string",
    "notes": {
    },
    "notifications": {
    },
    "signOn": {
    }
  }
}

Replace an Application
OAuth 2.0: okta.apps.manage

Replaces properties for an application

Notes:

  • All required properties must be specified in the request body
  • You can't modify system-assigned properties, such as id, name, status, created, and lastUpdated. The values for these properties in the PUT request body are ignored.
Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Request Body schema: application/json
required
signOnMode
required
string (ApplicationSignOnMode)

Authentication mode for the app

label
required
string (ApplicationLabel)

User-defined display name for app

object (ApplicationAccessibility)

Specifies access settings for the app

errorRedirectUrl
string

Custom error page URL for the app

loginRedirectUrl
string

Custom login page URL for the app

selfService
boolean

Represents whether the app can be self-assignable by users

features
Array of strings

Enabled app features

object (ApplicationLicensing)
seatCount
integer

Number of licenses purchased for the app

object

Contains any valid JSON schema for specifying properties that can be referenced from a request (only available to OAuth 2.0 client apps)

property name*
additional property
any
object (ApplicationVisibility)
object

Links or icons that appear on the End-User Dashboard when they're assigned to the app

property name*
additional property
boolean
autoLaunch
boolean

Automatically signs in to the app when user signs into Okta

autoSubmitToolbar
boolean

Automatically sign in when user lands on the sign-in page

object (ApplicationVisibilityHide)

Hides the app for specific end-user apps

iOS
boolean
web
boolean
object (ApplicationLinks)

Discoverable resources related to the app

Array of objects (Link Object)
Array
href
required
string

Link URI

object (HrefHints)

Describes allowed HTTP verbs for the href

name
string

Link name

templated
boolean

Indicates whether the Link Object's href property is a URI template.

type
string

The media type of the link. If omitted, it is implicitly application/json.

property name*
additional property
any
object (SchemeApplicationCredentials)

Credentials for the specified signOnMode

object
kid
string
rotationMode
string
use
string
Value: "sig"
object (ApplicationCredentialsUsernameTemplate)
pushStatus
string
template
string
type
string
userSuffix
string
object (PasswordCredential)

When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

object (PasswordCredentialHash)

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a user with a hashed password, the user must be in the STAGED status.

object (PasswordCredentialHook)

Specify a password import inline hook to trigger verification of the user's password the first time the user logs in. This allows an existing password to be imported into Okta directly from some other store. See Create User with Password Hook for information on using this object when creating a user.

value
string <password>

Specifies the password for a user. The Password Policy validates this password.

revealPassword
boolean

Allow users to securely see their password

scheme
string (ApplicationCredentialsScheme)
Enum: "ADMIN_SETS_CREDENTIALS" "EDIT_PASSWORD_ONLY" "EDIT_USERNAME_AND_PASSWORD" "EXTERNAL_PASSWORD_SYNC" "SHARED_USERNAME_AND_PASSWORD"
userName
string
object (AutoLoginApplicationSettings)

App settings

identityStoreId
string
implicitAssignment
boolean
inlineHookId
string
object (ApplicationSettingsNotes)
admin
string
enduser
string
object (ApplicationSettingsNotifications)
object (ApplicationSettingsNotificationsVpn)
object (AutoLoginApplicationSettingsSignOn)
loginUrl
required
string

Primary URL of the sign-in page for this app

redirectUrl
string

Secondary URL of the sign-in page for this app

Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

PUT /api/v1/apps/{appId}
Request samples
application/json
{
  "name": "bookmark",
  "label": "Sample Bookmark App updated",
  "signOnMode": "BOOKMARK",
  "settings": {}
}
Response samples
application/json
{}
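
An added example, not part of the Okta documentation: because a Replace request silently ignores system-assigned properties, a caller who sends `"status": "INACTIVE"` in a PUT gets no error and no deactivation. This helper builds the PUT body from a retrieved app, rejects edits to those properties up front, and checks that the required `signOnMode` and `label` are present. The function names and the sample app are assumptions.

```python
import copy

# Listed on the page as system-assigned: values sent in a PUT body are ignored.
SYSTEM_ASSIGNED = {"id", "name", "status", "created", "lastUpdated"}
REQUIRED = ("signOnMode", "label")


def _merge(base, changes):
    """Recursively apply changes onto base (dicts merge, other values replace)."""
    for key, value in changes.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            _merge(base[key], value)
        else:
            base[key] = copy.deepcopy(value)
    return base


def build_replace_body(current, changes):
    """Build a PUT /api/v1/apps/{appId} body from a retrieved app plus edits."""
    blocked = sorted(SYSTEM_ASSIGNED.intersection(changes))
    if blocked:
        # The API would ignore these silently; fail loudly instead.
        raise ValueError(f"system-assigned properties cannot be changed: {blocked}")
    # "name" is kept because the page's own PUT sample sends it; its value
    # is ignored by the API like the other system-assigned properties.
    body = {k: copy.deepcopy(v) for k, v in current.items()
            if k not in SYSTEM_ASSIGNED or k == "name"}
    _merge(body, changes)
    missing = [p for p in REQUIRED if not body.get(p)]
    if missing:
        raise ValueError(f"required properties missing: {missing}")
    return body


# Constructed result of GET /api/v1/apps/{appId} (id and timestamps are made up).
CURRENT_APP = {
    "id": "0oaEXAMPLE0001",
    "name": "bookmark",
    "label": "Sample Bookmark App",
    "status": "ACTIVE",
    "created": "2019-08-24T14:15:22Z",
    "lastUpdated": "2019-08-24T14:15:22Z",
    "signOnMode": "BOOKMARK",
    "visibility": {"autoLaunch": False, "autoSubmitToolbar": False},
    "settings": {},
}
```

To change an app's status, use the Activate an Application and Deactivate an Application lifecycle operations instead of a PUT.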

Delete an Application
OAuth 2.0: okta.apps.manage

Deletes an inactive application

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

DELETE /api/v1/apps/{appId}
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Activate an Application
OAuth 2.0: okta.apps.manage

Activates an inactive application

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/apps/{appId}/lifecycle/activate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}

Deactivate an Application
OAuth 2.0: okta.apps.manage

Deactivates an active application

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

POST /api/v1/apps/{appId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": [ ]
}