The Application Public Keys API provides a set of operations to manage public JSON keys used for OAuth 2.0 client authentication as described in Client authentication methods or for encrypting ID tokens. Encrypting ID tokens is self-service Early Access.
Lists all JSON Web Keys for an OAuth 2.0 client app
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "jwks": {
    "keys": [
      {
        "id": "pks2f4zrZbs8nUa7p0g4",
        "kid": "DRUFXGF9XbLnS9k-Sla3x3POBiIxDreBCdZuFs5B",
        "kty": "RSA",
        "alg": "RS256",
        "use": "sig",
        "e": "AQAB",
        "n": "AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
        "status": "INACTIVE",
        "created": "2023-02-21T20:08:24.000Z",
        "lastUpdated": "2023-02-21T20:08:24.000Z",
        "_links": {
          "activate": {
            "hints": {
              "allow": ["POST"]
            }
          },
          "delete": {
            "hints": {
              "allow": ["DELETE"]
            }
          }
        }
      },
      {
        "id": "pks2f50kZB0cITmYU0g4",
        "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
        "kty": "RSA",
        "alg": "RS256",
        "use": "sig",
        "e": "AQAB",
        "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
        "status": "ACTIVE",
        "created": "2023-04-06T21:32:33.000Z",
        "lastUpdated": "2023-04-06T21:32:33.000Z",
        "_links": {
          "deactivate": {
            "hints": {
              "allow": ["POST"]
            }
          }
        }
      }
    ]
  }
}
Adds a new JSON Web Key to the client's JSON Web Keys.
Note: This API doesn't allow you to add a key if the existing key doesn't have a kid. This is also consistent with how the Dynamic Client Registration or Applications APIs behave, as they don't allow the creation of multiple keys without kids. Use the Replace an Application or the Replace a Client Application operation to update the JWKS or Delete an OAuth 2.0 Client JSON Web Key and re-add the key with a kid.
A JSON Web Key (JWK) is a JSON representation of a cryptographic key. Okta uses signing keys to verify the signature of a JWT when provided for the private_key_jwt client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys for signing tokens.
An RSA signing key
Created
Bad Request
Unauthorized
Forbidden
Too Many Requests
{
  "id": "pks2f50kZB0cITmYU0g4",
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "ACTIVE"
}
{
  "id": "pks2f50kZB0cITmYU0g4",
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "ACTIVE",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
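A pre-flight check a client could run before submitting a key to the add operation above. This is an added example, not Okta's code: the function name, the sample keys and the distinct-kid check (an RFC 7517 recommendation) are assumptions, while the kid and RSA/EC rules come from the note and description above.

```python
# Added example: validate a JWK locally before calling the add-key operation.
# All key values below are constructed placeholders, not real key material.

# Private (RSA/EC) and symmetric members defined by RFC 7518; none belong in a public JWK.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members required per key type; the page states RSA and EC are supported.
REQUIRED_PUBLIC = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}}


def check_jwk_for_upload(candidate, existing_keys):
    """Return a list of problems; an empty list means the key can be submitted."""
    problems = []

    # This API manages public keys: private parameters must never leave the client.
    leaked = PRIVATE_MEMBERS.intersection(candidate)
    if leaked:
        problems.append("private members present: " + ",".join(sorted(leaked)))

    kty = candidate.get("kty")
    if kty not in REQUIRED_PUBLIC:
        problems.append(f"unsupported kty: {kty!r}")
    else:
        missing = REQUIRED_PUBLIC[kty].difference(candidate)
        if missing:
            problems.append("missing public members: " + ",".join(sorted(missing)))

    # Page note: a key can't be added while an existing key lacks a kid.
    if any(not k.get("kid") for k in existing_keys):
        problems.append("an existing key has no kid")
    if existing_keys and not candidate.get("kid"):
        problems.append("candidate has no kid")
    # Distinct kids in one set: RFC 7517 recommendation (assumption, not a page rule).
    elif candidate.get("kid") in {k.get("kid") for k in existing_keys}:
        problems.append("kid already registered")
    return problems


# Constructed sample inputs.
EXISTING = [{"kid": "constructed-kid-1", "kty": "RSA", "e": "AQAB", "n": "constructed-modulus-1"}]
GOOD = {"kid": "constructed-kid-2", "kty": "RSA", "alg": "RS256", "use": "sig",
        "e": "AQAB", "n": "constructed-modulus-2"}
LEAKY = dict(GOOD, d="constructed-private-exponent")  # whole key pair pasted by mistake

if __name__ == "__main__":
    for name, jwk in (("GOOD", GOOD), ("LEAKY", LEAKY)):
        print(name, check_jwk_for_upload(jwk, EXISTING))
```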
Retrieves an OAuth 2.0 Client JSON Web Key by keyId.
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "pks2f50kZB0cITmYU0g4",
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "ACTIVE",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Deletes an OAuth 2.0 Client JSON Web Key by keyId. You can only delete an inactive key.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "sampleQPivGUj_ND5v78vbYWW",
  "errorCauses": [
    {
      "errorSummary": "''ACTIVE'' keys cannot be deleted. Activate another key before deleting this one."
    }
  ]
}
Activates an OAuth 2.0 Client JSON Web Key by keyId.
Note: You can have only one active encryption key at any given time for an app. When you activate an inactive key, the current active key is automatically deactivated.
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "pks2f50kZB0cITmYU0g4",
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "ACTIVE",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Deactivates an OAuth 2.0 Client JSON Web Key by keyId.
Note: You can only deactivate signing keys. Deactivating the active encryption key isn't allowed if the client has ID token encryption enabled. You can activate another encryption key, which makes the current key inactive.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "pks2f50kZB0cITmYU0g4",
  "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e": "AQAB",
  "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  "status": "INACTIVE",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "activate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Lists all client secrets for an OAuth 2.0 client app
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
[
  {
    "id": "ocs2f4zrZbs8nUa7p0g4",
    "status": "INACTIVE",
    "client_secret": "DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B",
    "secret_hash": "yk4SVx4sUWVJVbHt6M-UPA",
    "created": "2023-02-21T20:08:24.000Z",
    "lastUpdated": "2023-02-21T20:08:24.000Z",
    "_links": {
      "activate": {
        "hints": {
          "allow": ["POST"]
        }
      },
      "delete": {
        "hints": {
          "allow": ["DELETE"]
        }
      }
    }
  },
  {
    "id": "ocs2f50kZB0cITmYU0g4",
    "status": "ACTIVE",
    "client_secret": "HAGDTYU9XbLnS......3xasFDDwecdZuFs5B",
    "secret_hash": "0WOOvBSzV9clc4Nr7Rbaug",
    "created": "2023-04-06T21:32:33.000Z",
    "lastUpdated": "2023-04-06T21:32:33.000Z",
    "_links": {
      "deactivate": {
        "hints": {
          "allow": ["POST"]
        }
      }
    }
  }
]
Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects.
Note: This API lets you bring your own secret. If token_endpoint_auth_method of the app is client_secret_jwt, then the minimum length of client_secret is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret.
Created
Bad Request
Unauthorized
Forbidden
Too Many Requests
{ }
{
  "id": "ocs2f50kZB0cITmYU0g4",
  "status": "ACTIVE",
  "client_secret": "DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B",
  "secret_hash": "FpCwXwSjTRQNtEI11I00-g",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Retrieves an OAuth 2.0 Client Secret by secretId
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "ocs2f50kZB0cITmYU0g4",
  "status": "ACTIVE",
  "client_secret": "DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B",
  "secret_hash": "FpCwXwSjTRQNtEI11I00-g",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Deletes an OAuth 2.0 Client Secret by secretId. You can only delete an inactive Secret.
No Content
Bad Request
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "sampleQPivGUj_ND5v78vbYWW",
  "errorCauses": [
    {
      "errorSummary": "You can't delete an active client secret. Deactivate the secret before deleting it."
    }
  ]
}
Activates an OAuth 2.0 Client Secret by secretId
OK
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "ocs2f50kZB0cITmYU0g4",
  "status": "ACTIVE",
  "client_secret": "DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B",
  "secret_hash": "0WOOvBSzV9clc4Nr7Rbaug",
  "created": "2023-04-06T21:32:33.000Z",
  "lastUpdated": "2023-04-06T21:32:33.000Z",
  "_links": {
    "deactivate": {
      "hints": {
        "allow": ["POST"]
      }
    }
  }
}
Deactivates an OAuth 2.0 Client Secret by secretId. You can't deactivate a secret if it's the only secret of the client.
OK
Bad Request
Unauthorized
Forbidden
Not Found
Too Many Requests
{
  "id": "ocs2f4zrZbs8nUa7p0g4",
  "status": "INACTIVE",
  "client_secret": "DRUFXGF9XbLn......a3x3POBiIxDreBCdZuFs5B",
  "secret_hash": "yk4SVx4sUWVJVbHt6M-UPA",
  "created": "2023-02-21T20:08:24.000Z",
  "lastUpdated": "2023-02-21T20:08:24.000Z",
  "_links": {
    "activate": {
      "hints": {
        "allow": ["POST"]
      }
    },
    "delete": {
      "hints": {
        "allow": ["DELETE"]
      }
    }
  }
}
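The client secret constraints above (at most two Secret objects, only inactive secrets can be deleted, the only secret can't be deactivated) fix the order of operations in a rotation. The planner below is an added example, not Okta's code: it takes a list shaped like the list-secrets response and returns the ordered steps; the function name, the sample data and the "deploy-new-secret" operator step are assumptions.

```python
# Added example: plan a client-secret rotation under the constraints stated on this page.
# Sample data is constructed; only id, status and created are needed for planning.

MAX_SECRETS = 2  # page: "You can create up to two Secret objects"

SAMPLE = [
    {"id": "ocs-constructed-old", "status": "INACTIVE", "created": "2023-02-21T20:08:24.000Z"},
    {"id": "ocs-constructed-cur", "status": "ACTIVE", "created": "2023-04-06T21:32:33.000Z"},
]


def plan_secret_rotation(secrets):
    """Return ordered (operation, secret_id) steps; secret_id is None for untargeted steps."""
    by_age = sorted(secrets, key=lambda s: s["created"])  # ISO 8601 strings sort by time
    active = [s["id"] for s in by_age if s["status"] == "ACTIVE"]
    inactive = [s["id"] for s in by_age if s["status"] == "INACTIVE"]
    steps = []

    # Free a slot first: creating a third Secret object returns an error.
    while len(active) + len(inactive) >= MAX_SECRETS:
        if inactive:
            # Only inactive secrets can be deleted.
            steps.append(("delete", inactive.pop(0)))
        else:
            # Two active secrets: the older one can be deactivated because it is not
            # the only secret. Confirm the client no longer presents it first.
            oldest = active.pop(0)
            steps += [("deactivate", oldest), ("delete", oldest)]

    steps.append(("create", None))  # the new secret is created ACTIVE

    # Operator step (assumption, not an API call): roll the new secret out to the
    # client before the previous one stops being accepted.
    steps.append(("deploy-new-secret", None))

    # Retire what was active before; with the new secret present, none of these
    # is "the only secret of the client", so deactivation is permitted.
    for sid in active:
        steps += [("deactivate", sid), ("delete", sid)]
    return steps


if __name__ == "__main__":
    for op, sid in plan_secret_rotation(SAMPLE):
        print(op, sid or "")
```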