Application Public Keys

The Application Public Keys API provides a set of operations to manage public JSON keys used for OAuth 2.0 client authentication as described in Client authentication methods or for encrypting ID tokens. Encrypting ID tokens is self-service Early Access.

List all the OAuth 2.0 client JSON Web Keys
OAuth 2.0 scopes:
  • okta.apps.read

Lists all JSON Web Keys for an OAuth 2.0 client app

Request
path Parameters
appId
required
string

Application ID

Example: 0oafxqCAJWWGELFTYASJ
Responses
200

OK

401

Unauthorized

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/apps/{appId}/credentials/jwks
Request samples 
Response samples 
application/json
{}
Add a JSON Web Key
OAuth 2.0 scopes: 
  • okta.apps.manage
Adds a new JSON Web Key to the client`s JSON Web Keys.




Note: This API doesn't allow you to add a key if the existing key doesn't have a kid. This is also consistent with how the Dynamic Client Registration or Applications APIs behave, as they don't allow the creation of multiple keys without kids. Use the Replace an Application or the Replace a Client Application operation to update the JWKS or Delete an OAuth 2.0 Client JSON Web Key and re-add the key with a kid.




Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
Request Body schema: application/json
required
One of:
A JSON Web Key (JWK) is a JSON representation of a cryptographic key. Okta uses signing keys to verify the signature of a JWT when provided for the private_key_jwt client authentication method or for a signed authorize request object. Okta supports both RSA and Elliptic Curve (EC) keys for signing tokens.


One of:
An RSA signing key


e
string
RSA key value (exponent) for key binding


 
kty
string
Cryptographic algorithm family for the certificate's key pair


 Value: "RSA"  
n
string
RSA key value (modulus) for key binding


 
kid
string or null
Unique identifier of the JSON Web Key in the OAUth 2.0 client's JWKS


 
status
string
 Default:  "ACTIVE"
Status of the OAuth 2.0 client JSON Web Key


 Enum: "ACTIVE" "INACTIVE"  
alg
string
Algorithm used in the key


 
use
string
Acceptable use of the JSON Web Key


 Value: "sig"  
Responses 
201
Created


400
Bad Request


401
Unauthorized


403
Forbidden


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/jwks
Request samples 
application/json
{
  • "id": "pks2f50kZB0cITmYU0g4",
  • "kid": "ASHJHGasa782333-Sla3x3POBiIxDreBCdZuFs5B",
  • "kty": "RSA",
  • "alg": "RS256",
  • "use": "sig",
  • "e": "AQAB",
  • "n": "AJncrzOrouIUCSMlRL0HU.....Kuine49_CEVR4GPn=",
  • "status": "ACTIVE"
}
Response samples 
application/json
{}
Retrieve an OAuth 2.0 client JSON Web Key
OAuth 2.0 scopes: 
  • okta.apps.read
Retrieves an OAuth 2.0 Client JSON Web Key by keyId.


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
keyId
required
string
Unique id of the Custom Authorization Server JSON Web Key


 
 Example:  apk2f4zrZbs8nUa7p0g4
Responses 
200
OK


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/apps/{appId}/credentials/jwks/{keyId}
Request samples 
Response samples 
application/json
{}
Delete an OAuth 2.0 client JSON Web Key
OAuth 2.0 scopes: 
  • okta.apps.manage
Deletes an OAuth 2.0 Client JSON Web Key by keyId. You can only delete an inactive key.


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
keyId
required
string
Unique id of the Custom Authorization Server JSON Web Key


 
 Example:  apk2f4zrZbs8nUa7p0g4
Responses 
204
No Content


400
Bad Request


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/apps/{appId}/credentials/jwks/{keyId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000001",
  • "errorSummary": "Api validation failed: JsonWebKey",
  • "errorLink": "E0000001",
  • "errorId": "sampleQPivGUj_ND5v78vbYWW",
  • "errorCauses": [
    • {
      }
    ]
}
Activate an OAuth 2.0 client JSON Web Key
OAuth 2.0 scopes: 
  • okta.apps.manage
Activates an OAuth 2.0 Client JSON Web Key by keyId




Note: You can have only one active encryption key at any given time for app. When you activate an inactive key, the current active key is automatically deactivated.




Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
keyId
required
string
Unique id of the Custom Authorization Server JSON Web Key


 
 Example:  apk2f4zrZbs8nUa7p0g4
Responses 
200
OK


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/activate
Request samples 
Response samples 
application/json
{}
Deactivate an OAuth 2.0 client JSON Web Key
OAuth 2.0 scopes: 
  • okta.apps.manage
Deactivates an OAuth 2.0 Client JSON Web Key by keyId.




Note: You can only deactivate signing keys. Deactivating the active encryption key isn't allowed if the client has ID token encryption enabled. You can activate another encryption key, which makes the current key inactive.




Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
keyId
required
string
Unique id of the Custom Authorization Server JSON Web Key


 
 Example:  apk2f4zrZbs8nUa7p0g4
Responses 
200
OK


400
Bad Request


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/jwks/{keyId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{}
List all OAuth 2.0 client secrets
OAuth 2.0 scopes: 
  • okta.apps.read
Lists all client secrets for an OAuth 2.0 client app


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
Responses 
200
OK


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/apps/{appId}/credentials/secrets
Request samples 
Response samples 
application/json
[]
Create an OAuth 2.0 client secret
OAuth 2.0 scopes: 
  • okta.apps.manage
Creates an OAuth 2.0 Client Secret object with a new active client secret. You can create up to two Secret objects. An error is returned if you attempt to create more than two Secret objects.




Note: This API lets you bring your own secret. If token_endpoint_auth_method of the app is client_secret_jwt, then the minimum length of client_secret is 32 characters. If no secret is specified in the request, Okta adds a new system-generated secret.




Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
Request Body schema: application/json
client_secret
string
The OAuth 2.0 client secret string


 
status
string
Status of the OAuth 2.0 Client Secret


 Enum: "ACTIVE" "INACTIVE"  
Responses 
201
Created


400
Bad Request


401
Unauthorized


403
Forbidden


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/secrets
Request samples 
application/json
{ }
Response samples 
application/json
{}
Retrieve an OAuth 2.0 client secret
OAuth 2.0 scopes: 
  • okta.apps.read
Retrieves an OAuth 2.0 Client Secret by secretId


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
secretId
required
string
Unique id of the OAuth 2.0 Client Secret


 
 Example:  ocs2f4zrZbs8nUa7p0g4
Responses 
200
OK


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/apps/{appId}/credentials/secrets/{secretId}
Request samples 
Response samples 
application/json
{}
Delete an OAuth 2.0 client secret
OAuth 2.0 scopes: 
  • okta.apps.manage
Deletes an OAuth 2.0 Client Secret by secretId. You can only delete an inactive Secret.


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
secretId
required
string
Unique id of the OAuth 2.0 Client Secret


 
 Example:  ocs2f4zrZbs8nUa7p0g4
Responses 
204
No Content


400
Bad Request


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/apps/{appId}/credentials/secrets/{secretId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000001",
  • "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  • "errorLink": "E0000001",
  • "errorId": "sampleQPivGUj_ND5v78vbYWW",
  • "errorCauses": [
    • {
      }
    ]
}
Activate an OAuth 2.0 client secret
OAuth 2.0 scopes: 
  • okta.apps.manage
Activates an OAuth 2.0 Client Secret by secretId


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
secretId
required
string
Unique id of the OAuth 2.0 Client Secret


 
 Example:  ocs2f4zrZbs8nUa7p0g4
Responses 
200
OK


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/activate
Request samples 
Response samples 
application/json
{}
Deactivate an OAuth 2.0 client secret
OAuth 2.0 scopes: 
  • okta.apps.manage
Deactivates an OAuth 2.0 Client Secret by secretId. You can't deactivate a secret if it's the only secret of the client.


Request 
path Parameters
appId
required
string
Application ID


 
 Example:  0oafxqCAJWWGELFTYASJ
secretId
required
string
Unique id of the OAuth 2.0 Client Secret


 
 Example:  ocs2f4zrZbs8nUa7p0g4
Responses 
200
OK


400
Bad Request


401
Unauthorized


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/apps/{appId}/credentials/secrets/{secretId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{}