The Authenticators Administration API provides operations to configure which authenticators are available to end users for use when they sign in to apps.
End users are required to use one or more authenticators based on the security requirements of the authentication policy.
Okta Identity Engine currently supports authenticators for the following factors:
Knowledge-based:
Possession-based:
Retrieves the well-known app authenticator configuration. Includes an app authenticator's settings, supported methods, and other details.
Success
Bad Request
Too Many Requests
[
  {
    "authenticatorId": "aut22f6xzargnJZYE3l7",
    "orgId": "00o1vhf34q20MfCFC3l7",
    "type": "app",
    "key": "custom_app",
    "name": "EnergyAus Authenticator",
    "createdDate": "2022-10-11T08:56:45.000Z",
    "lastUpdated": "2023-09-07T11:31:35.000Z",
    "settings": {
      "userVerification": "PREFERRED"
    },
    "supportedMethods": [
      {
        "type": "push",
        "status": "ACTIVE",
        "settings": {
          "algorithms": ["RS256", "ES256"],
          "keyProtection": "ANY"
        }
      }
    ]
  }
]
okta.authenticators.read
Lists all authenticators
Success
Forbidden
Too Many Requests
[
  {
    "type": "email",
    "id": "aut1nbsPHh7jNjjyP0g4",
    "key": "okta_email",
    "status": "ACTIVE",
    "name": "Email",
    "created": "2020-07-26T21:05:23.000Z",
    "lastUpdated": "2020-07-28T21:45:52.000Z",
    "settings": {
      "allowedFor": "any",
      "tokenLifetimeInMinutes": 5
    },
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "methods": { "hints": { "allow": ["GET"] } },
      "deactivate": { "hints": { "allow": ["POST"] } }
    }
  },
  {
    "type": "password",
    "id": "aut1nbtrJKKA9m45a0g4",
    "key": "okta_password",
    "status": "ACTIVE",
    "name": "Password",
    "created": "2020-07-26T21:05:23.000Z",
    "lastUpdated": "2020-07-26T21:05:23.000Z",
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "methods": { "hints": { "allow": ["GET"] } }
    }
  },
  {
    "type": "phone",
    "id": "aut1nbuyD8m1ckAYc0g4",
    "key": "phone_number",
    "status": "INACTIVE",
    "name": "Phone",
    "created": "2020-07-26T21:05:23.000Z",
    "lastUpdated": "2020-07-29T00:21:29.000Z",
    "settings": {
      "allowedFor": "none"
    },
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "methods": { "hints": { "allow": ["GET"] } },
      "activate": { "hints": { "allow": ["POST"] } }
    }
  },
  {
    "type": "security_key",
    "id": "aut1nd8PQhGcQtSxB0g4",
    "key": "webauthn",
    "status": "ACTIVE",
    "name": "Security Key or Biometric",
    "created": "2020-07-26T21:16:37.000Z",
    "lastUpdated": "2020-07-27T18:59:30.000Z",
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "methods": { "hints": { "allow": ["GET"] } },
      "deactivate": { "hints": { "allow": ["POST"] } }
    }
  }
]
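The list response above is enough to detect configuration drift in an org's authenticators. The following is an added example, not part of the Okta reference: it compares each authenticator's status with a baseline and uses the advertised `_links` to name the lifecycle operation that would correct it. The `BASELINE` policy and the `find_drift` helper are hypothetical, and the input is constructed by trimming the sample response.

```python
import json

# Constructed input: trimmed from the sample "Lists all authenticators" response.
LIST_RESPONSE = json.loads("""
[
  {"key": "okta_email", "status": "ACTIVE", "settings": {"allowedFor": "any"},
   "_links": {"deactivate": {"hints": {"allow": ["POST"]}}}},
  {"key": "okta_password", "status": "ACTIVE", "_links": {}},
  {"key": "phone_number", "status": "INACTIVE", "settings": {"allowedFor": "none"},
   "_links": {"activate": {"hints": {"allow": ["POST"]}}}},
  {"key": "webauthn", "status": "ACTIVE",
   "_links": {"deactivate": {"hints": {"allow": ["POST"]}}}}
]
""")

# Hypothetical baseline an org might choose; not an Okta default.
BASELINE = {"okta_password": "ACTIVE", "webauthn": "ACTIVE",
            "phone_number": "INACTIVE", "okta_email": "INACTIVE"}


def find_drift(authenticators, baseline):
    """Return one finding per authenticator that deviates from the baseline."""
    by_key = {a["key"]: a for a in authenticators}
    findings = []
    for key, wanted in sorted(baseline.items()):
        auth = by_key.get(key)
        if auth is None:
            findings.append({"key": key, "issue": "missing", "fix": None})
            continue
        if auth.get("status") == wanted:
            continue
        # Only suggest a lifecycle operation the API itself advertises via _links.
        op = "activate" if wanted == "ACTIVE" else "deactivate"
        allowed = auth.get("_links", {}).get(op, {}).get("hints", {}).get("allow", [])
        findings.append({"key": key,
                         "issue": f"status is {auth.get('status')}, want {wanted}",
                         "fix": op if "POST" in allowed else None})
    # Active authenticators the baseline never mentions are also reported.
    for key, auth in sorted(by_key.items()):
        if key not in baseline and auth.get("status") == "ACTIVE":
            findings.append({"key": key, "issue": "active but not in baseline", "fix": None})
    return findings


if __name__ == "__main__":
    for finding in find_drift(LIST_RESPONSE, BASELINE):
        print(finding)
```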
okta.authenticators.manage
Creates an authenticator
key | string (AuthenticatorKeyEnum) | A human-readable string that identifies the authenticator
name | string | Display name of the authenticator
status | string (LifecycleStatus) | Enum: "ACTIVE" "INACTIVE"
type | string (AuthenticatorType) | The type of authenticator
agreeToTerms | boolean | A value of
object | |||||
object | |||||
OK
Bad Request
Forbidden
Too Many Requests
{
  "key": "duo",
  "name": "Duo Security",
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      },
      "integrationKey": "testIntegrationKey",
      "secretKey": "testSecretKey"
    }
  }
}

{
  "type": "app",
  "id": "aut9gnvcjUHIWb37J0g4",
  "key": "duo",
  "status": "ACTIVE",
  "name": "Duo Security",
  "created": "2022-07-15T21:14:02.000Z",
  "lastUpdated": "2022-07-15T21:14:02.000Z",
  "settings": { },
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      }
    }
  },
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } },
    "methods": { "hints": { "allow": ["GET"] } }
  }
}
okta.authenticators.read
Retrieves an authenticator from your Okta organization by authenticatorId
OK
Forbidden
Not Found
Too Many Requests
{
  "type": "app",
  "id": "aut9gnvcjUHIWb37J0g4",
  "key": "duo",
  "status": "ACTIVE",
  "name": "Duo Security",
  "created": "2022-07-15T21:14:02.000Z",
  "lastUpdated": "2022-07-15T21:14:02.000Z",
  "settings": { },
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      }
    }
  },
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } },
    "methods": { "hints": { "allow": ["GET"] } }
  }
}
okta.authenticators.manage
Replaces the properties for an authenticator identified by authenticatorId
key | string (AuthenticatorKeyEnum) | A human-readable string that identifies the authenticator
name | string | Display name of the authenticator
status | string (LifecycleStatus) | Enum: "ACTIVE" "INACTIVE"
type | string (AuthenticatorType) | The type of authenticator
agreeToTerms | boolean | A value of
object | |||||
object | |||||
OK
Bad Request
Forbidden
Not Found
Too Many Requests
{
  "key": "duo",
  "name": "Duo Security",
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      },
      "integrationKey": "testIntegrationKey",
      "secretKey": "testSecretKey"
    }
  }
}

{
  "type": "app",
  "id": "aut9gnvcjUHIWb37J0g4",
  "key": "duo",
  "status": "ACTIVE",
  "name": "Duo Security",
  "created": "2022-07-15T21:14:02.000Z",
  "lastUpdated": "2022-07-15T21:14:02.000Z",
  "settings": { },
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      }
    }
  },
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } },
    "methods": { "hints": { "allow": ["GET"] } }
  }
}
okta.authenticators.manage
Activates an authenticator by authenticatorId
OK
Forbidden
Not Found
Too Many Requests
{
  "type": "app",
  "id": "aut9gnvcjUHIWb37J0g4",
  "key": "duo",
  "status": "ACTIVE",
  "name": "Duo Security",
  "created": "2022-07-15T21:14:02.000Z",
  "lastUpdated": "2022-07-15T21:14:02.000Z",
  "settings": { },
  "provider": {
    "type": "DUO",
    "configuration": {
      "userNameTemplate": {
        "template": "oktaId"
      }
    }
  },
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } },
    "methods": { "hints": { "allow": ["GET"] } }
  }
}
okta.authenticators.manage
Deactivates an authenticator by authenticatorId
OK
Forbidden
Not Found
Too Many Requests
{
  "type": "security_key",
  "id": "aut1nd8PQhGcQtSxB0g4",
  "key": "webauthn",
  "status": "INACTIVE",
  "name": "Security Key or Biometric",
  "created": "2020-07-26T21:16:37.000Z",
  "lastUpdated": "2020-07-27T18:59:30.000Z",
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "methods": { "hints": { "allow": ["GET"] } },
    "deactivate": { "hints": { "allow": ["POST"] } }
  }
}
okta.authenticators.read
Lists all methods of an authenticator identified by authenticatorId
Note:
The AAGUID Group object supports the Early Access (Self-Service) Allow List for FIDO2 (WebAuthn) Authenticators feature. Enable the feature for your org from the Settings > Features page in the Admin Console. This feature has several limitations when enrolling a security key:
- Enrollment is currently unsupported on Firefox.
- Enrollment is currently unsupported on Chrome if User Verification is set to DISCOURAGED and a PIN is set on the security key.
- If prompted during enrollment, users must allow Okta to see the make and model of the security key.
Success
Forbidden
Not Found
Too Many Requests
[
  {
    "type": "sms",
    "status": "ACTIVE",
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "deactivate": { "hints": { "allow": ["POST"] } }
    }
  },
  {
    "type": "voice",
    "status": "INACTIVE",
    "_links": {
      "self": { "hints": { "allow": ["GET", "PUT"] } },
      "activate": { "hints": { "allow": ["POST"] } }
    }
  }
]
okta.authenticators.read
Retrieves a method identified by methodType of an authenticator identified by authenticatorId
Success
Forbidden
Not Found
Too Many Requests
{
  "type": "sms",
  "status": "ACTIVE",
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } }
  }
}
okta.authenticators.manage
Replaces a method of methodType for an authenticator identified by authenticatorId
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{
  "status": "ACTIVE",
  "type": "sms"
}

{
  "type": "sms",
  "status": "ACTIVE",
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } }
  }
}
okta.authenticators.manage
Activates a method for an authenticator identified by authenticatorId and methodType
Success
Forbidden
Not Found
Too Many Requests
{
  "type": "sms",
  "status": "ACTIVE",
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "deactivate": { "hints": { "allow": ["POST"] } }
  }
}
okta.authenticators.manage
Deactivates a method for an authenticator identified by authenticatorId and methodType
Success
Forbidden
Not Found
Too Many Requests
{
  "type": "voice",
  "status": "INACTIVE",
  "_links": {
    "self": { "hints": { "allow": ["GET", "PUT"] } },
    "activate": { "hints": { "allow": ["POST"] } }
  }
}