Authorization Servers

Authorization Servers generate OAuth 2.0 and OpenID Connect tokens, including access tokens and ID tokens. The Okta Management API gives you the ability to configure and manage Authorization Servers and the security policies that are attached to them.

List all Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all authorization servers

Request

query Parameters

q	string
limit	integer <int32> Default: 200
after	string

Responses

200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/authorizationServers

Request samples

Response samples

application/json

[{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Create an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Creates an authorization server

Request

Request Body schema: application/json

audiences

Array of strings

object (AuthorizationServerCredentials)

object (AuthorizationServerCredentialsSigningConfig)

kid	string
rotationMode	string (AuthorizationServerCredentialsRotationMode) Enum: "AUTO" "MANUAL"
use	string (AuthorizationServerCredentialsUse) Value: "sig"

description

string

issuer

string

issuerMode

string (IssuerMode)

Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"

name

string

status

string (LifecycleStatus)

Enum: "ACTIVE" "INACTIVE"

Responses

201

Created

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/authorizationServers

Request samples

application/json

{"audiences": ["string"
],
"credentials": {"signing": {"kid": "string",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"name": "string",
"status": "ACTIVE"
}

Response samples

application/json

{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Retrieve an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Retrieves an authorization server

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}

Request samples

Response samples

application/json

{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Replace an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Replaces an authorization server

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json

audiences

Array of strings

object (AuthorizationServerCredentials)

object (AuthorizationServerCredentialsSigningConfig)

kid	string
rotationMode	string (AuthorizationServerCredentialsRotationMode) Enum: "AUTO" "MANUAL"
use	string (AuthorizationServerCredentialsUse) Value: "sig"

description

string

issuer

string

issuerMode

string (IssuerMode)

Enum: "CUSTOM_URL" "DYNAMIC" "ORG_URL"

name

string

status

string (LifecycleStatus)

Enum: "ACTIVE" "INACTIVE"

Responses

200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/authorizationServers/{authServerId}

Request samples

application/json

{"audiences": ["string"
],
"credentials": {"signing": {"kid": "string",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"name": "string",
"status": "ACTIVE"
}

Response samples

application/json

{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Delete an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Deletes an authorization server

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Associated Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all associated authorization servers by trusted type for the given authServerId

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

query Parameters

trusted	boolean Searches trusted authorization servers when true, or searches untrusted authorization servers when false
q	string Searches the name or audience of the associated authorization servers
limit	integer <int32> Default: 200 Specifies the number of results for a page
after	string Specifies the pagination cursor for the next page of the associated authorization servers

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/associatedServers

Request samples

Response samples

application/json

[{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Create the Associated Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Creates the trusted relationships between the given authorization server and other authorization servers

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json

trusted

Array of strings

A list of the authorization server IDs

Responses

200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/associatedServers

Request samples

application/json

{"trusted": ["string"
]
}

Response samples

application/json

[{"audiences": ["string"
],
"created": "2019-08-24T14:15:22Z",
"credentials": {"signing": {"kid": "string",
"lastRotated": "2019-08-24T14:15:22Z",
"nextRotation": "2019-08-24T14:15:22Z",
"rotationMode": "AUTO",
"use": "sig"
}
},
"description": "string",
"id": "string",
"issuer": "string",
"issuerMode": "CUSTOM_URL",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"status": "ACTIVE",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Delete an Associated Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Deletes an associated authorization server

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
associatedServerId required	string `id` of the associated Authorization Server Example: aus6xt9jKPmCyn6kg0g4

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/associatedServers/{associatedServerId}

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Custom Token Claims
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all custom token claims

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/claims

Request samples

Response samples

application/json

[{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"id": "string",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Create a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Creates a custom token claim

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json

alwaysIncludeInToken

boolean

claimType

string (OAuth2ClaimType)

Enum: "IDENTITY" "RESOURCE"

object (OAuth2ClaimConditions)

scopes

Array of strings

group_filter_type

string (OAuth2ClaimGroupFilterType)

Enum: "CONTAINS" "EQUALS" "REGEX" "STARTS_WITH"

name

string

status

string (LifecycleStatus)

Enum: "ACTIVE" "INACTIVE"

system

boolean

value

string

valueType

string (OAuth2ClaimValueType)

Enum: "EXPRESSION" "GROUPS" "SYSTEM"

Responses

201

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/claims

Request samples

application/json

{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION"
}

Response samples

application/json

{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"id": "string",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Retrieve a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Retrieves a custom token claim

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
claimId required	string `id` of Claim Example: hNJ3Uk76xLagWkGx5W3N

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/claims/{claimId}

Request samples

Response samples

application/json

{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"id": "string",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Replace a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Replaces a custom token claim

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
claimId required	string `id` of Claim Example: hNJ3Uk76xLagWkGx5W3N

Request Body schema: application/json

alwaysIncludeInToken

boolean

claimType

string (OAuth2ClaimType)

Enum: "IDENTITY" "RESOURCE"

object (OAuth2ClaimConditions)

scopes

Array of strings

group_filter_type

string (OAuth2ClaimGroupFilterType)

Enum: "CONTAINS" "EQUALS" "REGEX" "STARTS_WITH"

name

string

status

string (LifecycleStatus)

Enum: "ACTIVE" "INACTIVE"

system

boolean

value

string

valueType

string (OAuth2ClaimValueType)

Enum: "EXPRESSION" "GROUPS" "SYSTEM"

Responses

200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/authorizationServers/{authServerId}/claims/{claimId}

Request samples

application/json

{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION"
}

Response samples

application/json

{"alwaysIncludeInToken": true,
"claimType": "IDENTITY",
"conditions": {"scopes": ["string"
]
},
"group_filter_type": "CONTAINS",
"id": "string",
"name": "string",
"status": "ACTIVE",
"system": true,
"value": "string",
"valueType": "EXPRESSION",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}

Delete a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Deletes a custom token claim

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
claimId required	string `id` of Claim Example: hNJ3Uk76xLagWkGx5W3N

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/claims/{claimId}

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Clients
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all clients

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/clients

Request samples

Response samples

application/json

[{"client_id": "string",
"client_name": "string",
"client_uri": "string",
"logo_uri": "string",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

List all Refresh Tokens for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all refresh tokens for a client

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD

query Parameters

expand	string
after	string
limit	integer <int32> Default: -1

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens

Request samples

Response samples

application/json

[{"clientId": "string",
"created": "2019-08-24T14:15:22Z",
"expiresAt": "2019-08-24T14:15:22Z",
"id": "string",
"issuer": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"scopes": ["string"
],
"status": "ACTIVE",
"userId": "string",
"_embedded": {"scopes": [{"description": "string",
"displayName": "string",
"id": "string",
"name": "string",
"_links": {"scope": {"hints": {"allow": [ ]
},
"href": "string",
"title": "string",
"type": "string"
}
}
}
]
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
},
"app": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"revoke": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"client": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"user": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"authorizationServer": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
}
}
}
]

Revoke all Refresh Tokens for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Revokes all refresh tokens for a client

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

Retrieve a Refresh Token for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Retrieves a refresh token for a client

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId required	string `id` of Token Example: sHHSth53yJAyNSTQKDJZ

query Parameters

expand

string

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}

Request samples

Response samples

application/json

{"clientId": "string",
"created": "2019-08-24T14:15:22Z",
"expiresAt": "2019-08-24T14:15:22Z",
"id": "string",
"issuer": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"scopes": ["string"
],
"status": "ACTIVE",
"userId": "string",
"_embedded": {"scopes": [{"description": "string",
"displayName": "string",
"id": "string",
"name": "string",
"_links": {"scope": {"hints": {"allow": [null
]
},
"href": "string",
"title": "string",
"type": "string"
}
}
}
]
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
},
"app": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"revoke": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"client": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"user": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
},
"authorizationServer": {"hints": {"allow": ["string"
]
},
"href": "string",
"title": "string",
"type": "string"
}
}
}

Revoke a Refresh Token for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Revokes a refresh token for a client

Request

path Parameters

authServerId required	string `id` of the Authorization Server Example: GeGRTEr7f3yu2n7grw22
clientId required	string `client_id` of the app Example: 52Uy4BUWVBOjFItcg2jWsmnd83Ad8dD
tokenId required	string `id` of Token Example: sHHSth53yJAyNSTQKDJZ

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/clients/{clientId}/tokens/{tokenId}

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Credential Keys
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all credential keys

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/credentials/keys

Request samples

Response samples

application/json

[{"alg": "string",
"created": "2019-08-24T14:15:22Z",
"e": "string",
"expiresAt": "2019-08-24T14:15:22Z",
"key_ops": ["string"
],
"kid": "string",
"kty": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"n": "string",
"status": "string",
"use": "string",
"x5c": ["string"
],
"x5t": "string",
"x5t#S256": "string",
"x5u": "string",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Rotate all Credential Keys
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Rotates all credential keys

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json

use	string (JwkUseType) Value: "sig"

Responses

200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/credentials/lifecycle/keyRotate

Request samples

application/json

{"use": "sig"
}

Response samples

application/json

[{"alg": "string",
"created": "2019-08-24T14:15:22Z",
"e": "string",
"expiresAt": "2019-08-24T14:15:22Z",
"key_ops": ["string"
],
"kid": "string",
"kty": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"n": "string",
"status": "string",
"use": "string",
"x5c": ["string"
],
"x5t": "string",
"x5t#S256": "string",
"x5u": "string",
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
}
}
]

Activate an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Activates an authorization server

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/lifecycle/activate

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

Deactivate an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Deactivates an authorization server

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/lifecycle/deactivate

Request samples

Response samples

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

List all Policies
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Lists all policies

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/policies

Request samples

Response samples

application/json

[{"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"priority": 0,
"status": "ACTIVE",
"system": true,
"type": "ACCESS_POLICY",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
},
"conditions": {"app": {"exclude": [{"id": "string",
"name": "string",
"type": "APP"
}
],
"include": [{"id": "string",
"name": "string",
"type": "APP"
}
]
},
"apps": {"exclude": ["string"
],
"include": ["string"
]
},
"authContext": {"authType": "ANY"
},
"authProvider": {"include": ["string"
],
"provider": "ACTIVE_DIRECTORY"
},
"beforeScheduledAction": {"duration": {"number": 0,
"unit": "string"
},
"lifecycleAction": {"status": "ACTIVATING"
}
},
"clients": {"include": ["string"
]
},
"context": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY",
"expression": "string"
},
"device": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY"
},
"grantTypes": {"include": ["string"
]
},
"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"identityProvider": {"idpIds": ["string"
],
"provider": "ANY"
},
"mdmEnrollment": {"blockNonSafeAndroid": true,
"enrollment": "ANY_OR_NONE"
},
"network": {"connection": "ANYWHERE",
"exclude": ["string"
],
"include": ["string"
]
},
"people": {"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"users": {"exclude": ["string"
],
"include": ["string"
]
}
},
"platform": {"exclude": [{"os": {"expression": "string",
"type": "ANDROID",
"version": {"matchType": null,
"value": null
}
},
"type": "ANY"
}
],
"include": [{"os": {"expression": "string",
"type": "ANDROID",
"version": {"matchType": null,
"value": null
}
},
"type": "ANY"
}
]
},
"risk": {"behaviors": ["string"
]
},
"riskScore": {"level": "string"
},
"scopes": {"include": ["string"
]
},
"userIdentifier": {"attribute": "string",
"patterns": [{"matchType": "CONTAINS",
"value": "string"
}
],
"type": "ATTRIBUTE"
},
"users": {"exclude": ["string"
],
"inactivity": {"number": 0,
"unit": "string"
},
"include": ["string"
],
"lifecycleExpiration": {"lifecycleStatus": "string",
"number": 0,
"unit": "string"
},
"passwordExpiration": {"number": 0,
"unit": "string"
},
"userLifecycleAttribute": {"attributeName": "string",
"matchingValue": "string"
}
},
"userStatus": {"value": "ACTIVATING"
}
}
}
]

Create a Policy
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Creates a policy

Request

path Parameters

authServerId

required

string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22

Request Body schema: application/json

description

string

name

string

priority

integer

status

string (LifecycleStatus)

Enum: "ACTIVE" "INACTIVE"

system

boolean

type

string (PolicyType)

object (PolicyRuleConditions)

object (AppAndInstancePolicyRuleCondition)

	Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)
	Array of objects (AppAndInstanceConditionEvaluatorAppOrInstance)

object (AppInstancePolicyRuleCondition)

exclude	Array of strings
include	Array of strings

object (PolicyRuleAuthContextCondition)

authType

string (PolicyRuleAuthContextType)

Enum: "ANY" "RADIUS"

object (PasswordPolicyAuthenticationProviderCondition)

include	Array of strings
provider	string (PasswordPolicyAuthenticationProviderType) Enum: "ACTIVE_DIRECTORY" "ANY" "LDAP" "OKTA"

object (BeforeScheduledActionPolicyRuleCondition)

	object (Duration)
	object (ScheduledUserLifecycleAction)

object (ClientPolicyCondition)

include

Array of strings

object (ContextPolicyRuleCondition)

migrated	boolean
	object (DevicePolicyRuleConditionPlatform)
rooted	boolean
trustLevel	string (DevicePolicyTrustLevel) Enum: "ANY" "TRUSTED"
expression	string

object (DevicePolicyRuleCondition)

migrated	boolean
	object (DevicePolicyRuleConditionPlatform)
rooted	boolean
trustLevel	string (DevicePolicyTrustLevel) Enum: "ANY" "TRUSTED"

object (GrantTypePolicyRuleCondition)

include

Array of strings

object (GroupPolicyRuleCondition)

exclude	Array of strings
include	Array of strings

object (IdentityProviderPolicyRuleCondition)

idpIds	Array of strings
provider	string (IdentityProviderPolicyProvider) Enum: "ANY" "OKTA" "SPECIFIC_IDP"

object (MDMEnrollmentPolicyRuleCondition)

blockNonSafeAndroid	boolean
enrollment	string (MDMEnrollmentPolicyEnrollment) Enum: "ANY_OR_NONE" "OMM"

object (PolicyNetworkCondition)

connection	string (PolicyNetworkConnection) Enum: "ANYWHERE" "ZONE"
exclude	Array of strings
include	Array of strings

object (PolicyPeopleCondition)

	object (GroupCondition)
	object (UserCondition)

object (PlatformPolicyRuleCondition)

	Array of objects (PlatformConditionEvaluatorPlatform)
	Array of objects (PlatformConditionEvaluatorPlatform)

object (RiskPolicyRuleCondition)

behaviors

Array of strings unique

object (RiskScorePolicyRuleCondition)

level

string

object (OAuth2ScopesMediationPolicyRuleCondition)

include

Array of strings

object (UserIdentifierPolicyRuleCondition)

attribute	string
	Array of objects (UserIdentifierConditionEvaluatorPattern)
type	string (UserIdentifierType) Enum: "ATTRIBUTE" "IDENTIFIER"

object (UserPolicyRuleCondition)

exclude	Array of strings
	object (InactivityPolicyRuleCondition)
include	Array of strings
	object (LifecycleExpirationPolicyRuleCondition)
	object (PasswordExpirationPolicyRuleCondition)
	object (UserLifecycleAttributePolicyRuleCondition)

object (UserStatusPolicyRuleCondition)

value

string (PolicyUserStatus)

Enum: "ACTIVATING" "ACTIVE" "DELETED" "DELETING" "EXPIRED_PASSWORD" "INACTIVE" "PENDING" "SUSPENDED"

Responses

201

Created

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/policies

Request samples

application/json

{"description": "string",
"name": "string",
"priority": 0,
"status": "ACTIVE",
"system": true,
"type": "ACCESS_POLICY",
"conditions": {"app": {"exclude": [{"name": "string",
"type": "APP"
}
],
"include": [{"name": "string",
"type": "APP"
}
]
},
"apps": {"exclude": ["string"
],
"include": ["string"
]
},
"authContext": {"authType": "ANY"
},
"authProvider": {"include": ["string"
],
"provider": "ACTIVE_DIRECTORY"
},
"beforeScheduledAction": {"duration": {"number": 0,
"unit": "string"
},
"lifecycleAction": {"status": "ACTIVATING"
}
},
"clients": {"include": ["string"
]
},
"context": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY",
"expression": "string"
},
"device": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY"
},
"grantTypes": {"include": ["string"
]
},
"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"identityProvider": {"idpIds": ["string"
],
"provider": "ANY"
},
"mdmEnrollment": {"blockNonSafeAndroid": true,
"enrollment": "ANY_OR_NONE"
},
"network": {"connection": "ANYWHERE",
"exclude": ["string"
],
"include": ["string"
]
},
"people": {"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"users": {"exclude": ["string"
],
"include": ["string"
]
}
},
"platform": {"exclude": [{"os": {"expression": "string",
"type": "ANDROID",
"version": {"matchType": "EXPRESSION",
"value": "string"
}
},
"type": "ANY"
}
],
"include": [{"os": {"expression": "string",
"type": "ANDROID",
"version": {"matchType": "EXPRESSION",
"value": "string"
}
},
"type": "ANY"
}
]
},
"risk": {"behaviors": ["string"
]
},
"riskScore": {"level": "string"
},
"scopes": {"include": ["string"
]
},
"userIdentifier": {"attribute": "string",
"patterns": [{"matchType": "CONTAINS",
"value": "string"
}
],
"type": "ATTRIBUTE"
},
"users": {"exclude": ["string"
],
"inactivity": {"number": 0,
"unit": "string"
},
"include": ["string"
],
"lifecycleExpiration": {"lifecycleStatus": "string",
"number": 0,
"unit": "string"
},
"passwordExpiration": {"number": 0,
"unit": "string"
},
"userLifecycleAttribute": {"attributeName": "string",
"matchingValue": "string"
}
},
"userStatus": {"value": "ACTIVATING"
}
}
}

Response samples

application/json

{"created": "2019-08-24T14:15:22Z",
"description": "string",
"id": "string",
"lastUpdated": "2019-08-24T14:15:22Z",
"name": "string",
"priority": 0,
"status": "ACTIVE",
"system": true,
"type": "ACCESS_POLICY",
"_embedded": {"property1": { },
"property2": { }
},
"_links": {"self": {"hints": {"allow": ["DELETE"
]
},
"href": "string",
"name": "string",
"type": "string"
}
},
"conditions": {"app": {"exclude": [{"id": "string",
"name": "string",
"type": "APP"
}
],
"include": [{"id": "string",
"name": "string",
"type": "APP"
}
]
},
"apps": {"exclude": ["string"
],
"include": ["string"
]
},
"authContext": {"authType": "ANY"
},
"authProvider": {"include": ["string"
],
"provider": "ACTIVE_DIRECTORY"
},
"beforeScheduledAction": {"duration": {"number": 0,
"unit": "string"
},
"lifecycleAction": {"status": "ACTIVATING"
}
},
"clients": {"include": ["string"
]
},
"context": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY",
"expression": "string"
},
"device": {"migrated": true,
"platform": {"supportedMDMFrameworks": ["AFW"
],
"types": ["ANDROID"
]
},
"rooted": true,
"trustLevel": "ANY"
},
"grantTypes": {"include": ["string"
]
},
"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"identityProvider": {"idpIds": ["string"
],
"provider": "ANY"
},
"mdmEnrollment": {"blockNonSafeAndroid": true,
"enrollment": "ANY_OR_NONE"
},
"network": {"connection": "ANYWHERE",
"exclude": ["string"
],
"include": ["string"
]
},
"people": {"groups": {"exclude": ["string"
],
"include": ["string"
]
},
"users": {"exclude": ["string"
],
"include": ["string"
]
}
},
"platform": {"exclude": [{"os": {"expression": "string",
"type": "ANDROID",
"version": {"matchType": "EXPRESSION",
"value": "string"
}
},
"type": "ANY"
}
],

Authorization Servers

List all Authorization ServersAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

query Parameters

Create an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

Request Body schema: application/json

Retrieve an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

Replace an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

Delete an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

List all Associated Authorization ServersAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

query Parameters

Create the Associated Authorization ServersAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

Delete an Associated Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

List all Custom Token ClaimsAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

Create a Custom Token ClaimAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

Retrieve a Custom Token ClaimAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

Replace a Custom Token ClaimAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

Delete a Custom Token ClaimAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

List all ClientsAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

List all Refresh Tokens for a ClientAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

query Parameters

Revoke all Refresh Tokens for a ClientAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Retrieve a Refresh Token for a ClientAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

query Parameters

Revoke a Refresh Token for a ClientAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

List all Credential KeysAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

Rotate all Credential KeysAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

Activate an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Deactivate an Authorization ServerAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

List all PoliciesAPI Access ManagementOAuth 2.0: okta.authorizationServers.read

path Parameters

Create a PolicyAPI Access ManagementOAuth 2.0: okta.authorizationServers.manage

path Parameters

Request Body schema: application/json

List all Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Create an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Retrieve an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Replace an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Delete an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

List all Associated Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Create the Associated Authorization Servers
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Delete an Associated Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

List all Custom Token Claims
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Create a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Retrieve a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Replace a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Delete a Custom Token Claim
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

List all Clients
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

List all Refresh Tokens for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Revoke all Refresh Tokens for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Retrieve a Refresh Token for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Revoke a Refresh Token for a Client
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

List all Credential Keys
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Rotate all Credential Keys
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Activate an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

Deactivate an Authorization Server
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`

List all Policies
API Access Management
OAuth 2.0: `okta.authorizationServers.read`

Create a Policy
API Access Management
OAuth 2.0: `okta.authorizationServers.manage`