Authorization Server Claims

Provides operations to manage custom token claims for the given authServerId and claimId

List all custom token claims
API Access Management
OAuth 2.0: okta.authorizationServers.read

Lists all custom token Claims defined for a specified custom authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/claims
Request samples
Response samples
application/json
[]

Create a custom token claim
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Creates a custom token Claim for a custom authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
alwaysIncludeInToken
boolean

Specifies whether to include Claims in the token. The value is always TRUE for access token Claims. If the value is set to FALSE for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the authorization_code. The client instead uses the access token to get Claims from the /userinfo endpoint.

claimType
string (OAuth2ClaimType)

Specifies whether the Claim is for an access token (RESOURCE) or an ID token (IDENTITY)

Enum: "IDENTITY" "RESOURCE"
object (OAuth2ClaimConditions)

Specifies the scopes for the Claim

scopes
Array of strings
group_filter_type
string (OAuth2ClaimGroupFilterType)

Specifies the type of group filter if valueType is GROUPS

If valueType is GROUPS, then the groups returned are filtered according to the value of group_filter_type.

If you have complex filters for Groups, you can create a Groups allowlist to put them all in a Claim.

Enum: Description
STARTS_WITH

Group names start with value (not case-sensitive). For example, if value is group1, then group123 and Group123 are included.

EQUALS

Group name is the same as value (not case-sensitive). For example, if value is group1, then group1 and Group1 are included, but group123 isn't.

CONTAINS

Group names contain value (not case-sensitive). For example, if value is group1, then MyGroup123 and group1 are included.

REGEX

Group names match the regular expression in value (case-sensitive). For example if value is /^[a-z0-9_-]{3,16}$/, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.

name
string

Name of the Claim

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean

When true, indicates that Okta created the Claim

value
string

Specifies the value of the Claim. This value must be a string literal if valueType is GROUPS, and the string literal is matched with the selected group_filter_type. The value must be an Okta EL expression if valueType is EXPRESSION.

valueType
string (OAuth2ClaimValueType)

Specifies whether the Claim is an Okta Expression Language (EL) expression (EXPRESSION), a set of groups (GROUPS), or a system claim (SYSTEM)

Enum: "EXPRESSION" "GROUPS" "SYSTEM"
Responses
201

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/authorizationServers/{authServerId}/claims
Request samples
application/json
[
  • {
    • "alwaysIncludeInToken": true,
    • "claimType": "IDENTITY",
    • "conditions": {
      },
    • "group_filter_type": "CONTAINS",
    • "name": "Support",
    • "status": "ACTIVE",
    • "system": false,
    • "value": "Support",
    • "valueType": "GROUPS"
    }
]
Response samples
application/json
[]

Retrieve a custom token claim
API Access Management
OAuth 2.0: okta.authorizationServers.read

Retrieves a custom token Claim by the specified claimId

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
claimId
required
string

id of Claim

Example: hNJ3Uk76xLagWkGx5W3N
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples
Response samples
application/json
[]

Replace a custom token claim
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Replaces a custom token Claim specified by the claimId

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
claimId
required
string

id of Claim

Example: hNJ3Uk76xLagWkGx5W3N
Request Body schema: application/json
required
alwaysIncludeInToken
boolean

Specifies whether to include Claims in the token. The value is always TRUE for access token Claims. If the value is set to FALSE for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the authorization_code. The client instead uses the access token to get Claims from the /userinfo endpoint.

claimType
string (OAuth2ClaimType)

Specifies whether the Claim is for an access token (RESOURCE) or an ID token (IDENTITY)

Enum: "IDENTITY" "RESOURCE"
object (OAuth2ClaimConditions)

Specifies the scopes for the Claim

scopes
Array of strings
group_filter_type
string (OAuth2ClaimGroupFilterType)

Specifies the type of group filter if valueType is GROUPS

If valueType is GROUPS, then the groups returned are filtered according to the value of group_filter_type.

If you have complex filters for Groups, you can create a Groups allowlist to put them all in a Claim.

Enum: Description
STARTS_WITH

Group names start with value (not case-sensitive). For example, if value is group1, then group123 and Group123 are included.

EQUALS

Group name is the same as value (not case-sensitive). For example, if value is group1, then group1 and Group1 are included, but group123 isn't.

CONTAINS

Group names contain value (not case-sensitive). For example, if value is group1, then MyGroup123 and group1 are included.

REGEX

Group names match the regular expression in value (case-sensitive). For example if value is /^[a-z0-9_-]{3,16}$/, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.

name
string

Name of the Claim

status
string (LifecycleStatus)
Enum: "ACTIVE" "INACTIVE"
system
boolean

When true, indicates that Okta created the Claim

value
string

Specifies the value of the Claim. This value must be a string literal if valueType is GROUPS, and the string literal is matched with the selected group_filter_type. The value must be an Okta EL expression if valueType is EXPRESSION.

valueType
string (OAuth2ClaimValueType)

Specifies whether the Claim is an Okta Expression Language (EL) expression (EXPRESSION), a set of groups (GROUPS), or a system claim (SYSTEM)

Enum: "EXPRESSION" "GROUPS" "SYSTEM"
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

put/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples
application/json
[
  • {
    • "alwaysIncludeInToken": true,
    • "claimType": "IDENTITY",
    • "conditions": {
      },
    • "group_filter_type": "CONTAINS",
    • "name": "Knowledge_Base",
    • "status": "ACTIVE",
    • "system": false,
    • "value": "Knowledge Base",
    • "valueType": "GROUPS"
    }
]
Response samples
application/json
[]

Delete a custom token claim
API Access Management
OAuth 2.0: okta.authorizationServers.manage

Deletes a custom token Claim specified by the claimId

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
claimId
required
string

id of Claim

Example: hNJ3Uk76xLagWkGx5W3N
Responses
204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}