Authorization Server Claims

Provides operations to manage custom token claims for the given authServerId and claimId

List all custom token claims
API Access Management
OAuth 2.0 scopes:
  • okta.authorizationServers.read

Lists all custom token Claims defined for a specified custom authorization server

Request
path Parameters
authServerId
required
string

id of the Authorization Server

Example: GeGRTEr7f3yu2n7grw22
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/authorizationServers/{authServerId}/claims
Request samples 
Response samples 
application/json
[]
Create a custom token claim
API Access Management
OAuth 2.0 scopes: 
  • okta.authorizationServers.manage
Creates a custom token Claim for a custom authorization server


Request 
path Parameters
authServerId
required
string
id of the Authorization Server


 
 Example:  GeGRTEr7f3yu2n7grw22
Request Body schema: application/json
required
alwaysIncludeInToken
boolean
Specifies whether to include Claims in the token. The value is always TRUE for access token Claims. If the value is set to FALSE for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the authorization_code. The client instead uses the access token to get Claims from the /userinfo endpoint.


 
claimType
string (OAuth2ClaimType) 
Specifies whether the Claim is for an access token (RESOURCE) or an ID token (IDENTITY)


 Enum: "IDENTITY" "RESOURCE"  
object (OAuth2ClaimConditions) 
Specifies the scopes for the Claim


 
scopes
Array of strings
 
group_filter_type
string (OAuth2ClaimGroupFilterType) 
Specifies the type of group filter if valueType is GROUPS


If valueType is GROUPS, then the groups returned are filtered according to the value of group_filter_type.


If you have complex filters for Groups, you can create a Groups allowlist to put them all in a Claim.


 Enum: Description
STARTS_WITH
Group names start with value (not case-sensitive). For example, if value is group1, then group123 and Group123 are included.


EQUALS
Group name is the same as value (not case-sensitive). For example, if value is group1, then group1 and Group1 are included, but group123 isn't.


CONTAINS
Group names contain value (not case-sensitive). For example, if value is group1, then MyGroup123 and group1 are included.


REGEX
Group names match the regular expression in value (case-sensitive). For example if value is /^[a-z0-9_-]{3,16}$/, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.


 
name
string
Name of the Claim


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
When true, indicates that Okta created the Claim


 
value
string
Specifies the value of the Claim. This value must be a string literal if valueType is GROUPS, and the string literal is matched with the selected group_filter_type. The value must be an Okta EL expression if valueType is EXPRESSION.


 
valueType
string (OAuth2ClaimValueType) 
Specifies whether the Claim is an Okta Expression Language (EL) expression (EXPRESSION), a set of groups (GROUPS), or a system claim (SYSTEM)


 Enum: "EXPRESSION" "GROUPS" "SYSTEM"  
Responses 
201
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/authorizationServers/{authServerId}/claims
Request samples 
application/json
[
  • {
    • "alwaysIncludeInToken": true,
    • "claimType": "IDENTITY",
    • "conditions": {
      },
    • "group_filter_type": "CONTAINS",
    • "name": "Support",
    • "status": "ACTIVE",
    • "system": false,
    • "value": "Support",
    • "valueType": "GROUPS"
    }
]
Response samples 
application/json
[]
Retrieve a custom token claim
API Access Management
OAuth 2.0 scopes: 
  • okta.authorizationServers.read
Retrieves a custom token Claim by the specified claimId


Request 
path Parameters
authServerId
required
string
id of the Authorization Server


 
 Example:  GeGRTEr7f3yu2n7grw22
claimId
required
string
id of Claim


 
 Example:  hNJ3Uk76xLagWkGx5W3N
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples 
Response samples 
application/json
[]
Replace a custom token claim
API Access Management
OAuth 2.0 scopes: 
  • okta.authorizationServers.manage
Replaces a custom token Claim specified by the claimId


Request 
path Parameters
authServerId
required
string
id of the Authorization Server


 
 Example:  GeGRTEr7f3yu2n7grw22
claimId
required
string
id of Claim


 
 Example:  hNJ3Uk76xLagWkGx5W3N
Request Body schema: application/json
required
alwaysIncludeInToken
boolean
Specifies whether to include Claims in the token. The value is always TRUE for access token Claims. If the value is set to FALSE for an ID token claim, the Claim isn't included in the ID token when the token is requested with the access token or with the authorization_code. The client instead uses the access token to get Claims from the /userinfo endpoint.


 
claimType
string (OAuth2ClaimType) 
Specifies whether the Claim is for an access token (RESOURCE) or an ID token (IDENTITY)


 Enum: "IDENTITY" "RESOURCE"  
object (OAuth2ClaimConditions) 
Specifies the scopes for the Claim


 
scopes
Array of strings
 
group_filter_type
string (OAuth2ClaimGroupFilterType) 
Specifies the type of group filter if valueType is GROUPS


If valueType is GROUPS, then the groups returned are filtered according to the value of group_filter_type.


If you have complex filters for Groups, you can create a Groups allowlist to put them all in a Claim.


 Enum: Description
STARTS_WITH
Group names start with value (not case-sensitive). For example, if value is group1, then group123 and Group123 are included.


EQUALS
Group name is the same as value (not case-sensitive). For example, if value is group1, then group1 and Group1 are included, but group123 isn't.


CONTAINS
Group names contain value (not case-sensitive). For example, if value is group1, then MyGroup123 and group1 are included.


REGEX
Group names match the regular expression in value (case-sensitive). For example if value is /^[a-z0-9_-]{3,16}$/, then any Group name that has at least three letters, no more than 16, and contains lowercase letters, a hyphen, or numbers is a match.


 
name
string
Name of the Claim


 
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
system
boolean
When true, indicates that Okta created the Claim


 
value
string
Specifies the value of the Claim. This value must be a string literal if valueType is GROUPS, and the string literal is matched with the selected group_filter_type. The value must be an Okta EL expression if valueType is EXPRESSION.


 
valueType
string (OAuth2ClaimValueType) 
Specifies whether the Claim is an Okta Expression Language (EL) expression (EXPRESSION), a set of groups (GROUPS), or a system claim (SYSTEM)


 Enum: "EXPRESSION" "GROUPS" "SYSTEM"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples 
application/json
[
  • {
    • "alwaysIncludeInToken": true,
    • "claimType": "IDENTITY",
    • "conditions": {
      },
    • "group_filter_type": "CONTAINS",
    • "name": "Knowledge_Base",
    • "status": "ACTIVE",
    • "system": false,
    • "value": "Knowledge Base",
    • "valueType": "GROUPS"
    }
]
Response samples 
application/json
[]
Delete a custom token claim
API Access Management
OAuth 2.0 scopes: 
  • okta.authorizationServers.manage
Deletes a custom token Claim specified by the claimId


Request 
path Parameters
authServerId
required
string
id of the Authorization Server


 
 Example:  GeGRTEr7f3yu2n7grw22
claimId
required
string
id of Claim


 
 Example:  hNJ3Uk76xLagWkGx5W3N
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/authorizationServers/{authServerId}/claims/{claimId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}