Trusted Origins

The Trusted Origins API provides operations to manage Trusted Origins and sources.

When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted.

You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin.

Notes:

  • This feature is supported for Okta domains only. It isn't currently supported for custom domains.
  • Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods.

List all trusted origins
OAuth 2.0:
  • okta.trustedOrigins.read

Lists all trusted origins

Request
query Parameters
q
string

A search string that prefix matches against the name and origin

filter
string

Filter trusted origins with a supported expression for a subset of properties. You can filter on the following properties: name, origin, status, and type (type of scopes).

Examples:
filter=name eq "Example trusted origin"
after
string

After cursor provided by a prior request

limit
integer <int32> <= 200
Default: 20

Specifies the number of results

Responses
200

Success

403

Forbidden

429

Too Many Requests

get/api/v1/trustedOrigins
Request samples 
Response samples 
application/json
[]
Create a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.manage
Creates a trusted origin


Request 
Request Body schema: application/json
required
name
string (TrustedOriginName)   <= 255 
Unique name for the trusted origin


 
origin
string (TrustedOriginOrigin)   <= 255 
Unique origin URL for the trusted origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.


 
Array of objects (TrustedOriginScopes)   <= 3 
Array of scope types that this trusted origin is used for


 
 Array 
allowedOktaApps
Array of strings (IframeEmbedScopeAllowedApps) 
The allowed Okta apps for the trusted origin scope


Items Value: "OKTA_ENDUSER"  
type
string (TrustedOriginScopeType) 
The scope type. Supported values: When you use IFRAME_EMBED as the scope type, leave the allowedOktaApps property empty to allow iFrame embedding of only Okta sign-in pages. Include OKTA_ENDUSER as a value for the allowedOktaApps property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard.


 Enum: "CORS" "IFRAME_EMBED" "REDIRECT"  
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/trustedOrigins
Request samples 
application/json
{
  • "name": "New trusted origin",
  • "origin": "http://example.com",
  • "scopes": [
    • {
      },
    • {
      }
    ]
}
Response samples 
application/json
{}
Retrieve a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.read
Retrieves a trusted origin


Request 
path Parameters
trustedOriginId
required
string
id of the trusted origin


 
 Example:  7j2PkU1nyNIDe26ZNufR
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/trustedOrigins/{trustedOriginId}
Request samples 
Response samples 
application/json
{}
Replace a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.manage
Replaces a trusted origin


Request 
path Parameters
trustedOriginId
required
string
id of the trusted origin


 
 Example:  7j2PkU1nyNIDe26ZNufR
Request Body schema: application/json
required
createdBy
string
The ID of the user who created the trusted origin


 
lastUpdatedBy
string
The ID of the user who last updated the trusted origin


 
name
string (TrustedOriginName)   <= 255 
Unique name for the trusted origin


 
origin
string (TrustedOriginOrigin)   <= 255 
Unique origin URL for the trusted origin. The supported schemes for this attribute are HTTP, HTTPS, FTP, Ionic 2, and Capacitor.


 
Array of objects (TrustedOriginScopes)   <= 3 
Array of scope types that this trusted origin is used for


 
 Array 
allowedOktaApps
Array of strings (IframeEmbedScopeAllowedApps) 
The allowed Okta apps for the trusted origin scope


Items Value: "OKTA_ENDUSER"  
type
string (TrustedOriginScopeType) 
The scope type. Supported values: When you use IFRAME_EMBED as the scope type, leave the allowedOktaApps property empty to allow iFrame embedding of only Okta sign-in pages. Include OKTA_ENDUSER as a value for the allowedOktaApps property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard.


 Enum: "CORS" "IFRAME_EMBED" "REDIRECT"  
status
string (LifecycleStatus) 
 Enum: "ACTIVE" "INACTIVE"  
Responses 
200
Success


400
Bad Request


403
Forbidden


404
Not Found


429
Too Many Requests


put/api/v1/trustedOrigins/{trustedOriginId}
Request samples 
application/json
{}
Response samples 
application/json
{}
Delete a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.manage
Deletes a trusted origin


Request 
path Parameters
trustedOriginId
required
string
id of the trusted origin


 
 Example:  7j2PkU1nyNIDe26ZNufR
Responses 
204
Success


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/trustedOrigins/{trustedOriginId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}
Activate a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.manage
Activates a trusted origin. Sets the status to ACTIVE.


Request 
path Parameters
trustedOriginId
required
string
id of the trusted origin


 
 Example:  7j2PkU1nyNIDe26ZNufR
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/trustedOrigins/{trustedOriginId}/lifecycle/activate
Request samples 
Response samples 
application/json
{}
Deactivate a trusted origin
OAuth 2.0: 
  • okta.trustedOrigins.manage
Deactivates a trusted origin. Sets the status to INACTIVE.


Request 
path Parameters
trustedOriginId
required
string
id of the trusted origin


 
 Example:  7j2PkU1nyNIDe26ZNufR
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


post/api/v1/trustedOrigins/{trustedOriginId}/lifecycle/deactivate
Request samples 
Response samples 
application/json
{}