The Users API provides operations to manage users in your organization.
Note: Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grain control over the bearer's actions on specific endpoints. See Okta API authentication methods.
The following diagram shows the flow of user status:
The following table describes the user experience and expectation of user status and welcome screen, depending on which options (security question and answer, password, and activate query) are defined during user creation.
User creation details and outcomes
Security Q & A | Password | Activate Query Parameter | User Status | Login Credential | Welcome Screen |
---|---|---|---|---|---|
FALSE | STAGED |
||||
TRUE | PROVISIONED or ACTIVE |
One-Time Token (Email) or Email | X | ||
X | FALSE | STAGED |
|||
X | TRUE | PROVISIONED or ACTIVE |
One-Time Token (Email) or Email | X | |
X | FALSE | STAGED |
|||
X | TRUE | ACTIVE |
Password | X | |
X | X | FALSE | STAGED |
||
X | X | TRUE | ACTIVE |
Password |
Creating users with a FEDERATION
or SOCIAL
provider sets the user status to either ACTIVE
or STAGED
based on the activate
query parameter since these two providers don't support a password
or recovery_question
credential.
More information about the use cases are in the following sections and in the examples for Create a user.
When Optional Password is enabled, the user status following user creation can be affected by the enrollment policy. See Create an authenticator enrollment policy.
Based on the group memberships that are specified when the user is created, a password may or may not be required to make the user's status ACTIVE
.
If the enrollment policy that applies to the user (as determined by the groups assigned to the user) specifies that the Password authenticator is required
, then in the case where the user is created without a password, the user is in the PROVISIONED
status and
a One-Time Token is sent to the user through email. If the user is created with a password, then their status is set to ACTIVE
, and they can immediately sign in using their Password authenticator.
If the user doesn't have an enrolled authenticator, Okta sets the user to PROVISIONED
and sends an activation link. The user must click the activation link before they can log in. The activation link provides a baseline assurance that can be used to enroll in other authenticators. If the user has one or more enrolled authenticators at activation time, they’re set to ACTIVE
and can log in directly.
Creates a user without a password
or a recovery question & answer
.
If appropriate, when the user is activated, an email is sent to the user with an activation token that the user can use to complete the activation process. This is the default flow for new user registration using the administrator UI.
Creates a user without a password
.
When the user is activated, an email is sent to the user with an activation token that can be used to complete the activation process. This flow is useful if migrating users from an existing user store.
Creates a user without a recovery question & answer
.
The new user is able to sign in after activation with the assigned password. This flow is common when developing a custom user registration experience.
Important: Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
Creates a user with a specified hashed password
.
The new user is able to sign in after activation with the specified password.
This flow is common when migrating users from another data store in cases where we want to allow the users to retain their current passwords.
Important: Do not generate or send a one-time activation token when activating users with an imported password. Users should login with their imported password.
Creates a user with a Password Hook
object specifying that a password inline hook should be used to handle password verification.
The password inline hook is triggered to handle verification of the end user's password the first time the user tries to sign in, with Okta calling the password inline hook to check that the password the user supplied is valid. If the password is valid, Okta stores the hash of the password that was provided and can authenticate the user independently from then on. See Create a password import inline hook for more details.
The new user is able to sign in after activation with the valid password. This flow supports migrating users from another data store in cases where we wish to allow the users to retain their current passwords.
Important: Don't generate or send a one-time activation token when activating users with an password inline hook. Users should sign in with their existing password to be imported using the password import inline hook.
Creates a new user with a password
and recovery question & answer
.
The new user is able to log in with the assigned password after activation. This flow is common when developing a custom user-registration experience.
Important: Don't generate or send a one-time activation token when activating users with an assigned password. Users should login with their assigned password.
Creates a new passwordless user with a SOCIAL
or FEDERATION
authentication provider that must be authenticated via a trusted Identity Provider.
Creates a user that is added to the specified groups upon creation.
Use this in conjunction with other create operations for a Group Administrator that is scoped to create users only in specified groups. The request may specify up to 20 group ids. (This limit applies only when creating a user. The user may later be added to more groups.)
Creates a user with a specified user type (see User Types). The type specification may be included with any of the above Create user operations; this example demonstrates creating a user without credentials. The user type determines which Schema applies to that user. After a user has been created, the user can be assigned a different user type only by an admin via a full replacement PUT operation.
The links object specifies link relations. See _links
.
Note: This links object is different from Linked Objects.
For an individual user result, the links object contains a full set of link relations available for that user as determined by your policies. For a collection of users, the links object contains only the self
link. Operations that return a collection of users include List all users and List all member users.
The following table shows some links that may be available on a user, as determined by your policies:
Link Relation Type | Description |
---|---|
self | A self-referential link to this user |
activate | Lifecycle action to activate the user |
deactivate | Lifecycle action to deactivate the user |
suspend | Lifecycle action to suspend the user |
unsuspend | Lifecycle action to unsuspend the user |
resetPassword | Lifecycle action to trigger a password reset |
expirePassword | Lifecycle action to expire the user's password |
resetFactors | Lifecycle action to reset all MFA factors |
unlock | Lifecycle action to unlock a locked-out user |
forgotPassword | Resets a user's password by validating the user's recovery credential. |
changePassword | Changes a user's password validating the user's current password |
changeRecoveryQuestion | Changes a user's recovery credential by validating the user's current password |
okta.users.read
Lists users in your org, with pagination in most cases.
A subset of users can be returned that match a supported filter expression or search criteria.
q | string Finds users who match the specified query. This doesn't support pagination. This might not deliver optimal performance for large orgs, and is deprecated for such use cases. To ensure optimal performance, use a Use the |
after | string The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the |
limit | integer <int32> Default: 200 Specifies the number of results returned. Defaults to 10 if |
filter | string Filters users with a supported expression for a subset of properties. This requires URL encoding. For example, Filtering supports the following limited number of properties: Additionally, filtering supports only the equal filter=status eq "LOCKED_OUT" filter=profile.login eq "login@example.com" filter=filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and lastUpdated lt "2014-01-01T00:00:00.000Z" filter=lastUpdated gt "2013-06-01T00:00:00.000Z" and (status eq "LOCKED_OUT" or status eq "RECOVERY") |
search | string Searches for users with a supported filtering expression for most properties. Okta recommends using this parameter for search for best performance. This operation supports pagination. Use an ID lookup for records that you update to ensure your results contain the latest data. Property names in the search parameter are case sensitive, whereas operators (
This operation searches many properties:
You can also use You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the SCIM Protocol Specification for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See Filter. search=status eq "STAGED" search=lastUpdated gt "2014-01-01T00:00:00.000Z" search=id eq "00u1ero7vZFVEIYLWPBN" search=profile.department eq "Engineering" and (created lt "2014-01-01T00:00:00.000Z" or status eq "ACTIVE") search=profile.arrayAttr eq "arrayAttrVal1" search=classification eq "LITE" |
sortBy | string Specifies field to sort by (for search queries only). This can be any single property, for example |
sortOrder | string Specifies sort order asc or desc (for search queries only). Sorting is done in ASCII sort order (that is, by ASCII character value), but isn't case sensitive. |
expand | string Example: expand=classification |
Success
Forbidden
Too Many Requests
[- {
- "id": "00u118oQYT4TBGuay0g4",
- "status": "ACTIVE",
- "created": "2022-04-04T15:56:05.000Z",
- "activated": null,
- "statusChanged": null,
- "lastLogin": "2022-05-04T19:50:52.000Z",
- "lastUpdated": "2022-05-05T18:15:44.000Z",
- "passwordChanged": "2022-04-04T16:00:22.000Z",
- "type": {
- "id": "oty1162QAr8hJjTaq0g4"
}, - "profile": {
- "firstName": "Alice",
- "lastName": "Smith",
- "mobilePhone": null,
- "secondEmail": null,
- "login": "alice.smith@example.com",
- "email": "alice.smith@example.com"
}, - "realmId": "guo1afiNtSnZYILxO0g4",
- "credentials": {
- "password": { },
- "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
},
}
]
okta.users.manage
Creates a new user in your Okta org with or without credentials.
Legal Disclaimer
After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, you agreed not to use Okta's service/product to spam and/or send unsolicited messages. Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.
All responses return the created user. Activation of a user is an asynchronous operation. The system performs group reconciliation during activation and assigns the user to all apps via direct or indirect relationships (group memberships).
transitioningToStatus
property is ACTIVE
during activation to indicate that the user hasn't completed the asynchronous operation.status
is ACTIVE
when the activation process is complete.The user is emailed a one-time activation token if activated without a password.
Note: If the user is assigned to an app that is configured for provisioning, the activation process triggers downstream provisioning to the app. It is possible for a user to sign in before these apps have been successfully provisioned for the user.
Important: Do not generate or send a one-time activation token when activating users with an assigned password. Users should sign in with their assigned password.
For more information about the various scenarios of creating a user listed in the examples, see the User creation scenarios section.
required | object (UserProfile) Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
object (UserCredentialsWritable) Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
groupIds | Array of strings | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
realmId | string | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
object The ID of the user type. Add this value if you want to create a user with a non-default User Type.
The user type determines which schema applies to that user. After a user has been created, the user can
only be assigned a different user type by an administrator through a full replacement ( | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Success
Bad Request
Forbidden
Too Many Requests
See Create user without credentials for description
{- "profile": {
- "firstName": "Isaac",
- "lastName": "Brock",
- "email": "isaac.brock@example.com",
- "login": "isaac.brock@example.com",
- "mobilePhone": "555-415-1337"
}
}
{- "id": "00ub0oNGTSWTBKOLGLNR",
- "status": "STAGED",
- "created": "2013-07-02T21:36:25.344Z",
- "activated": null,
- "statusChanged": null,
- "lastLogin": null,
- "lastUpdated": "2013-07-02T21:36:25.344Z",
- "passwordChanged": null,
- "profile": {
- "firstName": "Isaac",
- "lastName": "Brock",
- "email": "isaac.brock@example.com",
- "login": "isaac.brock@example.com",
- "mobilePhone": "555-415-1337"
}, - "credentials": {
- "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
}, - "_links": {
- "activate": {
},
}
}
okta.users.read
Retrieves a user from your Okta org.
You can substitute me
for the id
to fetch the current user linked to an API token or session cookie.
When fetching a user by login
or login shortname
, URL encode the request parameter to ensure that special characters are escaped properly. Logins with a /
character can only be fetched by id
due to URL issues with escaping the /
character. If you don't know a user's ID, you can use the List all users endpoint to find it.
Note: Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See Mitigate the impact of third-party cookie deprecation.
Content-Type | string Specifies the media type of the resource. Optional Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for
application/json; okta-response=omitCredentials,omitCredentialsLinks application/json; okta-response="omitCredentials,omitCredentialsLinks, omitTransitioningToStatus" |
Success
Forbidden
Not Found
Too Many Requests
{- "id": "00ub0oNGTSWTBKOLGLNR",
- "status": "ACTIVE",
- "created": "2013-06-24T16:39:18.000Z",
- "activated": "2013-06-24T16:39:19.000Z",
- "statusChanged": "2013-06-24T16:39:19.000Z",
- "lastLogin": "2013-06-24T17:39:19.000Z",
- "lastUpdated": "2013-07-02T21:36:25.344Z",
- "passwordChanged": "2013-07-02T21:36:25.344Z",
- "profile": {
- "login": "isaac.brock@example.com",
- "firstName": "Isaac",
- "lastName": "Brock",
- "nickName": "issac",
- "displayName": "Isaac Brock",
- "email": "isaac.brock@example.com",
- "secondEmail": "isaac@example.org",
- "preferredLanguage": "en-US",
- "userType": "Employee",
- "organization": "Okta",
- "title": "Director",
- "division": "R&D",
- "department": "Engineering",
- "costCenter": "10",
- "employeeNumber": "187",
- "mobilePhone": "+1-555-415-1337",
- "primaryPhone": "+1-555-514-1337",
- "streetAddress": "301 Brannan St.",
- "city": "San Francisco",
- "state": "CA",
- "zipCode": "94107",
- "countryCode": "US"
}, - "credentials": {
- "password": { },
- "recovery_question": {
- "question": "What's my childhood elementary school?"
}, - "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
},
}
okta.users.manage
Updates a user's profile or credentials with partial update semantics.
Important: Use the
POST
method for partial updates. Unspecified properties are set to null withPUT
.
profile
and credentials
can be updated independently or together with a single request.
Note: Currently, the user type of a user can only be changed via a full replacement PUT operation. If the request parameters of a partial update include the type element from the user object, the value must match the existing type of the user. Only admins are permitted to change the user type of a user; end users are not allowed to change their own user type.
Note: To update a current user's profile with partial semantics, the
/api/v1/users/me
endpoint can be invoked.A user can only update profile properties for which the user has write access. Within the profile, if the user tries to update the primary or the secondary email IDs, verification emails are sent to those email IDs, and the fields are updated only upon verification.
If you are using this endpoint to set a password, it sets a password without validating existing user credentials. This is an administrative operation. For operations that validate credentials, refer to the Reset Password
, Forgot Password
, and Change Password
endpoints.
object (UserCredentials) Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
object (UserProfile) Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
realmId | string |
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{- "profile": {
- "firstName": "Isaac",
- "email": "isaac.brock@update.example.com",
- "mobilePhone": "555-415-1337"
}
}
{- "id": "00ub0oNGTSWTBKOLGLNR",
- "status": "ACTIVE",
- "created": "2013-06-24T16:39:18.000Z",
- "activated": "2013-06-24T16:39:19.000Z",
- "statusChanged": "2013-06-24T16:39:19.000Z",
- "lastLogin": "2013-06-24T17:39:19.000Z",
- "lastUpdated": "2013-07-02T21:36:25.344Z",
- "passwordChanged": "2013-07-02T21:36:25.344Z",
- "profile": {
- "login": "isaac.brock@example.com",
- "firstName": "Isaac",
- "lastName": "Brock",
- "nickName": "issac",
- "displayName": "Isaac Brock",
- "email": "isaac.brock@example.com",
- "secondEmail": "isaac@example.org",
- "preferredLanguage": "en-US",
- "userType": "Employee",
- "organization": "Okta",
- "title": "Director",
- "division": "R&D",
- "department": "Engineering",
- "costCenter": "10",
- "employeeNumber": "187",
- "mobilePhone": "+1-555-415-1337",
- "primaryPhone": "+1-555-514-1337",
- "streetAddress": "301 Brannan St.",
- "city": "San Francisco",
- "state": "CA",
- "zipCode": "94107",
- "countryCode": "US"
}, - "credentials": {
- "password": { },
- "recovery_question": {
- "question": "What's my childhood elementary school?"
}, - "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
},
}
okta.users.manage
Replaces a user's profile, credentials, or both using strict-update semantics.
All profile properties must be specified when updating a user's profile with a PUT
method. Any property not specified in the request is deleted.
Important: Don't use a
PUT
method for partial updates.
object (UserCredentials) Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
object (UserProfile) Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It's the client's responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
realmId | string |
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{- "credentials": {
- "password": {
- "value": "tlpWENT2m"
}, - "recovery_question": {
- "question": "Who's a major player in the cowboy scene?",
- "answer": "Annie Oakley"
}, - "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
}, - "profile": {
- "firstName": "Isaac",
- "lastName": "Brock",
- "email": "isaac.brock@example.com",
- "login": "isaac.brock@example.com",
- "mobilePhone": "555-415-1337"
}
}
{- "id": "00ub0oNGTSWTBKOLGLNR",
- "status": "ACTIVE",
- "created": "2013-06-24T16:39:18.000Z",
- "activated": "2013-06-24T16:39:19.000Z",
- "statusChanged": "2013-06-24T16:39:19.000Z",
- "lastLogin": "2013-06-24T17:39:19.000Z",
- "lastUpdated": "2013-07-02T21:36:25.344Z",
- "passwordChanged": "2013-07-02T21:36:25.344Z",
- "profile": {
- "login": "isaac.brock@example.com",
- "firstName": "Isaac",
- "lastName": "Brock",
- "nickName": "issac",
- "displayName": "Isaac Brock",
- "email": "isaac.brock@example.com",
- "secondEmail": "isaac@example.org",
- "preferredLanguage": "en-US",
- "userType": "Employee",
- "organization": "Okta",
- "title": "Director",
- "division": "R&D",
- "department": "Engineering",
- "costCenter": "10",
- "employeeNumber": "187",
- "mobilePhone": "+1-555-415-1337",
- "primaryPhone": "+1-555-514-1337",
- "streetAddress": "301 Brannan St.",
- "city": "San Francisco",
- "state": "CA",
- "zipCode": "94107",
- "countryCode": "US"
}, - "credentials": {
- "password": { },
- "recovery_question": {
- "question": "What's my childhood elementary school?"
}, - "provider": {
- "type": "OKTA",
- "name": "OKTA"
}
},
}
okta.users.manage
Deletes a user permanently. This operation can only be performed on users that have a DEPROVISIONED
status. This action can't be recovered!
This operation on a user that hasn't been deactivated causes that user to be deactivated. A second delete operation is required to delete the user.
Note: You can also perform user deletion asynchronously. To invoke asynchronous user deletion, pass an HTTP header
Prefer: respond-async
with the request.
This header is also supported by user deactivation, which is performed if the delete endpoint is invoked on a user that hasn't been deactivated.
No Content
Bad Request
Forbidden
Not Found
Too Many Requests
{- "errorCauses": [
- {
- "errorSummary": "string"
}
], - "errorCode": "string",
- "errorId": "string",
- "errorLink": "string",
- "errorSummary": "string"
}
okta.users.read
Lists information about how the user is blocked from accessing their account
Success
Forbidden
Not Found
Too Many Requests
[- {
- "type": "DEVICE_BASED",
- "appliesTo": "UNKNOWN_DEVICES"
}
]