User Authenticator Enrollments

The Authenticator Enrollments API provides operations for admins to manage the authenticator enrollments of their users.

An authenticator enrollment is the specific instance of an authenticator that a user has enrolled. For example, if a user enrolls an sms method with a phone number, they can use both sms and voice methods. The Authenticator Enrollments API allows admins to manage both of those user enrollments.

List all authenticator enrollments
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.read

Lists all authenticator enrollments of the specified user

Request

path Parameters

userId

required

string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/authenticator-enrollments

Request samples

Response samples

200
403
404
429

application/json

[{"type": "email",
"id": "eae4za57woixzodEK0g7",
"key": "okta_email",
"status": "ACTIVE",
"name": "Email",
"profile": {"email": "joe@example.com"
},
"nickname": null,
"created": "2020-07-26T21:05:23.000Z",
"lastUpdated": "2020-07-28T21:45:52.000Z",
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/eae4za57woixzodEK0g7",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
},
"authenticator": {"href": "https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6",
"hints": {"allow": ["GET"
]
}
}
}
},
{"type": "password",
"id": "laeh60xfl7VbebsFr0g6",
"key": "okta_password",
"status": "ACTIVE",
"name": "Password",
"nickname": null,
"created": "2020-07-26T21:05:23.000Z",
"lastUpdated": "2020-07-26T21:05:23.000Z",
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
},
"authenticator": {"href": "https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6",
"hints": {"allow": ["GET"
]
}
}
}
},
{"type": "phone",
"id": "sms8evhwh0Ne35iPR0g7",
"key": "phone_number",
"status": "ACTIVE",
"name": "Phone",
"created": "2020-07-26T21:05:23.000Z",
"lastUpdated": "2020-07-29T00:21:29.000Z",
"profile": {"phoneNumber": "+1 XXX-XXX-6065"
},
"nickname": "Joe's Work Phone",
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/laeh60xfl7VbebsFr0g6",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
},
"authenticator": {"href": "https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6",
"hints": {"allow": ["GET"
]
}
}
}
}
]

Create an auto-activated Phone authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.manage

Creates a Phone authenticator enrollment that's automatically activated

Request

path Parameters

userId

required

string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR

Request Body schema: application/json
required

authenticatorId

required

string

Unique identifier of the phone authenticator

required

object (AuthenticatorProfile)

Defines the authenticator specific parameters

phoneNumber

required

string

The phone number for a call or sms authenticator enrollment.

Responses

200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/users/{userId}/authenticator-enrollments/phone

Request samples

application/json

{"authenticatorId": "aut5l4ttFyGEWdy6V0k7",
"profile": {"phoneNumber": "+14086673418"
}
}

Response samples

200
400
403
429

application/json

{"type": "phone",
"id": "sms8evhwh0Ne35iPR0g7",
"key": "phone_number",
"status": "ACTIVE",
"name": "Phone",
"created": "2020-07-26T21:05:23.000Z",
"lastUpdated": "2020-07-29T00:21:29.000Z",
"profile": {"phoneNumber": "+1 XXX-XXX-6065"
},
"nickname": "Joe's Work Phone",
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/sms8evhwh0Ne35iPR0g7",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
},
"authenticator": {"href": "https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6",
"hints": {"allow": ["GET"
]
}
}
}
}

Create an auto-activated TAC authenticator enrollment
Early Access
OAuth 2.0 scopes:
okta.users.manage
Permissions:
okta.users.credentials.manageTemporaryAccessCode

Creates an auto-activated Temporary access code (TAC) authenticator enrollment

Request

path Parameters

userId

required

string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR

Request Body schema: application/json
required

authenticatorId

required

string

Unique identifier of the TAC authenticator

object (AuthenticatorProfileTacRequest)

Defines the authenticator specific parameters

multiUse	boolean Determines whether the enrollment can be used more than once. To enable multi-use, the org-level authenticator’s configuration must allow multi-use.
ttl	string Time-to-live (TTL) in minutes. Specifies how long the TAC enrollment is valid after it's created and activated. The configured value must be between 10 minutes (`10`) and 10 days (`14400`), inclusive. The actual allowed range depends on the org-level authenticator configuration.

Responses

200

Success

400

Bad Request

403

Forbidden

429

Too Many Requests

post/api/v1/users/{userId}/authenticator-enrollments/tac

Request samples

application/json

{"authenticatorId": "autnmtl4xbt8RQVzA0g4",
"profile": {"ttl": 11,
"multiUse": false
}
}

Response samples

200
400
403
429

application/json

{"type": "tac",
"id": "tac8evhwh0Ne35iPR0g7",
"key": "tac",
"status": "ACTIVE",
"name": "Temporary Access Code",
"created": "2025-05-28T17:21:14.000Z",
"lastUpdated": "2025-05-28T17:21:14.000Z",
"profile": {"tac": "n@C*bU26",
"multiUse": true,
"expiresAt": "2025-05-28T19:21:14"
},
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/clf8evhwh0Ne35iPR0g7",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
}
}
}

Retrieve an authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.read

Retrieves a user's authenticator enrollment by enrollmentId

Request

path Parameters

userId required	string ID of an existing Okta user Example: 00ub0oNGTSWTBKOLGLNR
enrollmentId required	string Unique identifier of an enrollment Example: sms8lqwuzSpWT4kVs0g4

Responses

200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}

Request samples

Response samples

200
403
404
429

application/json

{"type": "phone",
"id": "sms8evhwh0Ne35iPR0g7",
"key": "phone_number",
"status": "ACTIVE",
"name": "Phone",
"created": "2020-07-26T21:05:23.000Z",
"lastUpdated": "2020-07-29T00:21:29.000Z",
"profile": {"phoneNumber": "+1 XXX-XXX-6065"
},
"nickname": "Joe's Work Phone",
"_links": {"self": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7/authenticator-enrollments/sms8evhwh0Ne35iPR0g7",
"hints": {"allow": ["GET",
"DELETE"
]
}
},
"user": {"href": "https://{yourOktaDomain}/api/v1/users/00u4za57vqNsQAN8S0g7",
"hints": {"allow": ["GET"
]
}
},
"authenticator": {"href": "https://{yourOktaDomain}/api/v1/authenticators/auth60xfl7VbebsFr0g6",
"hints": {"allow": ["GET"
]
}
}
}
}

Delete an authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.manage

Deletes an existing enrollment for the specified user. The user can enroll the authenticator again.

Request

path Parameters

userId required	string ID of an existing Okta user Example: 00ub0oNGTSWTBKOLGLNR
enrollmentId required	string Unique identifier of an enrollment Example: sms8lqwuzSpWT4kVs0g4

Responses

204

No Content

403

Forbidden

404

Not Found

429

Too Many Requests

delete/api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}

Request samples

Response samples

403
404
429

application/json

{"errorCode": "E0000006",
"errorSummary": "You do not have permission to perform the requested action",
"errorLink": "E0000006",
"errorId": "sampleNUSD_8fdkFd8fs8SDBK",
"errorCauses": [ ]
}

User Authenticator Enrollments

List all authenticator enrollmentsEarly AccessIdentity EngineOAuth 2.0 scopes: okta.users.read

path Parameters

Create an auto-activated Phone authenticator enrollmentEarly AccessIdentity EngineOAuth 2.0 scopes: okta.users.manage

path Parameters

Request Body schema: application/jsonrequired

Create an auto-activated TAC authenticator enrollmentEarly AccessOAuth 2.0 scopes: okta.users.managePermissions: okta.users.credentials.manageTemporaryAccessCode

path Parameters

Request Body schema: application/jsonrequired

Retrieve an authenticator enrollmentEarly AccessIdentity EngineOAuth 2.0 scopes: okta.users.read

path Parameters

Delete an authenticator enrollmentEarly AccessIdentity EngineOAuth 2.0 scopes: okta.users.manage

path Parameters

List all authenticator enrollments
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.read

Create an auto-activated Phone authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.manage

Request Body schema: application/json
required

Create an auto-activated TAC authenticator enrollment
Early Access
OAuth 2.0 scopes:
okta.users.manage
Permissions:
okta.users.credentials.manageTemporaryAccessCode

Request Body schema: application/json
required

Retrieve an authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.read

Delete an authenticator enrollment
Early AccessIdentity Engine
OAuth 2.0 scopes:
okta.users.manage