User Authenticator Enrollments

The Authenticator Enrollments API provides operations for admins to manage the authenticator enrollments of their users.

An authenticator enrollment is the specific instance of an authenticator that a user has enrolled. For example, if a user enrolls an sms method with a phone number, they can use both sms and voice methods. The Authenticator Enrollments API allows admins to manage both of those user enrollments.

List all authenticator enrollments
Identity Engine
OAuth 2.0 scopes:
  • okta.users.read

Lists all authenticator enrollments of the specified user

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
query Parameters
discloseIdentifiers
Array of strings

Indicates whether or not the identifier of an authenticator enrollment is disclosed or anonymized. If it's included in the operation query, then the identifier of the authenticator enrollment (the actual phone number, for example) is included in the response.

Items Value: "phone"
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

get/api/v1/users/{userId}/authenticator-enrollments
Request samples 
Response samples 
application/json
[]
Create an auto-activated Phone authenticator enrollment
Identity Engine
OAuth 2.0 scopes: 
  • okta.users.manage
Creates a Phone authenticator enrollment that's automatically activated


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
Request Body schema: application/json
required
authenticatorId
required
string
Unique identifier of the phone authenticator


 
required
object (AuthenticatorProfile) 
Defines the authenticator specific parameters


 
phoneNumber
required
string
The phone number for a call or sms authenticator enrollment.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/users/{userId}/authenticator-enrollments/phone
Request samples 
application/json
{
  • "authenticatorId": "aut5l4ttFyGEWdy6V0k7",
  • "profile": {
    • "phoneNumber": "+14086673418"
    }
}
Response samples 
application/json
{}
Create an auto-activated TAC authenticator enrollment
Early Access
OAuth 2.0 scopes: 
  • okta.users.manage
Permissions: 
  • okta.users.credentials.manageTemporaryAccessCode
Creates an auto-activated Temporary access code (TAC) authenticator enrollment


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
Request Body schema: application/json
required
authenticatorId
required
string
Unique identifier of the TAC authenticator


 
object (AuthenticatorProfileTacRequest) 
Defines the authenticator specific parameters


 
multiUse
boolean
Determines whether the enrollment can be used more than once. To enable multi-use, the org-level authenticator’s configuration must allow multi-use.


 
ttl
string
Time-to-live (TTL) in minutes.


Specifies how long the TAC enrollment is valid after it's created and activated.
The configured value must be between 10 minutes (10) and 10 days (14400), inclusive.
The actual allowed range depends on the org-level authenticator configuration.


 
Responses 
200
Success


400
Bad Request


403
Forbidden


429
Too Many Requests


post/api/v1/users/{userId}/authenticator-enrollments/tac
Request samples 
application/json
{
  • "authenticatorId": "autnmtl4xbt8RQVzA0g4",
  • "profile": {
    • "ttl": 11,
    • "multiUse": false
    }
}
Response samples 
application/json
{}
Retrieve an authenticator enrollment
Identity Engine
OAuth 2.0 scopes: 
  • okta.users.read
Retrieves a user's authenticator enrollment by enrollmentId


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
enrollmentId
required
string
Unique identifier of an enrollment


 
 Example:  sms8lqwuzSpWT4kVs0g4
query Parameters
discloseIdentifiers
Array of strings
Indicates whether or not the identifier of an authenticator enrollment is disclosed or anonymized. If it's included in the operation query, then the identifier of the authenticator enrollment (the actual phone number, for example) is included in the response.


Items Value: "phone"  
Responses 
200
Success


403
Forbidden


404
Not Found


429
Too Many Requests


get/api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}
Request samples 
Response samples 
application/json
{}
Delete an authenticator enrollment
Identity Engine
OAuth 2.0 scopes: 
  • okta.users.manage
Deletes an existing enrollment for the specified user. The user can enroll the authenticator again.


Request 
path Parameters
userId
required
string
ID of an existing Okta user


 
 Example:  00ub0oNGTSWTBKOLGLNR
enrollmentId
required
string
Unique identifier of an enrollment


 
 Example:  sms8lqwuzSpWT4kVs0g4
Responses 
204
No Content


403
Forbidden


404
Not Found


429
Too Many Requests


delete/api/v1/users/{userId}/authenticator-enrollments/{enrollmentId}
Request samples 
Response samples 
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}