User Lifecycle

The User Lifecycle API provides lifecycle operations, which are non-idempotent operations that initiate a state transition for a user's status. Some operations are asynchronous while others are synchronous. The user's current status limits what operations are allowed.

Reactivate a User
CORS
OAuth 2.0: okta.users.manage

Reactivates a user.

This operation can only be performed on Users with a PROVISIONED or RECOVERY status. This operation restarts the activation workflow if for some reason the user activation wasn't completed when using the activationToken from Activate User.

Users that don't have a password must complete the flow by completing Reset Password and MFA enrollment steps to transition the user to ACTIVE status.

If sendEmail is false, returns an activation link for the user to set up their account. The activation token can be used to create a custom activation link.

Request
path Parameters
id
required
string

id, login, or login shortname (as long as it is unambiguous) of user

query Parameters
sendEmail
boolean
Default: false

Sends an activation email to the user if true

Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{id}/lifecycle/reactivate
Request samples
Response samples
application/json
{}

Activate a User
CORS
OAuth 2.0: okta.users.manage

Activates a User.

This operation can only be performed on Users with a STAGED or DEPROVISIONED status. Activation of a User is an asynchronous operation.

  • The User will have the transitioningToStatus property with an ACTIVE value during activation to indicate that the user hasn't completed the asynchronous operation.
  • The User will have an ACTIVE status when the activation process completes.

Users who don't have a password must complete the welcome flow by visiting the activation link to complete the transition to ACTIVE status.

Note: If you want to send a branded User Activation email, change the subdomain of your request to the custom domain that's associated with the brand. For example, change subdomain.okta.com to custom.domain.one. See Multibrand and custom domains.

Note: If you have Optional Password enabled, visiting the activation link is optional for users who aren't required to enroll a password. See Create user with Optional Password enabled.

Legal disclaimer After a user is added to the Okta directory, they receive an activation email. As part of signing up for this service, you agreed not to use Okta's service/product to spam and/or send unsolicited messages. Please refrain from adding unrelated accounts to the directory as Okta is not responsible for, and disclaims any and all liability associated with, the activation email's content. You, and you alone, bear responsibility for the emails sent to any recipients.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
query Parameters
sendEmail
boolean
Default: true

Sends an activation email to the user if true

Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/activate
Request samples
Response samples
application/json
{}

Deactivate a User
CORS
OAuth 2.0: okta.users.manage

Deactivates a User.

This operation can only be performed on Users that do not have a DEPROVISIONED status.

  • The User's transitioningToStatus property is DEPROVISIONED during deactivation to indicate that the user hasn't completed the asynchronous operation.
  • The User's status is DEPROVISIONED when the deactivation process is complete.

Important: Deactivating a User is a destructive operation. The User is deprovisioned from all assigned apps, which might destroy their data such as email or files. This action cannot be recovered!

You can also perform user deactivation asynchronously. To invoke asynchronous user deactivation, pass an HTTP header Prefer: respond-async with the request.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
query Parameters
sendEmail
boolean
Default: false

Sends a deactivation email to the admin if true

header Parameters
Prefer
string

Request asynchronous processing

Value: "respond-async"
Responses
200

OK

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/deactivate
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}

Reset Factors
CORS
OAuth 2.0: okta.users.manage

Resets all factors for the specified User. All MFA factor enrollments return to the unenrolled state. The User's status remains ACTIVE. This link is present only if the User is currently enrolled in one or more MFA factors.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
Responses
200

OK

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/reset_factors
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}

Suspend a User
CORS
OAuth 2.0: okta.users.manage

Suspends a user. This operation can only be performed on Users with an ACTIVE status. The User has a SUSPENDED status when the process completes.

Suspended users can't sign in to Okta. They can only be unsuspended or deactivated. Their group and app assignments are retained.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
Responses
200

OK

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/suspend
Request samples
Response samples
application/json
{
  • "errorCode": "E0000028",
  • "errorSummary": "The request is missing a required parameter.",
  • "errorLink": "E0000028",
  • "errorId": "sampleiCF-l7mr9XqM1NQ",
  • "errorCauses": [ ]
}

Unlock a User
CORS
OAuth 2.0: okta.users.manage

Unlocks a User with a LOCKED_OUT status or unlocks a User with an ACTIVE status that is blocked from unknown devices. Unlocked Users have an ACTIVE status and can sign in with their current password.

Note: This operation works with Okta-sourced users. It doesn't support directory-sourced accounts such as Active Directory.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
Responses
200

Success

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/unlock
Request samples
Response samples
application/json
{
  • "errorCode": "E0000006",
  • "errorSummary": "You do not have permission to perform the requested action",
  • "errorLink": "E0000006",
  • "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  • "errorCauses": [ ]
}

Unsuspend a User
CORS
OAuth 2.0: okta.users.manage

Unsuspends a user and returns them to the ACTIVE state. This operation can only be performed on users that have a SUSPENDED status.

Request
path Parameters
userId
required
string

ID of an existing Okta user

Example: 00ub0oNGTSWTBKOLGLNR
Responses
200

Success

400

Bad Request

403

Forbidden

404

Not Found

429

Too Many Requests

post/api/v1/users/{userId}/lifecycle/unsuspend
Request samples
Response samples
application/json
{
  • "errorCode": "E0000028",
  • "errorSummary": "The request is missing a required parameter.",
  • "errorLink": "E0000028",
  • "errorId": "sampleiCF-l7mr9XqM1NQ",
  • "errorCauses": [ ]
}