Every Okta org comes with a built-in authorization server called the org authorization server. Use the org authorization server to perform SSO with Okta for your OpenID Connect apps or to get an access token for the Okta APIs. You can't customize this authorization server with regards to audience, claims, policies, or scopes. Additionally, the resulting access token's issuer is https://{yourOktaDomain}
, which indicates that only Okta can consume or validate it. The access token can't be used or validated by your own applications.
Note: Okta has two types of authorization servers: the org authorization server and the custom authorization server. To learn more about each type of authorization server and when to use them, see Authorization servers.
Returns OpenID Connect metadata for the Okta org authorization server. Clients use this information to programmatically configure their interactions with Okta.
Success
Invalid Client ID
{- "response_types_supported": [
- "code",
- "id_token",
- "code id_token",
- "code token",
- "id_token token",
- "code id_token token"
], - "response_modes_supported": [
- "query",
- "fragment",
- "form_post",
- "okta_post_message"
], - "grant_types_supported": [
- "authorization_code",
- "implicit",
- "refresh_token",
- "password",
- "urn:ietf:params:oauth:grant-type:device_code"
], - "subject_types_supported": [
- "public"
], - "id_token_signing_alg_values_supported": [
- "RS256"
], - "scopes_supported": [
- "openid",
- "email",
- "profile",
- "address",
- "phone",
- "offline_access",
- "groups"
], - "token_endpoint_auth_methods_supported": [
- "client_secret_basic",
- "client_secret_post",
- "client_secret_jwt",
- "private_key_jwt",
- "none"
], - "claims_supported": [
- "iss",
- "ver",
- "sub",
- "aud",
- "iat",
- "exp",
- "jti",
- "auth_time",
- "amr",
- "idp",
- "nonce",
- "name",
- "nickname",
- "preferred_username",
- "given_name",
- "middle_name",
- "family_name",
- "email",
- "email_verified",
- "profile",
- "zoneinfo",
- "locale",
- "address",
- "phone_number",
- "picture",
- "website",
- "gender",
- "birthdate",
- "updated_at",
- "at_hash",
- "c_hash"
], - "code_challenge_methods_supported": [
- "S256"
], - "introspection_endpoint_auth_methods_supported": [
- "client_secret_basic",
- "client_secret_post",
- "client_secret_jwt",
- "private_key_jwt",
- "none"
], - "revocation_endpoint_auth_methods_supported": [
- "client_secret_basic",
- "client_secret_post",
- "client_secret_jwt",
- "private_key_jwt",
- "none"
], - "request_parameter_supported": true,
- "request_object_signing_alg_values_supported": [
- "HS256",
- "HS384",
- "HS512",
- "RS256",
- "RS384",
- "RS512",
- "ES256",
- "ES384",
- "ES512"
],
}
This endpoint returns a unique identifier (auth_req_id
) that identifies the authentication flow while it tries to authenticate the user in the background. This auth_req_id
value is used in subsequent token requests to the /token
endpoint.
Note: The
/bc/authorize
endpoint requires client authentication. The method is configured per client application. See Client authentication methods for more information.
binding_message | string A message that appears for the user to identify the transaction. |
id_token_hint required | string An ID token previously issued to the client as a hint to identify the user for whom authentication is being requested. Note: You can specify either |
login_hint required | string A hint to the OpenID Provider regarding the user for whom authentication is being requested. Note: You can specify either |
request | string A JWT created by the client that enables requests to be passed as a single, self-contained parameter.
|
request_expiry | integer [ 1 .. 300 ] Allows the client to request the |
scope required | string
|
property name* additional property | any |
Success
Bad Request
Unauthorized
Too Many Requests
client_id=0jrabyQWm4B9zVJPbotY&client_secret=6W7XvLCrs4ByKn7Ucwh8ygeeXRhdGFdVOTp75eOc&scope=openid&binding_message=Signing%20in%20from%20device&login_hint=john.doe%40example.com
{- "auth_req_id": "ftJwF5ZwW2SGPPoTQEKtAr_U8_Ek3RvWyR",
- "expires_in": 300,
- "interval": 5
}
Initiates the challenge of subsequent factor(s) in a Direct Authentication flow after the token endpoint has responded with 'mfa_required'. This endpoint is optional if the client is able to proceed without it, for example, when the client knows it needs to follow up with an OTP and can prompt the end user for one.
Note: The
/challenge
endpoint requires client authentication. The method is configured per client application. See Client authentication methods.
The next factor type to challenge is returned and in the case of out-of-band factors, any information needed for the out-of-band transaction.
Bad Request
Unauthorized
Forbidden
Too Many Requests
mfa_token=Qwk9va6QYgR3s7JMiWUm&channel_hint=push&challenge_types_supported=http%3A%2F%2Fauth0.com%2Foauth%2Fgrant-type%2Fmfa-oob
Returns a user code, device code, activation link, and QR code activation link
client_id | string Obtained during either manual client registration or through the Dynamic Client Registration API. It identifies the client and must match the value preregistered in Okta. |
scope | string A list of scopes that the client wants included in the access token. |
Based on the type of token and whether it is active, the returned JSON contains a different set of information.
Bad Request
Unauthorized
Too Many Requests
client_id=string&scope=string
{- "user_code": "RGTCFDTL",
- "device_code": "5cbeb234-7e00-4ff7-9aa2-b1a4558a75d2",
- "interval": 5,
- "expires_in": 600
}
This endpoint takes an access token, ID token, refresh token, or device secret and returns a boolean that indicates whether it is active. If the token is active, additional data about the token is also returned. If the token is invalid, expired, or revoked, it is considered inactive.
Be sure that you are using the /introspect
endpoint of the same authorization server that you used to create the token.
Note: The
/introspect
endpoint requires client authentication. The method is configured per client application. See Client authentication methods. For public clients (such as single-page and mobile apps) that don't have aclient_secret
, include theclient_id
as a query parameter when calling the/introspect
endpoint. Make sure that you aren't passing the Authorization header in the request.
Based on the type of token and whether it is active, the returned JSON contains a different set of information.
Bad Request
Unauthorized
Too Many Requests
{- "token": "string",
- "token_type_hint": "access_token"
}
{- "active": true,
- "token_type": "Bearer",
- "scope": "openid profile",
- "client_id": "a9VpZDRCeFh3Nkk2VdYa",
- "username": "john.doe@example.com",
- "exp": 1451606400,
- "iat": 1451602800,
- "sub": "john.doe@example.com",
- "jti": "AT.7P4KlczBYVcWLkxduEuKeZfeiNYkZIC9uGJ28Cc-YaI",
- "uid": "00uid4BxXw6I6TV4m0g3"
}
Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens that you receive from your authorization server.
Note: Looking for how to obtain the
jwks_uri
for your org authorization server? See the well-known OpenID Connect metadata endpoint.
Any of the two or three keys listed are used to sign tokens. The order of keys in the result doesn't indicate which keys are used.
These keys can be used to locally validate JWTs returned by Okta. Standard open-source libraries are available for every major language to perform JWS signature validation.
Note: The information returned from this endpoint could lag slightly, but will eventually be up-to-date.
Note: Okta returns standard HTTP Cache-Control headers for applicable JWKS endpoints. Ensure that you respect the cache header directives, as they are updated based on the time of the request.
For more information on key rotation and best practices, see JSON Web Key Set.
Success
Too Many Requests
{- "keys": [
- {
- "alg": "RS256",
- "e": "AQAB",
- "n": "iKqiD4cr7FZKm6f05K4r-GQOvjRqjOeFmOho9V7SAXYwCyJluaGBLVvDWO1XlduPLOrsG_Wgs67SOG5qeLPR8T1zDK4bfJAo1TvbwYeTwVSfd_0mzRq8WaVc_2JtEK7J-4Z0MdVm_dJmcMHVfDziCRohSZthN__WM2NwGnbewWnla0wpEsU3QMZ05_OxvbBdQZaDUsNSx46is29eCdYwhkAfFd_cFRq3DixLEYUsRwmOqwABwwDjBTNvgZOomrtD8BRFWSTlwsbrNZtJMYU33wuLO9ynFkZnY6qRKVHr3YToIrqNBXw0RWCheTouQ-snfAB6wcE2WDN3N5z760ejqQ",
- "kid": "U5R8cHbGw445Qbq8zVO1PcCpXL8yG6IcovVa3laCoxM",
- "kty": "RSA",
- "use": "sig"
}, - {
- "alg": "RS256",
- "e": "AQAB",
- "n": "l1hZ_g2sgBE3oHvu34T-5XP18FYJWgtul_nRNg-5xra5ySkaXEOJUDRERUG0HrR42uqf9jYrUTwg9fp-SqqNIdHRaN8EwRSDRsKAwK3HIJ2NJfgmrrO2ABkeyUq6rzHxAumiKv1iLFpSawSIiTEBJERtUCDcjbbqyHVFuivIFgH8L37-XDIDb0XG-R8DOoOHLJPTpsgH-rJeM5w96VIRZInsGC5OGWkFdtgk6OkbvVd7_TXcxLCpWeg1vlbmX-0TmG5yjSj7ek05txcpxIqYu-7FIGT0KKvXge_BOSEUlJpBhLKU28OtsOnmc3NLIGXB-GeDiUZiBYQdPR-myB4ZoQ",
- "kid": "Y3vBOdYT-l-I0j-gRQ26XjutSX00TeWiSguuDhW3ngo",
- "kty": "RSA",
- "use": "sig"
}, - {
- "alg": "RS256",
- "e": "AQAB",
- "n": "lC4ehVB6W0OCtNPnz8udYH9Ao83B6EKnHA5eTcMOap_lQZ-nKtS1lZwBj4wXRVc1XmS0d2OQFA1VMQ-dHLDE3CiGfsGqWbaiZFdW7UGLO1nAwfDdH6xp3xwpKOMewDXbAHJlXdYYAe2ap-CE9c5WLTUBU6JROuWcorHCNJisj1aExyiY5t3JQQVGpBz2oUIHo7NRzQoKimvpdMvMzcYnTlk1dhlG11b1GTkBclprm1BmOP7Ltjd7aEumOJWS67nKcAZzl48Zyg5KtV11V9F9dkGt25qHauqFKL7w3wu-DYhT0hmyFcwn-tXS6e6HQbfHhR_MQxysLtDGOk2ViWv8AQ",
- "kid": "h5Sr3LXcpQiQlAUVPdhrdLFoIvkhRTAVs_h39bQnxlU",
- "kty": "RSA",
- "use": "sig"
}
]
}
Use this operation to sign a user out by removing their Okta browser session.
This endpoint takes an ID token and logs the user out of Okta if the subject matches the current Okta session. A post_logout_redirect_uri
may be specified to redirect the browser after the logout is performed. Otherwise, the browser is redirected to the Okta sign-in page. See Sign users out for more information.
If no Okta session exists, this endpoint has no effect and the browser is redirected immediately to the Okta sign-in page or the post_logout_redirect_uri
(if specified).
If the ID token passed using id_token_hint
is invalid, the browser is redirected to an error page.
If the ID token is valid, but expired, and the subject matches the current Okta session, a logout request signs the user out and redirects the browser to the post_logout_redirect_uri
.
Note: When making requests to the
/logout
endpoint, the browser (user agent) should be redirected to the endpoint. You can't use AJAX with this endpoint. We may load an interstitial to do client-side logic before redirecting to thepost_logout_redirect_uri
, or login page if no redirect is provided.
Successful logout
Too Many Requests
{- "errorCode": "E0000047",
- "errorSummary": "You exceeded the maximum number of requests. Try again in a while.",
- "errorLink": "E0000047",
- "errorId": "sampleQPivGUj_ND5v78vbYWW",
- "errorCauses": [ ]
}
Use this operation to sign a user out by removing their Okta browser session. This is the recommended method over GET as you can wrap the parameters in the request body.
This endpoint uses the ID token to verify that the subject matches the current Okta session, and then signs the user out. You can specify a post_logout_redirect_uri
to redirect the browser after the user signs out. Otherwise, the browser is redirected to the Okta sign-in page. See Sign users out.
If no Okta session exists, this endpoint has no effect and the browser is redirected immediately to the Okta sign-in page or the post_logout_redirect_uri
(if specified).
If the ID token passed using id_token_hint
is invalid, the browser is redirected to an error page.
If the ID token is valid, but expired, and the subject matches the current Okta session, a logout request signs the user out and redirects the browser to the post_logout_redirect_uri
.
Note: When making requests to the
/logout
endpoint, the browser (user agent) should be redirected to the endpoint. You need to make a POST request from a form. A POST request to this endpoint from the backend doesn't completely terminate the session.
Successful logout
Too Many Requests
id_token_hint=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwiZW1haWxfJhaW4ub2t0YTEuY29tO.....jE4MDIiLCJsb2dpbiI6ImFkbWluaXN0cmF0b3IxQGNsb3VkaXR1ZGUubmV0IiwiYXVkIjoidUFhdW5vZldrYURKeHVrQ0ZlQngiLCJpYXQiOjE0NDk2MjQwMjYsImV4cCI6MTQ0OTYyNzYyNiwiYW1yIjpbInB3ZCJdLCJqdGkiOiI0ZUFXSk9DTUIzU1g4WGV3RGZWUiIsImF1dGhfdGltZSI6MTQ0OTYyNDAyNiwiYXRfaGFzaCI6ImNwcUtmZFFBNWVIODkxRmY1b0pyX1EifQ.Btw6bUbZhRa89DsBb8KmL9rfhku--_mbNC2pmF45Pn3u_6KKwxJnxcWxLvMuuisnvIs7NScKpOAab6ayZU0VL8W6XAijQmnYTtMWQfSuaaR8rYOaWHrffh3OypvDdrQuYacbkT0csxdrayXfBG3UF5-ZAlhfch1fhFT3yZFdWwzkSDc0BGygfiFyNhCezfyT454wbciSZgrA9ROeHkfPCaX7KCFO8GgQEkGRoQntFBNjluFhNLJIUkEFovEDlfuB4tv_M8BM75celdy3jkpOurg&post_logout_redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth2%2FpostLogoutRedirectUri&state=1230000
{- "errorCode": "E0000047",
- "errorSummary": "You exceeded the maximum number of requests. Try again in a while.",
- "errorLink": "E0000047",
- "errorId": "sampleQPivGUj_ND5v78vbYWW",
- "errorCauses": [ ]
}
Initiates direct authentication with an out-of-band authenticator
Note: The
/oob-authenticate
endpoint requires client authentication. The method is configured per client application. See Client authentication methods.
Out-of-band authentication has successfully been initiated.
Bad Request
Unauthorized
Forbidden
Too Many Requests
login_hint=testuser%40example.com&channel_hint=push
{- "oob_code": "ftOpMH6ohWMGWoH1vgrX-lNX6tnXE6JNd9",
- "channel": "push",
- "binding_method": "none",
- "expires_in": 300,
- "interval": 5
}
Use this operation to request the permitted communication options for the /par
operation.
Note: CORS is enforced on a per-client basis. This endpoint always returns CORS headers with the current Origin.
Success
Too Many Requests
{- "errorCode": "E0000047",
- "errorSummary": "You exceeded the maximum number of requests. Try again in a while.",
- "errorLink": "E0000047",
- "errorId": "sampleQPivGUj_ND5v78vbYWW",
- "errorCauses": [ ]
}
The pushed authorization request endpoint (/par
) promotes OAuth security by allowing the authorization server to authenticate the client before any user interaction happens. The increased confidence in the client's identity during the authorization process means the authorization server can refuse illegitimate requests much earlier in the process. This process prevents attempts to spoof clients or otherwise tamper with or misuse an authorization request and provides a simple way to make a confidential and integrity-protected authorization request.
The /par
endpoint allows an OAuth 2.0 client to push the payload of an authorization request directly to the authorization server. The authorization server provides a request URI value in the response. The request URI is a reference to the authorization request payload data in a subsequent call to the /authorize
endpoint through a user agent.
client_id | string Obtained during either manual client registration or through the Dynamic Client Registration API |
code_challenge | string A challenge for PKCE. The challenge is verified in the access token request. |
code_challenge_method | string Method used to derive the code challenge for PKCE |
display | string The |
idp | string An Okta Extension to the OpenID Specification. The ID of the Identity Provider to use if there's no Okta Session |
idp_scope | string An Okta Extension to the OpenID Specification. A space-delimited list of scopes to be provided to the external Identity Provider when performing social login. These scopes are used in addition to the scopes already configured for the Identity Provider. |
login_hint | string A username to pre-populate if prompting for authentication |
max_age | integer Allowable elapsed time, in seconds, since the last time the end user was actively authenticated by Okta |
nonce | string A value that's returned in the ID token. It's used to mitigate replay attacks. The value is required for Implicit and Hybrid flows, but optional for Auth Code flows. See OIDC Specs. |
prompt | string If no
|
redirect_uri | string Callback location where you want the authorization code or tokens sent to. It must match the value preregistered in Okta during client registration. |
request | string Used to push a Request Object JWT to the authorization server |
response_mode | string How Okta should return the authorization response. If The |
response_type | string Any combination of |
scope | string A space-delimited string of scopes requested |
sessionToken | string Okta one-time session token. This is an Okta extension to the OpenID specification. The |
state | string A value returned with the token. The client app can use it to remember the state of its interaction with the end user at the time of the authentication call. It can contain alphanumeric, comma, period, underscore, and hyphen characters. |
Success
Bad Request
Unauthorized
Forbidden
Too Many Requests
{- "client_id": "string",
- "code_challenge": "string",
- "code_challenge_method": "string",
- "display": "string",
- "idp": "string",
- "idp_scope": "string",
- "login_hint": "string",
- "max_age": 0,
- "nonce": "string",
- "prompt": "string",
- "redirect_uri": "string",
- "request": "string",
- "response_mode": "string",
- "response_type": "string",
- "scope": "string",
- "sessionToken": "string",
- "state": "string"
}
{- "request_uri": "urn:okta:Y1hIQ3ZqYjFodEZMOVJ3TUF4ZHRPZjJuNFZRV2ZWQ044MmFoX2VIT2oyNDo",
- "expires_in": 3600
}
The API takes an access or refresh token and revokes it. Revoked tokens are considered inactive at the introspection endpoint. A client may only revoke its own tokens. See Revoke tokens for more information.
Note: The
/revoke
endpoint requires client authentication. The method is configured per client application. See Client authentication methods for more information.
Successful revocation. Note that revoking an invalid, expired, or revoked token is still considered a success so information isn't leaked.
Bad Request
Unauthorized
Too Many Requests
{- "token": "string",
- "token_type_hint": "access_token"
}
{- "error": "invalid_request",
- "error_description": "The `token` parameter is required."
}
Use this operation to request the permitted communication options for the /token
operation.
Note: CORS is enforced on a per-client basis. This endpoint will always return CORS headers with the current Origin.
Success
Too Many Requests
{- "errorCode": "E0000047",
- "errorSummary": "You exceeded the maximum number of requests. Try again in a while.",
- "errorLink": "E0000047",
- "errorId": "sampleQPivGUj_ND5v78vbYWW",
- "errorCauses": [ ]
}
This endpoint returns access tokens, ID tokens, and refresh tokens depending on the request parameters. For password, client credentials, SAML 2.0 assertion, and refresh token flows, calling /token
is the only step of the flow. For the authorization code flow, calling /token
is the second step of the flow.
Note: The
/token
endpoint requires client authentication. The method is configured per client application. See Client authentication methods for more information.
Based on the scopes requested. Generally speaking, the scopes specified in a request are included in the access token in the response.
Bad Request
Unauthorized
Too Many Requests
client_id=0jrabyQWm4B9zVJPbotY&client_secret=6W7XvLCrs4ByKn7Ucwh8ygeeXRhdGFdVOTp75eOc&grant_type=authorization_code&redirect_uri=https%3A%2F%2Fwww.example.com%2Foauth2%2FredirectUri&code=QnowT-aeawtOJKp-MtkH%26
{- "access_token": "eyJhbGciOiJSUzI1NiJ9.eyJ2ZXIiOjEsImlzcyI6Imh0dHA6Ly9yYWluLm9rdGExLmNvbToxODAyIiwiaWF0IjoxNDQ5NjI0MDI2LCJleHAiOjE0NDk2Mjc2MjYsImp0aSI6IlVmU0lURzZCVVNfdHA3N21BTjJxIiwic2NvcGVzIjpbIm9wZW5pZCIsImVtYWlsIl0sImNsaWVudF9pZCI6InVBYXVub2ZXa2FESnh1a0NGZUJ4IiwidXNlcl9pZCI6IjAwdWlkNEJ4WHc2STZUVjRtMGczIn0.HaBu5oQxdVCIvea88HPgr2O5evqZlCT4UXH4UKhJnZ5px-ArNRqwhxXWhHJisslswjPpMkx1IgrudQIjzGYbtLFjrrg2ueiU5-YfmKuJuD6O2yPWGTsV7X6i7ABT6P-t8PRz_RNbk-U1GXWIEkNnEWbPqYDAm_Ofh7iW0Y8WDA5ez1jbtMvd-oXMvJLctRiACrTMLJQ2e5HkbUFxgXQ_rFPNHJbNSUBDLqdi2rg_ND64DLRlXRY7hupNsvWGo0gF4WEUk8IZeaLjKw8UoIs-ETEwJlAMcvkhoVVOsN5dPAaEKvbyvPC1hUGXb4uuThlwdD3ECJrtwgKqLqcWonNtiw",
- "token_type": "Bearer",
- "expires_in": 3600,
- "scope": "openid email offline_access",
- "refresh_token": "a9VpZDRCeFh3Nkk2VdY",
- "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMHVpZDRCeFh3Nkk2VFY0bTBnMyIsImVtYWlsIjoid2VibWFzdGVyQGNsb3VkaXR1ZGUubmV0IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInZlciI6MSwiaXNzIjoiaHR0cDovL3JhaW4ub2t0YTEuY29tOjE4MDIiLCJsb2dpbiI6ImFkbWluaXN0cmF0b3IxQGNsb3VkaXR1ZGUubmV0IiwiYXVkIjoidUFhdW5vZldrYURKeHVrQ0ZlQngiLCJpYXQiOjE0NDk2MjQwMjYsImV4cCI6MTQ0OTYyNzYyNiwiYW1yIjpbInB3ZCJdLCJqdGkiOiI0ZUFXSk9DTUIzU1g4WGV3RGZWUiIsImF1dGhfdGltZSI6MTQ0OTYyNDAyNiwiYXRfaGFzaCI6ImNwcUtmZFFBNWVIODkxRmY1b0pyX1EifQ.Btw6bUbZhRa89DsBb8KmL9rfhku--_mbNC2pgC8yu8obJnwO12nFBepui9KzbpJhGM91PqJwi_AylE6rp-ehamfnUAO4JL14PkemF45Pn3u_6KKwxJnxcWxLvMuuisnvIs7NScKpOAab6ayZU0VL8W6XAijQmnYTtMWQfSuaaR8rYOaWHrffh3OypvDdrQuYacbkT0csxdrayXfBG3UF5-ZAlhfch1fhFT3yZFdWwzkSDc0BGygfiFyNhCezfyT454wbciSZgrA9ROeHkfPCaX7KCFO8GgQEkGRoQntFBNjluFhNLJIUkEFovEDlfuB4tv_M8BM75celdy3jkpOurg"
}
openid
Returns information about the user that is the subject of the access token. Many of these claims are also included in the ID token, but calling this endpoint always returns all of the user's claims. The ID token can be configured to include a subset of the user's claims. See Scope-dependent claims for more information.
Success
Unauthorized
Forbidden
Too Many Requests
{- "sub": "00uid4BxXw6I6TV4m0g3",
- "name": "John Doe",
- "nickname": "Jimmy",
- "given_name": "John",
- "middle_name": "James",
- "family_name": "Doe",
- "zoneinfo": "America/Los_Angeles",
- "locale": "en-US",
- "updated_at": 1311280970,
- "email": "john.doe@example.com",
- "email_verified": true,
- "address": {
- "street_address": "123 Hollywood Blvd.",
- "locality": "Los Angeles",
- "region": "CA",
- "postal_code": "90210",
- "country": "US"
}, - "phone_number": "+1 (425) 555-1212"
}