Teams

The top-level organizational container. Each Team maps to a single app in the Okta dashboard.

List all Resources Checked Out by a User

Lists all resources checked out by the current user

This endpoint requires one of the following roles: authenticated_client, authenticated_service_user, end_user.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

query Parameters
resource_type
string

If specified, only returns resources with a matching type. Valid resource types: server_account_password_login.

include_pending_checkin
boolean

If specified, also returns resources that have already started the checkin process. These are not included by default.

count
integer <int32>

The number of objects per page

descending
boolean

The object order

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

prev
boolean

The direction of paging

Responses
200

OK

get/v1/teams/{team_name}/checked_out_resources
Request samples
Response samples
application/json
{
  • "list": [
    • {
      }
    ]
}

Checks in a Resource previously checked out by the user

Checks in a Resource previously checked out by the user

This endpoint requires one of the following roles: resource_admin, security_admin, authenticated_client, authenticated_service_user, end_user.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Request Body schema: application/json
resource_id
required
string

The UUID or ORN of the resource

resource_type
required
string (CheckoutResourceType)

The type of resource that was checked out

Enum: "managed_saas_app_account_password_login" "okta_universal_directory_account_password_login" "server_account_password_login"
Responses
204

No Content

post/v1/teams/{team_name}/checkin_resource
Request samples
application/json
{
  • "resource_id": "string",
  • "resource_type": "managed_saas_app_account_password_login"
}

List all roles

Lists all roles available to your Team

This endpoint requires one of the following roles: pam_admin.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Responses
200

OK

get/v1/teams/{team_name}/roles
Request samples
Response samples
application/json
{
  • "list": [
    • {
      },
    • {
      },
    • {
      },
    • {
      }
    ]
}

List all Servers for a Team

Lists all Servers in your Team. This only returns Servers available to the requesting User.

This endpoint requires the following role: end_user.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

query Parameters
AdServers
boolean

If true, only return AD servers. If false, only return Non-AD servers

alt_names_contains
string

Only return Servers that contain the specified alternate name

bastion
string

Only return Servers associated with the specified bastion

canonical_name
string

A canonical name

cloud_account
string

Only return Servers associated with the specified cloud account

cloud_provider
string

Only return Servers associated with the specified cloud provider. Possible values: aws or gce

count
integer <int32>

The number of objects per page

credentialed
boolean

If true, only return unmanaged Servers with credential issuance enabled. If false, only return unmanaged Servers with credential issuance disabled.

descending
boolean

The object order

hostname
string

Only return Servers that contain the specified hostname

id
string

Only return Servers with the specified IDs. Only usable for PAM administrative views of servers, not end-user Server views.

instance_id
string

Only return Servers that contain the specified instance ID

managed
boolean

If true, only return managed servers. If false, only return unmanaged servers.

offset
string

The offset value for pagination. The rel="next" and rel="prev" Link headers define the offset for subsequent or previous pages.

prev
boolean

The direction of paging

project_name
string

Only return Servers that belong to the specified Project

state
string

Include Servers with the specified state. Valid statuses: ACTIVE or INACTIVE.

selector
string

Only return Servers that contain the specified Server selectors.

Example: selector=selector=key1=value1,key2=value2
include_labels
boolean

If true, includes server labels in the results.

Example: include_labels=true
Responses
200

OK

get/v1/teams/{team_name}/servers
Request samples
Response samples
application/json
{
  • "list": [
    • {
      },
    • {
      }
    ]
}

Retrieve settings for a Team

Retrieves Team-level settings for your Team

This endpoint requires one of the following roles: end_user, resource_admin.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Responses
200

OK

get/v1/teams/{team_name}/settings
Request samples
Response samples
application/json
{
  • "approve_device_without_interaction": false,
  • "client_session_duration": 36000,
  • "post_device_enrollment_url": null,
  • "post_login_url": null,
  • "post_logout_url": null,
  • "reactivate_users_via_idp": false,
  • "team": "Your_OPA_Team",
  • "user_provisioning_exact_username": null,
  • "web_session_duration": 36000
}

Update settings for a Team

Updates Team-level settings for your Team. Partial updates are permitted. To disable a setting, set the value to null.

This endpoint requires the following role: resource_admin.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Request Body schema: application/json
required
approve_device_without_interaction
boolean or null

If true, devices are automatically approved for authenticated Users

client_session_duration
integer or null <int32> [ 3600 .. 90000 ]

The maximum time before a Client session expires. The duration can be from 3600 – 90000 seconds.

post_device_enrollment_url
string or null <= 8096 characters

If specified, redirects a User to the URL after they enroll a device

post_login_url
string or null <= 8096 characters

If specified, redirects a User to the URL after they authenticate through the IdP

post_logout_url
string or null <= 8096 characters

If specified, redirects a User to the URL after they sign out

reactivate_users_via_idp
boolean or null

If true, previously deleted or disabled Users are reenabled if they authenticate through the IdP

user_provisioning_exact_username
boolean or null

If true, Users maintain the exact username specified via SCIM

web_session_duration
integer or null <int32> [ 1800 .. 90000 ]

The maximum time before a web session expires. The duration can be from 1800 – 90000 seconds.

Responses
204

No Content

put/v1/teams/{team_name}/settings
Request samples
application/json
{
  • "approve_device_without_interaction": false,
  • "client_session_duration": 3600,
  • "post_device_enrollment_url": null,
  • "post_login_url": null,
  • "post_logout_url": null,
  • "reactivate_users_via_idp": false,
  • "team": "Your_OPA_Team",
  • "user_provisioning_exact_username": null,
  • "web_session_duration": 1800
}

Retrieve statistics for a Team

Retrieves statistics about your Team

This endpoint requires one of the following roles: resource_admin, security_admin.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Responses
200

OK

get/v1/teams/{team_name}/team_stats
Request samples
Response samples
application/json
{
  • "num_clients": 0,
  • "num_gateways": 0,
  • "num_groups": 1,
  • "num_human_users": 1,
  • "num_projects": 2,
  • "num_servers": 1,
  • "num_service_users": 0
}

Retrieve the Vault JWKS

Retrieves the Vault JWKS. Data sent to the vault must be encrypted to this key.

SecuritybearerAuth
Request
path Parameters
team_name
required
string

The name of your Team

Responses
200

OK

get/v1/teams/{team_name}/vault/jwks.json
Request samples
Response samples
application/json
{
  • "keys": [
    • {
      }
    ]
}