On this page

Create an API token

This guide explains what an API token is, why you need one, and how to create one.

Learning outcomes

  • Learn how an Okta API token is used.
  • Understand why it's good practice to create a service account for use with an API token.
  • Know the alternatives to Okta API tokens.
  • Find out when a token expires and what happens when it expires.
  • Find out how API tokens are deactivated.

What you need

Okta Developer Edition organization (opens new window)

Okta API tokens

Okta API tokens are used to authenticate requests to Okta APIs. When calling an Okta API endpoint, you need to supply a valid API token in the HTTP Authorization header, with a valid token specified as the header value. You need to prefix the value with the SSWS identifier, which specifies the proprietary authentication scheme that Okta uses. For example:

Authorization: SSWS 00QCjAl4MlV-WPXM...0HmjFx-vbGua

Privilege level

Different Okta API operations require different admin privilege levels. API tokens inherit the privilege level of the admin account that is used to create them. It is therefore good practice to create a service account to use when you create API tokens so that you can assign the token the specific privilege level needed. See Administrators (opens new window) for admin account types and the specific privileges of each.

OAuth 2.0 instead of API tokens

As an alternative to Okta API tokens, you can now interact with Okta APIs using scoped OAuth 2.0 access tokens for a number of Okta endpoints. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by which scopes the access token contains. For more information, see the OAuth for Okta guide.

Create the token

To create an API token, follow these steps:

  1. Sign in to your Okta organization as a user with administrator privileges (opens new window).

    API tokens have the same permissions as the user who creates them, and if the user permissions change, the API token permissions also change.

    See the section above on Privilege level, regarding the use of a service account when creating an API token, to specifically control the privilege level associated with the token.

  2. In the Admin Console, select Security > API from the menu and then select the Tokens tab.

  3. Click Create Token.

  4. Name your token and click Create Token.

  5. Record the token value. This is the only opportunity to see it and record it.

Token rate limits

When API tokens are created, the rate limit for each token interaction is set automatically to 50 percent of each API maximum limit. See API rate limits. You can adjust this percentage by editing the Token rate limits section. See Set token rate limits (opens new window).

Token expiration and deactivation

Tokens expire automatically after a certain period and can also be deactivated at any time.

Token expiration

Tokens are valid for 30 days from creation or last use, so that the 30 day expiration automatically refreshes with each API call. Tokens that aren't used for 30 days expire. The 30-day period is currently fixed and can't be changed for your organization.

Token deactivation

If a user account is deactivated in Okta, any API token created by that user account is deprovisioned at the same time.

Next steps

With the token created, you can begin using it, supplying it in the Authorization header of calls to Okta API endpoints. See Sign users into your SPA using the redirect model for a practical example.

See also