After you have the following, you can get an access token and make a request to an endpoint.
Note: Using a Service app? See Get an access token using a Service app for the steps.
Request an access token by making a request to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes.
For testing purposes, we recommend that you use the Implicit grant flow. Using the Implicit grant flow streamlines authentication for testing by returning a token without introducing any additional steps. In a production environment, we recommend that you always use the Authorization Code grant flow. See Implement the Authorization Code Flow for more information on this grant type.
Note: If this is your first time working with the Okta APIs, read Get Started with the Okta REST APIs first.
In Postman, select the request that you want to make, such as a GET request to the /api/v1/users endpoint to get back a list of all users.
On the Header tab, remove the existing SSWS Authorization API Key.
Click the Authorization tab and from the Type drop-down list, select OAuth 2.0.
On the right, click Get New Access Token.
In the dialog box that appears, enter a name for the token and select Implicit as the grant type.
Define the following for the token request:
Note: There isn't an entry in the dialog box for a nonce parameter, but you can append it to the Auth URL here. Use any value for nonce. This is a string that is included in the returned ID token. It associates a client session with an ID token and mitigates replay attacks. In this example, we aren't requesting the id_token response type, so an ID token isn't returned.
client_id of your Okta OAuth application that you created in the previous step.
Click Request Token. You are prompted to sign in to your Okta org. After you are authenticated, the Manage Access Tokens window displays the access token, including the scopes requested. The token also automatically populates the Available Token drop-down list.
Note: The lifetime for this token is fixed at one hour.
Click Use Token at the bottom of the window to use this access token in your request to the
Click Send. Since you requested okta.users.read, the response should contain an array of all the users associated with your app. This is dependent on the user's permissions.
Note: You can also manually build the request URL and paste it into a private browser window. After you authenticate, the browser returns the access token in the address bar. Your request URL should look something like this:
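The request URL that the note above says you can build by hand, together with the checks a client should run on the fragment the browser comes back with, as an added example that is not part of the Okta documentation. The org domain, client_id and redirect URI are placeholders; the Org Authorization Server's /oauth2/v1/authorize path and the /api/v1/users endpoint are as the page describes.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder values (assumed, not real): your org domain, the client_id of the
# OAuth app created earlier, and the redirect URI registered on that app.
OKTA_DOMAIN = "dev-000000.okta.com"
CLIENT_ID = "0oaCLIENTIDPLACEHOLDER"
REDIRECT_URI = "https://example.com/callback"


def build_authorize_url(domain, client_id, redirect_uri,
                        scope="okta.users.read", state=None, nonce=None):
    """Implicit-grant request to the Org Authorization Server /authorize endpoint.
    response_type=token asks for an access token only (no id_token), so the
    nonce is carried along as the docs suggest but is not echoed in a token."""
    state = state or secrets.token_urlsafe(16)   # binds the response to this request
    nonce = nonce or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "token", "scope": scope,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    return f"https://{domain}/oauth2/v1/authorize?" + urlencode(params), state


def parse_redirect(redirect_url, expected_state):
    """Pull the token out of the URL fragment the browser lands on after sign-in.
    Rejects error responses and any response whose state does not match."""
    frag = parse_qs(urlsplit(redirect_url).fragment)
    if "error" in frag:
        raise RuntimeError(f"{frag['error'][0]}: {frag.get('error_description', [''])[0]}")
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    if frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"access_token": frag["access_token"][0],
            "expires_in": int(frag["expires_in"][0]),   # one hour (3600) for this token
            "scope": frag.get("scope", [""])[0].split()}


def users_request(domain, access_token):
    """URL and headers for GET /api/v1/users with the SSWS key replaced by Bearer."""
    return (f"https://{domain}/api/v1/users",
            {"Authorization": f"Bearer {access_token}", "Accept": "application/json"})


if __name__ == "__main__":
    url, state = build_authorize_url(OKTA_DOMAIN, CLIENT_ID, REDIRECT_URI)
    print("Paste into a private browser window:", url)
    # Constructed sample of what the address bar shows after authentication.
    sample = (f"{REDIRECT_URI}#access_token=eyJraWQsample&token_type=Bearer"
              f"&expires_in=3600&scope=okta.users.read&state={state}")
    token = parse_redirect(sample, state)
    print(users_request(OKTA_DOMAIN, token["access_token"]))
```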