API service integrations in the OIN
Note: The API Service Integration is a self-service Early Access (EA) feature. See Manage Early Access and Beta features to enable this feature.
You can publish any service app that accesses or modifies Okta resources (such as system logs, apps, sessions, or policies) in the Okta Integration Network (OIN) as an API service integration. This integration type allows your service app to access your customer's Okta tenant org through Okta management APIs using OAuth 2.0.
Before this feature, a service requiring Okta management API access used an API token tied to a specific Okta user. This approach meant that you couldn't restrict the service’s access to particular resources. However, with an OAuth 2.0 API service integration, your service app can have secure, reliable, and granular access to Okta APIs without being associated with a user.
When your service app integration is listed in the Okta Integration Network (OIN) catalog, your customers can discover and configure it in their own Okta tenant org. Configuration is easy and consistent for your customers because you've already done the hard work by building the integration with the required configuration instructions. Customers trust that integrations in the OIN are secure and reliable because they're Okta verified.
Before the OIN supported API service integrations, Okta API tokens were a common way for integrations to access the Okta management APIs. API service integrations offer improved security and reliability:
| Access granularity | Using OAuth 2.0 scopes, you can restrict access requests to specific resources instead of all the resources that a user can access. |
| Configuration experience | You can discover API service integrations and add them directly from the OIN catalog. You don't need to create a service account or an anonymous activity user for the integration. |
| Service integration | Okta API tokens represent a user, which means they're not a great fit for service integrations where a user context isn’t needed or desirable. |
| Reliability | Okta API tokens expire after 30 days of inactivity or when a user leaves the Okta org. After being authorized, API service integrations can request a new access token whenever necessary and without manual action from an admin. |
| Rotation | You must rotate Okta API tokens manually. You can automatically rotate API service integration access tokens. |
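The access-granularity and reliability rows above, as an added example (not Okta's own code): a service app requests a narrowly scoped access token with the OAuth 2.0 client credentials grant, renews it on its own before expiry, and rejects a token that carries scopes it never asked for. The `/oauth2/v1/token` endpoint and the `okta.logs.read` scope are assumptions about the customer org's setup; `send` is a hypothetical transport callable, and `fake_org` is a constructed stand-in so the block runs offline.

```python
import base64
import time
import urllib.parse

def build_token_request(org_url, client_id, client_secret, scopes):
    """Build (url, headers, body) for a client credentials token request."""
    quote = lambda v: urllib.parse.quote(v, safe="")
    creds = f"{quote(client_id)}:{quote(client_secret)}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return org_url.rstrip("/") + "/oauth2/v1/token", headers, body

class ServiceTokenSource:
    """Caches the app's access token and renews it without admin action."""

    def __init__(self, send, org_url, client_id, client_secret, scopes,
                 skew=60, clock=time.time):
        self._send, self._clock, self._skew = send, clock, skew
        self._request = build_token_request(
            org_url, client_id, client_secret, scopes)
        self._allowed = set(scopes)
        self._token, self._expires_at = None, 0.0

    def token(self):
        # Reuse the cached token until `skew` seconds before it expires.
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        reply = self._send(*self._request)  # send(url, headers, body) -> dict
        if reply.get("token_type", "").lower() != "bearer":
            raise ValueError("unexpected token_type")
        # Least privilege: refuse a token broader than what was requested.
        extra = set(reply.get("scope", "").split()) - self._allowed
        if extra:
            raise ValueError(f"unrequested scopes granted: {sorted(extra)}")
        self._token = reply["access_token"]
        self._expires_at = self._clock() + int(reply["expires_in"])
        return self._token

    def auth_header(self):
        # The token represents the app itself; no user context is attached.
        return {"Authorization": "Bearer " + self.token()}

def fake_org(url, headers, body):
    """Constructed token response standing in for the customer's Okta org."""
    return {"token_type": "Bearer", "access_token": "constructed-token",
            "expires_in": 3600, "scope": "okta.logs.read"}
```

In production, `send` would be an HTTPS POST to the returned URL, and the client secret would come from a secrets manager rather than source code.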
API service integrations access Okta management APIs using OAuth 2.0 and are sometimes referred to as service-to-service or machine-to-machine integrations. This API access represents the application itself rather than a particular user. Consider the following scenarios to determine if you need to build a service-based or a user-based OAuth 2.0 API integration.
| | Service-based API access | User-based API access |
| Use cases | | |
| Best-fit API integration | If these use cases and examples describe your needs, implement an API service integration for the OIN. See Build an API service integration. | If these use cases and examples describe your needs, implement a user-based API integration. User-based API integrations aren't supported in the OIN. See Implement OAuth for Okta to learn more about user-based API integrations. |
Post your questions on the Okta Developer Forum if you need help or have an issue.