On this page
API service integrations in the OIN
You can publish any service app that accesses or modifies Okta resources (such as system logs, apps, sessions, or policies) in the Okta Integration Network (OIN) as an API service integration. This integration type allows your service app to access your customer tenant Okta org through Okta management APIs using OAuth 2.0.
Before this feature, a service requiring Okta management API access used an API token tied to a specific Okta user. This approach meant that you couldn't restrict the service’s access to particular resources. However, with an OAuth 2.0 API service integration, your service app can have secure, reliable, and granular access to Okta APIs without being associated with a user.
When your service app integration is listed in the Okta Integration Network (OIN) catalog, your customers can discover and configure it in their own Okta tenant org. Configuration is easy and consistent for your customers because you've already done the hard work by building the integration with the required configuration instructions. Customers trust that integrations in the OIN are secure and reliable because they're Okta verified.
API service integration benefits
Before the OIN supported API service integrations, Okta API tokens were a common way for integrations to access the Okta management APIs. API service integrations offer improved security and reliability:
| Access granularity | Using OAuth 2.0 scopes, you can restrict access requests to specific resources instead of all the resources that a user can access. |
| Configuration experience | You can discover API service integrations and add them directly from the OIN catalog. You don't need to create a service account or an anonymous activity user for the integration. |
| Service integration | Okta API tokens represent a user, which means they're not a great fit for service integrations where a user context isn’t needed or desirable. |
| Reliability | Okta API tokens expire after 30 days of inactivity or when a user leaves the Okta org. After being authorized, API service integrations can request a new access token whenever necessary and without manual action from an admin. |
| Rotation | You must rotate Okta API tokens manually. You can automatically rotate API service integration access tokens. |
When to build an API service integration
API service integrations access Okta management APIs using OAuth 2.0 and are sometimes referred to as service-to-service or machine-to-machine integrations. This API access represents the application itself rather than a particular user. Consider the following scenarios to determine if you need to build a service-based or a user-based OAuth 2.0 API integration.
| Service-based API access | User-based API access | |
|---|---|---|
| Use cases |
|
|
| Examples |
|
|
| Best-fit API integration | If these use cases and examples describe your needs, implement an API service integration for the OIN. See Build an API service integration. | If these use cases and examples describe your needs, implement a user-based API integration. User-based API integrations aren't supported in the OIN. See Implement OAuth for Okta to learn more about user-based API integrations. |
Next steps
Ready to get started? Sign up for a free developer-edition Okta org and see Build an API service integration.
Post your questions on the Okta Developer Forum (opens new window) if you need help or have an issue.