Protect your API endpoints

This guide explains how to add Okta authentication to your API endpoints. When you've finished following the steps, clients will need a token generated by Okta to call your protected endpoints.

Note: These steps apply to back-end APIs that are serving single-page apps or mobile apps that use Okta to sign users in. If you are building a web app that is served by a server framework, see Sign users in to your web app.


Learning outcomes

  • Add Okta authentication to your API endpoints.

What you need

Sample code


Add and configure packages

First, install an Okta SDK for your framework. The SDK validates each incoming access token for you: it fetches your authorization server's signing keys, verifies the token's signature, and checks the issuer, audience, and expiry claims before your handler runs.

Include the dependency

Configure the middleware

You need to configure the Okta SDK with some information about your Okta domain and authorization server. You can provide this configuration through environment variables, configuration files, or in code. Then, put the middleware provided by the SDK into your application's pipeline so that it runs before your route handlers.

Things you need

  • Okta Domain — the Okta Domain can be found on the Admin Console's global header in the upper-right corner of the page. Click the section that displays your email and company name. A drop-down menu appears and displays general org information including the full Okta domain (for example, subdomain.okta.com).

  • Audience — the audience of your Authorization Server. The default value is api://default. The SDK rejects any token whose aud claim does not match this value, so a token issued for a different API can't be replayed against yours.

Note: https://${yourOktaDomain} is different from your admin URL. Don't include -admin in the value.

Require authentication

In many APIs, all endpoints require authentication. In others, there may be a mix of protected and unprotected (anonymous) endpoints. These examples show you how to do both.

Require authentication for a specific route

To allow access to a route only when the caller presents a valid token, require authentication on just that route and leave the others anonymous.

Require authentication for everything

For some applications, you may want to require the user to be authenticated for all routes. Protecting everything and explicitly opting out the few endpoints that must stay anonymous (a health check, for example) is the safer default, because a newly added route can't be left unprotected by accident.

Configure CORS

Configuring Cross-Origin Resource Sharing (CORS) is only required if the API is being called from a browser app hosted on a different domain. For example, if your single-page JavaScript app is on example.com, but your API is hosted on api.example.com, you need to enable CORS. Allow only the origins that serve your app rather than any origin. CORS is enforced by the browser and only controls which origins may read the API's responses; it is not an access control, so the token check still applies to every cross-origin request. Because your app sends an Authorization header, the browser first sends a preflight OPTIONS request that carries no token, so make sure the CORS handler answers that preflight before the authentication middleware can reject it.
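The following is an added example, not code from the page or from an Okta SDK, of an origin allowlist for a bearer-token API called from a single-page app. It assumes the SPA is served from https://example.com and the API from api.example.com; the header names follow Node's lowercase request header convention.

```javascript
// Added example, not from the page or any Okta SDK: CORS for a bearer-token API.
// Assumed: the SPA lives at https://example.com and calls api.example.com.
const ALLOWED_ORIGINS = new Set(['https://example.com']);

// Returns the CORS response headers for a request and whether the request is a
// preflight that should be answered immediately with 204 and no body.
function cors(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  // No Origin header: same-origin page or a non-browser client; CORS does not apply.
  if (!origin) return { preflight: false, headers: {} };
  // Unknown origin: send no CORS headers at all. Reflecting the Origin header
  // back, or answering "*", would let a page on any site read responses in the
  // browser. The token check still protects the data; this keeps the allowlist tight.
  if (!allowed.has(origin)) return { preflight: false, headers: {} };
  const headers = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (preflight) {
    // The Authorization header makes every call a "non-simple" request, so the
    // browser preflights it and Authorization must be listed here. The preflight
    // itself carries no token, so it must be answered before token validation.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type';
    headers['Access-Control-Max-Age'] = '600';
  }
  return { preflight, headers };
}
```

Wire this in front of the authentication middleware: when `preflight` is true, respond 204 with the returned headers and stop; otherwise add the headers to the eventual response and continue into token validation.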

Next steps

Learn about customization options: