Create an Okta app integration
On This Page
Before you can sign a user in, you need to create an Okta app integration that represents your web application.
Sign in to your Okta organization with your administrator account.
From the Admin Console side navigation, click Applications > Applications.
Click Add Application and then Create New App.
Pick Web as the platform and click Create.
Note: It is important to choose the appropriate application type for apps that are public clients. Failing to do so may result in Okta API endpoints attempting to verify an app's client secret, which public clients aren't designed to have, hence breaking the sign-in or sign-out flow.
Enter a name for your app integration (or leave the default value).
Enter values for the Login redirect URI. This is the callback described in Understand the callback route. Add values for local development (for example,
http://localhost:8080/authorization-code/callback) and production (for example,
- Click Save to finish creating the Okta app integration.
- On the General tab, the Client Credentials section shows the client ID and client secret values for your app integration.
- Copy the Client ID and Client secret values using the Copy to Clipboard button beside each text field. You need to copy some values into your application later, so leave your Admin Console open.
You can choose to get a refresh token along with the access token and/or ID token.
The default refresh token behavior is Use persistent token for web apps.
To enable refresh token rotation in your app integration, do the following:
- Open the web app integration that you just created and select the General tab.
- Scroll to the General Settings panel, and click Edit.
- In the Allowed grant types, select Refresh Token.
- In the Refresh Token section, select Rotate token after every use.
Note: The default number of seconds for the Grace period for token rotation is set to 30 seconds. You can change the value to any number between 0 and 60 seconds. After the refresh token is rotated, the previous token remains valid for this amount of time to allow clients to get the new token. Using a value of 0 indicates that there is no grace period.
XMLHttpRequest to the Okta API with the Okta session cookie. For instructions on setting trusted origins, see Grant cross-origin access to websites.
Note: You should only grant access to specific origins (websites) that you control and trust to access the Okta API.