Okta Identity Engine API release notes (2025)

August

Weekly release 2025.08.2

Change	Expected in Preview Orgs
Bugs fixed in 2025.08.2	August 20, 2025

Bugs fixed in 2025.08.2

Some custom admin roles had different permissions for authentication policies (ACCESS_POLICY) and device signal collection policies (DEVICE_SIGNAL_COLLECTION) and couldn't access or manage device signal collection policies and rules. (OKTA-982043)
Some app groups that were deleted were still visible in searches. This fix will be slowly made available to all orgs. (OKTA-972614)
When an app was deleted, group push rules weren't deleted and would sometimes trigger erroneous System Log entries. This fix will be slowly made available to all orgs. (OKTA-881642)

Monthly release 2025.08.0

Change	Expected in Preview Orgs
Associated Domain Customizations API is self-service EA in Preview	July 16, 2025
Automate SCIM Integration for OIN Apps with Express Configuration	August 7, 2025
Breached Credentials Protection is GA in Preview	May 15, 2025
Clear user factors for all devices is GA in Preview	August 7, 2025
Cross App Access is self-service EA in Preview	August 7, 2025
Custom FIDO2 AAGUID is self-service EA in Preview	July 16, 2025
Device signal collection policy is self-service EA in Preview	August 7, 2025
Encryption of ID tokens and access tokens is EA	August 7, 2025
Expanded use of user.getGroups() function in Okta Expression Language is GA in Production	June 4, 2025
Granular configuration for Keep Me Signed In is GA in Production	January 8, 2025
Group Push Mappings is GA in Preview	August 7, 2025
MyAccount Password API is GA in Production	May 24, 2023
MyAccount WebAuthn API is EA in Production and GA in Preview	July 16, 2025
Multiple active IdP signing certificates is EA	August 7, 2025
New User Authenticator Enrollments API is GA in Preview	July 9, 2025
New user profile permission	August 7, 2025
OAuth 2.0 provisioning for Org2Org with Autorotation is GA in Production	July 2, 2025
Passkeys from Android devices is self-service EA in Preview	July 16, 2025
Send app context to external IdPs is GA in Preview	May 21, 2025
Service Accounts API is EA	August 7, 2025
System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance is EA in Preview	August 7, 2025
System Log updates for ID verification events	August 7, 2025
Temporary Access Code authenticator is self-service EA in Preview	July 16, 2025
Unified claims generation for custom apps is self-service EA in preview	July 30, 2025
Universal Logout in the OIN Wizard	August 7, 2025
Web app integrations now mandate the use of the Authorization Code flow	August 7, 2025
Developer documentation updates in 2025.08.0	August 7, 2025
Bug fixed in 2025.08.0	August 7, 2025

Associated Domain Customizations API is self-service EA in Preview

You can now use the Associated Domain Customizations API (opens new window) to view and update the associated domains of your custom domain. Associated domains let you build a trust relationship among your app, the referring domain, the user's credentials that are associated with that domain, and your brand in Okta. This feature makes it easier to adopt phishing-resistant authenticators, like passkeys in the FIDO2 (WebAuthn) authenticator.

See Customize associated domains.

Automate SCIM Integration for OIN Apps with Express Configuration

Express Configuration is a feature designed to automate the setup of SSO and SCIM for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OIDC and SCIM integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Express Configuration.

Breached Credentials Protection is GA in Preview

Protect your org from the impact of credentials that have been compromised. If Okta determines that a username and password combination has been compromised after being compared to a third-party curated dataset, the protection response is customizable through password policies, including resetting the user's password, forcing a logout, or calling a delegated Workflow. See the Okta Policies API (opens new window).

Clear user factors for all devices is GA in Preview

When you make a Revoke all user sessions (/api/v1/users/{userId}/sessions) request, include the new forgetDevices parameter (opens new window) to clear a user's remembered factors on all devices. The user is prompted for full authentication on their next sign-in attempt from any device. The forgetDevices parameter is set to true by default.

Cross App Access is self-service EA in Preview

Admins can now manage third-party app data sharing with the new Cross App Access feature in the Okta Admin Console. This feature moves complex consent processes away from end-users, enhancing security and streamlining the experience. Once configured, end users can access their data from other SaaS apps without navigating OAuth consent flows. See the Applications Cross Apps Connections API (opens new window) and Configure Cross App Access (opens new window).

Custom FIDO2 AAGUID is self-service EA in Preview

You can now use the Authenticators API (opens new window) to create, view, and update custom Authenticator Attestation Global Unique Identifiers (AAGUIDs).

Admins can add non-FIDO Metadata Service (MDS) security keys and other authenticators and have more granular control over them. This extends FIDO2 (WebAuthn) authenticator support to a wider range of security keys and other authenticators, which gives admins greater flexibility and control over the security in their environment.

Device signal collection policy is self-service EA in Preview

With the new device signal collection policy, admins can override Okta default behavior and specify how Okta must collect device data, which is then used to evaluate authentication policies.

See Configure a device signal collection policy.

Encryption of ID tokens and access tokens is EA

You can now encrypt OIDC ID tokens for Okta-protected custom app integrations using JSON Web Encryption. You can also now encrypt access tokens minted by a custom authorization server. See Key management.

Expanded use of user.getGroups() function in Okta Expression Language is GA in Production

You can now use the user.getGroups() function across all features that support Expression Language. See Group functions.

Granular configuration for Keep Me Signed In is GA in Production

Admins can now configure the post-authentication prompt for Keep Me Signed In (KMSI) at a granular level in authentication policies. This allows admins to selectively enable post-authentication KMSI on a per-user, per-group, or per-app basis. When enabled, this feature exposes a frequency setting that lets admins control how often the post-authentication prompt is presented to users. See Configure Keep me signed in (KMSI).

The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.

Group Push Mappings is GA in Preview

With the API for Group Push, admins can now programmatically create, link, or manage group push configuration in Okta. This allows admins to configure Okta groups to be pushed to connected apps at scale and reduces overhead for large deployments. See Group Push Mappings API (opens new window).

MyAccount Password API is GA in Production

You can now use the MyAccount Password API (opens new window) to update passwords.

MyAccount WebAuthn API is EA in Production and GA in Preview

You can now use the MyAccount WebAuthn API (opens new window) to enroll, list, and delete WebAuthn enrollments. Admins can build out an in-app passkey creation and enrollment experience with the MyAccount WebAuthn API operations.

Multiple active IdP signing certificates is EA

Okta now supports multiple active signing certificates for a single SAML identity provider (IdP), enabling seamless certificate rotation with zero downtime. Use the new additionalKids parameter (opens new window) to add another signing certificate for the IdP. You can upload up to two certificates per IdP connection. This improvement eliminates the need for tightly coordinated swaps with IdP partners and reduces the risk of authentication failures due to expired certificates.

New User Authenticator Enrollments API is GA in Preview

The User Authenticator Enrollments API (opens new window) enables admins to manage the specific authenticator enrollments of their users.

Currently, admins in Identity Engine orgs can’t use Okta APIs to manage user authenticator enrollments with the same level of control that’s possible in Classic Engine orgs. This feature helps admins more effectively manage their user’s enrollments and improves parity between Classic Engine and Identity Engine orgs.

New user profile permission

A new user profile permission (okta.users.userprofile.read) is now available that allows granular read-only access to the user profile. See Permissions (opens new window).

OAuth 2.0 provisioning for Org2Org with Autorotation is GA in Production

Admins deploying multi-org architectures (for example Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.

To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support token autorotation, rotationMode=AUTO. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).

Passkeys from Android devices is self-service EA in Preview

Okta now accepts passkeys that are generated by Android devices. Okta associates these passkeys with trusted web domains to enable users to authenticate with them. This expands the number of device types that Okta supports for passkey use.

You can enable Android passkeys by customizing the assetlinks.json file. See Customize associated domains and Add support for Digital Asset Links (opens new window).

Send app context to external IdPs is GA in Preview

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you set the sendApplicationContext parameter (opens new window) to true for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments.

Service Accounts API is EA

The new Service Accounts API (opens new window) is now available for Okta Privileged Access-enabled orgs. This API allows you to manage SaaS or On-Prem Provisioning (OPP) app accounts. App accounts that you create through the Service Accounts API are visible to resource admins in the Okta Privileged Access dashboard. See Manage service accounts (opens new window) in the Okta Privileged Access product documentation.

This feature is available only if you're subscribed to Okta Privileged Access. Ensure that you've set up the Okta Privileged Access app before creating app accounts through the API.

System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance is EA in Preview

The app.oauth2.token.grant.id_jag event is generated when an app completes an OAuth 2.0 token exchange to get an Identity Assertion Authorization Grant (ID-JAG) JWT.

System Log updates for ID verification events

There are several updates for events related to identity verification:

A new event related to ID verification (user.identity_verification.start) can be viewed in the System Log.
New reasons for the DENY result of the user.identity_verification event have been added.
Admins can use two new properties (IdvReferenceId and IdvFlowId) to track events related to IDV processes.

See Event Types and Identity verification events.

Temporary Access Code authenticator is self-service EA in Preview

The new Temporary Access Code (TAC) authenticator allows admins to generate temporary codes that let users authenticate in onboarding, account recovery, and other temporary access scenarios. This authenticator enhances security in these scenarios by granting users access to their orgs without having to use their usual authenticators.

To configure the authenticator with Okta APIs, see Temporary access code authenticator integration guide, and to configure it in the Admin Console, see Configure the temporary access code authenticator (opens new window).

Unified claims generation for custom apps is self-service EA in preview

Unified claims generation is a new streamlined interface for managing claims (OIDC) and attribute statements (SAML) for Okta-protected custom app integrations. In addition to group and user profile claims, the following new claim types are available: entitlements (required OIG), device.profile, session.id, and session.amr. Collection projections in Expression Language can also be used to get claims information. See Okta Expression Language in Identity Engine.

Universal Logout in the OIN Wizard

Universal Logout (UL) in the Okta Integration Network Wizard allows you to build, test, and submit UL functionality to the Okta Integration Network (OIN). Universal Logout lets you terminate users' sessions and revoke their tokens for supported OIN apps, as well as for generic OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) apps. See Submit an integration with the OIN Wizard (opens new window).

Web app integrations now mandate the use of the Authorization Code flow

To enhance security, web app integrations now mandate the use of the Authorization Code flow, as the Implicit flow is no longer recommended. See Build a Single Sign-On (SSO) integration (opens new window).

Developer documentation updates in 2025.08.0

The Archived Okta Identity Governance API changelog (2023-2024) has been removed. For updates on these APIs, see the Okta Identity Governance API release notes.
Journeys is a new and evolving section that includes content to help guide you through your development project.

Journeys break down your development project into consumable steps:
- Key concepts to absorb
- Information on planning for tasks that you need to complete
- Links to individual guides to help you build your project
- Additional content to hep you enhance your project.
The first journey available is Secure your first web app. This journey helps you connect your web app to Okta and configure a secure sign-in experience.
The new Create an app integration guide explains what an app integration is, why you need one, and how to create one.
The new Direct authentication concept explains what direct authentication is and how you can use it.
The new Set up your org guide outlines how to set up your Okta org with some basic, but important, settings and how to configure it for different use cases.
The Sign in to your native mobile app guide describes how to add authentication to your mobile app using the Okta Client SDK for Swift. This example implements a sample iOS app, using Okta APIs and interaction code flow, for browserless authentication.
The new Sign-In Widget concept provides a high-level overview of the Okta Sign-In Widget.
The new Understand the token lifecycle concept provides an overview of OAuth 2.0 tokens, their use, and their lifecycles.

Bug fixed in 2025.08.0

Some app types were incorrectly assigned to authentication policies. (OKTA-956009)

July

Weekly release 2025.07.3

Change	Expected in Preview Orgs
Bugs fixed in 2025.07.3	July 30, 2025

Bugs fixed in 2025.07.3

The List all user grants operation (/api/v1/users/me/grants) didn't include pagination links in the header of the response. (OKTA-918661)
The Attack Protection API endpoints returned HTTP 404 Not Found errors unless -admin was appended to your org subdomain in the URL path. You can now use your standard org subdomain in the URL path when using the Attack Protection API. (OKTA-925650)
Users with case-insensitive usernames didn't match to existing strict case-sensitive users. (OKTA-969228)

Weekly release 2025.07.2

Change	Expected in Preview Orgs
Bugs fixed in 2025.07.2	July 16, 2025

Bugs fixed in 2025.07.2

When the Direct Authentication feature was enabled, calling the Apps API with a custom role couldn’t create OIDC apps. (OKTA-970705)
When an admin enabled the Temporary Access Code feature, subsequent GET /users/{userId}/factors requests returned HTTP 400 Bad Request errors. (OKTA-979585)
This update includes security enhancements. (OKTA-909930)

Weekly release 2025.07.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.07.1	July 9, 2025

Bugs fixed in 2025.07.1

The multiple identifiers feature didn't process case sensitivity correctly when evaluating identifier attributes. (OKTA-899235)
When GET /api/v1/apps/{appId} is called, admins with the okta.groups.appAssignment.manage permission or okta.users.appAssignment.manage permission could view app details without having the required okta.apps.manage or okta.apps.read permissions. (OKTA-801567)

Monthly release 2025.07.0

Change	Expected in Preview Orgs
OAuth 2.0 provisioning for Org2Org with key auto-rotation is GA in Preview	July 2, 2025
MyAccount Password API is GA in Preview	May 24, 2023
New Okta Expression Language component is self-service EA in Preview	July 2, 2025
System Log event for monitoring LDAP Agent config file changes is EA	July 2, 2025
Integrate Okta with Device Posture Provider	July 2, 2025
New validation rule for user profile attributes in OIN Wizard	July 2, 2025
Stricter URL validation in the OIN Wizard	July 2, 2025
Conditions for create user permission is GA in Production	June 9, 2025
CLEAR Verified and Incode as third-party identity verification providers is GA in Production	July 2, 2025
Changes to Okta app API responses	July 7, 2025
Restrict access to the Admin Console is GA in Production	December 11, 2024
Developer documentation updates in 2025.07.0	July 2, 2025

OAuth 2.0 provisioning for Org2Org with key auto-rotation is GA in Preview

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.

To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support key auto-rotation, rotationMode=AUTO. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).

MyAccount Password API is GA in Preview

You can now use the MyAccount Password API (opens new window) to update passwords.

New Okta Expression Language component is self-service EA in Preview

You can now use the metadata component in an Expression Language condition for an Okta account management policy. You can only use metadata in an expression that’s related to password expiry. See Enable password expiry (opens new window).

System Log event for monitoring LDAP Agent config file changes is EA

A system.agent.ldap.config_change_detected event is generated when an LDAP agent detects changes to its configuration file.

Integrate Okta with Device Posture Provider

The Device Posture Provider feature enhances Zero Trust security by integrating external device compliance signals into the Okta policy engine. Previously, Okta couldn't leverage signals from third-party or custom tools to enforce access policies. Now, by accepting SAML/OIDC assertions from external compliance services, admins can incorporate custom compliance attributes into device assurance policies. This enables orgs to use their existing device trust signals within Okta, and foster a more flexible and secure posture without the need for extra agents or redundant tooling. See the Device Integrations API (opens new window) and Integrate Okta with Device Posture Provider (opens new window).

New validation rule for user profile attributes in OIN Wizard

The OIN Wizard now requires the use of valid user profile properties when referencing attribute values in EL expressions. The system rejects any invalid user EL expressions and attributes that aren't included in the allowlist. See SAML properties (opens new window).

Stricter URL validation in the OIN Wizard

The OIN Wizard now requires all static URLs to begin with "https://" and be complete. For URL expressions, you can use any valid format. See Submit an integration with the OIN Wizard (opens new window).

Conditions for create user permission is GA in Production

You can now add conditions to the okta.user.create permission for custom admin roles. This enables you to granularly control which user attributes admins can set values for during user creation. See Permissions conditions (opens new window).

CLEAR Verified and Incode as third-party identity verification providers is GA in Production

Okta now supports using Incode and CLEAR Verified as identity providers. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_INCODE or IDV_CLEAR as the IdP type when you create an IdP (opens new window).

Changes to Okta app API responses

The following Okta apps won't be returned in the API response for endpoints that list apps (such as the List all applications (opens new window) GET /api/vi/apps endpoint):

Okta Access Certifications (key name: okta_iga)
Okta Access Requests Admin (key name: okta_access_requests_admin)
Okta Entitlement Management (key name: okta_entitlement_management)

In addition, a single app retrieval endpoint won't return these apps either. For example: GET /api/v1/apps/{appId} won't return the app object if {appId} is the ID for the okta_iga, okta_access_requests_admin, or okta_entitlement_management apps in your org.

Restrict access to the Admin Console is GA in Production

By default, users and groups with assigned admin roles have access to the Admin Console app. With this feature, super admins can choose to manually assign the app to delegated admins instead. This is recommended for orgs with admins who don't need access, like business partners, third-party admins, or admins who only use the Okta API. See Configure administrator settings (opens new window) and the corresponding APIs: Retrieve the Okta Admin Console Assignment Setting (opens new window) and Update the Okta Admin Console Assignment Setting (opens new window).

Developer documentation updates in 2025.07.0

The Okta Admin Management (opens new window) APIs have been reorganized into functional service groups for improved navigation and user experience. All previous anchors and links to the APIs remain the same.
A new guide is available that explains how to register security events providers in Okta, which enables continuous sharing of security information with Okta to prevent security threats.
The Agent Pools API has been renamed Directory Agent Pools (opens new window) API and is now grouped under External Identity Sources. There are no other changes to the API. All previous anchors and links to the API remain the same.
The Password import inline hook guide was revised to demonstrate the hook call using the ngrok utility (opens new window), rather than the sample code hosted on Glitch.com (opens new window). The hosted sample app on Glitch is scheduled for deprecation on July 8th, 2025.

June

Weekly release 2025.06.2

Change	Expected in Preview Orgs
Network zone restrictions for clients is self-service EA in Preview	Jun 25, 2025
Org2Org OIDC Sign-on mode is self-service EA in Preview	Jun 17, 2025
Okta Integration IdP type is self-service EA in Preview	Jun 25, 2025
Bugs fixed in 2025.06.2	Jun 25, 2025

Network zone restrictions for clients is self-service EA in Preview

You can now specify an allowlist or denylist network zone for each client to enhance token endpoint security.

Org2Org OIDC Sign-on mode is self-service EA in Preview

The Org2Org app now includes an OIDC Sign-on mode using the Okta Integration IdP. This sign-on mode reduces the complexity of configuration between the Org2Org app and the target org, and takes advantage of modern security features of OIDC. You also need to enable the Okta Integration IdP feature to use the OIDC Sign-on mode. See Secure API connections between orgs with OAuth 2.0.

Okta Integration IdP type is self-service EA in Preview

The new Okta Integration IdP type allows you to configure Org2Org OIDC IdPs with secure defaults. See Identity Providers (opens new window) and Add an Okta Identity Provider (opens new window).

Bugs fixed in 2025.06.2

When an app with imported app groups was deactivated, and users were subsequently removed from these groups, the event wasn't recorded in the System Log. (OKTA-934264)
The delete operation for the Roles API (/iam/roles/{roleIdOrLabel}) and the Resource Sets API (/iam/resource-sets/{iamPolicyIdOrLabel}) allowed users to delete IAM-based standard roles and resource sets, respectively. (OKTA-926830)
Using a private/public key for client authentication with an empty kid in the assertion threw a null pointer exception if there was an invalid use parameter in the key. (OKTA-963932)

Weekly release 2025.06.1

Change	Expected in Preview Orgs
Frame-ancestors rollout for Content Security Policy	Jun 17, 2025
Response body updates for the MyAccount Authenticators API	Jun 17, 2025
Bugs fixed in 2025.06.1	Jun 17, 2025

Frame-ancestors rollout for Content Security Policy

Okta is rolling out the frame-ancestors directive of the Content Security Policy (CSP) for the /auth/services/devicefingerprint and /api/v1/internal/device/nonce endpoints. To prevent blocking access to these endpoints from embedded frames, add any embedder origin as a trusted origin. See the Trusted Origins API (opens new window).

In addition, Okta is rolling out the use of nonce with the script-src directive of the CSP for the /auth/services/devicefingerprint. To prevent blocking inline scripts that you may have injected on the page returned by this endpoint, allowlist your inline script to account for the nonce addition to script-src.

Response body updates for the MyAccount Authenticators API

A new response property, canChange, is now returned for password enrollments when you make GET calls to the /idp/myaccount/authenticators/{authenticatorId}/enrollments/ endpoint. This property indicates if the value of a password enrollment can be changed. With the addition of the canChange property, canReset, an existing response property, now indicates whether or not the user can reset the value of their password enrollment.

See the MyAccount Authenticators API (opens new window).

Bugs fixed in 2025.06.1

When calling the Replace the resource set resource conditions endpoint, /api/v1/iam/resource-sets/{resourceSetIdOrLabel}/resources/{resourceId}, including an empty body didn't remove conditions. (OKTA-947764)
Customization fields in email templates were populated with unencoded information. (OKTA-922766)
The Directories Integration API for AD Bidirectional Group Management returned a 500 error because of a null pointer exception. (OKTA-948743)
User grants weren't returned from the Users API (/users/<userId>clients/<clientId>/grants) after revoking user sessions and OAuth 2.0 tokens. (OKTA-944549)
Users could sometimes receive too many password reset emails. (OKTA-916357)
App logos could be added or updated using any SVG format. See Application Logos (opens new window). (OKTA-876028)

Monthly release 2025.06.0

Change	Expected in Preview Orgs
Admins prevented from deleting published app instances	June 4, 2025
Authentication claims sharing between Okta orgs is GA in Production	June 4, 2025
Claims sharing between third-party IdPs and Okta is GA in Production	April 9, 2025
Conditions for create user permission	June 9, 2025
Define default values for custom user attributes is GA in Production	May 7, 2025
Domain restrictions on Realms is GA in Production	April 23, 2025
New password complexity property is self-service EA in Preview	June 4, 2025
Number matching challenge with the Factors API is GA in Production	April 9, 2025
Restrict access to the Admin Console is GA in Preview	December 11, 2024
Shared signal transmitters is GA in Production	May 7, 2025
Single Logout for IdPs is EA in Preview	June 4, 2025
Expanded use of user.getGroups() function in Okta Expression Language is GA in Preview	June 4, 2025
Developer documentation updates in 2025.06.0	June 4, 2025
Bugs fixed in 2025.06.0	June 4, 2025

Admins prevented from deleting published app instances

When an app instance has the Published version status in OIN Wizard, admins can no longer delete it from the Integrator Free Plan org.

Authentication claims sharing allows an admin to configure their Okta org to trust claims from IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from an IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.

Authentication claims sharing allows an admin to configure their Okta org to trust claims from third-party IdPs during SSO. Sharing claims also allows Okta to interpret the authentication context from a third-party IdP. This helps eliminate duplicate factor challenges during user authentication and helps improve security posture. See Configure claims sharing.

Conditions for create user permission

Define default values for custom user attributes is GA in Production

You can now define default values for custom attributes in a user profile. See the Update User Profile (opens new window) endpoint in the Schemas API.

Domain restrictions on Realms is GA in Production

You can now limit users to a specific domain in Realms, which adds an extra layer of oversight for realm and partner admins and enforces boundaries between user populations. See the Realms (opens new window) and Realm Assignments (opens new window) APIs.

New password complexity property is self-service EA in Preview

You can now use the oelStatement property to block words from being used in passwords. This feature enhances security by allowing you to customize your password strength requirements. See the Policy API (opens new window).

Number matching challenge with the Factors API is GA in Production

You can now send number matching challenges for Okta Verify push factor enrollments when you send POST requests to the /users/{userId}/factors/{factorId}/verify endpoint. For orgs that can't adopt Okta FastPass, this feature improves their overall security. See the Factors API (opens new window).

Restrict access to the Admin Console is GA in Preview

Shared signal transmitters is GA in Production

Okta uses CAEP (opens new window) to send security-related events and other data-subject signals to third-party security vendors. To enable the transmission of signals from Okta, create an SSF stream (opens new window) using the SSF Transmitter API. Then, configure the third-party receiver to accept signals sent as Security Event Tokens (SETs) (opens new window) from Okta. See the SSF Transmitter API (opens new window) and SSF Transmitter SET payload structures (opens new window).

Single Logout for IdPs is EA in Preview

The Single Logout (SLO) for IdPs feature boosts security for organizations using shared devices and external IdPs by automatically ending IdP sessions when a user signs out of any app. This feature also requires a fresh authentication for every new user, eliminating session hijacking risks on shared devices. SLO for IdP supports both SAML 2.0 and OIDC IdP connections, which provides robust session management for shared workstations in any environment. See Configure Single Logout for IdPs.

Expanded use of user.getGroups() function in Okta Expression Language is GA in Preview

You can now use the user.getGroups() function across all features that support Expression Language. See Group functions.

Developer documentation updates in 2025.06.0

The Email Customization API has been relabelled as the Org Email Settings API (opens new window). There are no other changes to the API. All previous anchors and links to the API remain the same.
A new guide explains how to migrate customizations from the second generation (Gen2) to the third generation (Gen3) of the Sign-In Widget. It describes how to use design tokens instead of CSS className selectors to customize Gen3, and which variables and functions help with your migration.
New release notes for Okta Privileged Access APIs are now available.

Bugs fixed in 2025.06.0

The /idp/myaccount/sessions endpoint didn't accept access tokens granted by custom authorization servers. (OKTA-929488)
An HTTP 500 error occurred when API requests were sent to api/v1/policies/{policyId} and api/v1/policies/{policyId}/rules/{ruleID} with certain values in the Accept header. (OKTA-892315)
MyAccount Authenticators API GET requests (/idp/myaccount/authenticators/ and /idp/myaccount/authenticators/{authenticatorId}) didn't return custom logo details. (OKTA-880048)

May

Weekly release 2025.05.3

Change	Expected in Preview Orgs
Integrator Free Plan org now available	May 22, 2025
Bugs fixed in 2025.05.3	May 29, 2025

Integrator Free Plan org now available

The Integrator Free Plan org is now available on the Sign up page of the developer documentation site. These orgs replace the previous Developer Editions Service orgs, which will start being deactivated on July 18th. See Changes Are Coming to the Okta Developer Edition Organizations (opens new window). For information on the configurations for the Integrator Free Plan orgs, see Okta Integrator Free Plan org configurations.

Bugs fixed in 2025.05.3

When third-party claims sharing was enabled, users couldn't sign in using their IdP because of an authentication loop. (OKTA-939862)
When enrolling an sms factor (POST /users/{userId}/factors), an Invalid Phone Number error was sometimes incorrectly returned. (OKTA-923373)
Users with + in their email address couldn't reset their passwords from email templates. Use the ${encode(String html)} expression to encode special characters. (OKTA-914601)
Sending a phone challenge with the MyAccount Phone API (POST /idp/myaccount/phones/{id}/challenge) sometimes returned an HTTP 500 Internal Server error. (OKTA-946865)

Weekly release 2025.05.2

Change	Expected in Preview Orgs
Enrollment grace periods is EA in Preview	May 21, 2025
Send app context to external IdPs is EA in Preview	May 21, 2025

Enrollment grace periods is EA in Preview

Today, when admins define an enrollment policy for a group, the entire group must enroll immediately, which can be disruptive to their day-to-day tasks.

With Enrollment Grace Periods, end users can defer enrollment in new authenticators until an admin-defined deadline when enrollment becomes mandatory. This allows end users to enroll at a time convenient to them and allows for more graceful enrollment before enforcing new authenticator types in authentication policies. See Authenticator enrollment policies and the Policies API (opens new window).

Send app context to external IdPs is EA in Preview

You can now forward context about an app to an external identity provider (IdP) when a user attempts to access the app. When you enable the Application context checkbox for an IdP, the app name and unique instance ID are included in the SAML or OpenID Connect request sent to the external IdP. This enhancement allows external IdPs to make more informed, context-aware authentication decisions, supporting advanced security scenarios, and Zero Trust environments. To enable this feature, go to Settings > Features in the Admin Console, locate Send Application Context to an External IdP, and enable.

Weekly release 2025.05.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.05.1	May 14, 2025

Bugs fixed in 2025.05.1

After enrolling a call factor (POST /users/{userId}/factors), the resend.href link in the response body returned an HTTP 404 Not Found error when it was used. (OKTA-926672)
In some situations, the /api/v1/agentPools API failed to return agents that were stuck in an error state. (OKTA-910056)

Monthly release 2025.05.0

Change	Expected in Preview Orgs
Breached Credentials Protection is EA in Preview	May 15, 2025
Custom admin roles for ITP	May 7, 2025
New User Role Targets API endpoint	May 7, 2025
Define default values for custom user attributes	May 7, 2025
Directories integration API is GA in Preview and Production	May 7, 2025
Number matching challenge with the Factors API is GA in Preview	May 7, 2025
Claims sharing between third-party IdPs and Okta is GA in Preview	May 7, 2025
Express Configuration for OIN apps	May 7, 2025
New End-user Enrollments API is GA in Production	March 5, 2025
New System Log for super admin privilege grant	May 7, 2025
Entitlement claims is GA in Production	January 2, 2025
POST requests to authorize endpoint is GA in Production	January 8, 2025
Authentication claims sharing between Okta orgs is GA in Preview	May 7, 2025
Shared signal transmitters is GA in Preview	May 7, 2025
Developer documentation update in 2025.05.0	May 7, 2025
Bugs fixed in 2025.05.0	May 7, 2025

Breached Credentials Protection is EA in Preview

This feature is following a slow rollout process beginning on May 15.

Custom admin roles for ITP

Through this feature, customers can use granular ITP permissions and resources to create custom roles to right-size authorization for ITP configuration and monitoring. See Configure custom admin roles for ITP (opens new window).

New User Role Targets API endpoint

The User Role Targets API now includes a new endpoint, Retrieve a role target by assignment type (opens new window), that retrieves role targets by user or group assignment type.

Define default values for custom user attributes

You can now define default values for custom attributes in a user profile. See the Update User Profile (opens new window) endpoint in the Schemas API.

Directories integration API is GA in Preview and Production

The Directories Integration API provides operations to manage Active Directory (AD) group memberships using Okta. This API enables you to define adding or removing users for AD groups. This is now generally available. Previously, this was only available to subscribers of Okta Identity Governance. See Directories Integration (opens new window).

Number matching challenge with the Factors API is GA in Preview

Express Configuration for OIN apps

Express Configuration is a feature designed to automate the setup of SSO for instances of OIN SaaS integrations by enterprise customers with minimal manual effort. It allows enterprise customers to securely configure OpenID Connect (OIDC) integrations without copying and pasting configuration values between Okta and Auth0-enabled apps. See Express Configuration.

New End-user Enrollments API is GA in Production

The new End-user Enrollments API (opens new window) enables end users to enroll and unenroll authenticators by entering a URL directly into their browser. This reduces the time spent administering complex authenticator enrollment flows, and provides a streamlined enrollment process for users. After a user enrolls or unenrolls an authenticator, you can use the redirect_uri property to redirect them to another page.

New System Log for super admin privilege grant

A new System Log event now indicates when the super admin role (app.oauth2.client.privilege.grant) is granted to an API service integration.

Entitlement claims is GA in Production

You can now enrich tokens with app entitlements that produce deeper integrations. After you configure this feature for your app integration, use the Okta Expression Language in Identity Engine to add entitlements at runtime as OpenID Connect claims and SAML assertions. See Federated claims with entitlements.

POST requests to authorize endpoint is GA in Production

You can now send user data securely in a POST request body to the /authorize endpoint.

Shared signal transmitters is GA in Preview

New Applications API object

A new universalLogout object is returned in the Applications API for orgs that have Identity Threat Protection enabled.

Developer documentation update in 2025.05.0

The new Integrate Okta with identity verification vendors guide describes how third-party identity verification (IDV) vendors can integrate with Okta. IDV vendors can use the guide to integrate their service with Okta orgs.

Bugs fixed in 2025.05.0

If a third-party SAML IdP sent the session.amr SAML attribute without the attribute schema type, Okta rejected the response when the third-party claims sharing feature was enabled. (OKTA-925864)
When third-party IdP claims sharing was enabled, the redirect to the IdP happened during reauthentication even if the IdP didn't provide any AMR claims. (OKTA-922086)

April

Weekly release 2025.04.3

Change	Expected in Preview Orgs
Bugs fixed in 2025.04.3	April 30, 2025

Bugs fixed in 2025.04.3

Some versions of the Sign-In Widget v3 returned an error when trying to display the consent screen. (OKTA-755616)
The user.profile.firstName tag in email templates didn't escape or render Unicode characters correctly. (OKTA-840719)
Requests made using the sortBy parameter with custom attributes to the List all users or List all groups endpoints threw an HTTP 400 Bad Request error. (OKTA-886166)
Some admins with a custom role (okta.apps.read, okta.apps.clientCredentials.read permissions) couldn’t view client secrets for apps that they had permission to view. (OKTA-893511)
After their accounts were suspended, users who correctly answered their security question were moved to an Active status in API calls. (OKTA-897292)
The number of groups that could be returned in tokens for a groups claim was still restricted in the authorization code sign-in flow when an inline hook was used. (OKTA-907362)
When a resource set contained a devices resource, the Retrieve a resource endpoint returned a null response for the devices self object. (OKTA-914364)
When the List all Subscriptions API with a Workflows Administrator role (WORKFLOWS_ADMIN) was called, an HTTP 400 Bad Request error was returned. (OKTA-918276)
Users received an HTTP 400 Bad Request error during self-service registration in preview orgs with a Registration Inline hook. (OKTA-918774)
When an Okta Classic Engine org was involved in a multi-org Okta-to-Okta authentication flow, and Okta-to-Okta claims sharing was enabled, the OktaAuth (SAML) and okta_auth (OIDC) claims weren't processed correctly. (OKTA-918969)
When Okta-to-Okta claims sharing was enabled, federated users who were sourced from a third-party identity provider were incorrectly prompted to provide a password on their hub org. (OKTA-919385)

Weekly release 2025.04.2

Change	Expected in Preview Orgs
Subscriptions API no longer supports OKTA_ISSUE	April 9, 2025
Bugs fixed in 2025.04.2	April 16, 2025

Subscriptions API no longer supports OKTA_ISSUE

The Subscriptions API no longer supports the notificationType value OKTA_ISSUE.

Bugs fixed in 2025.04.2

Email notifications weren’t sent to end users when security methods were enrolled using POST requests to the /users/{userId}/factors endpoint and the activate parameter was set to true. (OKTA-891169)
Updates made to ACS URIs for an app using the Applications API (PUT /apps/{appId}) didn't take effect if the app was created without those URLs. (OKTA-909218)

Weekly release 2025.04.1

Change	Expected in Preview Orgs
Advanced device posture checks	April 9, 2025
Claims sharing between third-party IdPs and Okta is self-service EA in Preview	April 9, 2025
Number matching challenge with the Factors API is self-service EA in Preview	April 9, 2025
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is self-service EA in Preview	April 2, 2025
Bugs fixed in 2025.04.1	April 9, 2025

Advanced device posture checks

Advanced posture checks provide extended device assurance to users. It empowers admins to enforce compliance based on customized device attributes that extend beyond Okta’s standard checks. Using osquery, this feature facilitates real-time security assessments across macOS devices. As a result, orgs gain enhanced visibility and control over their device fleet and ensure that only trusted devices can access sensitive resources. See Configure advanced posture checks for device assurance (opens new window) and the Device Posture Checks API (opens new window).

Number matching challenge with the Factors API is self-service EA in Preview

OAuth 2.0 provisioning for Org2Org with Auto-Rotation is self-service EA in Preview

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.

Bugs fixed in 2025.04.1

In Preview orgs, org admins couldn't edit IdP group assignments when a super admin group was included in the group list. (OKTA-880124)
The id_token_hint parameter was exposed in the System Log. (OKTA-890738)
POST requests to the /authorize endpoint that contained query parameters received an error. (OKTA-905143)

Monthly release 2025.04.0

Change	Expected in Preview Orgs
Domain restrictions on Realms	April 23, 2025
OAuth 2.0 provisioning for Org2Org with Auto-Rotation is EA in Preview	April 2, 2025
Retrieve the SSF Stream status is EA in Preview	April 2, 2025
OIN test account information deleted after 30 days	April 2, 2025
Risk Provider and Risk Events APIs are deprecated	April 2, 2025
POST requests to authorize endpoint is GA Preview	January 8, 2025
Integration variable limit increase in OIN Submission	April 2, 2025
Conditional requests and entity tags are GA in Production	January 16, 2025
New rate limit event type	April 2, 2025
Create dynamic resource sets with conditions is GA in Preview	November 7, 2024
Okta account management policy is GA in Production	December 11, 2024
Okta Sign-In Widget custom template updates	April 2, 2025
Developer documentation update in 2025.04.0	April 2, 2025
Bugs fixed in 2025.04.0	April 2, 2025

Domain restrictions on Realms

OAuth 2.0 provisioning for Org2Org with Auto-Rotation is EA in Preview

Admins deploying multi-org architectures (for example, Okta hub-and-spoke orgs) need to secure user and group provisioning. Provisioning using OAuth 2.0 scoped tokens has several advantages over API tokens, including more access granularity, shorter token lifespans, and automatic key rotation. You can now enable OAuth 2.0 Auto-Rotation for Org2Org app provisioning directly from the Admin Console, in addition to the API.

To support these updates, the Application Connections API includes a new endpoint, Retrieve a JSON Web Key Set (JWKS) for the default provisioning connection (opens new window), and schema updates to support token auto-rotation, rotationMode=AUTO. See Update the default provisioning connection (opens new window) and Integrate Okta Org2Org with Okta (opens new window).

Retrieve the SSF Stream status is EA in Preview

Retrieve the SSF Stream status endpoint (/api/v1/ssf/stream/status) is now available. The status indicates whether the transmitter is able to transmit events over the stream. This endpoint is available if you have enabled the Enable Managed Apple ID federation and provisioning feature for your org.

OIN test account information deleted after 30 days

Okta deletes your test account credentials 30 days after you publish your app in OIN Wizard. You must create a new test account and re-enter the required information before submitting the app.

Risk Provider and Risk Events APIs are deprecated

These APIs have been deprecated. Use the SSF Security Event Tokens API instead to receive security-related events and other data-subject signals. Use the SSF Receiver API for third-party security event providers.

POST requests to authorize endpoint is GA Preview

You can now send user data securely in a POST request body to the /authorize endpoint.

Integration variable limit increase in OIN Submission

The maximum number of integration variables allowed in OIN submission has increased from three to eight. The apps migrated from OIN Manager with more than eight variables can retain all existing variables but can't add new variables.

Conditional requests and entity tags are GA in Production

You can now use conditional requests and entity tags to tag and check for specific versions of resources. Currently this is only available to use with user profiles. See Conditional Requests and Entity Tags (opens new window).

New rate limit event type

This rate limit event type now appears in the System Log: system.rate_limit.configuration.update. It logs the following:

Changes to client-based rate limit settings
Changes in the rate limit warning notification threshold
If the rate limit notification is enabled or disabled
Updates to the rate-limit percentage of an API token

Create dynamic resource sets with conditions is GA in Preview

Resource set conditions help you limit the scope of a role by excluding an admin's access to certain apps. This gives you more granular control over your custom admin roles and helps meet your org's unique security needs. See Resource set conditions (opens new window) and the corresponding Resource Set Resources (opens new window) API.

Okta account management policy is GA in Production

The Okta account management policy helps admins easily build phishing resistance into actions such as account unlock, password recovery, authenticator enrollment, and profile setting changes. Using the familiar rule-based framework of an authentication policy, admins can now customize which phishing-resistant authenticators are required when users attempt these common self-service actions. All of the configurations in the authentication policies can now be applied for authenticator management. See Configure an Okta account management policy.

Admins can now use the useSiwGen3 variable in the sign-in page code editor to help with migrations from Gen2 to Gen3 of the Okta Sign-In Widget. See Use the code editor.

Developer documentation update in 2025.04.0

The Update a published integration with the OIN Wizard is a newly restructured guide which consists of our existing publish integration content and a brand new updating the attribute mapping flow section for SCIM integrations.

Bugs fixed in 2025.04.0

The result of System Log events triggered by the use_dpop_nonce OAuth 2.0 error was FAILURE instead of CHALLENGE. (OKTA-902314)
When the Okta-to-Okta Claims Sharing feature was enabled, users who signed in using ADSSO on a spoke org were prompted for their password in the hub org. (OKTA-897340)
Admins using multiple user types sometimes encountered an internal error when attempting to update an app instance. (OKTA-880825)
If an AAGUID key that wasn’t verified by the FIDO Alliance Metadata Service (MDS) was added to an authenticator group, then future PUT requests to api/v1/authenticators/{authenticatorId}/methods/webauthn failed. (OKTA-875920)
The wrong HTTP error code was returned for the SSF stream creation operation when one stream already existed. (OKTA-868972)
A Policies API GET request (/api/v1/policies) returned a rel="next" link when there were no more results. (OKTA-858605)
The OIN Submission Tester didn't support custom domains in the IdP flow. (OKTA-835402)
When /api/v1/apps was called, it returned all applications assigned, even though the user wasn't part of the assigned resource set. (OKTA-826548)

March

Weekly release 2025.03.3

Change	Expected in Preview Orgs
Advanced search using conditioned profile attributes	March 26, 2025
Bugs fixed in 2025.03.3	March 26, 2025

Advanced search using conditioned profile attributes

If you have an admin role with permission conditions to access certain user profile attributes, you can now search for those users with those attributes. Note that this search enhancement doesn't support the OR operator.

Bugs fixed in 2025.03.3

Custom role admins with permission conditions couldn't search for users by firstName or lastName. (OKTA-894392)
The user.identity_verification System Log event displayed an incorrect assurance level for completed identity verifications with DENY results. (OKTA-893343)
Some PUT requests to the brands/{brandId}/templates/email/{templateName}/settings endpoint received HTTP 500 Internal Server Error messages. (OKTA-886167)
GET requests to the /api/v1/users/me/appLinks endpoint sometimes returned an HTTP 500 Internal Server error. (OKTA-873694)

Weekly release 2025.03.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.03.1	March 12, 2025

Bugs fixed in 2025.03.1

createdBy and lastUpdatedBy custom attributes couldn't be used in group rules. (OKTA-566492)
Custom admins who were limited to viewing only application group members received incomplete results when using the List All Users API without a search or filter parameter. (OKTA-801592)
The JSON Web Token that Okta generates and sends to the OpenID Connect identity provider contained a string exp instead of a number 'exp'. (OKTA-852446)
When making POST requests to users/{userId}/factors/{factorId}/verify or authn/factors/{factorId}/verify endpoints with factorType instead of factorId in the URL path, multiple failed verification attempts didn't lock users out and the failed attempts weren't logged in the System Log. (OKTA-871469)
When Okta sent a request with a refresh token to the token inline hook, the session user was sometimes sent rather than the refresh token user in request.data.context. (OKTA-869758)

Monthly release 2025.03.0

Change	Expected in Preview Orgs
Global token revocation for wizard SAML and OIDC apps is GA in Production	September 11, 2024
OIDC IdPs now support group sync is GA in Production	October 23, 2024
Granular account linking for certain Identity Providers is GA in Production	December 11, 2024
Realms for Workforce is GA in Production	February 13, 2025
Improved group search functionality is GA in Production	February 12, 2025
Improved user search functionality is GA in Production	February 12, 2025
Improved realms and device search functionality is GA in Production	February 12, 2025
New End-user Enrollments API is GA in Preview	March 5, 2025
CLEAR Verified as a third-party identity verification provider is EA in Preview	March 5, 2025
Verify an SSF Stream is EA in Preview	March 5, 2025
MyAccount Password API updates	March 5, 2025
Identity Security Posture Management functionality in the OIN catalog	March 5, 2025
Default global session policy rule update	March 5, 2025
Developer documentation updates in 2025.03.0	March 5, 2025
Bugs fixed in 2025.03.0	March 5, 2025

Global token revocation for wizard SAML and OIDC apps is GA in Production

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

OIDC IdPs now support group sync is GA in Production

OpenID Connect identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Granular account linking for certain Identity Providers is GA in Production

When admins link users from SAML and OIDC identity providers, they can now exclude specific users and admins. This improves security by allowing admins to configure granular access control scenarios. See Add an external Identity Provider for OpenId Connect and SAML 2.0.

Realms for Workforce is GA in Production

The Realms and Realms Management APIs allow you to unlock greater flexibility in managing and delegating the management of your distinct user populations within a single Okta org. See Realms (opens new window) and Realm Assignments (opens new window).

Improved group search functionality is GA in Production

You can now search for groups whose names or descriptions contain specified text. This makes it easier to find a group when you don't recall its exact name. Use the co operator within the search parameter of the Groups API. See Operators (opens new window) and search within the Groups API (opens new window).

Improved user search functionality is GA in Production

You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to do user lookups and add users to groups. Use the co operator within the search parameter of the Users API. See Operators (opens new window) and search within the Users API (opens new window).

Improved realms and device search functionality is GA in Production

We've extended the contains (co) operator to realms and devices. You can now search for realms and devices whose profile attributes contain specified text through API. This makes lookups easier without needing to recall the exact names of various profile attributes. Use the co operator within the search parameter. See Contains operator (opens new window) and the search parameter in the Realms (opens new window) and Devices (opens new window) APIs.

New End-user Enrollments API is GA in Production

CLEAR Verified as a third-party identity verification provider is EA in Preview

Okta now supports using CLEAR Verified as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_CLEAR as the IdP type when you create an IdP (opens new window).

Verify an SSF Stream is EA in Preview

Okta SSF Transmitter now supports the verification endpoint to enable receivers to request verification events and validate the end-to-end delivery between the transmitter and receiver. In addition, the SSF Transmitter verification events claim structure is now compliant with the OpenID Shared Signals Framework ID3 spec.

MyAccount Password API updates

Admins can now send a PUT request to the /idp/myaccount/password endpoint to update the password for a user. Also, admins can send a GET request to the /idp/myaccount/password/complexity-requirements endpoint to retrieve password complexity requirements. See Replace a Password (opens new window) and Retrieve the Password Complexity Requirements (opens new window).

Identity Security Posture Management functionality in the OIN catalog

The Okta Integration Network page now provides Identity Security Posture Management functionality. When you select it, the OIN catalog displays only the apps with Identity Security Posture Management functionality.

Default global session policy rule update

The default value for the maxSessionLifetimeMinutes property of the default global session policy rule is now 1440 (24 hours) and can be changed. Previously the maxSessionLifetimeMinutes property of the default global session policy rule was read-only. See the Policies API (opens new window).

Developer documentation updates in 2025.03.0

The list of public permissions has moved from the Roles in Okta (opens new window) topic to the Permissions in Okta (opens new window) topic. The new topic contains more permission details for you to define your custom admin roles.
A new section has been added to the API documentation: Sign-in Experience API (opens new window). It contains the new End-user Enrollments API that enables end users to enroll and unenroll authenticators by entering a URL directly into their browser.

Bugs fixed in 2025.03.0

Some certificates with trailing characters were uploaded successfully to the /domains/{domainId}/certificate endpoint, despite their invalid format. (OKTA-486406)
An incorrect response was returned when a /token request was sent with an inactive user in a direct authentication flow. (OKTA-853984)

February

Weekly release 2025.02.2

Change	Expected in Preview Orgs
Incode as a third-party identity verification provider is EA in Preview	February 20, 2025
Bugs fixed in 2025.02.2	February 20, 2025

Incode as a third-party identity verification provider is EA in Preview

Okta now supports using Incode as an identity provider. This increases the number of identity verification vendors (IDVs) you can use to verify the identity of your users when they onboard or reset their account. Set IDV_INCODE as the IdP type when you create an IdP (opens new window).

Bugs fixed in 2025.02.2

An API request to create a resource set with a duplicate name sometimes returned a 5xx error instead of a 4xx error response. (OKTA-867792)
Admins couldn't retrieve more than five entitlement SAML assertions and OIDC claims when configuring apps. (OKTA-865900)
The contains (co) operator sometimes gave unclear error messages when using less than three characters or with other operators. (OKTA-846206)
When an admin attempted to revoke an API token (DELETE /api/v1/api-tokens/{apiTokenId}), and the credential used to authenticate the request was an access_token for a Service client, an HTTP 403 error was returned. (OKTA-844384)

Weekly release 2025.02.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.02.1	February 13, 2025

Bugs fixed in 2025.02.1

When a GET request was made using the User Grants API (/api/v1/users/{userId}/grants), the response didn't include pagination links in the response header. (OKTA-826775)
The Users API returned inconsistent responses in Classic Engine orgs that allowed self-service registration and in Identity Engine orgs that were migrated from these orgs. (OKTA-833094)
In the Admin Console, updates in the code editor that Okta couldn't parse returned a 500 Internal Server Error. (OKTA-837068)
The On-Behalf of Token Exchange flow was returning the wrong error message when an invalid subject_token_type was requested. (OKTA-841223)
When a POST request was made (/api/v1/authorizationServers/{authServerId}/policies) to create an authorization policy, the created and lastUpdated properties had a null value. (OKTA-848623)
The /user/verify_idx_credentials endpoint didn't accept arbitrary fromUri values. (OKTA-853353)
AMR values weren't forwarded to the app when a user signed in and Okta-to-Okta claims sharing was configured. (OKTA-860242)
Some identity provider API POST (/api/v1/idps) and PUT (/api/v1/idps/{idpId}) requests returned an HTTP 500 error code if the request didn't have the policy.accountLink object in the request body. (OKTA-865143)

Monthly release 2025.02.0

Change	Expected in Preview Orgs
IP Exempt Zone is GA in Preview	October 23, 2024
Global token revocation for wizard SAML and OIDC apps is GA in Preview	September 11, 2024
OIDC IdPs now support group sync is GA in Preview	October 23, 2024
Granular account linking for certain identity providers is GA	December 11, 2024
Realms for Workforce is GA in Preview	February 13, 2025
Improved group search functionality is GA in Preview	February 12, 2025
Improved user search functionality is GA in Preview	February 12, 2025
Support for importing Active Directory group descriptions is GA in Production	February 6, 2025
Developer documentation updates in 2025.02.0	February 6, 2025
Bugs fixed in 2025.02.0	February 6, 2025

IP Exempt Zone is GA in Preview

This feature introduces useAsExemptList as a read-only Boolean property that distinguishes the new default IP exempt zones from other zones. When you enable this feature and you make a GET api/v1/zones request, Okta returns useAsExemptList in the response. The value true indicates that the zone is an exempt zone. Only system generated exempt zones are available.

Global token revocation for wizard SAML and OIDC apps is GA in Preview

Universal Logout clears sessions and tokens for wizard SAML and OIDC apps. This enhancement extends Universal Logout functionality to more types of apps and provides greater flexibility to admins.

OIDC IdPs now support group sync is GA in Preview

OpenID Connect (OIDC) identity providers (IdPs) now support full group sync and adding a user to a group that they don't already belong to. A user who authenticates with an external IdP is added to all available groups when Full sync of groups is enabled. The user is added to any groups that they don't already belong to when Add user to missing groups is enabled. This allows you to specify certain groups that users should be added to.

Granular account linking for certain identity providers is GA

Realms for Workforce is GA in Preview

Improved group search functionality is GA in Preview

Improved user search functionality is GA in Preview

You can now search for users whose names, email addresses, or usernames contain specified text. This makes it easier to add users to groups or apps. Use the co operator within the search parameter of the Users API. See Operators (opens new window) and search within the Users API (opens new window).

Support for importing Active Directory group descriptions is GA in Production

The descriptions of groups sourced from Active Directory now use their description from AD. These replace any previous descriptions of AD-sourced groups in Okta, which used a pretty-printed version of the distinguished name (DN) instead.

Developer documentation updates in 2025.02.0

The Style the Sign-In Widget (third generation) guide, under Brand and Customize, now describes how to use the afterTransform function. The function allows you to apply DOM customizations to the third generation of the widget. For example, you can use afterTransform to change button text or to add an instructional paragraph.
The new Configure a device assurance policy guide, under Sign users in, describes how to manage device assurance policies in your org. The guide uses the Device Assurance Policies API to create and edit a policy, and add device assurance to an authentication policy. It also shows how to use the System Log API to check for device assurance events.
The OIN Manager: submit an integration guide has been updated to include API service submission instructions.

Bugs fixed in 2025.02.0

When calling deleted app users through the Apps API, the API returned a 500 internal server error instead of a 404 error. (OKTA-832609)
PUT requests (/api/v1/apps/appId) to update an OpenID Connect app took 30 seconds to complete. (OKTA-852488)
When the List all devices API (opens new window) was used with a search query parameter, it sometimes returned outdated records for screenLockType and managementStatus. (OKTA-856387)

January

Weekly release 2025.01.2

Change	Expected in Preview Orgs
Authentication claims sharing between Okta orgs is EA in Preview	January 29, 2025
Bugs fixed in 2025.01.2	January 29, 2025

Bugs fixed in 2025.01.2

When the Default Network Zone IP Exempt List feature was enabled for an org, an admin was able to delete the default example IP zone using the Zones API (/api/v1/zones/{DefaultExemptIpZone ID}). (OKTA-817263)
The List all principal rate limits (opens new window) returned an empty response when querying with a custom client_id and using OAuth 2.0 for authentication. (OKTA-832687)
When a super admin updated a deactivated user to a different realm, admins received a Resource not found error. (OKTA-699778)
Events for tokens revoked in bulk for a resource didn't appear in the System Log. (OKTA-834025)
Refresh tokens for OpenID Connect apps that have Single Logout enabled with user session details were getting invalidated before their max lifetime. (OKTA-730794)
Account unlock didn't work for some orgs using the Okta account management policy. (OKTA-848066)

Weekly release 2025.01.1

Change	Expected in Preview Orgs
Bugs fixed in 2025.01.1	January 15, 2025

Bugs fixed in 2025.01.1

When an admin attempted to delete an IdP using the SDK, the operation failed with an HTTP 500 response code. (OKTA-846005)
POST requests with an OAuth token to the /devices/{deviceId}/lifecycle/deactivate endpoint by an API service app using the Client Credentials flow returned 403 error responses. The deactivations succeeded in spite of the error response. (OKTA-838539)

Monthly release 2025.01.0

Change	Expected in Preview Orgs
Additional use case selection in the OIN Wizard	January 8, 2025
Configure Identity Verification with third-party Identity Verification providers is GA Production	October 2, 2024
Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access	January 8, 2025
Granular configuration for Keep Me Signed In is EA in Preview	January 8, 2025
Multiple Identifiers is GA in Preview	November 7, 2024
New group.source.id key for group functions in Expression Language	January 2, 2025
POST requests to the authorize endpoint is self-service EA	January 8, 2025
Bug fixed in 2025.01.0	January 8, 2025

Additional use case selection in the OIN Wizard

Independent software vendors (ISVs) can select the following additional use case categories when they submit their integration to the OIN:

Automation
Centralized Logging
Directory and HR Sync
Multifactor Authentication (MFA)

See OIN Wizard use case selection.

Configure Identity Verification with third-party Identity Verification providers is GA Production

You can now configure third-party Identity Verification providers using the IdP API and Okta account management policy rules. Okta supports Persona as a third-party Identity Verification provider.

Identity Verification enables you to use a third-party Identity Verification provider to verify the identity of your users. Verification requirements and the Identity Verification provider are based on your authentication policies and configurations within your Okta org. To configure an Identity Verification provider in the Admin Console, see Add an Identity Verification vendor as Identity Provider (opens new window).

Deprecated API endpoints: Extend, Grant, and Revoke Okta Support access

The following API endpoints have been deprecated:

Extend Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/extend)
Grant Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/grant)
Revoke Okta Support access (opens new window) (POST /api/v1/org/privacy/oktaSupport/revoke)

Use the Update an Okta Support case (opens new window) endpoint to extend, grant, or revoke Okta Support access for a specific support case. For the corresponding Okta Admin Console feature, see Give access to Okta Support (opens new window).

Granular configuration for Keep Me Signed In is EA in Preview

The post-authentication prompt text (title, subtitle, accept button, and reject button) is now customizable through the Brands API. See Customize post-authentication sign-in prompts.

Multiple Identifiers is GA in Preview

Today, end users must sign in to Okta with a username or email address only. With the Multiple Identifiers feature, admins can configure identifiers, or user attributes from Universal Directory, that an end user can enter to authenticate. Multiplier identifiers work in sign-in, recovery, self-service registration, and unlock flows. Admins can configure up to three identifiers, including email (which is still a required identifier). See Configure multiple identifiers.

New group.source.id key for group functions in Expression Language

You can now use the group.source.id key in Expression Language group functions to filter between groups that have the same name. See Group functions.

POST requests to the authorize endpoint is Self-Service EA

You can now send user data securely in a POST request body to the /authorize endpoint.

Developer documentation updates in 2025.01.0

The Sign users in to your SPA using redirect guides for the Angular and React platforms are now revised to use updated versions of Okta SDKs, framework dependencies, and coding patterns.

Bug fixed in 2025.01.0

Requests to the /policies/{policyId}/rules and /policies/{policyId}/rules/{ruleId} endpoints to create or update Okta account management policy rules included default Keep me signed in (KMSI) settings in the responses. (OKTA-848236)

Edit This Page On GitHub

On this page

Okta Identity Engine API release notes (2025)

August

Weekly release 2025.08.2

Bugs fixed in 2025.08.2

Monthly release 2025.08.0

Associated Domain Customizations API is self-service EA in Preview

Automate SCIM Integration for OIN Apps with Express Configuration

Breached Credentials Protection is GA in Preview

Clear user factors for all devices is GA in Preview

Cross App Access is self-service EA in Preview

Custom FIDO2 AAGUID is self-service EA in Preview

Device signal collection policy is self-service EA in Preview

Encryption of ID tokens and access tokens is EA

Expanded use of user.getGroups() function in Okta Expression Language is GA in Production

Granular configuration for Keep Me Signed In is GA in Production

Group Push Mappings is GA in Preview

MyAccount Password API is GA in Production

MyAccount WebAuthn API is EA in Production and GA in Preview

Multiple active IdP signing certificates is EA

New User Authenticator Enrollments API is GA in Preview

New user profile permission

OAuth 2.0 provisioning for Org2Org with Autorotation is GA in Production

Passkeys from Android devices is self-service EA in Preview

Send app context to external IdPs is GA in Preview

Service Accounts API is EA

System Log event for Identity Assertion Authorization Grant (ID-JAG) issuance is EA in Preview

System Log updates for ID verification events

Temporary Access Code authenticator is self-service EA in Preview

Unified claims generation for custom apps is self-service EA in preview

Universal Logout in the OIN Wizard

Web app integrations now mandate the use of the Authorization Code flow

Developer documentation updates in 2025.08.0

Bug fixed in 2025.08.0

July

Weekly release 2025.07.3

Bugs fixed in 2025.07.3

Weekly release 2025.07.2

Bugs fixed in 2025.07.2

Weekly release 2025.07.1

Bugs fixed in 2025.07.1

Monthly release 2025.07.0

OAuth 2.0 provisioning for Org2Org with key auto-rotation is GA in Preview

MyAccount Password API is GA in Preview

New Okta Expression Language component is self-service EA in Preview

System Log event for monitoring LDAP Agent config file changes is EA

Integrate Okta with Device Posture Provider

New validation rule for user profile attributes in OIN Wizard

Stricter URL validation in the OIN Wizard

Conditions for create user permission is GA in Production

CLEAR Verified and Incode as third-party identity verification providers is GA in Production

Changes to Okta app API responses

Restrict access to the Admin Console is GA in Production

Developer documentation updates in 2025.07.0

June

Weekly release 2025.06.2

Network zone restrictions for clients is self-service EA in Preview

Org2Org OIDC Sign-on mode is self-service EA in Preview

Okta Integration IdP type is self-service EA in Preview

Bugs fixed in 2025.06.2

Weekly release 2025.06.1

Frame-ancestors rollout for Content Security Policy

Response body updates for the MyAccount Authenticators API

Bugs fixed in 2025.06.1

Monthly release 2025.06.0

Admins prevented from deleting published app instances

Authentication claims sharing between Okta orgs is GA in Production

Claims sharing between third-party IdPs and Okta is GA in Production

Conditions for create user permission

Define default values for custom user attributes is GA in Production

Domain restrictions on Realms is GA in Production

New password complexity property is self-service EA in Preview

Number matching challenge with the Factors API is GA in Production

Restrict access to the Admin Console is GA in Preview

Shared signal transmitters is GA in Production

Single Logout for IdPs is EA in Preview

Expanded use of user.getGroups() function in Okta Expression Language is GA in Preview

Developer documentation updates in 2025.06.0

Bugs fixed in 2025.06.0

May