On this page
Okta Identity Governance API release notes (2025)
Okta Identity Governance is available for both Okta Classic and Identity Engine.
August
Weekly release 2025.08.2
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.08.2 | August 20, 2025 |
Bug fixed in 2025.08.2
The List all grants API operation ( GET /governance/api/v1/grants) returned an incorrect number of objects. (OKTA-995619)
Monthly release 2025.08.0
| Change | Expected in Preview Orgs |
|---|---|
| Governance delegates APIs are Beta | August 7, 2025 |
| List all access request catalog entries for a user is GA | July 16, 2025 |
| Unified requester experience is EA | July 16, 2025 |
| Developer documentation updates in 2025.08.0 | August 7, 2025 |
| Bug fixed in 2025.08.0 | August 7, 2025 |
Governance delegates APIs are Beta
BetaSuper admins and users can assign delegates to complete governance tasks. These include access certification campaign reviews and access request approvals, questions, and tasks. When approvers are unavailable, their tasks can be assigned to different stakeholders ( delegates) for a period of time to ensure that governance processes don't stall. This also reduces the time admins and users spend reassigning requests and reviews manually.
The following APIs support the governance delegates flow and are available as Beta:
- Principal Settings API > Update the principal settings (opens new window)
- Delegates > List all delegate appointments (opens new window)
- My Settings > Retrieve the settings (opens new window)
- My Settings > Update the settings (opens new window)
- My Settings > List the eligible delegate users (opens new window)
List all access request catalog entries for a user is GA
The List all access request catalog entries for a user (opens new window) (GET /governance/api/v2/catalogs/default/user/{userId}/entries) operation is now included in the Access Requests - V2 > Catalogs (opens new window) API. As an admin, use this operation to list access request catalog entries for a user. A filter expression query parameter is required to specify the set of entries in the response.
Unified requester experience is EA
Use this feature to create a consistent and unified experience for initiating requests in End-User Dashboard, Slack, and Microsoft Teams regardless of whether the request is managed by conditions or request types. This gives you the flexibility to use either or both methods together to manage resource access without altering the requester experience.
- Request types now appear as tiles in the End-User Dashboard's resource catalog alongside other resources. Your settings for a request type's audience continue to govern which users can view the request type on their dashboard and request access.
- In Slack and Microsoft Teams, users can now request access to resources that are governed by access request conditions, and the user experience for requesting resources that are managed by request types has also been changed.
Additionally, in the Okta Access Requests app, the Access requests page has been renamed to Resource catalog and clicking it redirects requesters to the resource catalog on the End-User Dashboard. The Request types section in the web app is only visible to admins and team members who own the request type. See Create requests (opens new window).
This is an Early Access feature. See Enable self-service features (opens new window).
The following Access Request API updates have been made to support the unified requester experience:
- New
REQUEST_TYPEoption for accessScopeType (opens new window) in the Requests (opens new window) API - New validRequestOnBehalfOfSettings (opens new window) property for Request Settings (opens new window) API
- Related entry link updates for catalog entry responses
- List all access request catalog entries for a user (opens new window)
Developer documentation updates in 2025.08.0
The Archived Okta Identity Governance API changelog (2023-2024) has been removed.
Bug fixed in 2025.08.0
The filtered entitlement bundles request (GET /governance/api/v1/entitlement-bundles) with the contains (co) operator didn't sort results by the substring's location within the name field.
July
Weekly release 2025.07.2
| Change | Expected in Preview Orgs |
|---|---|
| Related entity link updates for catalog entry responses | July 16, 2025 |
| Bug fixed in 2025.07.2 | July 16, 2025 |
Related entity link updates for catalog entry responses
The _links.relatedEntity (or data._links.relatedEntity) property is now returned for parent catalog entries, in addition to child entries, for the following operations:
- List all entries for the default access request catalog (opens new window)
- Retrieve a catalog entry (opens new window)
- List all of my entries for the default access request catalog (opens new window)
- Retrieve an entry from my catalog (opens new window)
- List all of my catalog entry users (opens new window)
Bug fixed in 2025.07.2
A null pointer exception occurred when a PUT /governance/api/v1/collections/{collecionId}/resources/{resourceId} request was made on a collection without resources. (OKTA-970817)
Monthly release 2025.07.0
| Change | Expected in Preview Orgs |
|---|---|
| Changes to Okta app API responses | July 7, 2025 |
Changes to Okta app API responses
The following Okta apps won't be returned in the API response for endpoints that list apps (such as the List all applications (opens new window) GET /api/vi/apps endpoint):
- Okta Access Certifications (key name:
okta_iga) - Okta Access Requests Admin (key name:
okta_access_requests_admin) - Okta Entitlement Management (key name:
okta_entitlement_management)
In addition, a single app retrieval endpoint won't return these apps either. For example: GET /api/v1/apps/{appId} won't return the app object if {appId} is the ID for the okta_iga, okta_access_requests_admin, or okta_entitlement_management apps in your org.
June
Weekly release 2025.06.1
| Change | Expected in Preview Orgs |
|---|---|
| List all access request catalog entries for a user is Beta | June 17, 2025 |
List all access request catalog entries for a user is Beta
BetaThe List all access request catalog entries for a user (opens new window) (GET /governance/api/v2/catalogs/default/user/{userId}/entries) operation is now included in the Access Requests - V2 > Catalogs (opens new window) API. As an admin, use this operation to list access request catalog entries for a particular user. A filter expression query parameter is required to specify the set of entries in the response.
May
Weekly release 2025.05.3
| Change | Expected in Preview Orgs |
|---|---|
| Request condition name length increase | May 29, 2025 |
Request condition name length increase
The Request Condition API (opens new window) has increased the length of the request condition name from 50 to 255 characters.
Weekly release 2025.05.1
| Change | Expected in Preview Orgs |
|---|---|
| New variable for Access Certification campaign emails | May 14, 2025 |
| Generate a risk assessment is Beta | May 14, 2025 |
New variable for Access Certification campaign emails
You can now include the campaign description in your customized Access Certification campaign email notifications. See the new ${campaign.campaignDescription} variable in Use VTL variables (opens new window).
Generate a risk assessment is Beta
BetaThe Generate a risk assessment (opens new window) operation is now included in the Risk Rules API (opens new window). This operation requires the okta.governance.riskRule.read OAuth 2.0 scope. Use this resource to evaluate potential separation of duties (SOD) violations when a user requests entitlements.
April
Monthly release 2025.04.0
| Change | Expected in Preview Orgs |
|---|---|
| Risk Rules API is Beta | April 2, 2025 |
Risk Rules API is Beta
BetaThe Risk Rules API (opens new window) is now available in Beta and includes the following new scopes:
okta.governance.riskRule.manageokta.governance.riskRule.read
Use this API to define risk rules to support separation of duties (SOD) in Access Certifications and Access Requests.
The following new properties were added to support the SOD feature in existing Identity Governance resources:
Campaigns resource:
principalScopeSettings.onlyIncludeUsersWithSODConflicts(opens new window)Reviews resource:
riskRuleConflicts(opens new window)Request Settings:
validRiskSettings(opens new window) andriskSettings(opens new window)
See Separation of duties (opens new window) in the product documentation.
March
Weekly release 2025.03.2
| Change | Expected in Preview Orgs |
|---|---|
| Collections API is Beta | March 19, 2025 |
Collections API is Beta
BetaThe Collections API (opens new window) is available in Beta. This API allows you to manage sets of apps and entitlements. See Resource collections (opens new window).
Weekly release 2025.03.1
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.03.1 | March 12, 2025 |
Bug fixed in 2025.03.1
The requestOnBehalfOfSettings property wasn’t validated for DIRECT_REPORT when a user calls the Retrieve an entry’s request fields (opens new window) (GET /governance/api/v2/my/catalogs/default/entries/{entryId}/request-fields). (OKTA-807528)
Monthly release 2025.03.0
| Change | Expected in Preview Orgs |
|---|---|
| Entitlements and Entitlement Bundles APIs are GA | March 5, 2025 |
| New Access Certifications campaign | March 5, 2025 |
| Bug fixed in 2025.03.0 | March 5, 2025 |
Entitlements and Entitlement Bundles APIs are GA
The following APIs have transitioned from Beta to GA:
New Access Certifications campaign
A new property, resourceSettings.includeAdminRoles, has been added to the access certification campaign schema in the Campaigns API . This property indicates that the user-centric access certification campaign includes users’ admin role assignments.
Bug fixed in 2025.03.0
The remediationSettings.autoRemediationSettings and principalScopeSettings.predefinedInactiveUsersScope properties were missing from the Access Certification campaign schema in the Campaigns API reference. (OKTA-880900)
February
Weekly release 2025.02.1
| Change | Expected in Preview Orgs |
|---|---|
| List all entitlements API response update | February 13, 2025 |
List all entitlements API response update
BetaBreaking change: The List all entitlement (opens new window) response no longer returns a values object. Previously, this response returned an empty array for this property after the following update in 2024.04.0: List all entitlements will no longer return values. To fetch values for a given entitlement, use List all values for an entitlement (opens new window) or List all entitlement values (opens new window).
Monthly release 2025.02.0
| Change | Expected in Preview Orgs |
|---|---|
| New System Log event | February 6, 2025 |
New system log event
An access.request.settings.update System Log event now appears when a Request of behalf of setting is toggled on or off in the Admin Console, or when you set or change the requestOnBehalfOfSettings object for Requests Settings (opens new window). The event's debugData property includes the app for which the setting was updated and the changeDetails property includes the previous and new state of the setting.
January
Weekly release 2025.01.2
| Change | Expected in Preview Orgs |
|---|---|
| Bug fixed in 2025.01.2 | January 29, 2025 |
Bug fixed in 2025.01.2
- The
okta.accessRequests.catalog.readscope was missing from the Okta Identity Governance APIs. (OKTA-846162)
Monthly release 2025.01.0
| Change | Expected in Preview Orgs |
|---|---|
| Selected Okta Identity Governance APIs are now GA | January 8, 2025 |
Selected Okta Identity Governance APIs are now GA
The following Okta Identity Governance APIs are GA:
- Campaigns (opens new window)
- Reviews (opens new window)
- Access Requests - V2 (opens new window)
- My Catalogs (opens new window)
- My Requests (opens new window)
The following Access Requests - V2 administrative APIs are now EA:
- List all entries for the default access request catalog (opens new window)
- Retrieve a catalog entry by an ID (opens new window)
For further information, see Identity Governance (opens new window) and Okta Identity Governance API (opens new window).
