API token management
Use the API page to manage and create all Okta API tokens and to add Origin URLs. For additional information on Okta APIs, see the Okta Developer Site.
API tokens are used to authenticate requests to the Okta API just like HTTP cookies authenticate requests to the Okta Application with your browser. An API token is issued for a specific user and all requests with the token act on behalf of the user. API tokens are secrets and should be treated like passwords.
API tokens are generated with the permissions of the user that created the token. If a user’s permissions change, then so do the token’s. Super admins, org admins, and group admins may create tokens.
Tokens are valid only if the user who created them is active. Tokens issued by deactivated users are rejected. To avoid service interruptions, Okta recommends generating API tokens using a service account that won’t be deactivated and with Super Admin permissions that won’t change.
API tokens are valid for 30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again.
Okta Agents are also issued API tokens during installation which they use to access your Okta organization. While these tokens are similar to the standard API token, they are managed by Okta.
Use the API Token page to manage all Okta API tokens. Agent tokens are usually managed when you activate, deactivate, or reactivate an agent.
Agent tokens are displayed on this page for your review, and to highlight any security issues that might arise with them. Most agents use a token. The token setup is usually handled automatically when you activate or reactivate an agent. This list of tokens contains Okta token usage information for your organization.
To create your own token to authenticate with the Okta API, navigate to Security > API and click the Create Token button.
The only time you can view the token is during the creation process. After the token is created, it is stored as a hash for your protection. Treat API tokens like passwords. You might want to capture a screen shot of it for future reference, but be sure to store it in a secure place.
All tokens are displayed when you open the API Tokens page. The token status, type, name, use, and creation, expiration, and last used dates for all agent and API tokens are shown. To sort the display, choose a sort from the Sort by dropdown menu at the right.
The following color codes are used to show the token status.
- Green – the token has been used within the last three days.
- Gray – the token has not been used in the last three days, and today is at least seven days before its expiration date.
- Red – the token is within seven days of expiring.
- Yellow – the token is suspicious.
A suspicious token is associated with an agent that is not registered in Okta. Normal agent deployments do not create suspicious tokens.
Recommendation: Investigate suspicious tokens. Click on the token name and review the provisioning for the associated agent. If the agent is not registered in Okta or if you have deactivated it without reactivating it, you can revoke and delete the token from this page.
Select any token type from the list on the left to limit the display to that token type. Most of the categories are types of tokens. Additionally, the Suspicious Tokens category contains tokens that are associated with an agent that is not registered in Okta.
To find a single token, enter the token value and then select Find Token.
The number of tokens for a particular type is always shown. This list is dynamic and changes as the token count and type changes.
To revoke a token, click the trash icon at the right of the token information. Note that the icon is not always active:
- Agent tokens are revocable if the agent is not active; otherwise, you must deactivate the agent before revoking the token. Some agents such as the Okta AD Agent automatically revoke their tokens for you when you deactivate the agent.
- API Tokens are always revocable.
The system logs contain information about API token creation and revocation. The message associated with these operations is either API Token created or API Token revoked. In the System Log v1, which is only accessible through the Okta API, the category for these events is Token Lifecycle.
If a token is revoked by the same user who created it, the actor and target contain the same information; if an admin who did not create the token revokes it, the actor and target contain different information.