Invoke a flow with an API endpoint

An API Endpoint flow is a type of flow triggered by changes at an external source.

Unlike flows that start with events associated with a connected app, these flows can be triggered at any time. When the external client calls the endpoint, the flow is executed and the client receives any output from that flow execution.

The only requirement is that the external client calls the designated endpoint with valid security credentials. There are three ways of securing your API endpoint for Okta Workflows:

Secure with OAuth 2.0

The API endpoint flow is secured using OAuth 2.0 protocols for authorization of scoped access tokens. An admin adds the appropriate scopes to any app integration that needs to call the API. This feature supports the OAuth client credentials grant type with the use of a private JSON Web Token (JWT). The flow is triggered after the Okta authorization server receives and approves the access token.

Custom authorization servers aren't supported for this method.

See Invoke a flow with an API endpoint using OAuth 2.0.

Secure with client token

The API endpoint flow is registered as a webhook and is secured through a unique client token. It's only accessible if the requesting service passes the proper client token through the invoke URL. The invoke URL is constructed using a flow alias.

See Invoke a flow with an API endpoint using a Client Token.

None (public service)

The API endpoint flow is publicly available to anyone with the invoke URL. The invoke URL is constructed using a flow alias.

See Invoke a flow with an API as a public service.

After you invoke a flow, it sends the flow output as a response object.

Related topics

Function: API Endpoint

Flow aliases

Flow client token