Invoke an API endpoint flow

An API Endpoint flow is a type of flow triggered by changes at an external source.

Unlike flows that start with events associated with a connected application, these flows can be triggered at any time. When the external client calls the endpoint, the flow is executed and the client receives any output from that flow execution.

The only requirement is that the external client calls the designated endpoint with valid security credentials. There are three ways of securing your API endpoint for Okta Workflows:

Secure with OAuth 2.0

Limited Early Access release

The API endpoint flow is secured using OAuth 2.0 protocols for authorization of scoped access tokens. An admin adds the appropriate scopes to any app integration that needs to call the API. This feature supports the OAuth client credentials grant type with the use of a private JSON Web Token (JWT). The flow is triggered after the Okta authorization server receives and approves the access token.

Custom authorization servers aren't supported for this method.

See Secure with OAuth 2.0.

Secure with client token

The API endpoint flow is registered as a webhook and is secured through a unique client token. It's only accessible if the requesting service passes the proper client token through the invoke URL. The invoke URL is constructed using a flow alias.

See Secure with client token.

None (public service)

The API endpoint flow is publicly available to anyone with the invoke URL. The invoke URL is constructed using a flow alias.

See No security (public service).

Related topics

Invoke a flow with an API endpoint

Function: API Endpoint

Resume a paused flow

Flow aliases

Flow client token