401 Unauthorized when changing user password

I’m developing a script that I’m hoping will change the password for a user under the context of the user but I’m running into a roadblock.
I’m using the following endpoint to authenticate a basic (non-admin) user. The username and password of the user are included with the body.

https://oktaorg.com/api/v1/authn

A “sessionToken” is returned, and I am then using that token in the Authorization header in the following endpoint to change the password:

https://oktaorg.com/idp/myaccount/password/change-password

I’m getting “401 (Unauthorized)”

I’m really not sure where to go from here so any help is appreciated.
Thanks!

A sessionToken is not a Bearer token that can be used as authorization against an Okta Endpoint.

To use the Replace a Password endpoint, the request must be authorized with an OAuth token granted to the user who wishes to change their password.

Example curl here, where <YOUR_TOKEN_HERE> needs to be replaced with an access token:

  # Replace a Password is a PUT to /idp/myaccount/password
  curl -X PUT \
  https://subdomain.okta.com/idp/myaccount/password \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "profile": {
      "password": "Abcd1234"
    }
  }'

More details about how to get an OAuth access token are covered in this guide: Implement OAuth for Okta | Okta Developer

For instance, if you are trying to chain this after an /authn call, your sequence could look something like this:

  1. request to /authn with username/password in request body
    a. once the user has completed primary authentication, a sessionToken will be returned
  2. request to /oauth2/v1/authorize?... with the sessionToken in the query parameters
    a. once the OAuth flow is completed (see types of flows here, make sure the flow will return an access token), an Access Token will be returned
  3. request to /idp/myaccount/password with the access token as Bearer Auth
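The three-step sequence above, written out as an added Python example (not code from the thread, from the asker's script, or from Okta). It assumes a public OAuth client registered in the org that is allowed the `response_type=token` flow with the `sessionToken` query parameter, and that the scope name `okta.myAccount.password.manage` is the one granting access to the MyAccount password endpoint; the `simulated_okta` transport at the bottom is a constructed stand-in that mirrors the behaviour the answer describes (a sessionToken presented as a Bearer token gets 401, an access token gets 200), so the flow can be exercised offline.

```python
"""Chain /authn -> /oauth2/v1/authorize (sessionToken) -> PUT /idp/myaccount/password."""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, headers, body).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, Dict[str, str], bytes]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow the 302 from /authorize: its Location header carries the token."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with opener.open(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:  # unfollowed 3xx and 4xx/5xx land here
        return err.code, dict(err.headers), err.read()


class OktaPasswordChanger:
    def __init__(self, org_url: str, client_id: str, redirect_uri: str,
                 transport: Transport = urllib_transport):
        self.org_url, self.client_id = org_url.rstrip("/"), client_id
        self.redirect_uri, self.transport = redirect_uri, transport

    def _json(self, method: str, path: str, headers: Dict[str, str], payload) -> Tuple[int, dict]:
        body = json.dumps(payload).encode() if payload is not None else None
        hdrs = {"Accept": "application/json", "Content-Type": "application/json", **headers}
        status, _, raw = self.transport(method, self.org_url + path, hdrs, body)
        try:
            return status, (json.loads(raw) if raw else {})
        except ValueError:
            return status, {}

    def primary_auth(self, username: str, password: str) -> str:
        """Step 1: primary authentication. Returns a one-time sessionToken, not an OAuth token."""
        status, data = self._json("POST", "/api/v1/authn", {}, {"username": username, "password": password})
        if status != 200 or data.get("status") != "SUCCESS":
            raise RuntimeError(f"/authn failed: HTTP {status}, status={data.get('status')}")
        return data["sessionToken"]

    def access_token_from_session(self, session_token: str,
                                  scope: str = "openid okta.myAccount.password.manage") -> str:
        """Step 2: pass the sessionToken to /authorize and read the access token off the redirect."""
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        query = urllib.parse.urlencode({
            "client_id": self.client_id, "response_type": "token", "scope": scope,
            "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce,
            "response_mode": "fragment", "sessionToken": session_token})
        status, headers, _ = self.transport("GET", f"{self.org_url}/oauth2/v1/authorize?{query}", {}, None)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status != 302 or location is None:
            raise RuntimeError(f"/authorize did not redirect: HTTP {status}")
        params = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(location).fragment))
        if "error" in params:
            raise RuntimeError(f"/authorize error: {params['error']}")
        if params.get("state") != state:  # the redirect must answer our request, not another
            raise RuntimeError("state mismatch in /authorize response")
        return params["access_token"]

    def replace_password(self, bearer_token: str, new_password: str) -> int:
        """Step 3: Replace a Password with Bearer auth. Returns the HTTP status."""
        status, _ = self._json("PUT", "/idp/myaccount/password",
                               {"Authorization": f"Bearer {bearer_token}"},
                               {"profile": {"password": new_password}})
        return status

    def change_password(self, username: str, old_password: str, new_password: str) -> int:
        session_token = self.primary_auth(username, old_password)
        return self.replace_password(self.access_token_from_session(session_token), new_password)


# Constructed stand-in for an Okta org (not real Okta behaviour beyond what the answer states).
SIM_SESSION, SIM_ACCESS = "sessionToken-constructed", "accessToken-constructed"


def simulated_okta(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]):
    parts = urllib.parse.urlsplit(url)
    if method == "POST" and parts.path == "/api/v1/authn":
        if json.loads(body) == {"username": "alice", "password": "old-pw"}:
            return 200, {}, json.dumps({"status": "SUCCESS", "sessionToken": SIM_SESSION}).encode()
        return 401, {}, b'{"errorSummary": "constructed: bad credentials"}'
    if method == "GET" and parts.path == "/oauth2/v1/authorize":
        q = dict(urllib.parse.parse_qsl(parts.query))
        frag = ({"access_token": SIM_ACCESS, "token_type": "Bearer"} if q.get("sessionToken") == SIM_SESSION
                else {"error": "login_required"})
        return 302, {"Location": q["redirect_uri"] + "#" + urllib.parse.urlencode({**frag, "state": q["state"]})}, b""
    if method == "PUT" and parts.path == "/idp/myaccount/password":
        if headers.get("Authorization") == f"Bearer {SIM_ACCESS}":
            return 200, {}, b"{}"
        return 401, {}, b'{"errorSummary": "constructed: not a valid bearer token"}'
    return 404, {}, b""


if __name__ == "__main__":
    c = OktaPasswordChanger("https://example.okta.com", "client-constructed", "https://app.example/cb", simulated_okta)
    st = c.primary_auth("alice", "old-pw")
    print("sessionToken as Bearer ->", c.replace_password(st, "new-pw"))      # 401, the asker's symptom
    print("access token as Bearer ->", c.replace_password(c.access_token_from_session(st), "new-pw"))  # 200
```

Against a real org, swap `simulated_okta` for the default `urllib_transport`; the redirect handler is there because a real `/authorize` answers with a 302 whose fragment holds the token, and following it would lose the `Location` header.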