Hi, I am unable to activate the flow. I have already validated that the required grant — as mentioned in the documentation (Scopes for Okta connector cards | Okta Workflows) — is assigned to our Okta Workflows OAuth app.
The user executing the flow has Okta Workflow Admin access. However, when I check the system logs, I see a 403 Forbidden error, and the UI shows “Webhook registration failed.”
I tried removing the Okta Suspend card, then saving and enabling the flow — and it activates successfully. But when the suspend card is present, activation fails. I also tried re-authorizing the Okta connection, but it didn’t resolve the issue.
Grant Missing Scopes: Go to Applications > Applications in the Admin Console, click Okta Workflows OAuth, and ensure okta.eventHooks.manage and okta.eventHooks.read are granted in the Okta API Scopes tab.
Reauthorize Connection: After updating scopes, you must reauthorize the Okta connection within Workflows.
The “Cannot activate Flow. Webhook registration failed (403 Forbidden)” error occurs when the Okta Workflows service cannot create the required event hook in your Okta org. This typically happens when the Okta connection used in the flow was authorized by a user who doesn’t have sufficient privileges to create event hooks.
Here’s how to resolve it:
Ensure that the Okta connection in Workflows is authorized using a Super Admin account. Only Super Admins can create and manage event hooks required for event-triggered flows (such as those using the User Suspended event card).
Re-authenticate the Okta connection in Workflows with that Super Admin account.
Confirm that the connection includes the following scopes:
okta.eventHooks.read
okta.eventHooks.manage
These can be verified or granted under the Okta API Scopes tab of the Okta Workflows OAuth application.
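An added example, not part of the original thread: a check that the two event-hook scopes named in the answers above are actively granted. It assumes the scope grants of the Okta Workflows OAuth app have been exported as a JSON array of objects with `scopeId` and `status` fields; the sample data is constructed, and the check covers only the scope side of the problem, not the admin role of the account that authorized the connection.

```python
import json

# Scopes both answers say the Okta Workflows OAuth app needs for event hooks.
REQUIRED_SCOPES = {"okta.eventHooks.read", "okta.eventHooks.manage"}

# Constructed sample: an exported grant listing (assumed shape: a JSON array
# of objects carrying "scopeId" and "status").
SAMPLE_GRANTS = json.dumps([
    {"id": "grant-1", "scopeId": "okta.users.manage", "status": "ACTIVE"},
    {"id": "grant-2", "scopeId": "okta.eventHooks.read", "status": "ACTIVE"},
    {"id": "grant-3", "scopeId": "okta.eventHooks.manage", "status": "REVOKED"},
])


def audit_grants(grants_json, required=REQUIRED_SCOPES):
    """Return (missing, inactive): required scopes with no grant at all,
    and required scopes whose only grants are not ACTIVE."""
    grants = json.loads(grants_json)
    if not isinstance(grants, list):
        raise ValueError("expected a JSON array of grant objects")
    status_by_scope = {}
    for grant in grants:
        if not isinstance(grant, dict) or "scopeId" not in grant:
            continue  # skip entries that do not look like grant objects
        scope = grant["scopeId"]
        status = str(grant.get("status", "")).upper()
        # One ACTIVE grant is enough; do not let a later stale entry mask it.
        if status_by_scope.get(scope) != "ACTIVE":
            status_by_scope[scope] = status
    missing = sorted(s for s in required if s not in status_by_scope)
    inactive = sorted(s for s in required
                      if s in status_by_scope and status_by_scope[s] != "ACTIVE")
    return missing, inactive


def report(grants_json):
    """Render the audit result as the lines an admin would act on."""
    missing, inactive = audit_grants(grants_json)
    lines = [f"MISSING  {s}: grant it in the Okta API Scopes tab" for s in missing]
    lines += [f"INACTIVE {s}: re-grant it in the Okta API Scopes tab" for s in inactive]
    if lines:
        lines.append("Then reauthorize the Okta connection in Workflows.")
    else:
        lines.append("Both event-hook scopes are active; check who authorized the connection.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_GRANTS)))
```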