Accessing Admin controls using OAuth


Is there a way to access the following endpoints using OAuth? (e.g. an “app integration” of the “OIDC - OpenID Connect” type):

  • Security notifications - a way to see if configurations such as “Report suspicious activity via email” are enabled?
  • API tokens - who issued? are they active? did an admin issue an API token?
  • Missing supported saml apps - a way to see (via OAuth API) if my apps have the “SIGN ON METHODS” configured to support “SAML”
  • Threat insights - a way to see the Okta ThreatInsight Settings such as “Log and block authentication attempts from malicious IPs”?
  • Multi factors - access and see all my MFA in the multifactor authentication section under security?
  • Health check - all the HealthInsight section, any way to consume it?

It just seems that the endpoints are very limited, and don’t include all we need. Is there a way to formally request to expose these endpoints?

Thank you!


All of the Okta “supported” public APIs can be found here.
All APIs support the use of an API Token and most also support OAuth.
Instructions to set up OAuth integration for Okta APIs can be found here.

Usually I will first use an API Token to get a particular API to work. After that I will test with OAuth for a super admin user using an OIDC application with all Okta scopes granted. If the call works with the API Token, but not OAuth, then that endpoint might not support OAuth yet. If you run into this let us know the exact endpoint and we can verify if it should work or not.
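
The token-first comparison described in the reply above, as an added example that is not part of the original thread or Okta's own code: it calls one endpoint with an API token (`SSWS` scheme) and with an OAuth access token (`Bearer` scheme) and compares the status codes. The org URL, the paths and the `fake_get` responses are constructed placeholders, and it assumes the access token was issued with the scopes the endpoint needs.

```python
import urllib.error
import urllib.request

def http_status(url, headers):
    """GET the URL and return only the HTTP status code (real network transport)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verdict(token_status, oauth_status):
    """Turn the two status codes into the next step of the comparison."""
    if 429 in (token_status, oauth_status):
        return "retry: rate limited, result says nothing about OAuth support"
    if not 200 <= token_status < 300:
        return "fix the API token call first"
    if 200 <= oauth_status < 300:
        return "works with OAuth"
    return "works with API token only: report the exact endpoint"

def compare_auth(org_url, path, api_token, access_token, get=http_status):
    """Call one endpoint with each credential type and compare the outcomes."""
    url = org_url.rstrip("/") + path
    accept = {"Accept": "application/json"}
    # Okta API tokens use the SSWS scheme; OAuth access tokens use Bearer.
    token_status = get(url, {**accept, "Authorization": f"SSWS {api_token}"})
    oauth_status = get(url, {**accept, "Authorization": f"Bearer {access_token}"})
    return {"path": path, "api_token": token_status, "oauth": oauth_status,
            "verdict": verdict(token_status, oauth_status)}

# Constructed stand-in for the network so the example runs offline.
# Host, paths and status codes are placeholders, not real Okta responses.
def fake_get(url, headers):
    scheme = headers["Authorization"].split()[0]
    path = url.split("example.okta.test", 1)[1]
    table = {("/api/v1/example-a", "SSWS"): 200,
             ("/api/v1/example-a", "Bearer"): 200,
             ("/api/v1/example-b", "SSWS"): 200,
             ("/api/v1/example-b", "Bearer"): 403}
    return table.get((path, scheme), 404)

if __name__ == "__main__":
    for p in ("/api/v1/example-a", "/api/v1/example-b"):
        # Only status codes and the verdict are printed, never the credentials.
        print(compare_auth("https://example.okta.test/", p,
                           "PLACEHOLDER_API_TOKEN", "PLACEHOLDER_ACCESS_TOKEN",
                           get=fake_get))
```
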


Hi @erik,

Thank you for your response! Much appreciated.
Threat insights is a supported API token that doesn’t work for me in OAuth.

While not an official end-point, I was able to access using an API token the following:
but this doesn’t work in OAuth. Is there a reason for this? A workaround? A way to request making this an official supported OAuth end-point?

Thank you!

Important note: Internal endpoints like this are not publicly supported and their implementation can change at any time, thus we do not recommend that any solutions be built around them as they can stop working without notification.

As this is not a public endpoint, it is also not intended for use with OAuth tokens.

Thanks, @andrea.
Makes perfect sense. Is there a way to request specific Internal endpoints to become Publicly supported?

Any type of feature request can be done at

