activationToken is invalid once used to authenticate user using /api/v1/authn API

We have custom requirements to handle sending activation emails to users and to validate the activation token on our side (also accepting a password from the end user and setting it through the API).

We create users on Okta without credentials, setting activate=false to avoid sending the activation email from Okta, then we proactively call the activate API to get the activationToken (step #2).
We then send the activationToken to the end user through our custom email provider. The user clicks activate and goes to our custom page, where we call the Okta API to authenticate using the activationToken (step #3).

But once this API call is done, the activationToken returned from step #2 is not valid anymore and can't be used again to authenticate the user. An end user could click on the link for any reason, close the browser, click again on the custom activation link, and even use it in another browser; then the activationToken won't be valid anymore, which is inconvenient.

Note: The Authentication API request using the activationToken is sent from a trusted backend app with an API token, but without sending User-Agent or X-Forwarded-For headers. The API call returns a success response, but only once for a given activationToken.

My question: is there a way to authenticate with this "activationToken" multiple times within its validity time frame?


No, the activationToken is an ephemeral token and can only be exchanged one time to log a user in directly. This is why users will see an error about the activationToken being invalid if they try to use the link a second time, thus they will need a new email/activationToken issued.
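
Added example, not part of the thread and not Okta's or the poster's code: a sketch of a custom activation backend that treats the token as single-use and, on a repeat click, issues a new token and email as the answer describes. `StubIdp` is a constructed in-memory stand-in for the identity provider, and `ActivationService` and its method names are hypothetical.

```python
import hashlib
import secrets

class InvalidToken(Exception):
    """The token is unknown or has already been exchanged."""

class StubIdp:
    """Constructed in-memory stand-in for the identity provider; not Okta's API."""
    def __init__(self):
        self._live = {}  # token -> user_id; entry removed on first exchange

    def issue_activation_token(self, user_id):
        token = secrets.token_urlsafe(16)
        self._live[token] = user_id
        return token

    def exchange(self, token):
        # One-time exchange: a second call with the same token raises.
        if token not in self._live:
            raise InvalidToken()
        return self._live.pop(token)

class ActivationService:
    """Hypothetical backend behind the custom activation page."""
    def __init__(self, idp, send_email):
        self.idp, self.send_email = idp, send_email
        self._issued = {}  # sha256(token) -> user_id, for tokens this backend mailed

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def send_activation(self, user_id):
        token = self.idp.issue_activation_token(user_id)
        self._issued[self._digest(token)] = user_id  # store only the hash
        self.send_email(user_id, token)

    def handle_click(self, token):
        user_id = self._issued.get(self._digest(token))
        if user_id is None:
            return "rejected"  # never mailed by us: no re-issue, no email
        try:
            self.idp.exchange(token)
            return "activated"
        except InvalidToken:
            # Already exchanged once: retire the old link and mail a new one.
            # Assumption: a real handler first checks activation is unfinished.
            del self._issued[self._digest(token)]
            self.send_activation(user_id)
            return "reissued"
```

Keying the re-issue on a stored hash of tokens the backend itself mailed means an arbitrary string in the link cannot trigger a new email, and the retired link stops working once its replacement is sent.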