API Authentication from client with Token


As the title says, I’m trying to access my API server that has Okta endpoint protection on it, but I’m not sure how to go about doing this from the client’s perspective.

I currently have an ASP.NET 6 API project using Okta API endpoint protection (as mentioned here) and currently I’m struggling to create an authorized request from both Postman, curl, and my client that’s trying to interact with the server.

I created an “API Services” application in Okta (under Applications > Applications > Create App Integration). I also generated a token from Security > API > Tokens > Create Token. “Okta Domain”, “Client ID”, and “Client secret” values from the settings of the newly create application and have them in my appsettings.json, as well as the token I created. My project has the following code:

// Register Okta for authorization/authentication via API access
services.AddAuthentication(options => {
    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
    .AddOktaWebApi(new OktaWebApiOptions {
        OktaDomain = Configuration["Okta:Domain"]


    // Some weird error happens when processing complex JSON objects if this isn't present
    .AddNewtonsoftJson(options => {
        options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;

// ...


app.UseEndpoints(endpoints => {

Then, on my controller, I have an [Authorize] tag above the method I’m testing to get data from. However, when I make a request and add the following header:

Authorization: SSWS $TOKEN

where $token is the token I generated earlier. I’ve also tried replacing SSWS with Bearer just to see, but that didn’t change anything. I still get a 401 either way. I verified in the request headers that it is in fact sending the token value and not the placeholder $TOKEN text.

Can anyone tell me how to access the API endpoints using my token?

Thank you.

@choover1110 Hi, which API endpoint you are trying to test in postman? Is there a screenshot?
Also, SSWS token should be API token. When you created an API token, you need to record the token value. Please see the reference here Create an API token | Okta Developer

@Lijia Hi, I’m actually trying to test my own endpoints for my application. I recorded the token value when I created one. Here’s one controller I wrote to test it:

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

namespace TMHCC.Intake.Api.Controllers {
    public class TestController : ControllerBase {
        public IActionResult Get() {
            return Ok();

When I try to GET /Test with Postman or curl and with a header value of: Authorization: SSWS {token} (but replace {token} with the one I generated, I get a 401 Unauthorized error.

And in my initial question, you can see I’m using API authentication for my application. Am I doing something wrong or misunderstanding how to use the token?

Thank you.

@choover1110 Did you refer the sample here to initialize a client?

You can create a client with API token, for test purpose, just hardcode the token value in the initialize object. Then you can call the API endpoint as the doc mentioned.

@Lijia Correct me if I’m wrong, but isn’t that for getting Okta-related information? I’m trying to have two projects I wrote communicate using an API key I generated in Okta. This is the code I used to test it:

try {
	var client = new OktaClient(new OktaClientConfiguration {
		OktaDomain = "https://hcc-dev.oktapreview.com",
		Token = "{token}"

	await client.PostAsync(new Okta.Sdk.HttpRequest {
		Uri = "https://localhost:5003/Test"
	return Ok();
} catch (Exception ex) {
	Logger.LogError($"OktaClient POST err: {ex.Message}\n\n{ex.StackTrace}");
	return Problem("Unable to POST /Test");

What I’m trying to do is have my web server (the client, from Okta’s perspective) send a request to my API server. Using what the API Security - Protecting you API endpoints article said to do, since my API server only returns API-related responses and not HTML, my API server is using the ApiAuthenticationScheme.

What I am trying to figure out is how I can give my web server the token I generated through Okta to make authorized requests to my API server from my web server. I do not need to manage Okta users, applications, or anything else Okta-related in my application - I only need to validate this token.

You need to send an “access token” issued by Okta to your API that you’re trying to protect, and not the SSWS token you obtain from Security > API > Tokens > Create Token

Check out how you can obtain this “access token” by making an /authorize request - OpenID Connect & OAuth 2.0 API | Okta Developer
For more info. on what access tokens are and how OAuth2 works, check out OAuth 2.0 and OpenID Connect Overview | Okta Developer

Hi @choover1110

As you correctly suggest, the API Token used for SSWS requests is to access the underlying Okta API, allowing the client to make calls into Okta itself, add users, delete users, etc. For what it’s worth, I would NEVER allow developers to do this; the API token is a security nightmare; any of my devs that need Okta API access, I would always direct them to create Service Applications and use access tokens retrieved through JWT assertions instead.

You don’t need any of that. What you’re trying to do is straightforward oAuth2. What you need to do is go to your Okta console, create an Application and set the grant type to Client Credentials. Note the client ID / Secret of the application you’ve created. Then you make an oAuth2 Token POST request to your Authorization server. This will be something like:


In the Authorization header, you put a Basic credential string, with your Client ID and Secret encoded in Base64. In the form body, set your grant_type to ‘client_credentials’

Okta will then return you an access token in the response. If all this sounds complicated, I would Google oAuth2 Client Credential Grant Type; there are hundreds of good sites.

@digitalelysium Thank you! That’s all I’ve been trying to do and for some reason, there wasn’t just a straight forward article explaining it. Most of the articles require you to go to 2-3 other pages just to understand it. Really appreciate your help.

No worries; hope you get sorted.

You’re diving in the deep end with what you’re trying to do. oAuth2 / OIDC has a fairly steep learning curve. I think the Okta guys sometimes just assume you already know all this stuff.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.