Authorization using session token

Hi Team,

When authenticating with Okta, it returns the user's information and a sessionToken. What we want is to protect our APIs by validating whether the user is authorized or not. My question is how we can do that with the session token. I know that the session token is itself proof of successful authentication, but to check if he is authorized to access the API we need to validate it somehow.

This is the service that we are calling in which we are getting user credentials & session token.
https://{okta_domain}/api/v1/authn

Is there a way of doing this? How do we validate the session token against Okta?

Thanks.

That is not the purpose of the sessionToken. The sessionToken is returned by the /authn endpoint and is intended to be exchanged for a session cookie (more info in our Sessions documentation here).

If you are trying to protect an API with Okta, I would recommend creating an OIDC application and securing your API with the Access Tokens issued by a Custom Authorization Server (users would need to log into this OIDC application after completing primary authentication).

Your API would receive these Access Tokens as bearer auth for your API and would validate these tokens before granting access to the resource.

