Can I use Org Auth Server for protecting my backend APIs?

I have SPA in Angular with a dotnet core backend. When the app is accessed by a user he gets redirected to Okta for login. Once the user is authenticated the app can retrieve data from the backend. But… the backend endpoints are not protected. My company only provides access to the Org Authorization Server so I can’t customize it. I need a way to send the access token to the backend API to protect the endpoints there. That access token needs to include also group claims. How can I do that?


Create a new developer account at and you’ll get API access management for free! If you want to use your company’s account (that doesn’t have API Access Management), I don’t think it’s possible.

So, just to be sure. In this case I can’t use the information below to authorize the backend?

That is correct. Authorization Servers | Okta Developer

1 Like

ok, thanks for confirming