Create Long-Lived Personal Access Tokens and Programmatically Customize Scopes

Summary:

Howdy folks! I am wondering if there is a way to create a long-lived (read 6 month lifetime) Okta access tokens with custom scopes defined at runtime. I am trying to set up a way to allow clients to gain API access to our business logic, and I was wanting to allow them to create Personal Access Tokens that they could use to authenticate from their applications. This is entirely backend application-to-application logic with no browser, hence the need for some kind of access token.

Details:

As I understand it, we can follow a few flows to get tokens from the /oauth2/v1/token endpoint which will allow authentication / authorization, but those tokens are more-or-less hardcoded to about an hour. Having the user constantly needing to exchange refresh tokens is tricky given our situation, so I was hoping to just set a custom timeout. However, the tokens that come back from the /oauth2/v1/token endpoint do not allow a lifetime to be set.

Secondly, I want to be able to programmatically add new scopes to the token I create. I don’t want to create access tokens that have access to our entire infrastructure, so I wanted to be able to limit the tokens to just certain API endpoints when they are created. I know I can create custom scopes within the Okta admin portal for the application, but I would have to define all of the possible scopes ahead of time. Those scopes would then only be applied to each user instead of being able to pick and choose per access token. We have an internal list of “features” the user is allowed to access in a database which I would love to leverage to assign custom scopes. Effectively, each access token would be limited to a subset of features that the user it’s being created for would have access to. This is easy enough to do from within code, but there’s no way to actually assign the extra claims to the token.

Environment:

  1. I am using a Web Application and a C# .NET backend.
  2. My sign-on method is OpenID Connect.
  3. I am attempting to use the “implicit” flow laid out in this tutorial for getting tokens without a browser:
    Okta Help Center (Lightning)
  4. I am using a custom identity server, so my domain for the oauth2 endpoints is https://<corporate domain>.com/oauth2/<auth server id>/v1.

Desired Outcome:

I would like to be able to create access tokens with a long-lived lifetime (~6 months or more). Additionally, I would like to be able to create tokens which can add custom scopes programmatically at lifetime based on the situation or parameters to our business logic.

Any help would be appreciated!

Unfortunately there isn’t a way to set up an access token with a lifetime longer than 24 hours; the lifetime would be set up within the access policy for the custom authorization server. This type of use case would require using a refresh token, which can have an unlimited lifetime. By default it is 10 minutes; this is also adjustable within the access policy for a custom authorization server.

You would initially have to authenticate with all of the possible scopes the token could have. When making a /token call with the refresh token, the specific scopes needed for the access token would be based on the scope parameter that is passed in the token call.

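The pattern in the answer above (authenticate once for the full set of candidate scopes, then narrow each access token through the `scope` parameter of a refresh_token grant), as an added Python example that is not from this thread or from Okta; the token URL is a placeholder for the poster's `https://<corporate domain>.com/oauth2/<auth server id>/v1` server, and the feature-to-scope mapping and client credentials are hypothetical.

```python
from __future__ import annotations

import base64
import urllib.parse
import urllib.request

# Placeholder for https://<corporate domain>.com/oauth2/<auth server id>/v1/token
TOKEN_URL = "https://CORPORATE-DOMAIN.example/oauth2/AUTH-SERVER-ID/v1/token"

# Hypothetical mapping from the internal "features" table to custom scopes that
# were defined ahead of time on the custom authorization server.
FEATURE_SCOPES = {
    "invoices": "api.invoices.read",
    "reports": "api.reports.read",
    "admin": "api.admin",
}


def scopes_for_token(granted: set[str], features: list[str]) -> list[str]:
    """Scopes to request when minting one narrowed access token from the refresh token.

    RFC 6749 section 6 only lets a refresh request ask for scopes the refresh
    token was originally granted, so anything outside `granted` is dropped here
    instead of being sent and rejected by the server."""
    wanted = {FEATURE_SCOPES[f] for f in features if f in FEATURE_SCOPES}
    return sorted(wanted & granted)


def build_refresh_request(refresh_token: str, scopes: list[str],
                          client_id: str, client_secret: str) -> urllib.request.Request:
    """refresh_token grant whose `scope` parameter narrows the new access token."""
    body = urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": " ".join(scopes),
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",  # client_secret_basic authentication
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    })


def check_response(granted: set[str], requested: list[str], payload: dict) -> bool:
    """Defensive check on the parsed token response: the scope actually issued must
    be non-empty and within both what was requested and what was originally granted."""
    returned = set(payload.get("scope", "").split())
    return bool(returned) and returned <= set(requested) and returned <= granted
```

Send the request with `urllib.request.urlopen` and pass the parsed JSON body to `check_response` before handing the access token to the client; a token whose `scope` exceeds the request indicates a policy mismatch on the authorization server.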

Thanks! Appreciate the information.
