Creating an API token

I would like to use the Apps API to get a list of applications.

I am not an Okta admin in my organization, and the documentation says that tokens need to be generated by an admin. But they also say that the token gets the privileges of the user who created the token. So it seems that all tokens have to have administrative permissions. But other documentation suggests creating API tokens using a service account.

This has all left me very confused. Is it possible to create a token with minimal privileges so that I can get a current list of applications using the API? I can get an Okta admin to cooperate with a reasonable request, but I’m sure they won’t give me a token with admin rights.

Thanks!

In order to create an API token, an administrator must be logged into Okta. The token that will be created will have the same permissions as the user that created the token.

This is why our documentation recommends that you create a dedicated service account, grant it the appropriate Administrator role, and use it to generate an API token. That way you don’t have to worry about an administrator in your Okta tenant leaving the company and, upon them being deactivated in Okta, finding that your API calls no longer succeed. It’s safer to have these applications rely on a service account that is not tied to a specific employee’s employment status.

Thank you for this. So I’m correct that all tokens will be granted admin permissions, since only admins can create them, and they inherit that user’s permissions?

Yup, @vam, that’s right!


As a quick follow-up, keep in mind that, if the administrator that was used to generate the token has their administrator privileges raised or lowered, the API token will always have the same permissions as the Administrator themselves, at the time the token is used. So, if the token was granted to an Org Administrator and they are later promoted to a Super Administrator, that token will now have the same Super Administrator permissions.

That’s interesting! So I guess we would create the token and then revoke as many privileges as possible while retaining whatever is needed to list applications.

The approach our Okta people are looking at now is to create an application for my needs and give me that API token. Hopefully it will be able to access the list applications endpoint.

Something else you may want to take a look at is the newly added support for using OAuth tokens to make API calls to Okta. In your case, you could make a Service (OAuth) Application, and only grant it the Okta API scopes needed for your integration.

Your service application would then request an access token (using private_key_jwt auth) with the scopes it needs (for example, okta.apps.read). The only scopes it will be able to request are ones enabled at the application level in Okta, so this may work for your use case.

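The scoped-token flow described in the last reply, as an added example that is not part of the thread or Okta's own code: it builds the private_key_jwt client assertion and the client_credentials request for the single scope okta.apps.read, then checks the signature the way the server would with the registered public key. The domain `example.okta.com`, the client ID `0oaEXAMPLECLIENTID` and the throwaway key pair are constructed placeholders, and the org authorization server token path `/oauth2/v1/token` is an assumption not stated in the thread.

```javascript
// Added example: private_key_jwt client assertion for an Okta service app.
// oktaDomain and clientId used in demo() are placeholders, not values from the thread.
const crypto = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');

// Sign claims as an RS256 JWT (RSA PKCS#1 v1.5 with SHA-256).
function signJwt(claims, privateKey) {
  const header = { alg: 'RS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Build the client_credentials request; only the listed scopes are asked for.
function buildTokenRequest({ oktaDomain, clientId, privateKey, scopes, now = Date.now() }) {
  const tokenUrl = `https://${oktaDomain}/oauth2/v1/token`;
  const iat = Math.floor(now / 1000);
  const assertion = signJwt({
    iss: clientId, sub: clientId, aud: tokenUrl,      // audience is the token endpoint
    iat, exp: iat + 300, jti: crypto.randomUUID(),    // short-lived, single-use assertion
  }, privateKey);
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    scope: scopes.join(' '),
    client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    client_assertion: assertion,
  });
  return { tokenUrl, body };
}

// Server-side view: verify the assertion with the public key; null if it fails.
function verifyJwt(jwt, publicKey) {
  const [h, p, s] = jwt.split('.');
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  return ok ? JSON.parse(Buffer.from(p, 'base64url').toString()) : null;
}

// Constructed demo: throwaway key pair, placeholder domain and client ID.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const req = buildTokenRequest({
    oktaDomain: 'example.okta.com', clientId: '0oaEXAMPLECLIENTID',
    privateKey, scopes: ['okta.apps.read'],
  });
  return { req, claims: verifyJwt(req.body.get('client_assertion'), publicKey) };
}
```

In real use the body is POSTed to `tokenUrl` as `application/x-www-form-urlencoded`, and the returned access token is sent as a Bearer token on the API call; the private key stays with the integration and only its public half is registered on the application.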