Do API tokens continue working after the password expires?

Our security team has asked us to tighten controls over the API tokens our backend services are using to communicate with Okta. One thing on the table is setting a tight password rotation policy. I have been trying to find a reference that explains whether or not an API token is still good after the account password has expired. I will test it out shortly, but as its for a policy document, I have been asked to find a reference in the Okta documentation.

Our scenario would be this:

  1. Service account is created with USER_ADMIN or READ_ONLY_ADMIN role (as appropriate for the purpose)
  2. Engineer logs into the account, setting a password
  3. Engineer retrieves the API token, provides the token securely to the backend service
  4. From this point forward, the API token is in regular use, avoiding the 30-day inactivity automatic expiration for API tokens
  5. Some time later, the service account password expires

Does the API token continue to work? Or would we need to rotate the service account password and retrieve a new API token?


Yes, the API token should still work. It would only be revoked if the user loses their Admin permissions or are deactivated/deleted.

Thanks Andrea, that’s what I expected. Do you know if that is stated explicitly anywhere in the Okta documentation? The main API Token Management doc does not mention it.

Our documentation (noted over here too) only highlights when these tokens get deactivated, not events that would not trigger this deactivation

It makes perfect sense in that light. Thank you for clarifying!