Your options depend on which timestamp you want: when the token was issued or when the user originally logged into Okta.
Within the tokens issued, you should see an ‘iat’ value. Represented as a Unix (epoch) timestamp, this will tell you when a token was issued.
If you’re using a custom authorization server (like the one called ‘default’) you could look to use a token inline hook to have this timestamp included in the token. Per our docs, we include an eventTime value in the request we send to your endpoint when a token is requested (either via the authorize endpoint or the token endpoint, depending on the OAuth flow). This easily has the most overhead, when similar information will already be included in the token as the ‘iat,’ but could prove useful if there is other information about their authentication you want included in the token directly.
If you want to know when the user last completed primary authentication, you can find out when they started their Okta session by making a CORS request to /api/v1/sessions/me. There you can get the createdAt (when their session started) and lastPasswordVerification or lastFactorVerification (the last time they were prompted to authenticate or verify an MFA factor).
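As an added example (not part of the original answer or Okta's own code), the browser-side sketch below reads ‘iat’ from a token and fetches the session timestamps from /api/v1/sessions/me. The org URL is a placeholder, the sample token is constructed, and it assumes your app's origin is allowed to make credentialed CORS requests to the org. The decode step does not verify the signature, so treat the result as display data only, not as input to an access decision.

```javascript
// Added example. OKTA_ORG is a placeholder; replace with your own org URL.
const OKTA_ORG = "https://example.okta.com";

// Decode a JWT payload WITHOUT verifying the signature (display use only).
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// 'iat' is a Unix timestamp in seconds; Date expects milliseconds.
function tokenIssuedAt(jwt) {
  const { iat } = decodeJwtPayload(jwt);
  if (!Number.isFinite(iat)) throw new Error("iat missing or not numeric");
  return new Date(iat * 1000);
}

// Fetch the current Okta session using the browser's session cookie.
// Returns null when there is no active session (404).
async function sessionTimes(orgUrl = OKTA_ORG) {
  const res = await fetch(`${orgUrl}/api/v1/sessions/me`, {
    credentials: "include",
  });
  if (res.status === 404) return null;
  if (!res.ok) throw new Error(`sessions/me failed: ${res.status}`);
  const s = await res.json();
  const toDate = (v) => (v ? new Date(v) : null);
  return {
    createdAt: toDate(s.createdAt),
    lastPasswordVerification: toDate(s.lastPasswordVerification),
    lastFactorVerification: toDate(s.lastFactorVerification),
  };
}

// Constructed sample token (unsigned, for demonstration only).
function makeSampleToken(claims) {
  const b64u = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64u({ alg: "none" })}.${b64u(claims)}.constructed-signature`;
}
```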