Error 401 when creating new user in okta using okta post api In angular app

I implemented the sign in with okta successfully and I was also able to get user list with okta api in my angular app but now I want to add a new user with post api of okta but this post api gives 401 error . I have added the bearer access token in header also still I am facing this issue

@ash Hi, are you testing in postman with this API call? Any screenshot of the postman?
What is the endpoint you used?

yes, I tried to run this API {{url}}/api/v1/users?activate=false to create a new user in okta in the
angular app but it’s not running in okta too. it gives the following error but get API to get user list works fine.

This is how I am calling my api

export class AddUserComponent implements OnInit {

httpOptions: { headers: any };

constructor(private http: HttpClient, public oktaAuth: OktaAuthService) {

this.httpOptions = {

  headers: new HttpHeaders({

    Accept: ' application/json',

    'Content-Type': 'application/json',

    Authorization: 'Bearer ' + this.oktaAuth.getAccessToken(),




onSubmit(data: any = ) {


const payload = {

  profile: {

    firstName: data.firstName,

    lastName: data.lastName,


    login: data.login,

    mobilePhone: data.mobilePhone,









  .subscribe((result) => {

    console.log('result', result);



ngOnInit(): void {}


Hi ash,

Perhaps you have figured this out but I don’t like to leave questions hanging for other readers. It sounds like one of several things could be configured wrong, and I’ll start from the bottom up:

  1. The user that is logging into the app must have the admin role to create users (Group Administrator or Super Administrator). This is required, the scope claim will simply unlock it.

  2. The SPA application configuration must have the “okta.users.manage” scope “granted” (under the tab “Okta API Scopes”.

  3. The authentication request to the org server must include “okta.users.manage” in the list of scopes requested.

You can verify that the scope is authorized in the claim by grabbing the access token and deciphering it, you can plug it into if you don’t know that site. Failure of one of the three configuration settings I listed above is the only reason the scope won’t appear in the claims in the token. And, if the scope doesn’t appear in the token claims, then you will get a 400 series error when you try to do the API call.

You didn’t put in the token claims above, so I can’t see if that was the case.

Answer back if this is still a problem and I’ll be more than happy to work through it with you :slight_smile:


@ash, looks kind of like the Okta User profile in your org has a required attribute, role that you are not including in your user creation request.

If you add a value for this attribute, does the request work?