Get an access token manually for testing

I have a website (reactjs) and a back-end server (spring-boot). Okta is integrated in the UI to do login, and then the back-end server is validating the token before processing requests. It’s all working great.

Now, I want to be able to test the back-end via Postman rather than thru the UI all the time, so I need to figure out how to authenticate via Postman. I created a dummy user account in Okta that I can use for this testing, I also set up an Access Token for use with Postman (not sure I need this, but I’m grasping at straws at this point).

I’ve installed numerous Okta Collections in Postman, and I have the “okta environment” set up, and I can make requests just fine, for example, in the Authentication Collection I can use the “Primary Authentication” request and it injects my username/password from the “okta environment” and I get a successful response back with a sessionToken.

I can copy that value into the “okta environment” and even use the Session Collection to “Create Session with Session Token”, which also returns a valid response, and even includes a “cookieToken”.

I feel like I’m one step away from figuring this out … but I’m baffled. How do I get from here to the normal “bearer token” that I see when I log into my web app?

Any help/advice would be greatly appreciated!

Still looking for help … would appreciate some guidance here.

Let me see if I understand your problem correctly -

Assuming that you’re using the Authorization code flow,

  • You have a setup with front-end doing the login and getting the access token -> /authorize endpoint called, which returns your an authorization_code
  • The back-end then exchanges the code to get back and access_token
  • You pass the access_token to your spring-boot back-end which validates the token and processes the request
  • You want to validate the back-end without front-end dependency

With postman, the only difference from the above flow is that you call /authn endpoint first to get the sessionToken
Now you should pass the sessionToken to the /authorize call which should return you the authorization code in the URL
Then you call the /token endpoint with the code and get back the access_token
Once you have this token, you can test your back-end using this.

See -
This thread might be helpful - Using sessionToken how can get access_token and id_token

Disclaimer - I haven’t tried this flow using postman. Postman requires interceptor for this to work and you also have to follow redirects.

ok, I’m going to admit that I gave up. vijet’s answer above helped me get closer. Something is wrong with my /authorize call, probably related to Interceptor (which I’ve never used).

I was trying to do this in the Native Postman App, not the Chrome Web Browser Extension, which makes Interceptor a bit funky. It looks like it’ll proxy HTTPS, but I haven’t tried that yet (Charles still works for me).

Anyway, for now I’m just grabbing the bearer token from my browser session and copy/paste it over to Postman and it works fine until it times out, but that’s good enough for now.

If anyone manages to get this working, I’d love a step-by-step instruction manual. :slight_smile:

Hey @tphilip! This is unfortunately harder than it should be in Postman. The reason it’s tricky is because it has two parts. How it normally works is (assuming you are using the implicit flow for your single-page app):

  • You construct an /authorize URL and redirect your browser to it
  • Okta logs the user in, and redirects back to your callback URL with tokens

Postman is great at handling single requests/responses, but it’s tricky to capture the above. You can use an interceptor but to be honest, I’ve never gotten that working properly. :stuck_out_tongue:

I built a small tool to make this much easier to do:
Here’s how to use it:

First, configure your Okta app (temporarily) to allow redirects back to


Then, configure the request in the debugger tool:

Your Authorize URI should be https://{yourOktaDomain}.com/oauth2/default/v1/authorize unless you are using a custom Authorization Server.

When you click Send request, you’ll be prompted to log in and be issued an access token. If it doesn’t prompt you, do it in an incognito window.

Hope this helps make it a little easier! :slight_smile:

1 Like