Get Okta users API with sessionToken

I have an Okta admin account for some applications to manage users. I noticed that once logged into the Okta admin site I can make a GET request to https://myoktadomain/api/v1/users/john.doe@mycompany.com and see in JSON format the user details as in the Okta admin screen.

To perform a one-off migration I would like to get certain user attributes present in Okta programmatically querying the Okta user endpoint.

Playing with Postman I see I can get a sessionToken calling /api/v1/authn. The /api/v1/users/ examples I see in Okta doc use SSWS {{apikey}} in the Authorization header. Trying with my sessionToken only returns a Invalid token provided or Invalid session provided error message.

Is there a way to call the /api/v1/users/ endpoint with a sessionToken? maybe I can get an apiKey with it? or the only way to make Okta API requests is by getting an apiKey from a super-admin?

The sessionToken is proof that a user has logged into Okta and is designed to be exchanged for a session cookie so that user can SSO. It cannot be used to perform admin actions.

If the API call you are looking to make requires an SSWS, that means an admin needs to perform that action, which yes, would meant that they would need generate an API token and make the request with it. You cannot get an API key via API, only via the admin portal.

Aside from the API token, you CAN request and use OAuth tokens to make these requests, but the same general rule applies. If the tokens are requested by an individual, they must have adequate Admin permissions for their account to make the request. If the tokens are requested by a client (service app), they will have the same permissions as a super admin.

thanks, I was able to get an API token and with that all can be done as per doc.

My curiosity started as once logged as admin in the browser I was able to access that API with the browser cookies. So it seems there may be some undocumented use cases. My guess is because this is the same mechanism that the admin UI uses to access the okta API. But as you said the suggested method is with a SSWS token.

You’re right, the admin console behaves a bit differently and is thus dependent only on the Okta session existing in the browser. We do support doing so for CORS requests and you’ll see which endpoints support CORS in our API docs, and you will find that not all endpoints support CORS at this time: Users | Okta Developer

While not an officially supported project, an Okta employee created a Chrome extension, Rockstar, that makes use of this functionality so you can make API calls in the browser, which might be of interest.