Getting Invalid Session error for User risk API with access token

I ( with a super admin role ) have created a service app as per Implement OAuth for Okta with a service app | Okta Developer , have given okta.userRisk.read scope to the app, have assigned super admin role to the app. I have then generated an access token ( given okta.userRisk.read scope ) and tried to access the user risk api ( User Risk ). I am getting this error
{
“errorCode”: “E0000005”,
“errorSummary”: “Invalid session”,
“errorLink”: “E0000005”,
“errorId”: “oaeoZLaLv9zSb2O5QFDqIIwVw”,
“errorCauses”:
}

My okta account has Identity Threat Protection enabled and this same user risk api works if accessed via API Token. This issue is seen only using a scoped access token.

Can you please let me know what is missing because I have given all required permissions and still getting this error.

Could you check if the token you passed with the Request is valid and the Authorization headers are correctly formatted?

Hey @venkatesh.s I’m seeing the same issue as you are when making requests to this endpoint using an OAuth token issued to an API Service application.

I’ve reported this issue to our engineering team for further investigation (for internal ref, OKTA-1024961) and will look to update this thread once I hear more.

@venkatesh.s The fix for this issue went out in the 2025.10.1 release. Let me know once you get a chance to test this request again and if its working now (it worked fine when I tested it myself)