How does API Access Management work?

I have read through the API Access Management guide and don’t quite understand how to actually go about securing my API. Say I have an endpoint /foo hosted on my backend servers and want to secure it. What are the steps that I need to take to allow only authorized callers to access the endpoint?

In order to understand API Access Management, you need to understand the basics of OAuth 2.0 spec. is a good reference to start with. Or you could read the RFC if you’re interested -

At a high level, OAuth 2.0 describes various “flows” to secure your APIs depending on the type of the client application.
You can read through the various flows here -

Once you understand the basics, you will know that Okta will act as an Authorization Server in these flows, which is responsible for minting access tokens that in turn will be used to secure your APIs.