How to grant okta.myAccount.password.manage

I’ve been struggling to get the Update My Password working because it requires an access token containing the okta.myAccount.password.manage scope. I cannot figure out how to grant that scope to my application. It is not visible within the Okta API Scopes list.

Because it is not visible, I assumed it is configurable through some options within the Okta Admin dashboard, but I have yet to find it if it exists.

When I attempt to make this API request, it fails because my access token does not contain the scope. When I attempt to make a token request containing that scope, it fails because that scope is not configured for the authorization server resource.
When I attempt to add that scope to the authorization server, it fails because scopes starting with okta are reserved and cannot be added.

I’m at a loss on how to move forward here. Any help or a point in the right direction would be swell!

I think you may try to use APIs to assign it to your app first - Apps | Okta Developer

I’ll definitely give that a shot, thanks @phi1ipp

Hi!

I am stuck also with exactly this. It happens that okta.myAccount.password.manage is missing from the okta scopes available in the “Okta API Scopes” tab in the application configuration. There are many others that seem to belong to the same family, i.e. okta.myAccount.email.manage, but not for password.

We have also tried to add this scope via API, using the “Okta Apps” API. When we do that, we get no error message, but the scope still does not pop up, and any attempt to grant it results in “Invalid Scope Error”.

The main goal here is to allow the user to change their own password. In this scenario the user has already logged in, therefore they own a bearer token, and by means of this token they want to use the MyAccount API PUT /idp/myaccount/password to set a new password. Were we using the right approach? If so, how can we add the required scope?

Kind regards

As long as you are using an Okta Identity Engine org, you should be able to self-service enable this Early Access Feature. Note that this endpoint is not supported in Okta Classic.

If you do have an OIE org, can you confirm whether or not you can see the option to enable “IDP My Account API Password” in the Okta Admin Console under Settings → Features?

If you turn it on, do you now see the okta.myAccount.password.read and okta.myAccount.password.manage scopes listed under the “Okta API Scopes” list for your application?

2 Likes
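The first post's error ("my access token does not contain the scope") is easiest to diagnose by inspecting the token itself before calling PUT /idp/myaccount/password. The script below is an added example, not code from the thread or from Okta; it assumes the access token is a compact JWT whose granted scopes sit in the `scp` claim, and it only reads the claims (no signature verification), so it is a troubleshooting aid, not an authorization check.

```python
import base64
import json

# Scope the MyAccount password endpoint requires, as named in the thread.
REQUIRED_SCOPE = "okta.myAccount.password.manage"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_scopes(access_token: str) -> set[str]:
    """Return the scopes listed in the token's `scp` claim.

    The signature is NOT verified here: this only tells you what the
    authorization server put in a token you already hold.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("scp", []))


def missing_scopes(access_token: str, required: set[str]) -> set[str]:
    """Scopes in `required` that the token does not carry (empty set means OK)."""
    return required - token_scopes(access_token)


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token for local testing only (dummy signature segment).
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


if __name__ == "__main__":
    # Constructed claims mirroring the thread: the email scope was granted, password was not.
    sample = make_unsigned_token({"sub": "user@example.test",
                                  "scp": ["openid", "okta.myAccount.email.manage"]})
    gap = missing_scopes(sample, {REQUIRED_SCOPE})
    if gap:
        print("Token cannot call PUT /idp/myaccount/password; missing:", sorted(gap))
    else:
        print("Token carries the required scope")
```

Once the feature is enabled and the scope granted to the application as described above, a freshly issued token should show an empty missing set.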