Network zone restriction for API tokens


I’ve found that it is possible to restrict the IP ranges from which a user can login, using the Network Zones and Sign-on Policies.

However, this restriction doesn’t seem to apply to the given user’s API token: when I denied access from an IP address, I wasn’t able to login to Okta UI as that user, but their API token kept functioning.

Is there a possibility to restrict the allowed IP ranges (Network Zones) for API tokens as well? If not, can it be added, please? I believe this would greatly increase security of the API tokens used.

Thanks a lot.


+1 This would be a great feature to have and am surprised it’s not available.

Our product team reviews feature requests filed in our Okta Ideas portal, so I’d recommend creating an Idea there so other Admins can vote on the idea which we use to gauge interest in each request.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.