Network zone restriction for API tokens


I’ve found that it is possible to restrict the IP ranges from which a user can log in, using the Network Zones and Sign-on Policies.

However, this restriction doesn’t seem to apply to the given user’s API token: when I denied access from an IP address, I wasn’t able to log in to the Okta UI as that user, but their API token kept functioning.

Is there a possibility to restrict the allowed IP ranges (Network Zones) for API tokens as well? If not, can it be added, please? I believe this would greatly increase the security of the API tokens used.

Thanks a lot.
