Okta API Authentication


I know there are a lot of posts about API Authentication but I cannot get it right :frowning:
I have the whole Okta Postman library
I have a SSWS token which I’m using to do “Primary Authentication” through {{url}}/api/v1/authn where I obtain a sessionToken which I’m using to “Create Session with Session Token” through {{url}}/api/v1/sessions?additionalFields=cookieToken where I obtain the cookieToken which is where I’m stuck now. I’ve also noticed mentions of a {{url}}/oauth2/v1/authorize call which would be used to manually create the necessary cookie, but is there a way to have it created automatically?

I’m pretty new to API but to my understanding I need to use some type of Authentication (in this case the SSWS token) in order to make API calls. I don’t understand why after authentication I get another token (sessionToken) to Authenticate again with and then receive a cookieToken to keep me authenticated but I still cannot make a simple “Get User” call

I’ve looked through the documentation, not entirely but everything I could find on authentication and through other API Authentication related posts but I couldn’t find something to help me understand

Thank you!

So the endpoint you are trying to get information back from is /api/v1/users? In that case, you should look to use an SSWS API token to authorize the request (the Postman collection helps you format this.

If you generate an API token (SSWS) in the admin console, and make a request to /api/v1/users/${userId} (replacing ${userId} with the target user’s ID) can you get that call to work?

Hello Andrea,

If I try what you suggested it returns 401 Unauthorized:

    "errorCode": "E0000011",
    "errorSummary": "Invalid token provided",
    "errorLink": "E0000011",
    "errorId": "oae05t3STsDTb6VIhDf_T9aOw",
    "errorCauses": []

However doing {{url}}/api/v1/authn works with the same SSWS token, that’s what gets me confused… I thought after making the above call I would need to place the newly generated sessionToken somewhere so a GET user call would work…


These endpoints are more or less completely separate.

/api/v1/authn is used to complete primary authentication to log a user into Okta. The end result of that flow will be a sessionToken that can be exchanged for an Okta session cookie. As this is an end-user authentication endpoint, authorization in the form of an SSWS api token is NOT required (though Trusted Applications can do so to utilize certain functionality)

/api/v1/users is a management endpoint that only admin users can use to create and manage users in the org. This endpoint requires that auth be provided. If the request is failing, there is something wrong with how you are authorizing the call. I recommend comparing what you are trying against the examples in our docs:

curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \

Hello Andrea,

Sorry for the lateness of my reply and thank you for the info and having patience with me.
On the link you mentioned for “Creating a session” it’s mentioned you want to set the session cookie yourself instead of allowing Okta to set it - is there another method to be used where Okta would set the session cookie automatically? Because I can’t figure what to do next. I’m able to call {{url}}/api/v1/sessions successfully but I don’t know what to do with the sessionID or the cookietoken mentioned initially

To summarise once I authenticate and create a session what else should I do to gain access to different endpoints like “Get Current User” or “List Groups” etc?

Thank you!

As long as you exchange the sessionToken for a session cookie, you just need to ensure that cookies are sent in your request to the /api/v1/users/me endpoint. That endpoint will return information about the authenticated user as long as you’re able to access the Okta session cookie (ymmv if your browser blocks third party cookies, see this FAQ for more info on that)

Here’s an example fetch request that you can call from a domain added to Trusted Origins for CORS requests and on a browser that doesn’t blcok 3rd party cookies OR from a domain that is TLD+1 from your Okta domain (see the FAQ above for examples):

fetch('https://oktaDomain/api/v1/users/me', {credentials: "include"})
  .then((response) => {
    return response.json();
  .then((data) => {

List Groups has different requirements and can only be accessed with Admin permissions, aka, you'll need an [SSWS](https://developer.okta.com/docs/guides/create-an-api-token/) (don't use one on the front end!) or an Access Token granted to an [admin](https://developer.okta.com/docs/guides/implement-oauth-for-okta/main/) or a [service app](https://developer.okta.com/docs/guides/implement-oauth-for-okta-serviceapp/) to access this endpoint.

Thank you for the information Andrea

Have a nice day!

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.