I was following this guide on hitting the API with the okta.users.read scope to list out the users on one of my applications. I’m using the Okta DotNet SDK as well; however, the guide mentions that I need an access token but evidently I do not, all I am doing is supplying the API token and I am able to retrieve my list of users.
Is there some sort of explanation for this? I’d really prefer to request an access token than just have a static API token that immediately grants me access.
You only need to pick one or the other when setting up the SDK. So if you want to use OAuth tokens, you will want to follow the guide above to create your API Services app and then configure the OktaClient to use the ClientID, Scopes, and PrivateKey for that application
If you choose to use an API token, you only need to set the OktaDomain and Token for the OktaClient