Okta API Token Format

I am wondering if there is a set format for Okta API tokens. Our team is interested in adding a RegEx for Okta API tokens to one of our tools, which scans our pipeline output for exposed credentials. It seems to start with two zeros and have a total of 42 chars that can be [A-Za-z0-9-], so the regex would be /00[\w\d-]{40}/

Will the format ever change? For instance three zeros or 1 zero at the start?

You should not assume a set structure for Okta’s API tokens. We do not currently have plans to change this, but that is not to say that it will not change in the future.

A different approach you could use would be to start using OAuth Bearer tokens which have the benefit of being short-lived, and then you could be scanning your pipeline for private keys.


Okay that is helpful to know. We do have plans to switch to OAuth Bearer tokens in the future. Just to be 100% certain, when you say scan the pipeline for private keys you mean set a RegEx to match any JWK format (or PEM if applicable)? Would that RegEx ever have any false positives do you think?

Private keys have a very well-known structure, so I’d suggest scanning whichever form you are making use of, whether it be JWK or PEM/X.509.
The JWK might be a little harder to build a regex for, but scanning for private keys is a good practice no matter what they are acting as credentials for.

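As an added example (not code from this thread or from Okta), a small Python scanner that combines the two ideas discussed above: the "00" plus 40 characters pattern from the question, a PEM private-key header check, and a JWK check that flags only keys carrying private members (RFC 7517/7518). The log lines and every "secret" in them are constructed; the lookarounds on the token pattern are an assumption added to avoid matching a 42-character slice of a longer digest.

```python
import json
import re

# Constructed sample pipeline output; every "secret" below is made up.
SAMPLE_LOG = """\
[build] export OKTA_TOKEN=00aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789-_ab
[build] image digest sha256:001f2e3d4c5b6a79880f1e2d3c4b5a69788f9e0d1c2b3a4958677687960a1b2c
[deploy] writing key: -----BEGIN RSA PRIVATE KEY-----
[deploy] public jwk {"kty":"EC","crv":"P-256","x":"Q0","y":"Rz"}
[deploy] signing jwk {"kty":"EC","crv":"P-256","x":"Q0","y":"Rz","d":"c2VjcmV0"}
"""

PATTERNS = {
    # The "00" + 40 chars shape from the question; the lookarounds (an
    # assumption) stop it matching a 42-char slice of a longer hash.
    "okta_api_token": re.compile(r"(?<![A-Za-z0-9_-])00[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])"),
    # PEM header shared by PKCS#1, PKCS#8, EC, OpenSSH and encrypted keys.
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# RFC 7517/7518: a JWK is private if it carries any of these members.
JWK_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

def redact(secret: str) -> str:
    """Keep enough to locate the leak without re-logging the secret."""
    return f"{secret[:4]}...({len(secret)} chars)"

def find_private_jwks(line: str) -> list:
    """Parse each flat JSON object on the line; return JWKs with private parts."""
    hits = []
    for m in re.finditer(r"\{[^{}]*\}", line):  # innermost objects, so JWK Sets work too
        try:
            obj = json.loads(m.group(0))
        except ValueError:
            continue
        if isinstance(obj, dict) and "kty" in obj and JWK_PRIVATE_MEMBERS & obj.keys():
            hits.append(obj)
    return hits

def scan(text: str) -> list:
    """Return (line_no, finding_type, redacted_detail) for each hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, name, redact(m.group(0))))
        for jwk in find_private_jwks(line):
            findings.append((line_no, "jwk_private_key", f"kty={jwk['kty']} kid={jwk.get('kid', '?')}"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Running it reports the token on line 1, the PEM header on line 3 and the signing JWK on line 5, while the sha256 digest and the public JWK are left alone.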
