okta:ApiToken vs okta:ClientSecret


Hi All,

I have started to use Okta and I have a couple of newbie questions.

What is the difference between using okta:ApiToken vs okta:ClientSecret?



You can go through the following links to understand the significance of the two -

API Token - https://support.okta.com/help/Documentation/Knowledge_Article/API-54325410
Client Secret - https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

At a high level, API tokens are used to authenticate requests to the Okta API just like HTTP cookies authenticate requests to the Okta Application with your browser.

The client secret is generated by the Authorization Server when you create a Web Application (with an associated client ID), and its use is as specified in the OAuth2 spec - https://tools.ietf.org/html/rfc6749


To add even more explanation - you would need an API token or a client secret for different things:

  • If you are calling the Okta management APIs (Users API, Groups API, etc.) you need an API token. An API token is like a password for all of the Okta management APIs.

  • If you are building an app or project that uses Okta for authentication, you will create an Application inside of Okta that gets assigned a client secret. The client secret is used for OpenID Connect communication between your application and Okta (usually the authorization code flow). If you are following one of our authentication quickstarts, this applies to you!

For both API tokens and client secrets, it’s very important not to leak the values. You shouldn’t store either in source control, and you shouldn’t use them in browser-based applications (like single-page apps), only in server code.

Hope this helps!
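As an added illustration (not code from either answer above or from Okta), the following shows where each credential actually ends up in a server-side request: the API token goes in an `Authorization: SSWS` header on a management-API call, while the client secret authenticates the app at the token endpoint during the authorization-code exchange. Both are read from the environment rather than from source control; the org URL, issuer, client ID, code and redirect URI in the usage block are constructed placeholders.

```python
"""Build (without sending) the two kinds of authenticated Okta requests the thread
distinguishes. Nothing here is Okta's own SDK code; values in __main__ are placeholders."""
import base64
import os
import urllib.parse
import urllib.request


def load_secret(name: str) -> str:
    """Read a secret from the environment instead of hard-coding it or committing it;
    fail loudly when it is missing rather than silently using an empty value."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; supply it via the environment")
    return value


def management_api_request(org_url: str, api_token: str, path: str) -> urllib.request.Request:
    """Okta management APIs (Users, Groups, ...) take the API token in an
    'Authorization: SSWS <token>' header. The token acts like a password for those APIs."""
    return urllib.request.Request(
        f"{org_url.rstrip('/')}{path}",
        headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        method="GET",
    )


def token_exchange_request(issuer: str, client_id: str, client_secret: str,
                           code: str, redirect_uri: str) -> urllib.request.Request:
    """Authorization-code flow, step 2: the server-side app redeems the code at the
    token endpoint and proves its identity with the client secret using HTTP Basic
    (client_secret_basic, RFC 6749 section 2.3.1). This must run on the server."""
    creds = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    basic = base64.b64encode(creds.encode()).decode()
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        f"{issuer.rstrip('/')}/v1/token",
        data=body,
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


if __name__ == "__main__":
    # Placeholder org/issuer/client values; the secrets come from OKTA_API_TOKEN and
    # OKTA_CLIENT_SECRET in the environment, never from the source file.
    mgmt = management_api_request("https://example.okta.com", load_secret("OKTA_API_TOKEN"),
                                  "/api/v1/users?limit=1")
    tok = token_exchange_request("https://example.okta.com/oauth2/default", "0oa-placeholder",
                                 load_secret("OKTA_CLIENT_SECRET"), "code-from-redirect",
                                 "https://app.example/callback")
    print(mgmt.get_method(), mgmt.full_url, "|", tok.get_method(), tok.full_url)
```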