okta:ApiToken vs okta:ClientSecret

Hi All,

I have started to use Okta and I have a couple of newbie questions.

What is the difference between using okta:ApiToken vs okta:ClientSecret?


You can go through the following links to understand the significance of the two -

API Token - https://support.okta.com/help/Documentation/Knowledge_Article/API-54325410
Client Secret - https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/

At a high level, API tokens are used to authenticate requests to the Okta API just like HTTP cookies authenticate requests to the Okta Application with your browser.

Client secret is generated by the Authorization Server when you create a Web Application (with an associated client ID), and its use is as specified in the OAuth2 spec - https://tools.ietf.org/html/rfc6749


To add even more explanation - you would need an API token or a client secret for different things:

  • If you are calling the Okta management APIs (Users API, Groups API, etc) you need an API token. An API token is like a password for all of the Okta management APIs.

  • If you are building an app or project that uses Okta for authentication, you will create an Application inside of Okta that gets assigned a client secret. The client secret is used for OpenID Connect communication between your application and Okta (usually the authorization code flow). If you are following one of our authentication quickstarts, this applies to you!

For both API tokens and client secrets, it’s very important not to leak the values. You shouldn’t store either in source control, and you shouldn’t use them in browser-based applications (like single-page apps), only in server code.

Hope this helps!
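To make the two roles concrete, here is an added Node.js illustration (example code, not from Okta or the @okta/oidc-middleware package): the API token authenticates a management API call with an SSWS header, while the client secret authenticates the server-side app at the token endpoint during the authorization code flow. The org URL, issuer and environment variable names are assumptions.

```javascript
// Added example: two different credentials, two different request shapes.
// Both secrets come from the environment, never from source control.
const OKTA_ORG = 'https://dev-000000.okta.com';      // placeholder org URL
const OKTA_ISSUER = `${OKTA_ORG}/oauth2/default`;    // assumed authorization server

function loadSecrets(env) {
  const { OKTA_API_TOKEN: apiToken, OKTA_CLIENT_ID: clientId, OKTA_CLIENT_SECRET: clientSecret } = env;
  if (!apiToken || !clientId || !clientSecret) {
    throw new Error('OKTA_API_TOKEN, OKTA_CLIENT_ID and OKTA_CLIENT_SECRET must be set');
  }
  return { apiToken, clientId, clientSecret };
}

// Management API (Users API, Groups API, ...): the API token goes in an
// "SSWS" Authorization header. The client secret plays no part here.
function managementRequest(apiToken, path, body) {
  return {
    method: body ? 'POST' : 'GET',
    url: `${OKTA_ORG}${path}`,
    headers: {
      Authorization: `SSWS ${apiToken}`,
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
    body: body ? JSON.stringify(body) : undefined,
  };
}

// OIDC authorization code flow: the server-side app redeems the code at the
// token endpoint and proves its identity with client_id:client_secret over
// HTTP Basic (RFC 6749, section 2.3.1). The API token plays no part here.
function tokenExchangeRequest(clientId, clientSecret, code, redirectUri) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  return {
    method: 'POST',
    url: `${OKTA_ISSUER}/v1/token`,
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: redirectUri }).toString(),
  };
}

// Log-safe copy of a request so neither secret reaches log output.
function redacted(req) {
  return { ...req, headers: { ...req.headers, Authorization: '[REDACTED]' } };
}
```

Because a single-page app cannot keep either value out of the browser, both request builders are meant to run only in server code, as the answer above notes.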

@nate.barbettini The resource-server example includes/creates a .samples.config.json file that contains a webServer.oidc.clientSecret property that initially looks like it is meant to be filled in ("clientSecret": "{clientSecret}") like clientId and issuer. I don’t know where to find my client secret, however, and everything seems to work without it. Are the properties this object is initialized with no longer current, or what is this field for? Is it something the @okta/oidc-middleware takes care of under the hood for me?

Also, how do I gain access to the api_token? I see it is required when creating a new user.

(Please let me know if it is preferable for me to start a new thread, instead of tacking onto this one.)