Okta Service App for access to Mgmt API

I am running automated tests of my code against my developer Okta account.

I use a script to set up an app of type service with JWT authentication.

I have assigned Okta API scopes okta.groups.read and okta.users.read and uploaded the public PEM key. I can see all this in the Web UI.

When I run my code the JWT token authentication works just fine, but then I try to look up the groups of a userID in the mgmt API with the JWT token and I get an error:

URL: f"{org.rstrip('/')}/api/v1/users/{lst[0].get('id')}/groups"

Error: AssertionError: Groups API failed: 403 {"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oaefb16eVUrSAmPcRMaqO76AQ","errorCauses":}

I checked the logs in Okta, but I don't see anything logged about this error.

Using the old method with an SSWS API key it works, but this is way too permissive, as it cannot be properly restricted to read-only or to certain scopes.

Am I missing anything here? What is the purpose of a service app if the JWT token from that app cannot be used against the mgmt API? Or do I need to assign a policy to the app to make this work, besides the scope granted?
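The flow described in this post, as an added example that is not the poster's script or Okta's own code: it builds the client_credentials request to the org authorization server (token endpoint `/oauth2/v1/token`, which is where a service app with a private_key_jwt client assertion gets a Management API access token), builds the `/api/v1/users/{id}/groups` call with that token as a Bearer header rather than an SSWS key, and adds the check a practitioner wants before blaming role assignment: decode the access token's `scp` claim and confirm the granted scopes actually made it into the token. Only the offline parts run here; the sample token and the 403 body are constructed, and the `client_assertion` argument is assumed to be the signed JWT the poster's script already produces.

```python
import base64
import json
import urllib.parse
import urllib.request

# Scopes the question says were granted to the service app.
REQUIRED_SCOPES = {"okta.users.read", "okta.groups.read"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def access_token_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT verifying its signature.

    Only for inspecting a token we just received from the token endpoint;
    never use this to decide whether to trust a token.
    """
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_scopes(token: str, required=REQUIRED_SCOPES) -> set:
    """Requested scopes that did not end up in the token's 'scp' claim."""
    granted = set(access_token_claims(token).get("scp", []))
    return set(required) - granted


def diagnose_groups_call(status: int, body: str, token: str) -> str:
    """Classify the response to GET /api/v1/users/{id}/groups made with `token`."""
    if status == 200:
        return "ok"
    if status == 401:
        return "token rejected (expired, wrong issuer, or not a valid bearer token)"
    if status == 403:
        try:
            code = json.loads(body).get("errorCode")
        except ValueError:
            code = None
        missing = missing_scopes(token)
        if missing:
            return (f"403 {code}: token lacks scope(s) {sorted(missing)}; "
                    "check the app's API scope grants")
        # Scopes are present, so the 403 is not a scope problem: in this
        # thread the missing piece was an admin role on the app.
        return f"403 {code}: scopes present but no admin role is assigned to the app"
    return f"unexpected HTTP {status}"


def build_token_request(org: str, client_assertion: str, scopes=REQUIRED_SCOPES):
    """client_credentials + private_key_jwt request to the org authorization server."""
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(sorted(scopes)),
        "client_assertion_type":
            "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion,
    }).encode()
    return urllib.request.Request(
        f"{org.rstrip('/')}/oauth2/v1/token",
        data=data,
        headers={"Accept": "application/json",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def build_groups_request(org: str, user_id: str, access_token: str):
    """GET /api/v1/users/{id}/groups with the OAuth bearer token (not an SSWS key)."""
    return urllib.request.Request(
        f"{org.rstrip('/')}/api/v1/users/{urllib.parse.quote(user_id)}/groups",
        headers={"Accept": "application/json",
                 "Authorization": f"Bearer {access_token}"},
    )


def _fake_jwt(claims: dict) -> str:
    """Constructed demo token (dummy signature); only for the offline check."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed copy of the 403 body from the question.
SAMPLE_403_BODY = json.dumps({
    "errorCode": "E0000006",
    "errorSummary": "You do not have permission to perform the requested action",
    "errorLink": "E0000006",
    "errorId": "oaefb16eVUrSAmPcRMaqO76AQ",
    "errorCauses": [],
})

if __name__ == "__main__":
    demo = _fake_jwt({"scp": sorted(REQUIRED_SCOPES), "iss": "https://dev-000000.okta.com"})
    print(diagnose_groups_call(403, SAMPLE_403_BODY, demo))
    # To run it for real: urllib.request.urlopen(build_token_request(org, assertion)),
    # read access_token from the JSON, then urlopen(build_groups_request(org, uid, token)).
```

The point of `missing_scopes` is to separate the two ways a service app call can 403: if `scp` is short, the scope grant is the problem; if `scp` contains everything requested and you still get E0000006, the token is fine and the app itself lacks the authorization to read that resource, which is what the role assignment in the reply below fixes.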

Hi,

Could you check the Admin Roles assigned to this application? Assign this app the Super Admin role and check if the endpoint is working.

Hi, that worked. But is that not too permissive, adding a "Super Admin" role? My intention is to limit the app to read-only lookups of users' groups.

And can this be limited to users/groups that are assigned to the app? Again, I hesitate to give this app permission to read all of our org's users and groups.