Problem in generating OAuth token for Okta API scopes

Hi,
I’m new to using Okta. I was hoping someone would help me in figuring this out.

I need to get to the Okta endpoints /api/v1/users/${userId} and /api/v1/groups (described here: Users | Okta Developer and Groups | Okta Developer).
I’m using OAuth to authenticate my requests.
I tried following these steps: Implement OAuth for Okta | Okta Developer
I assigned required scopes okta.users.read and okta.groups.manage to my existing Okta client application.

The problem lies in generating an Okta OAuth token with the okta.users.read and okta.groups.manage scopes. I am able to generate an Okta token only for custom scopes defined in my custom authorization server; however, I am not allowed to define a custom scope in the authorization server called e.g. okta.users.read. As far as I understand, scopes with names starting with ‘okta.’ are restricted to the default Authorization Server.
I’m having trouble understanding how I could get a token for the scopes okta.users.read and okta.groups.manage. If I need to use the default Authorization Server, how should I do it?
In my Okta Dashboard, under Security > API, I have a list of a few Okta Authorization Servers, but I can’t find any default server.

If you want to get tokens that you can use against Okta APIs, you must use the Org Authorization Server, as noted in our guide:

Important: You request an access token by making a call to your Okta Org Authorization Server /authorize endpoint. Only the Org Authorization Server can mint access tokens that contain Okta API scopes. See Which authorization server should you use.

These scopes will already be present for this server. Please note that the Org Authorization Server is not the same as the Default Authorization Server, and it is NOT listed under Security → API → Authorization Servers.

If you make requests to this server instead (e.g. https://org.okta.com/oauth2/v1/authorize and https://org.okta.com/oauth2/v1/token), can you get a token back that you can use against these endpoints?

@andrea thanks for your response.
I tried making these requests, GET ${baseUrl}/v1/authorize and POST ${baseUrl}/v1/token, to my Okta Org Authorization Server, but something is still not working right.
This is the response for the GET request to the /authorize endpoint for my Okta client:

As I understand it, I should get an authorization code from this request that would then be used for the /token endpoint. I tried calling /token without the authorization code that I should get from /authorize, and I got this response:

Since only service-type applications are allowed for such requests, I tried following the steps described in Implement OAuth for Okta with a service app | Okta Developer, but I cannot find Public key/private key when I click Edit in the Client Credentials section. Can someone tell me where I would find this option?

I need this private key to create a JWT to get a token using service app.
I don’t really care if I would use Okta service app or regular Okta client - I just need to find a way to generate a token for okta.users.read scope.
Any more ideas on how I could get a valid token?

All right, let’s walk back a little bit, because you’re covering a lot of ground and I want to address a couple of things separately.

There are two types of OAuth tokens to use against Okta APIs:

  • user-scoped tokens (retrieved via Implicit, Hybrid, or Authorization Code flow)
  • service app tokens (retrieved via Client Credentials grant)

When using user-scoped tokens, the token itself will ONLY be able to make the same calls the user that requested the token is permitted to make. So if the user is NOT an admin, they can only use the okta.users.manage.self and okta.users.read.self scopes to view/modify their own user profile. If they are an admin, they can make any request that they are granted via their admin permissions. Aka, if this user can make this call with an API token they generated, they can also make that call with an OAuth token.

If your use case does not require the use of a user-scoped token (such as for an automation or other machine-to-machine integration), we recommend using a Service app with Client Credentials, as in the second guide you linked to. For Service apps, you must use private key JWT auth.
This leads to two separate solutions:

  1. If you want to use user-scoped tokens, make sure your /token request is correctly formed to complete the authorization code flow: the grant_type is set to authorization_code and you are providing the code in the body. See an example of how to complete this flow in our guide: Implement authorization by grant type | Okta Developer
  2. If you want to instead use a service app, you can generate and configure the app to use private_key_jwt via API, but we do have an EA feature that allows you to do the same in the admin UI. If this interests you, you will need to submit a support case to get this feature enabled.
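As an added example (not code from this thread or from Okta's own SDKs), the following Python shows the shape of the two /token requests against the Org Authorization Server described in the answer above: the private_key_jwt client assertion a service app must present for client_credentials, and the form body for completing the authorization code flow. The org URL and client id are placeholders, and signing is injected as a callable so the block runs offline; a real run would sign with the service app's RS256 private key.

```python
import base64
import json
import time
import uuid
from typing import Callable, Dict, Tuple

# Placeholder org; the Org Authorization Server lives at /oauth2/v1, not under a custom AS.
ORG_URL = "https://example.okta.com"
TOKEN_URL = f"{ORG_URL}/oauth2/v1/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_client_assertion(client_id: str, sign: Callable[[bytes], bytes], alg: str = "RS256",
                           kid: str = None, ttl: int = 300, now: int = None) -> str:
    """Build the private_key_jwt assertion for a service app. `sign` must return the
    signature over header.payload made with the app's private key (hypothetical callable)."""
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    if kid:
        header["kid"] = kid  # matches the public key registered on the app
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_URL,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(sign(signing_input.encode()))


def client_credentials_request(assertion: str, scopes: str) -> Dict[str, str]:
    """Form body for a service-app token carrying Okta API scopes (e.g. okta.users.read)."""
    return {"grant_type": "client_credentials", "scope": scopes,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


def authorization_code_request(code: str, redirect_uri: str, client_id: str) -> Dict[str, str]:
    """Form body for a user-scoped token: the code returned by /authorize goes in the body.
    Client authentication (client_secret or PKCE code_verifier) is added per app type."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}


def decode_jwt(jwt: str) -> Tuple[dict, dict]:
    """Inspect an assertion's header and claims before sending it (no signature check)."""
    def seg(s: str) -> dict:
        return json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
    head, body, _sig = jwt.split(".")
    return seg(head), seg(body)
```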