REST API Create user returns a list of users when using HTTP not HTTPS

When creating a user using the REST API, we have found that if you switch the HTTPS for an HTTP POST, it returns a full list of users rather than creating a new one.

I would never advocate not using HTTPS; this was noted by our internal QA and it's raised a discussion around how this happened. I would expect to have an error status code, not a different data set.


POST {domain}/api/v1/users?activate=true
Accept: application/json
Content-Type: application/json
Authorization: SSWS {apikey}

{
  "profile": {
    "firstName": "TEST",
    "lastName": "USER",
    "email": "yourtestemail",
    "login": "yourtestemail"
  },
  "groupIds": [],
  "credentials": {
    "password" : { "value": "Password1234" }
  }
}

If you simply remove the ‘S’ from HTTPS and run the POST request in Postman or another tool you get a status code of 200 and a full list of users rather than a newly created user.

As the endpoint /api/v1/users is used for many things I am wondering if the nature of the request not being secure is oddly returning a list of users rather than dealing with the payload in the body and creating a user.

Normally a list of users is obtained using a GET.

From my point of view all requests would always be HTTPS, but I’m more curious why removing the S to make it not secure returns a different dataset based on the same endpoint and body.

Any thoughts would be great.

Hi @dw_lh

If you switch from https to http, Okta will respond with a 302 to redirect to https and the redirect is sent as a GET request. As a result, there is a GET request on /api/v1/users which returns the list of users.

Many thanks for the clarification :grinning:
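The behaviour explained in the answer can be reproduced offline. The following is an added example, not code from the thread or from Okta: a constructed local stub answers POST with a 302, and the path `/upgraded/api/v1/users` stands in for the https:// redirect target. It shows a default client turning the POST into a GET after the token has already gone out on the first request, next to a client that refuses non-HTTPS URLs and does not follow redirects. `Stub`, `create_user`, `allow_http_for_demo` and the placeholder token are assumptions made for the illustration.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

class Stub(BaseHTTPRequestHandler):
    """Constructed stand-in: answers POST with a 302, GET with a user list."""
    seen = []  # (method, path, token-present) for every request received
    def _reply(self, code, obj, location=None):
        self.seen.append((self.command, self.path, "Authorization" in self.headers))
        data = json.dumps(obj).encode()
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        # "/upgraded/..." stands in for the https:// URL of the real redirect
        self._reply(302, {}, "/upgraded/api/v1/users")
    def do_GET(self):
        self._reply(200, [{"login": "existing1"}, {"login": "existing2"}])
    def log_message(self, *args):
        pass

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/api/v1/users"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as HTTPError

def create_user(url, profile, strict=True, allow_http_for_demo=False):
    if strict and not allow_http_for_demo and urlsplit(url).scheme != "https":
        raise ValueError("refusing to send the API token to a non-HTTPS URL")
    req = urllib.request.Request(url, method="POST",
        data=json.dumps({"profile": profile}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "SSWS PLACEHOLDER_TOKEN"})
    handlers = [urllib.request.ProxyHandler({})] + ([NoRedirect] if strict else [])
    with urllib.request.build_opener(*handlers).open(req, timeout=5) as resp:
        return resp.status, json.load(resp)

if __name__ == "__main__":
    srv, url = start_stub()
    print(create_user(url, {"login": "new@example.test"}, strict=False))
    print(Stub.seen)
```

With `strict=True` the same call fails before anything is sent, and with the scheme check bypassed for the demo the 302 is raised as an error instead of being silently followed.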