Server-to-server Communications - Clients

We are currently looking to implement Okta in our environment, but are confused on how the server-to-server (client credentials grant) works in Okta.

Our assumption (which with research, I beleive is incorrect), is that we could create an application for our “application”, to be able to host users logging into it. (Standard OAuth2/OIDC)

We also believed we could create another OIDC application (clientid and clientsecret pair) as secure credentials for our customer’s application. We then thought we could add these credentials in, similar to a user, and give them profile attributes similarly (i.e. an applicaiton could be treated as a “user” in this way).

Unfortunately I do not believe this is the case with Okta, and applications are meant to be an internal item for our company, and not an external entity.

If this is correct, is there anything in the works to be able to support such a mechanism, otherwise, what suggestions would we be able to receive to implement something similar. Right now, we are in a HIPAA industry, so we have thought about creating user accounts to act as “headless” accounts for customers, however this is usually frowned upon as it is a user account that is not tied to an actual individual, for audit and compliance purposes. In this manner, we would instruct our customers to access the application and enter credentials once, and then request a refresh token, which they could then use from their service application to request an access token via the Implicit flow (not the best way, but one that may work).

Please let me know if there is something I am missing that may help point me to a better solution.

I believe the typical pattern for this would be to create an authorization server ( for your first app in Okta and use client credentials flow for you second app against this authz server ( - in the access policy rules you can define which client can consume the authz server endpoints