Service account for API tokens


I currently have an API token under my user account, but I see that the below page recommends “Okta recommends generating API tokens from a service account with permissions that do not change”:

My question is: what are the best practices for setting up a service account? For example:

  • is a service account just a regular user under Directory - People, or is there another way to set-up a service account?

  • my Okta account currently has multifactor enabled. Since many people will be sharing this service account, how do you log into it with multifactor?


Hi @rbro

As service accounts are a sensible part of the infrastructure (eg. used to set-up Okta AD Agents), they should be created directly in Okta and not Active Directory.

Regarding MFA, this depends on the company’s policy and the users that will have access to it. The easiest solutions to implement are security question (user will need to enter a specific answer) or email authentication (an email is sent to a distribution list, such as, so that the authentication is visible to multiple people and does not rely on a single person).