User list returns no users

Hi, we are requesting user information from the Okta API, as follows:

  • Application integration:
    • Sign-in method: “API Services”
    • Client authentication: Public key / Private Key
    • Okta API Scopes:
  • Tenant:
    • This is their ‘UAT environment’, https://???
    • They have upgraded to the Identity Platform.
    • They don’t have a custom auth server. Just the ‘Org’ auth server.
  • Our Oauth client:

Calls to the /users endpoints authenticate OK but I have access to no users.

  • Calls to URL https://??? and https://??? return a 403:
Status: 403 Forbidden
{"errorCode":"E0000006","errorSummary":"You do not have permission to perform the requested action","errorLink":"E0000006","errorId":"oaeRUPaKt_9Q3WpromiLHwtvw","errorCauses":[]}
  • Calls to the URL https://??? returns 200 OK an empty list
Status: 200 OK

We have used this approach successfully on other Okta tenants, where we receive a full user list (or specific data about a single user).

What do you think could be the problem here?

I guess it could be a policy setting on the client’s Okta org. Their representative could not see anything obvious which could be affecting this.

Do you have any advice, please?


Can you ensure that your API Services app has been assigned an Admin Role that has permissions to read users?

1 Like

Thanks @andrea , I didn’t know about admin roles for API Services apps. Thanks for the link, it looks like it’s a preview feature. That explains why we haven’t needed to add admin roles for other domains before.

I’m guessing that the integration would be best suited to a READ_ONLY_ADMIN role type.

I guess there’s no UI yet for configuring these? If not, then I can guide our client to set themselves up with an API key and make the POST request.


Ah, I’ve seen the UI documentation now.

It looks like we don’t have this feature on our own production org or on our developer org (but presumably our client does).

Good to know about it, thanks.

1 Like

So you don’t see the “Admin Roles” tab in your own org right now? If so, you should be able to enable it yourself under Settings → Features → “Assign admin roles to public client app”

Thanks, I was able to add it and and the client has also added it. We are closer now.
At least on my test harness, this app integration can now fetch users. Cheers

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.