Using different API tokens for ReST Call


We have a requirement to invoke Okta APIs based on a user who has logged into an application. For example, we have a small login application where the user logs in and then will perform some operation like searchuser, createuser etc. in Okta. If the logged-in user is a SuperAdmin, then he should be able to perform all the operations, and if the logged-in user is a normal user without any permissions, he can do only the operations he is allowed.

To implement this, my understanding is we need to pass the logged-in user’s API token while invoking the ReST call. But Okta has not provided any option to retrieve another person’s token.

Let me know if there is any other solution available to implement this.

Thanks in advance.


How are the users authenticating inside the application? If you have a SAML or OpenID Connect authentication, you can pass the user’s group memberships and, based on this, provide certain roles inside the application.

All the calls to Okta from the application can be done via an API token created by a super admin service account, and you can have logic inside your application to provide a number of available calls depending on the group memberships.
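
A sketch of the pattern described in the answer above, added here as an example and not code from the thread or from Okta: the backend checks the user's group claims against a deny-by-default policy before it builds an Okta call with the service-account token. The group names, the `OKTA_ORG_URL` and `OKTA_API_TOKEN` environment variables and the `example.okta.com` host are assumptions, and the claims are assumed to come from an ID token or SAML assertion the application has already validated.

```python
import os
from urllib.parse import urlencode

# Assumed Okta group names -> operations the app performs on the user's behalf.
GROUP_PERMISSIONS = {
    "App-SuperAdmins": {"search_user", "create_user"},
    "App-Users": {"search_user"},
}
# Operation -> (HTTP method, Okta Users API path).
OPERATIONS = {
    "search_user": ("GET", "/api/v1/users"),
    "create_user": ("POST", "/api/v1/users"),
}

class Forbidden(Exception):
    pass

def allowed_operations(claims):
    """Union of operations granted by the groups in already-verified claims."""
    groups = claims.get("groups") or []
    if isinstance(groups, str):  # a single group may arrive as a bare string
        groups = [groups]
    ops = set()
    for group in groups:
        ops |= GROUP_PERMISSIONS.get(group, set())  # unknown groups grant nothing
    return ops

def build_okta_request(claims, operation, params=None, body=None):
    """Return the request the backend would send, or raise Forbidden."""
    if operation not in OPERATIONS or operation not in allowed_operations(claims):
        raise Forbidden(f"{claims.get('sub', '?')} may not perform {operation}")
    method, path = OPERATIONS[operation]
    url = os.environ.get("OKTA_ORG_URL", "https://example.okta.com") + path
    if params:
        url += "?" + urlencode(params)
    # The service-account token stays server-side and is never sent to the client.
    token = os.environ.get("OKTA_API_TOKEN", "PLACEHOLDER_TOKEN")
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return {"method": method, "url": url, "headers": headers, "json": body}

if __name__ == "__main__":
    admin = {"sub": "alice", "groups": ["App-SuperAdmins"]}  # constructed claims
    user = {"sub": "bob", "groups": ["App-Users"]}           # constructed claims
    print(build_okta_request(admin, "search_user", params={"q": "bob"})["url"])
    try:
        build_okta_request(user, "create_user")
    except Forbidden as exc:
        print("denied:", exc)
```

Because every user's request runs under the same super admin token, this check is the only thing separating a normal user from admin operations, so it belongs on the server and should reject any operation not explicitly listed.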