Verifying identities of untrusted clients

Hey there,
My organization provides API access to our customers. Authorization to those APIs is currently performed via API keys. We’ve run into situations recently where our customers have been sharing their keys with some of our competitors that both overlap with and extend our functionality. In most cases we’d like to prevent them from doing so.

Are there any mechanisms in Okta’s solutions that would help address this, whether it’s simply by better identifying situations where this is happening or preventing it from happening in the first place?

Typically you would protect your APIs with Bearer Tokens that could only be minted by Okta. These tokens can have lifetimes as short as 5 minutes, meaning the customer would need to request a new token every 5 minutes.
Usually this is to protect against cases where tokens are compromised; the lifetime would be short-lived.

The situation you describe, however, is that your customers share API Keys. There is nothing that would stop them from sharing the credentials used to obtain new tokens with others so they could obtain their own token. One possible solution would be to set policies in Okta that only allow specific IPs to request tokens. This way, even if a customer shared credentials with someone else, their request would be blocked.

For a case like this I suggest reaching out to the Okta Sales Team. They can put you in touch with a professional services representative who has experience with prior integrations that required similar protection.

Thank You,
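The pattern in the reply above, modelled as an added example (not Okta's code or API): the authorization server checks the client's credentials, enforces a per-client source-IP policy before minting, and issues a token that expires after 5 minutes; the resource server accepts only unexpired, correctly signed tokens. The client id, secret, signing key and 203.0.113.0/24 network are constructed stand-ins.

```python
import base64, hashlib, hmac, ipaddress, json, time

SIGNING_KEY = b"constructed-demo-signing-key"   # stands in for the IdP's private signing key
TOKEN_LIFETIME = 300                             # 5 minutes, as in the reply

# Constructed policy: source networks allowed to request tokens for each client.
CLIENT_IP_POLICY = {"customer-a": [ipaddress.ip_network("203.0.113.0/24")]}
CLIENT_SECRETS = {"customer-a": "constructed-secret"}


def mint_token(client_id, client_secret, source_ip, now=None):
    """Model of the authorization server: verify credentials, enforce the
    IP policy, then mint a short-lived signed token. Returns None on refusal."""
    now = int(time.time() if now is None else now)
    expected_secret = CLIENT_SECRETS.get(client_id, "")
    if not hmac.compare_digest(expected_secret, client_secret):
        return None
    allowed = CLIENT_IP_POLICY.get(client_id, [])
    if not any(ipaddress.ip_address(source_ip) in net for net in allowed):
        return None   # shared credentials presented from an unapproved network
    claims = {"sub": client_id, "iat": now, "exp": now + TOKEN_LIFETIME}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Model of the resource server: check signature and expiry.
    Returns the claims, or None if the token is forged, malformed or expired."""
    now = int(time.time() if now is None else now)
    try:
        body, sig = token.split(".")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return None   # a leaked token stops working within the 5-minute window
    return claims
```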