Create an API token | Okta Developer (2024)

This guide explains what an API token is, why you need one, and how to create one.

Learning outcomes

  • Learn how an Okta API token is used.
  • Understand why it's good practice to create a service account for use with an API token.
  • Know the alternatives to Okta API tokens.
  • Find out when a token expires and what happens when it expires.
  • Find out how API tokens are deactivated.

What you need

Okta Developer Edition organization

Okta API tokens

Okta API tokens are used to authenticate requests to Okta APIs. When calling an Okta API endpoint, you need to supply a valid API token in the HTTP Authorization header, with a valid token specified as the header value. You need to prefix the value with the SSWS identifier, which specifies the proprietary authentication scheme that Okta uses. For example:
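An added example (not from the original Okta page) that builds such a request in Python without sending it, and redacts the token before the headers are logged. The org URL, the token value, the `OKTA_API_TOKEN` environment variable name and the token character set are assumptions made for illustration.

```python
import os
import re
import urllib.request
from urllib.parse import urlsplit

# Constructed placeholders; a real token comes from a secret store or env var.
SAMPLE_ORG_URL = "https://your-org.example"
SAMPLE_TOKEN = "00PLACEHOLDER-not-a-real-token"

# Assumed token alphabet (letters, digits, "-" and "_"); adjust if yours differs.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]+")


def build_okta_request(org_url, path, token):
    """Return an unsent Request carrying the SSWS Authorization header."""
    parts = urlsplit(org_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("org URL must be https so the token is not sent in clear text")
    # fullmatch rejects spaces, CR and LF, so a malformed secret cannot add headers.
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token contains unexpected characters")
    req = urllib.request.Request(f"https://{parts.netloc}{path}", method="GET")
    req.add_header("Authorization", f"SSWS {token}")
    req.add_header("Accept", "application/json")
    return req


def redacted_headers(req):
    """Headers that are safe to log: keep the scheme, drop the secret."""
    out = {}
    for name, value in req.header_items():
        if name.lower() == "authorization":
            value = value.split(" ", 1)[0] + " <redacted>"
        out[name] = value
    return out


if __name__ == "__main__":
    token = os.environ.get("OKTA_API_TOKEN", SAMPLE_TOKEN)
    request = build_okta_request(SAMPLE_ORG_URL, "/api/v1/users?limit=1", token)
    print(request.full_url, redacted_headers(request))
```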

Privilege level

Different Okta API operations require different admin privilege levels. API tokens inherit the privilege level of the admin account that is used to create them. It’s therefore good practice to create a service account to use when you create API tokens. With a separate service account, you can assign specific privilege levels to your API tokens. See Administrators for admin account types and the specific privileges of each.

OAuth 2.0 instead of API tokens

As an alternative to Okta API tokens, you can call Okta APIs with a scoped OAuth 2.0 access token, which is supported for various Okta endpoints. Each access token enables the bearer to perform specific actions on specific Okta endpoints, with that ability controlled by which scopes the access token contains. For more information, see the OAuth for Okta guide.

Create the token

See Create Okta API tokens to create an API token and define the network zones that API calls can originate from.

Note: Record the token value. This is the only opportunity to see it and record it.

Token network restrictions

You can specify a network range for every SSWS API token. The tokens only work if API requests are made from the specified IP or network range. You can specify network zones while you create an API token. You can also modify an existing token to specify a network range.

See Manage Okta API tokens for steps on creating API tokens and editing network restrictions for an existing API token.

Token rate limits

When API tokens are created, the rate limit for each token interaction is set automatically to 50 percent of each API maximum limit. See API rate limits. You can adjust this percentage by editing the Token rate limits section. See Set token rate limits.

Token expiration and deactivation

Tokens expire automatically after a certain period and can also be deactivated at any time.

Token expiration

Tokens are valid for 30 days from creation or last use, so the 30-day expiration automatically refreshes with each API call. Tokens that aren't used for 30 days expire. The 30-day period is fixed and can't be changed for your org.

Token deactivation

If a user account is deactivated in Okta, any API token created by that user account is deprovisioned at the same time.
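An added example (not Okta's code) that applies the expiration and deactivation rules above, together with the network-restriction and service-account guidance from earlier sections, to a token inventory. The record field names, the CIDR representation of network ranges and all sample values are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

TOKEN_LIFETIME = timedelta(days=30)  # fixed 30-day window stated on this page

def token_expiry(created, last_used=None):
    """Expiry is 30 days after creation or last use, whichever is later."""
    return max(created, last_used or created) + TOKEN_LIFETIME

def evaluate_token(rec, now, source_ip=None, warn_days=7):
    """Return (state, findings) for one record; field names are hypothetical."""
    if not rec["owner_active"]:
        return "deprovisioned", ["creating account is deactivated"]
    expires = token_expiry(rec["created"], rec.get("last_used"))
    if now >= expires:
        return "expired", [f"30-day window ended {expires:%Y-%m-%d}"]
    nets = rec.get("allowed_networks", [])
    if source_ip and nets and not any(ip_address(source_ip) in ip_network(n) for n in nets):
        return "blocked", [f"{source_ip} is outside the token's network range"]
    findings = []
    if expires - now <= timedelta(days=warn_days):
        findings.append(f"expires {expires:%Y-%m-%d} unless used")
    if not nets:
        findings.append("no network restriction")
    if not rec.get("service_account"):
        findings.append("inherits a personal admin's privileges")
    return "valid", findings

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (not real tokens or addresses).
NOW = utc(2024, 6, 30)
INVENTORY = [
    {"name": "ci-sync", "created": utc(2024, 1, 10), "last_used": utc(2024, 6, 28),
     "owner_active": True, "service_account": True, "allowed_networks": ["203.0.113.0/24"]},
    {"name": "old-script", "created": utc(2024, 4, 1), "last_used": utc(2024, 5, 15),
     "owner_active": True, "service_account": False, "allowed_networks": []},
    {"name": "leaver", "created": utc(2024, 6, 1), "last_used": utc(2024, 6, 29),
     "owner_active": False, "service_account": False, "allowed_networks": []},
    {"name": "report", "created": utc(2024, 5, 1), "last_used": utc(2024, 6, 3),
     "owner_active": True, "service_account": False, "allowed_networks": []},
]

if __name__ == "__main__":
    for rec in INVENTORY:
        print(rec["name"], *evaluate_token(rec, NOW, source_ip="198.51.100.7"))
```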

Next steps

With the token created, you can begin using it, supplying it in the Authorization header of calls to Okta API endpoints. See Sign users into your SPA using the redirect model for a functional example.

FAQs

How to generate an API token?

To generate an API token, perform the following:
  1. From Home > My Access, select the appropriate resource for which you need to generate a token. ...
  2. Click API Token > Generate Token.
  3. Specify the following details: ...
  4. Click Generate Token. ...
  5. Click to copy the appropriate token and use it as required.

Who can create an API token in Okta?

Super admins, org admins, group admins, group membership admins, and read-only admins may create tokens. Tokens are valid only if the user who created them is active. Tokens issued by deactivated users are rejected.

What is an API token?

In contrast, an API token is a string of codes containing comprehensive data that identifies a specific user. API tokens also carry the scope of access granted to a specific user. This allows the server to both authenticate requests of the calling user and validate the extent of API usage.

How do I create an authentication token in Web API?

See Authentication Service for more information on authentication processes.
  1. What is JWT? From the JWT website: ...
  2. JWT library. ...
  3. Preparing to use tokens. ...
  4. Create private and public keys. ...
  5. Replace newline characters. ...
  6. Create your public key JSON file. ...
  7. Register your public key. ...
  8. Create a JWT signature.

How are API tokens typically generated?

An API token follows a set series of steps. First, the API verifies the username and password from the payload. Once these are verified, the API sends an asset to your browser to be stored. Then anytime you send a query to the API, the access token is sent along with it.

How do I create an API authentication?

Authentication is typically done by requiring the client to provide some form of credentials – such as a user name and password, an OAuth token, or a JSON Web Token (JWT). As an API owner, you can implement authentication in Apigee using policies.

What is the difference between API Key and API token?

The main distinction between these two is: API keys identify the calling project — the application or site — making the call to an API. Authentication tokens identify a user — the person — that is using the app or site.

Who generates API Key?

API keys are generated by the project making a call but cannot be used to identify who created the project.

How do I create a bearer token for API?

How to Generate Bearer Token
  1. What are Bearer Tokens?
  2. How to Generate a Bearer Token on GitHub?
  3. Step 1: Register your application on GitHub.
  4. Step 2: Request authorization from the user.
  5. Step 3: Exchange authorization code for a token.
  6. Step 4: Use the Bearer token.
  7. Pass and Run Bearer Token in Apidog.

How do I get my API access token?

Navigate to the API access page in the admin UI (available at the URL /admin/api ). Use the navigation menu item "Configure" and select "API access". On the API access page, use the "New API token" button to navigate to the token creation form.

How to generate an API key?

To create your application's API key:
  1. Go to the API Console.
  2. From the projects list, select a project or create a new one.
  3. If the APIs & services page isn't already open, open the left side menu and select APIs & services.
  4. On the left, choose Credentials.
  5. Click Create credentials and then select API key.

Is API token a secret?

Secret API keys serve as secure tokens to authenticate and authorize requests made to your API. They are deemed secret because their exposure to unauthorized individuals or the public could lead to security breaches.

How do I create an auth token?

Add the relevant information in the following fields and click Create Service:
  1. In the Service Name field, type a name for this authorized service. ...
  2. From the User Role list, select Admin as the user role.
  3. From the Security Profile list, select the security profile that you want to assign to this authorized service.

How do I pass an API authentication token?

The second way to pass your API token is via a query parameter called key in the URL like below. Use of the X-Dataverse-key HTTP header form is preferred to passing key in the URL because query parameters like key appear in URLs and might accidentally get shared, exposing your API token. (Again it's like a password.)

How do I add an access token to my API URL?

Set the request URL to: https://{your-openremote-url}/api/master/asset/{assetID} (see also OpenRemote Manager HTTP API Swagger UI) Add an Authorization header to the request and set the value to Bearer {access_token} , where {access_token} is the access token obtained in the previous step.

How do I create an API bearer token?

Generate Bearer Token Using API Credentials
  1. Step #1 Download Postman Collection. If you do not have the postman tool installed, refer to download instructions and install Postman.
  2. Step #2 Get API product credentials for token generation. ...
  3. Step #3 Generate Bearer Token.

How do I create a Google API token?

To create an API key:
  1. In the Google Cloud console, go to Menu > APIs & Services > Credentials.
  2. Click Create credentials > API key.
  3. Your new API key is displayed. Click Copy to copy your API key for use in your app's code.

How to generate API token for Postman?

To generate a Postman API key, do the following:
  1. Select your avatar in the Postman header, then select Settings. In the account settings page, select API keys.
  2. If you don't have a key, you'll be prompted to create one. Select Generate API Key.
  3. Enter a name for your key and select Generate API Key.
  4. Copy your key.

Article information

Author: Clemencia Bogisich Ret
