Apps API

The Okta Application API provides operations to manage applications and/or assignments to users or groups for your organization.

Note: Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grained control over the bearer's actions on specific endpoints. See Okta API authentication methods.

Get started

Explore the Okta Public API Collections workspace to get started with the Applications Postman collection.

Application operations

The Application operations reference is now available at the new Okta API reference portal as the Applications API.

Add application

See Create an Application in the new Okta API reference portal.

Add Bookmark application

See Create a BOOKMARK Application in the new Okta API reference portal.

Add Basic Authentication application

See Create a BASIC_AUTH Application in the new Okta API reference portal.

Add Okta Org2Org application

See Create an Org2Org app instance in the new Okta API reference portal.

Add an OIN SAML 2.0 Authentication app

Adds a SAML 2.0 app instance for an app integration that's listed in the Okta Integration Network (OIN) catalog.

  • The name field is required. It identifies the OIN app definition for the instance that you want to create. See App name.
  • Specify SAML_2_0 in the required signOnMode parameter.

Settings

| Parameter | Description | DataType | Nullable | Unique | Validation |
| --- | --- | --- | --- | --- | --- |
| attributeStatements | Check here for details | Array of Attribute Statements | TRUE | FALSE | |
| configuredAttributeStatements | SAML attributes that are inherited from app metadata during app creation and are used to configure group attributes | Array of Group Attribute Statements | TRUE | FALSE | |
| destinationOverride | Overrides the destination setting | String | FALSE | FALSE | |
| honorForceAuthn | Set to true to prompt users for their credentials when a SAML request has the ForceAuthn attribute set to true. Users are prompted to enter their credentials, even if they normally sign in through Desktop SSO. Set this parameter to false to ignore the ForceAuthn attribute in the SAML request. | Boolean | FALSE | FALSE | |
| url | The URL of the sign-in page for this app | String | FALSE | FALSE | URL |

Request example
curl -X POST \
  -H 'Accept: application/json' \
  -H 'Authorization: SSWS ${api_token}' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "cornerstone",
  "label": "Example SAML 2.0 App",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {
      "orgName": "${yourOktaDomain}",
      "url": "https://example.com/login.html"
    },
    "signOn": {
      "destinationOverride": "http://www.yourDestinationOverride.com",
      "attributeStatements": [
        {
          "type": "EXPRESSION",
          "name": "firstName",
          "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
          "values": [
            "ValueFromAPI"
          ]
        }
      ]
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps"
Response example
{
  "id": "0oaugbelRxD4cY31S0g3",
  "name": "cornerstone",
  "label": "Example SAML 2.0 App",
  "status": "ACTIVE",
  "lastUpdated": "2020-01-28T18:59:30.000Z",
  "created": "2020-01-28T18:59:30.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {}
  },
  "settings": {
    "app": {
      "acsURL": null,
      "orgName": "{yourOktaDomain}"
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": null,
      "ssoAcsUrlOverride": null,
      "audienceOverride": null,
      "recipientOverride": null,
      "destinationOverride": "http://www.yourDestinationOverride.com",
      "attributeStatements": [
        {
          "type": "EXPRESSION",
          "name": "firstName",
          "namespace": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
          "values": [
            "ValueFromAPI"
          ]
        }
      ]
    }
  },
  "_links": {
    "help": {
      "href": "https://{yourOktaDomain}/app/cornerstone/0oaugbelRxD4cY31S0g3/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "metadata": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oaugbelRxD4cY31S0g3/sso/saml/metadata",
      "type": "application/xml"
    },
    "appLinks": [
      {
        "name": "login",
        "href": "https://{yourOktaDomain}/home/cornerstone/0oaugbelRxD4cY31S0g3/165",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oaugbelRxD4cY31S0g3/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://{yourOktaDomain}/assets/img/logos/cornerstone.a63cddeecf3acc5aae6d4592dcfe8125.png",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oaugbelRxD4cY31S0g3/users"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oaugbelRxD4cY31S0g3/lifecycle/deactivate"
    }
  }
}

Add plugin SWA application

See Create a BROWSER_PLUGIN Application in the new Okta API reference portal.

Add plugin SWA (3 field) application

See Create a BROWSER_PLUGIN Application in the new Okta API reference portal.

Add SWA application (no plugin)

See Create a SECURE_PASSWORD_STORE Application in the new Okta API reference portal.

Add custom SWA application

See Create an AUTO_LOGIN Application in the new Okta API reference portal.

Add custom SAML application

See Create a SAML_2_0 Application in the new Okta API reference portal.

Add WS-Federation application

See Create a WS_FEDERATION Application in the new Okta API reference portal.

Add OAuth 2.0 client application

Adds an OAuth 2.0 client application. This application is only available to the org that creates it.

Credentials

See oauthClient in the new Okta API reference portal.

Settings

See settings in the new Okta API reference portal.

Create an app with a Profile object

To include app-specific information that you want to reference later, such as in a token claim, add those parameters within the app Profile object when you create an app. A Profile object is a container for any valid JSON schema that you can reference from a request. You can only add the Profile object to OAuth 2.0 client applications.

The following example shows how to add an app label parameter to the Profile object when creating an app.

Note: See Update application level profile attributes for an update example.

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
    "name": "oidc_client",
    "label": "Sample Client profile",
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
      "oauthClient": {
        "token_endpoint_auth_method": "client_secret_post"
        }
    },
    "profile": {
        "label": "oauth2 client app 1"
        },
    "settings": {
      "oauthClient": {
        "client_uri": "http://localhost:8080",
        "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
        "redirect_uris": [
          "https://example.com/oauth2/callback",
          "myapp://callback"
        ],
        "response_types": [
          "token",
          "id_token",
          "code"
        ],
        "grant_types": [
          "implicit",
          "authorization_code"
        ],
        "application_type": "native",
        "participate_slo": false
      }
    }
}' "https://${yourOktaDomain}/api/v1/apps"
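
A definition like the one above can be reviewed before it is sent. The following is an added example, not Okta code: it audits the oauthClient settings of an app body for choices a reviewer would question. The function names, rule set and severity labels are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Sample input: the request body from the example above.
SAMPLE_APP = json.loads("""
{
  "name": "oidc_client",
  "label": "Sample Client profile",
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "oauthClient": {"token_endpoint_auth_method": "client_secret_post"}
  },
  "profile": {"label": "oauth2 client app 1"},
  "settings": {
    "oauthClient": {
      "client_uri": "http://localhost:8080",
      "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
      "redirect_uris": ["https://example.com/oauth2/callback", "myapp://callback"],
      "response_types": ["token", "id_token", "code"],
      "grant_types": ["implicit", "authorization_code"],
      "application_type": "native",
      "participate_slo": false
    }
  }
}
""")

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SECRET_METHODS = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}
URI_LISTS = ("redirect_uris", "post_logout_redirect_uris")   # tokens or sessions flow here
URI_FIELDS = ("client_uri", "logo_uri", "tos_uri", "policy_uri")  # display metadata


def check_uri(field, uri, cleartext_severity):
    """Classify one URI. Returns (severity, field, detail) or None if it is https."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "https":
        return None
    if scheme == "http":
        if parts.hostname in LOOPBACK:
            return ("info", field, f"{uri}: cleartext loopback URI, development only")
        return (cleartext_severity, field, f"{uri}: cleartext http")
    if scheme:
        return ("info", field, f"{uri}: custom scheme is not exclusive to one app")
    return ("high", field, f"{uri!r}: not an absolute URI")


def audit_oauth_client(app):
    """Return a list of (severity, field, detail) findings for an app body."""
    findings = []
    cred = app.get("credentials", {}).get("oauthClient", {})
    cfg = app.get("settings", {}).get("oauthClient", {})

    # A native app is distributed to users, so a secret shipped inside it
    # cannot be kept confidential.
    method = cred.get("token_endpoint_auth_method")
    if cfg.get("application_type") == "native" and method in SECRET_METHODS:
        findings.append(("high", "token_endpoint_auth_method",
                         f"{method} on a native app: the secret is not confidential"))

    # The implicit flow returns access tokens in the redirect URI fragment.
    if "implicit" in cfg.get("grant_types", []) or "token" in cfg.get("response_types", []):
        findings.append(("medium", "grant_types",
                         "implicit flow enabled; prefer authorization_code only"))

    if cfg.get("wildcard_redirect", "DISABLED") != "DISABLED":
        findings.append(("high", "wildcard_redirect",
                         "wildcard matching widens the set of accepted redirect URIs"))

    for field in URI_LISTS:
        for uri in cfg.get(field, []):
            finding = check_uri(field, uri, "high")
            if finding:
                findings.append(finding)
    for field in URI_FIELDS:
        uri = cfg.get(field)
        if uri:  # empty strings, as in the update example on this page, are skipped
            finding = check_uri(field, uri, "low")
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for severity, field, detail in audit_oauth_client(SAMPLE_APP):
        print(f"[{severity}] {field}: {detail}")
```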

Get application

See Retrieve an Application in the new Okta API reference portal.

List applications

See List all Applications in the new Okta API reference portal.

Update application

See Replace an Application in the new Okta API reference portal.

Set SWA user-editable username and password

Configures the EDIT_USERNAME_AND_PASSWORD scheme for a SWA application with a username template

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EDIT_USERNAME_AND_PASSWORD",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oabkvBLDEKCNXBGYUAS",
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "lastUpdated": "2013-10-01T06:28:03.486Z",
  "created": "2013-09-11T17:46:08.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EDIT_USERNAME_AND_PASSWORD",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  },
  "_links": {
    "logo": [
      {
        "href": "https://example.okta.com/img/logos/logo_1.png",
        "name": "medium",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users"
    },
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups"
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate"
    }
  }
}

Set SWA administrator sets username and password

Configures the ADMIN_SETS_CREDENTIALS scheme for a SWA application with a username template

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "ADMIN_SETS_CREDENTIALS",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oabkvBLDEKCNXBGYUAS",
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "lastUpdated": "2013-10-01T06:28:03.486Z",
  "created": "2013-09-11T17:46:08.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "ADMIN_SETS_CREDENTIALS",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  },
  "_links": {
    "logo": [
      {
        "href": "https://example.okta.com/img/logos/logo_1.png",
        "name": "medium",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users"
    },
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups"
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate"
    }
  }
}

Set SWA user-editable password

Configures the EDIT_PASSWORD_ONLY scheme for a SWA application with a username template

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EDIT_PASSWORD_ONLY",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oabkvBLDEKCNXBGYUAS",
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "lastUpdated": "2013-10-01T06:25:37.612Z",
  "created": "2013-09-11T17:46:08.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EDIT_PASSWORD_ONLY",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  },
  "_links": {
    "logo": [
      {
        "href": "https://example.okta.com/img/logos/logo_1.png",
        "name": "medium",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users"
    },
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups"
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate"
    }
  }
}

Set SWA Okta password

Configures the EXTERNAL_PASSWORD_SYNC scheme for a SWA application with a username template

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EXTERNAL_PASSWORD_SYNC",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oabkvBLDEKCNXBGYUAS",
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "lastUpdated": "2013-10-01T06:30:17.151Z",
  "created": "2013-09-11T17:46:08.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "EXTERNAL_PASSWORD_SYNC",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  },
  "_links": {
    "logo": [
      {
        "href": "https://example.okta.com/img/logos/logo_1.png",
        "name": "medium",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users"
    },
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups"
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate"
    }
  }
}

Set SWA shared credentials

Configures the SHARED_USERNAME_AND_PASSWORD scheme for a SWA application with a username and password

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "SHARED_USERNAME_AND_PASSWORD",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "userName": "sharedusername",
    "password": {
      "value": "sharedpassword"
    }
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oabkvBLDEKCNXBGYUAS",
  "name": "template_swa",
  "label": "Sample Plugin App",
  "status": "ACTIVE",
  "lastUpdated": "2013-10-01T06:20:18.436Z",
  "created": "2013-09-11T17:46:08.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null
  },
  "visibility": {
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "BROWSER_PLUGIN",
  "credentials": {
    "scheme": "SHARED_USERNAME_AND_PASSWORD",
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "userName": "sharedusername",
    "password": {}
  },
  "settings": {
    "app": {
      "buttonField": "btn-login",
      "passwordField": "txtbox-password",
      "usernameField": "txtbox-username",
      "url": "https://example.com/login.html"
    }
  },
  "_links": {
    "logo": [
      {
        "href": "https://example.okta.com/img/logos/logo_1.png",
        "name": "medium",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/users"
    },
    "groups": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/groups"
    },
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
    },
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS/lifecycle/deactivate"
    }
  }
}
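
The request above carries the shared password in credentials.password.value, while the response returns an empty password object; the OAuth 2.0 client response later on this page also returns credentials.oauthClient.client_secret. The following added example (not Okta code) masks those fields and the Authorization header before a request or response is written to a log. The function names, the mask string and the sample token are assumptions.

```python
import copy
import json

MASK = "***REDACTED***"

# Locations of secret values in the app objects shown on this page.
SECRET_PATHS = (
    ("credentials", "password", "value"),              # SWA shared password (request)
    ("credentials", "oauthClient", "client_secret"),   # OAuth 2.0 client response
)

# Constructed sample: the credentials part of the request body above.
SAMPLE_REQUEST = {
    "name": "template_swa",
    "signOnMode": "BROWSER_PLUGIN",
    "credentials": {
        "scheme": "SHARED_USERNAME_AND_PASSWORD",
        "userName": "sharedusername",
        "password": {"value": "sharedpassword"},
    },
}


def redact_app(app):
    """Return a deep copy of an app object with known secret fields masked."""
    safe = copy.deepcopy(app)
    for *parents, leaf in SECRET_PATHS:
        node = safe
        for key in parents:
            node = node.get(key) if isinstance(node, dict) else None
            if node is None:
                break
        # A response such as "password": {} has no leaf and is left as it is.
        if isinstance(node, dict) and leaf in node:
            node[leaf] = MASK
    return safe


def redact_headers(headers):
    """Keep the auth scheme (SSWS, Bearer) for troubleshooting, mask the credential."""
    safe = {}
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme = value.split(" ", 1)[0]
            safe[name] = f"{scheme} {MASK}"
        else:
            safe[name] = value
    return safe


def log_record(method, url, headers, body):
    """Build the JSON line that is safe to hand to a logger."""
    return json.dumps({
        "method": method,
        "url": url,
        "headers": redact_headers(headers),
        "body": redact_app(body),
    }, sort_keys=True)


if __name__ == "__main__":
    print(log_record(
        "PUT",
        "https://example.okta.com/api/v1/apps/0oabkvBLDEKCNXBGYUAS",
        {"Authorization": "SSWS 00constructed-token", "Accept": "application/json"},
        SAMPLE_REQUEST,
    ))
```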

Update key credential for application

Updates the Application Key Credential by kid

Request Parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| app | app with new key credential kid | Body | Application | FALSE | |
| applicationId | id of an app | URL | String | TRUE | |

Response parameters

Application with updated kid

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "zendesk",
  "label": "Zendesk",
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4"
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oainmLkOL329Jcju0g3"
Response example
{
  "id": "0oainmLkOL329Jcju0g3",
  "name": "zendesk",
  "label": "Zendesk",
  "status": "ACTIVE",
  "lastUpdated": "2015-12-16T00:00:44.000Z",
  "created": "2015-12-14T18:18:48.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "licensing": {
    "seatCount": 0
  },
  "visibility": {
    "autoSubmitToolbar": true,
    "hide": {
      "iOS": false,
      "web": false
    },
    "appLinks": {
      "login": true
    }
  },
  "features": [],
  "signOnMode": "SAML_2_0",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4"
    }
  },
  "settings": {
    "app": {
      "companySubDomain": "aaa",
      "authToken": null
    },
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "signOn": {
      "defaultRelayState": null
    }
  },
  "_links": {
    "logo": [
      {
        "name": "medium",
        "href": "http://testorgone.okta.com/img/logos/zendesk.png",
        "type": "image/png"
      }
    ],
    "appLinks": [
      {
        "name": "login",
        "href": "http://testorgone.okta.com/home/zendesk/0oainmLkOL329Jcju0g3/120",
        "type": "text/html"
      }
    ],
    "help": {
      "href": "http://testorgone-admin.okta.com/app/zendesk/0oainmLkOL329Jcju0g3/setup/help/SAML_2_0/external-doc",
      "type": "text/html"
    },
    "users": {
      "href": "http://testorgone.okta.com/api/v1/apps/0oainmLkOL329Jcju0g3/users"
    },
    "deactivate": {
      "href": "http://testorgone.okta.com/api/v1/apps/0oainmLkOL329Jcju0g3/lifecycle/deactivate"
    },
    "groups": {
      "href": "http://testorgone.okta.com/api/v1/apps/0oainmLkOL329Jcju0g3/groups"
    },
    "metadata": {
      "href": "http://testorgone.okta.com/api/v1/apps/0oainmLkOL329Jcju0g3/sso/saml/metadata",
      "type": "application/xml"
    }
  }
}

Set self-service application assignment

Enables or disables a self-service application assignment by modifying the accessibility.selfService property

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "testorgone_examplecustomsaml20app_1",
  "label": "Example Custom SAML 2.0 App",
  "signOnMode": "SAML_2_0",
  "accessibility": {
    "selfService": true,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oainmLkOL329Jcju0g3"
Response example

Application with updated Accessibility object

Response example (self-service application assignment not available)

If you encounter the following error when enabling self-service, you can read about username overrides with profile mappings (Universal Directory). You can also read about how to update user permissions on properties in the user profile to secure your app before enabling self-service.

HTTP/1.1 403 Forbidden
Content-Type: application/json

{
  "errorCode": "E0000044",
  "errorSummary": "Self service application assignment is not supported.",
  "errorLink": "E0000044",
  "errorCauses": [
      {
          "errorSummary": "Self service is not available because the instance : Example Custom SAML 2.0 App has username set to use read-write property and that would create a security risk."
      }
  ]
}

Update the client authentication method

Updates the token_endpoint_auth_method property for an OAuth 2.0 client application

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
    "id": "0oap6nz61rKdsoyOY0h7",
    "name": "oidc_client",
    "label": "SampleClient",
    "status": "ACTIVE",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": true,
            "web": true
        },
        "appLinks": {
            "oidc_client_link": true
        }
    },
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "5gbe0HpzAYj2rsWSLxx1fYHdh-SzWqyKqwmfJ6qDk5g"
        },
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "0oap6nz61rKdsoyOY0h7",
            "token_endpoint_auth_method": "client_secret_jwt"
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "oauthClient": {
            "client_uri": "http://localhost:8080",
            "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
            "redirect_uris": [
                "https://example.com/oauth2/callback",
                "myapp://callback"
            ],
            "wildcard_redirect": "DISABLED",
            "post_logout_redirect_uris": [
                "https://example.com/oauth2/postLogoutRedirectUri"
            ],
            "response_types": [
                "token",
                "id_token",
                "code"
            ],
            "grant_types": [
                "implicit",
                "authorization_code"
            ],
            "application_type": "native",
            "consent_method": "TRUSTED",
            "issuer_mode": "CUSTOM_URL",
            "participate_slo": false
        }
    }
}' "https://${yourOktaDomain}/api/v1/apps/${appId}"
Response example
{
    "id": "0oap6nz61rKdsoyOY0h7",
    "name": "oidc_client",
    "label": "SampleClient",
    "status": "ACTIVE",
    "lastUpdated": "2020-01-09T18:01:12.000Z",
    "created": "2020-01-09T16:59:15.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": true,
            "web": true
        },
        "appLinks": {
            "oidc_client_link": true
        }
    },
    "features": [],
    "signOnMode": "OPENID_CONNECT",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.login}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "5gbe0HpzAYj2rsWSLxx1fYHdh-SzWqyKqwmfJ6qDk5g"
        },
        "oauthClient": {
            "autoKeyRotation": true,
            "client_id": "0oap6nz61rKdsoyOY0h7",
            "client_secret": "D0HxBn1FtTXeYC4cSBwWL_sPMztMT2t6Ei9n1QjO",
            "token_endpoint_auth_method": "client_secret_jwt"
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "oauthClient": {
            "client_uri": "http://localhost:8080",
            "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
            "redirect_uris": [
                "https://example.com/oauth2/callback",
                "myapp://callback"
            ],
            "wildcard_redirect": "DISABLED",
            "post_logout_redirect_uris": [
                "https://example.com/oauth2/postLogoutRedirectUri"
            ],
            "response_types": [
                "token",
                "id_token",
                "code"
            ],
            "grant_types": [
                "implicit",
                "authorization_code"
            ],
            "application_type": "native",
            "consent_method": "TRUSTED",
            "issuer_mode": "CUSTOM_URL",
            "idp_initiated_login": {
              "mode": "DISABLED"
            },
            "participate_slo": false
        }
    },
    "_links": {
        "appLinks": [
            {
                "name": "oidc_client_link",
                "href": "https://{yourOktaDomain}/home/oidc_client/0oap6nz61rKdsoyOY0h7/aln5z7uhkbM6y7bMy0g7",
                "type": "text/html"
            }
        ],
        "groups": {
            "href": "https://{yourOktaDomain}/api/v1/apps/0oap6nz61rKdsoyOY0h7/groups"
        },
        "logo": [
            {
                "name": "medium",
                "href": "https://example.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
                "type": "image/png"
            }
        ],
        "users": {
            "href": "https://{yourOktaDomain}/api/v1/apps/0oap6nz61rKdsoyOY0h7/users"
        },
        "deactivate": {
            "href": "https://{yourOktaDomain}/api/v1/apps/0oap6nz61rKdsoyOY0h7/lifecycle/deactivate"
        }
    }
}

Update application level profile attributes

Updates the Application profile attributes

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| app | app with new profile attributes | Body | Application | TRUE | |
| applicationId | id of an app | URL | String | TRUE | |

Response parameters

Application with updated profile attributes

Request example
curl -v -X PUT \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "name": "oidc_client",
  "label": "oauth2 client app 1",
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "oauthClient": {
      "client_id": "${clientId}",
      "autoKeyRotation": true,
      "token_endpoint_auth_method": "client_secret_post"
    }
  },
  "profile": {
    "label": "oauth2 client app 2"
  },
  "settings": {
    "oauthClient": {
      "client_uri": "http://localhost:8080",
      "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
      "redirect_uris": [
        "https://example.com/oauth2/callback",
        "myapp://callback"
      ],
      "post_logout_redirect_uris": [],
      "response_types": [
        "token",
        "id_token",
        "code"
      ],
      "grant_types": [
        "implicit",
        "authorization_code"
      ],
      "consent_method": "TRUSTED",
      "issuer_mode": "ORG_URL",
      "application_type": "native",
      "tos_uri": "",
      "policy_uri": "",
      "participate_slo": false
    }
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oabkvBLDEKCNXBGYUAS"
Response example
{
  "id": "0oa1ivcatpQDkMraA1d7",
  "name": "oidc_client",
  "label": "oauth2 client app 1",
  "status": "ACTIVE",
  "lastUpdated": "2021-10-04T22:48:42.000Z",
  "created": "2021-10-04T22:42:38.000Z",
  "accessibility": {
    "selfService": false,
    "errorRedirectUrl": null,
    "loginRedirectUrl": null
  },
  "visibility": {
    "autoLaunch": false,
    "autoSubmitToolbar": false,
    "hide": {
      "iOS": true,
      "web": true
    },
    "appLinks": {
      "oidc_client_link": true
    }
  },
  "features": [],
  "signOnMode": "OPENID_CONNECT",
  "credentials": {
    "userNameTemplate": {
      "template": "${source.login}",
      "type": "BUILT_IN"
    },
    "signing": {
      "kid": "Hn7zyyJ1XhKhAHa6MaNC2GjWmw3F5Pa_TxGAx9ojch0"
    },
    "oauthClient": {
      "autoKeyRotation": true,
      "client_id": "0oa1ivcatpQDkMraA1d7",
      "client_secret": "LD1G1-qeKo_KfM3VQx3Ass8aaGlYxuCq_cqCGlKF",
      "token_endpoint_auth_method": "client_secret_post"
    }
  },
  "settings": {
    "app": {},
    "notifications": {
      "vpn": {
        "network": {
          "connection": "DISABLED"
        },
        "message": null,
        "helpUrl": null
      }
    },
    "notes": {
      "admin": null,
      "enduser": null
    },
    "oauthClient": {
      "client_uri": "http://localhost:8080",
      "logo_uri": "http://developer.okta.com/assets/images/logo-new.png",
      "redirect_uris": [
        "https://example.com/oauth2/callback",
        "myapp://callback"
      ],
      "response_types": [
        "token",
        "id_token",
        "code"
      ],
      "grant_types": [
        "implicit",
        "authorization_code"
      ],
      "application_type": "native",
      "issuer_mode": "ORG_URL",
      "idp_initiated_login": {
        "mode": "DISABLED",
        "default_scope": []
      },
      "participate_slo": false
    }
  },
  "profile": {
    "label": "oauth2 client app 1"
  },
  "_links": {
    "uploadLogo": {
      "href": "https://example.okta.com/api/v1/apps/0oa1ivcatpQDkMraA1d7/logo",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "appLinks": [
      {
        "name": "oidc_client_link",
        "href": "https://example.okta.com/home/oidc_client/0oa1ivcatpQDkMraA1d7/aln177a159h7Zf52X0g8",
        "type": "text/html"
      }
    ],
    "groups": {
      "href": "https://example.okta.com/api/v1/apps/0oa1ivcatpQDkMraA1d7/groups"
    },
    "logo": [
      {
        "name": "medium",
        "href": "https://example.okta.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
        "type": "image/png"
      }
    ],
    "users": {
      "href": "https://example.okta.com/api/v1/apps/0oa1ivcatpQDkMraA1d7/users"
    },
    "deactivate": {
      "href": "https://example.okta.com/api/v1/apps/0oa1ivcatpQDkMraA1d7/lifecycle/deactivate"
    }
  }
}

Delete application

See Delete an Application in the new Okta API reference portal.

Update application policy

The Application policy operation reference is now available at the new Okta API reference portal as the Application Policies API.

Application lifecycle operations

The Application lifecycle operations reference is now available at the new Okta API reference portal as Activate an Application and Deactivate an Application.

Application user operations

The Application user operations reference is now available at the new Okta API reference portal as the Application Users API.

Explore the Okta Public API Collections workspace to get started with the Application Users Postman collection.

Application group operations

The Application group operations reference is now available at the new Okta API reference portal as the Application Groups API.

Explore the Okta Public API Collections workspace to get started with the Application Groups Postman collection.

Application key store operations

Generate new application key credential

POST /api/v1/apps/${applicationId}/credentials/keys/generate

Generates a new X.509 certificate for an application key credential

Note: To update the application with the newly generated key credential, see Update Key Credential.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |
| validityYears | expiry of the Application Key Credential | Query | Number | TRUE | |

Response parameters

Returns the generated Application Key Credential

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/keys/generate?validityYears=2"
Response example
{
  "created": "2015-12-10T18:56:23.000Z",
  "expiresAt": "2017-12-10T18:56:22.000Z",
  "x5c": [
    "[base64-encoded DER certificate]"
  ],
  "e": "AQAB",
  "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
  "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
  "kty": "RSA",
  "use": "sig",
  "x5t#S256": "5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps"
}

If validityYears is out of range (2 - 10 years), you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: generateKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "Validity years out of range. It should be 2 - 10 years"
    }
  ]
}

Clone application key credential

POST /api/v1/apps/${sourceApplicationId}/credentials/keys/${kid}/clone?targetAid=${targetApplicationId}

Clones an X.509 certificate for an application key credential from a source application to a target application

Important: Sharing certificates isn't a recommended security practice.

For step-by-step instructions to clone a credential, see Share application key credentials between apps.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| kid | Unique key of an Application Key Credential | URL | String | TRUE | |
| sourceApplicationId | Unique key of the source Application | URL | String | TRUE | |
| targetAid | Unique key of the target Application | Query | String | TRUE | |

Response parameters

Returns the cloned Application Key Credential

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/keys/SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4/clone?targetAid=0oal21k0DVN7DhS3R0g3"
Response example
{
  "created": "2015-12-10T18:56:23.000Z",
  "expiresAt": "2017-12-10T18:56:22.000Z",
  "x5c": [
    "[base64-encoded DER certificate]"
  ],
  "e": "AQAB",
  "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
  "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
  "kty": "RSA",
  "use": "sig",
  "x5t#S256": "5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps"
}

If the key is already present in the list of key credentials for the target application, you receive a 400 error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: cloneKey",
  "errorLink": "E0000001",
  "errorId": "oaeQACJOHl1TKSGj8jA3hEpAg",
  "errorCauses": [
    {
      "errorSummary": "Key already exists in the list of key credentials for the target app."
    }
  ]
}

List key credentials for application

GET /api/v1/apps/${applicationId}/credentials/keys

Enumerates key credentials for an application

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |

Response parameters

Array of Application Key Credential

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/keys"
Response example
[
  {
    "created": "2015-12-10T18:56:23.000Z",
    "expiresAt": "2017-12-10T18:56:22.000Z",
    "x5c": [
      "[base64-encoded DER certificate]"
    ],
    "e": "AQAB",
    "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
    "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps"
  },
  {
    "created": "2015-12-10T18:55:35.000Z",
    "expiresAt": "2045-01-23T02:15:23.000Z",
    "x5c": [
      "[base64-encoded DER certificate]"
    ],
    "e": "AQAB",
    "n": "htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw",
    "kid": "mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "7CCyXWwKzH4P6PoBP91B1S_iIZVzuGffVnUXu-BTYQQ"
  }
]
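An audit over the key lists returned by this endpoint, given here as an added example (not Okta's code). It flags a kid that appears under more than one application, which is what the clone operation above produces, checks that each x5t#S256 is the base64url SHA-256 of the DER certificate in x5c[0], and reports certificates that are expired or close to expiresAt. The sample keys, application names, the 30-day warning window and the finding labels are constructed assumptions.

```python
import base64
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def b64url_nopad(raw):
    """base64url without '=' padding, the encoding of the JWK x5t#S256 member."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_timestamp(value):
    """Parse timestamps shaped like the page's 2017-12-10T18:56:22.000Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def audit_key_credentials(keys_by_app, now, warn_days=30):
    """keys_by_app maps applicationId -> list of key credential objects, as
    returned by GET /api/v1/apps/${applicationId}/credentials/keys.
    Returns (applicationId, kid, finding) tuples."""
    findings = []
    apps_by_kid = defaultdict(set)
    for app_id, keys in keys_by_app.items():
        for key in keys:
            kid = key["kid"]
            apps_by_kid[kid].add(app_id)

            # x5c[0] is the certificate as standard base64 DER.
            chain = key.get("x5c") or []
            if not chain:
                findings.append((app_id, kid, "NO_CERTIFICATE"))
            else:
                der = base64.b64decode(chain[0])
                expected = b64url_nopad(hashlib.sha256(der).digest())
                if expected != key.get("x5t#S256"):
                    findings.append((app_id, kid, "THUMBPRINT_MISMATCH"))

            expires = parse_timestamp(key["expiresAt"])
            if expires <= now:
                findings.append((app_id, kid, "EXPIRED"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((app_id, kid, "EXPIRES_SOON"))

    # The same kid under several applications means a shared certificate.
    for kid, apps in apps_by_kid.items():
        if len(apps) > 1:
            findings.extend((a, kid, "SHARED_ACROSS_APPS") for a in sorted(apps))
    return findings


def make_sample_key(kid, der, expires_at, thumbprint=None):
    """Build a constructed key credential; `der` stands in for certificate bytes."""
    return {
        "kid": kid,
        "kty": "RSA",
        "use": "sig",
        "expiresAt": expires_at,
        "x5c": [base64.b64encode(der).decode("ascii")],
        "x5t#S256": thumbprint or b64url_nopad(hashlib.sha256(der).digest()),
    }


# Constructed sample data: two applications, one cloned key, one key close to
# expiry, one key whose thumbprint does not match its certificate.
SAMPLE = {
    "app-A": [make_sample_key("kid-1", b"constructed-der-1", "2030-01-01T00:00:00.000Z")],
    "app-B": [
        make_sample_key("kid-1", b"constructed-der-1", "2030-01-01T00:00:00.000Z"),
        make_sample_key("kid-2", b"constructed-der-2", "2024-01-15T00:00:00.000Z"),
        make_sample_key("kid-3", b"constructed-der-3", "2030-01-01T00:00:00.000Z",
                        thumbprint="AAAA"),
    ],
}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_key_credentials(SAMPLE, NOW):
        print(*finding)
```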

Get key credential for application

GET /api/v1/apps/${applicationId}/credentials/keys/${kid}

Gets a specific Application Key Credential by kid

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |
| kid | unique key of an Application Key Credential | URL | String | TRUE | |

Response parameters

Application Key Credential.

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/keys/mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo"
Response example
{
  "created": "2015-12-10T18:56:23.000Z",
  "expiresAt": "2017-12-10T18:56:22.000Z",
  "x5c": [
    "MIIDqDCCApCgAwIBAgIGAVGNQFX5MA0GCSqGSIb3DQEBBQUAMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTAeFw0xNTEyMTAxODU1MjJaFw0xNzEyMTAxODU2MjJaMIGUMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEUMBIGA1UECwwLU1NPUHJvdmlkZXIxFTATBgNVBAMMDGJhbGFjb21wdGVzdDEcMBoGCSqGSIb3DQEJARYNaW5mb0Bva3RhLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJJjrcnI6cXBiXNq9YDgfYrQe2O5qEHG4MXP8Ue0sMeefFkFEHYHnHUeZCq6WTAGqR+1LFgOl+Eq9We5V+qNlGIfkFkQ3iHGBrIALKqLCd0Et76HicDiegz7j9DtN+lo0hG/gfcw5783L5g5xeQ7zVmCQMkFwoUA0uA3bsfUSrmfORHJL+EMNQT8XIXD8NkG4g6u7ylHVRTLgXbe+W/p04m3EP6l41xl+MhIpBaPxDsyUvcKCNwkZN3aZIin1O9Y4YJuDHxrM64/VtLLp0sC05iawAmfsLunF7rdJAkWUpPn+xkviyNQ3UpvwAYuDr+jKLUdh2reRnm1PezxMIXzBVMCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEARnFIjyitrCGbleFr3KeAwdOyeHiRmgeKupX5ZopgXtcseJoToUIinX5DVw2fVZPahqs0Q7/a0wcVnTRpw6946qZCwKd/PvZ1feVuVEA5Ui3+XvHuSH5xLp7NvYG1snNEvlbN3+NDUMlWj2NEbihowUBt9+UxTpQO3+N08q3aZk3hOZ+tHt+1Te7KEEL/4CM28GZ9MY7fSrS7MAgp1+ZXtn+kRlMrXnQ49qBda37brwDRqmSY9PwNMbev3r+9ZHwxr9W5wXW4Ev4C4xngA7RkVoyDbItSUho0I0M0u/LHuppclnXrw97xyO5Z883eIBvPVjfRcxsJxXJ8jx70ATDskw=="
  ],
  "e": "AQAB",
  "n": "htbi5H5MN_oYaKcZ8vlWRZn2oTrPY0v8_2Br_VZPJgJ57dCgguq5dDk1Me_ax-B3kjBPdXcW8wEoUFaU30spyVeQjZrdqsSvF0nMW4OzrMOIqrGLwCrAoDBS8tutfk5Y7qc-5xABzxgu4BjgSK5nWXbCt_UR0DzVTknotmMGeT8tAej8F6GAphLa0YhIxWT7Jy-y_pdANsiUPRiZBoLueGI0rrCqgYHIQVjNoj4-si105KCXbQuyYM9_Cd-dyyu5KJ4Ic0cOW61gpx4pnecMgSy8OX57FEd06W2hExBd49ah6jra2KFMeOGe3rkIXirdkofl1mBgeQ77ruKO1wW9Qw",
  "kid": "mXtzOtml09Dg1ZCeKxTRBo3KrQuBWFkJ5oxhVagjTzo",
  "kty": "RSA",
  "use": "sig",
  "x5t#S256": "5GOpy9CQVtfvBmu2T8BHvpKE4OGtC3BuS046t7p9pps"
}

Preview SAML metadata for application

The Application SAML metadata preview reference is now available at the new Okta API reference portal as the Application SSO API.

Explore the Okta Public API Collections workspace to get started with the Application SSO Postman collection.

Generate CSR for application

POST /api/v1/apps/${applicationId}/credentials/csrs

Generates a new key pair and returns the Certificate Signing Request (CSR). The information in a CSR is used by the Certificate Authority (CA) to verify and create your certificate. It also contains the public key that is included in your certificate.

Note: The key pair isn't listed in the key credentials for the application until it's published.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |
| metadata | Metadata for the CSR | Body | CSR Metadata | TRUE | |

Response parameters

Returns CSR in PKCS#10 format if the Accept media type is application/pkcs10 or a CSR object if the Accept media type is application/json

Request example

Generates a new key pair and returns the CSR in PKCS#10 format

curl -v -X POST \
-H "Accept: application/pkcs10" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "subject": {
    "countryName": "US",
    "stateOrProvinceName": "California",
    "localityName": "San Francisco",
    "organizationName": "Okta, Inc.",
    "organizationalUnitName": "Dev",
    "commonName": "SP Issuer"
  },
  "subjectAltNames": {
    "dnsNames": ["dev.okta.com"]
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/"

Generates a new key pair and returns the CSR object

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "subject": {
    "countryName": "US",
    "stateOrProvinceName": "California",
    "localityName": "San Francisco",
    "organizationName": "Okta, Inc.",
    "organizationalUnitName": "Dev",
    "commonName": "SP Issuer"
  },
  "subjectAltNames": {
    "dnsNames": ["dev.okta.com"]
  }
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/"
Response example

Returns CSR in PKCS#10 format

HTTP/1.1 201 Created
Location: https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50
Content-Type: application/pkcs10; filename=okta.p10
Content-Transfer-Encoding: base64

[base64-encoded PKCS#10 CSR]

Returns a CSR object

{
  "id": "h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
  "created": "2017-03-28T01:11:10.000Z",
  "csr": "[base64-encoded PKCS#10 CSR]",
  "kty": "RSA",
  "_links": {
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
      "hints": {
        "allow": [
          "GET",
          "DELETE"
        ]
      }
    },
    "publish": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

Publish CSR for application

POST /api/v1/apps/${applicationId}/credentials/csrs/${csrId}/lifecycle/publish

Updates the CSR with a signed X.509 certificate and adds it into the application key credentials

Note: Publishing a certificate completes the lifecycle of the CSR and it is no longer accessible.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of the Application | URL | String | TRUE | |
| certificate | The signed X.509 certificate | Body | X.509 certificate in DER, PEM or CER format | TRUE | |
| csrId | Unique key of an Application CSR | URL | String | TRUE | |

For DER- and CER-formatted certificates, the client can post the certificate either in binary or base64-encoded. If the post is base64-encoded, the Content-Transfer-Encoding header should be set to base64.

Response parameters

Returns the new Application Key Credential

Request example

Publishes with an X.509 certificate in base64 encoded DER

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/pkix-cert" \
-H "Authorization: SSWS ${api_token}" \
-H "Content-Transfer-Encoding: base64" \
-d "[base64-encoded DER certificate]" \
"https://${yourOktaDomain}/api/v1/apps/0oa1ysid1U3iyFqLu0g4/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish"

Publishes with an X.509 certificate in PEM format

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/x-pem-file" \
-H "Authorization: SSWS ${api_token}" \
--data-binary @certificate.pem \
"https://${yourOktaDomain}/api/v1/apps/0oa1ysid1U3iyFqLu0g4/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish"

Publishes with an X.509 certificate in binary CER format

curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/x-x509-ca-cert" \
-H "Authorization: SSWS ${api_token}" \
--data-binary @certificate.cer \
"https://${yourOktaDomain}/api/v1/apps/0oa1ysid1U3iyFqLu0g4/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish"
Response example
{
    "created": "2017-03-27T21:19:57.000Z",
    "lastUpdated": "2017-03-27T21:19:57.000Z",
    "expiresAt": "2018-04-06T21:20:47.000Z",
    "x5c": [
      "MIIFgjCCA2qgAwIBAgICEAcwDQYJKoZIhvcNAQELBQAwXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQKDARPa3RhMQwwCgYDVQQLDANFbmcxDTALBgNVBAMMBFJvb3QwHhcNMTcwMzI3MjEyMDQ3WhcNMTgwNDA2MjEyMDQ3WjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzETMBEGA1UECgwKT2t0YSwgSW5jLjEQMA4GA1UECwwHSmFua3lDbzEVMBMGA1UEAwwMSWRQIElzc3VlciA3MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmkC6yAJVvFwUlmM9gKjb2d+YK5qHFt+mXSsbjWKKs4EfNm+BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL/q7n0f/SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH+bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQIDAQABo4IBLjCCASowCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwMwYJYIZIAYb4QgENBCYWJE9wZW5TU0wgR2VuZXJhdGVkIFNlcnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUVqJukDmyENw/2pTApbxc/HRKbngwgZAGA1UdIwSBiDCBhYAUFx245ZZXqWTTbARfMlFWN77L9EahYqRgMF4xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEMMAoGA1UECwwDRW5nMQ0wCwYDVQQDDARSb290ggkAlIfpwZjO5o8wDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUAA4ICAQCcoBSRtY+9cJY00hLvq6AloYZcdn/kUQupfmyz4n3lKE3wV2FB0swKnK0QDi8iNuQJFdag/19vDHC4/LhoSuv1Q+KXM61pPZVRXXPyC1+e7Y6hj93tEI5HcqLPcDRH1AIG2l8tE7LBn+MQB5Vh6oxjG2IdoWxg6abMfISU+MauPWql4vMDUWo9iNShAo44Z5fd+nuz+hlAinU9Xn9Jf2QsfKvcbMRq7iuqgkabgdmObmWb9KK0Vm7TDkxCH0pB0onPr6epVUP8Obg/pT1Oj/1hOLbfR8CHHWdAWzUBGGvp2TIy2A8LUaEoFnwkxZfdL7Bnd0RH/ClBtAjzLOxmUo7NbZmEnYCcD5pZz7BdZI0db/eBXFqfOlA88rEe+9Sv+NndIq0/WNIIsJi2RgjJnxsxvB5MjhhzmItpFIUl5yqoO3C9jcCp6HDBJxtCGbvAr5ALPn5RCJeBIr67WpAiTd7L3Ebu9SQZlXnoHX8kP04EA6ylR3W0EFbh7KUtq8M2H2vo0wjMj7ysl/3tT7cEZ97s1ygO5iJx3GfMDyrDhtLXSBJ20uSxTJeptRw8SDiwTqunIh1WyKlcQz1WGauSbW4eXdj/r9KYMJ3qMMkdP/9THQUtTcOYx51r8RV9pdzqF2HPnZZNziBa+wXJZHEWp70NyoakNthgYwtypqiDHs2f3Q=="
    ],
    "e": "AQAB",
    "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
    "kid": "ZC5C-1gEUwVxiYI8xdmYYDI3Noc4zI24fLNxBpZVR04",
    "kty": "RSA",
    "use": "sig",
    "x5t#S256": "lt0HQ-Ty_f_5icHGjUTrrNSO6dofPTRoPzOZhNSg5Kc"
}

If the certificate doesn't match the CSR or its validity period is less than 90 days, you receive a 400 error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: certificate",
  "errorLink": "E0000001",
  "errorId": "oaeu3Ej_tjlSXytiahRUasoSg",
  "errorCauses": [
    {
      "errorSummary": "The certificate does not match the CSR."
    }
  ]
}

Revoke CSR from application

DELETE /api/v1/apps/${applicationId}/credentials/csrs/${csrId}

Revokes a CSR and deletes the key pair from the application

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | id of an Application | URL | String | TRUE | |
| csrId | unique key of a CSR object | URL | String | TRUE | |

Response parameters

Empty response

Request example
curl -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg"
Response example
HTTP/1.1 204 No Content

List CSRs for application

GET /api/v1/apps/${applicationId}/credentials/csrs

Enumerates CSRs for an application

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |

Response parameters

Array of CSR objects

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs"
Response example
[
  {
    "id": "h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
    "created": "2017-03-28T01:11:10.000Z",
    "csr": "[base64-encoded PKCS#10 CSR]",
    "kty": "RSA",
    "_links": {
      "self": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
        "hints": {
          "allow": [
            "GET",
            "DELETE"
          ]
        }
      },
      "publish": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    }
  },
  {
    "id": "-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg",
    "created": "2017-03-28T01:21:10.000Z",
    "csr": "[base64-encoded PKCS#10 CSR]",
    "kty": "RSA",
    "_links": {
      "self": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg",
        "hints": {
          "allow": [
            "GET",
            "DELETE"
          ]
        }
      },
      "publish": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/-_-BFwAGoUYN-DDvsSKQFdx7OXaPZqrEPpFDO1hu-rg/lifecycle/publish",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    }
  }
]

Get CSR for application

GET /api/v1/apps/${applicationId}/credentials/csrs/${csrId}

Gets a specific CSR object by csrId

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | unique key of an Application | URL | String | TRUE | |
| csrId | unique key of a CSR object | URL | String | TRUE | |

Response parameters

Returns a base64 encoded CSR in DER format if the Accept media type is application/pkcs10 or a CSR object if the Accept media type is application/json

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50"
Response example
{
  "id": "h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
  "created": "2017-03-28T01:11:10.000Z",
  "csr": "MIIC4DCCAcgCAQAwcTELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xEzARBgNVBAoMCk9rdGEsIEluYy4xDDAKBgNVBAsMA0RldjESMBAGA1UEAwwJU1AgSXNzdWVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6m8jHVCr9/tKvvbFN59T4raoCs/78KRm4fSefHQOv1TKLXo4wTLbsqYWRWc5u0sd5orUMQgPQOyj3i6qh13mALY4BzrT057EG1BUNjGg29QgYlnOk2iX890e5BIDMQQEIKFrvOi2V8cLUkLvE2ydRn0VO1Q1frbUkYeStJYC5Api2JQsYRwa+1ZeDH1ITnIzUaugWhW2WB2lSnwZkenne5KtffxMPYVu+IhNRHoKaRA6Z51YNhMJIx17JM2hs/H4Ka3drk6kzDf7ofk/yBpb9yBWyU7CTSQhdoHidxqFprMDaT66W928t3AeOENHBuwn8c2K9WeGG+bELNyQRJVmawIDAQABoCowKAYJKoZIhvcNAQkOMRswGTAXBgNVHREEEDAOggxkZXYub2t0YS5jb20wDQYJKoZIhvcNAQELBQADggEBAA2hsVJRVM+A83X9MekjTnIbt19UNT8wX7wlE9jUKirWsxceLiZBpVGn9qfKhhVIpvdaIRSeoFYS2Kg/m1G6bCvjmZLcrQ5FcEBjZH2NKfNppGVnfC2ugtUkBtCB+UUzOhKhRKJtGugenKbP33zRWWIqnd2waF6Cy8TIuqQVPbwEDN9bCbAs7ND6CFYNguY7KYjWzQOeAR716eqpEEXuPYAS4nx/ty4ylonR8cv+gpq51rvq80A4k/36aoeM0Y6I4w64vhTfuvWW2UYFUD+/+y2FA2CSP4JfctySrf1s525v6fzTFZ3qZbB5OZQtP2b8xYWktMzywsxGKDoVDB4wkH4=",
  "kty": "RSA",
  "_links": {
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
      "hints": {
        "allow": [
          "GET",
          "DELETE"
        ]
      }
    },
    "publish": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

Application client secret management operations

Add new client secret

POST /api/v1/apps/${applicationId}/credentials/secrets

Adds a new secret to the client's collection of secrets

Note: This API lets you bring your own secret. If no secret is specified in the request, it adds a new system-generated secret.

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| metadata | Client secret request object Client Secret Metadata | Body | Client Secret Metadata | FALSE | |

Response parameters

Returns the generated Client Secret

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
    "client_secret" : "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp"
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets"
Response example
{
  "id": "ocsap6nz61rKdsoyOY0h7",
  "client_secret": "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp",
  "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
  "created": "2022-01-01T04:22:27.000Z",
  "status": "ACTIVE",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If client_secret in the request is more than 100 characters long, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: client_secret",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "client_secret: 'client_secret' cannot be more than '100' characters long."
    }
  ]
}

If client_secret in the request is less than 14 characters long, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: client_secret",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "client_secret: 'client_secret' must be at least '14' characters long."
    }
  ]
}

If client_secret in the request is less than 32 characters long, and the token_endpoint_auth_method of the app is client_secret_jwt, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: client_secret",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "client_secret: 'client_secret' must be at least '32' characters long when 'token_endpoint_auth_method' is 'client_secret_jwt'."
    }
  ]
}

If token_endpoint_auth_method for the app is private_key_jwt, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "'client_secret' cannot be used when 'token_endpoint_auth_method' is 'private_key_jwt'."
    }
  ]
}

If client_secret in the request contains non-ASCII characters, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: client_secret",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "client_secret: ''client_secret'' must only contain printable ASCII: [x20-x7E]+"
    }
  ]
}

If the number of client secrets per application exceeds 2, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "You have reached the maximum number of client secrets per client."
    }
  ]
}
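A pre-flight check for bring-your-own secrets that mirrors the validation errors listed above, so a provisioning pipeline can reject a bad secret before it is sent. This is an added example, not Okta's code: the function names and finding labels are assumptions, and the generator relies on Python's `secrets` module rather than anything the API provides.

```python
import secrets

# Limits taken from the error responses documented above.
MAX_SECRETS_PER_APP = 2
MIN_LENGTH = 14
MIN_LENGTH_CLIENT_SECRET_JWT = 32
MAX_LENGTH = 100


def preflight_client_secret(secret, auth_method, existing_secret_count):
    """Return the list of rule violations for adding `secret` to an app.

    secret                 -- the bring-your-own value, or None to let Okta
                              generate one
    auth_method            -- the app's token_endpoint_auth_method
    existing_secret_count  -- secrets the app already holds
    """
    # Apps that authenticate with a private key cannot carry a client secret.
    if auth_method == "private_key_jwt":
        return ["NOT_ALLOWED_FOR_PRIVATE_KEY_JWT"]

    errors = []
    if existing_secret_count >= MAX_SECRETS_PER_APP:
        errors.append("SECRET_LIMIT_REACHED")
    if secret is None:
        return errors  # nothing else to validate for a system-generated secret

    # client_secret_jwt uses the secret as an HMAC key, hence the higher floor.
    if auth_method == "client_secret_jwt":
        minimum = MIN_LENGTH_CLIENT_SECRET_JWT
    else:
        minimum = MIN_LENGTH
    if len(secret) < minimum:
        errors.append("TOO_SHORT")
    if len(secret) > MAX_LENGTH:
        errors.append("TOO_LONG")
    # Printable ASCII only: [x20-x7E]
    if any(not 0x20 <= ord(ch) <= 0x7E for ch in secret):
        errors.append("NON_PRINTABLE_ASCII")
    return errors


def generate_client_secret():
    """64 URL-safe characters from the OS CSPRNG; satisfies every rule above."""
    return secrets.token_urlsafe(48)


if __name__ == "__main__":
    candidate = generate_client_secret()
    print(len(candidate), preflight_client_secret(candidate, "client_secret_jwt", 1))
```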

List client secrets

GET /api/v1/apps/${applicationId}/credentials/secrets

Enumerates the client's collection of secrets

Request parameters

| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |

Response parameters

Returns the list of Client Secrets

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets"
Response example
[
  {
    "id": "ocsap6nz61rKdsoyOY0h7",
    "client_secret": "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp",
    "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
    "created": "2022-01-01T04:22:27.000Z",
    "status": "ACTIVE",
    "_links" : {
      "deactivate": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/deactivate",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    }
  },
  {
    "id": "ocsap6nz61rKdsoyOY0j8",
    "client_secret": "D0HxBn1FtTXeYC4cSBwWL_sPMztMT2t6Ei9n1QjO",
    "secret_hash": "0ybeefbeefbeefbeefbeefbeef",
    "created": "2022-01-01T04:22:27.000Z",
    "status": "ACTIVE",
    "_links" : {
      "deactivate": {
        "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0j8/lifecycle/deactivate",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    }
  }
]

Get client secret

GET /api/v1/apps/${applicationId}/credentials/secrets/{secretId}

Gets a specific client secret by secretId

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| secretId | Unique key of a Client Secret | URL | String | TRUE | |

Response parameters

Returns the Client Secret

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7"
Response example
{
  "id": "ocsap6nz61rKdsoyOY0h7",
  "client_secret": "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp",
  "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
  "created": "2022-01-01T04:22:27.000Z",
  "status": "ACTIVE",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If a secret isn't found for the secretId, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 1234 (OAuth2ClientSecretMediated)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

Activate a client secret

POST /api/v1/apps/${applicationId}/credentials/secrets/{secretId}/lifecycle/activate

Activates a specific client secret by secretId

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| secretId | Unique key of a Client Secret | URL | String | TRUE | |

Response parameters

Returns an activated Client Secret

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/activate"
Response example
{
  "id": "ocsap6nz61rKdsoyOY0h7",
  "client_secret": "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp",
  "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
  "created": "2022-01-01T04:22:27.000Z",
  "status": "ACTIVE",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If a secret isn't found for the secretId, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 1234 (OAuth2ClientSecretMediated)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

Deactivate a client secret

POST /api/v1/apps/${applicationId}/credentials/secrets/{secretId}/lifecycle/deactivate

Deactivates a specific client secret by secretId

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| secretId | Unique key of a Client Secret | URL | String | TRUE | |

Response parameters

Returns the deactivated Client Secret

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/deactivate"
Response example
{
  "id": "ocsap6nz61rKdsoyOY0h7",
  "client_secret": "3vimrC5Yv6bSDJzrUdLEYvkf9ElwUeWdndO5nhYp",
  "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
  "created": "2022-01-01T04:22:27.000Z",
  "status": "INACTIVE",
  "_links": {
    "activate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7/lifecycle/activate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "delete": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7",
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}

If a secret isn't found for the secretId, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 1234 (OAuth2ClientSecretMediated)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

If the application has only one active client secret, and if a deactivate request is sent for that client secret, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "You can't deactivate the only active client secret."
    }
  ]
}

Delete a client secret

DELETE /api/v1/apps/${applicationId}/credentials/secrets/{secretId}

Deletes a specific client secret by secretId

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| secretId | Unique key of a Client Secret | URL | String | TRUE | |

Response parameters

Empty response

Request example
curl -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/secrets/ocsap6nz61rKdsoyOY0h7"
Response example
HTTP/1.1 204 No Content

If a secret isn't found for the secretId, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 1234 (OAuth2ClientSecretMediated)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

If the delete request is received for an active secret, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "You can't delete an active client secret. Deactivate the secret before deleting it."
    }
  ]
}
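
The lifecycle rules in the client secret operations above (at most two secrets per app, the only active secret can't be deactivated, an active secret can't be deleted) determine the order of calls in a rotation. The following Python sketch is an added example, not Okta code: plan_rotation and simulate are hypothetical helper names, the bare POST to /credentials/secrets stands for the add operation whose errors are listed above, and a newly added secret is assumed to start ACTIVE (the default status in the Client Secret Response properties).

```python
MAX_SECRETS = 2  # the API rejects a third secret for the same app


def plan_rotation(app_id, secrets, retire_id):
    """Return the ordered (method, path) calls that replace `retire_id`.

    `secrets` is the parsed body of the List client secrets response.
    """
    by_id = {s["id"]: s for s in secrets}
    if retire_id not in by_id:
        raise KeyError(retire_id)  # the API would answer E0000007 (not found)
    base = f"/api/v1/apps/{app_id}/credentials/secrets"
    create = ("POST", base)  # assumption: the new secret is created ACTIVE

    retire = []
    if by_id[retire_id]["status"] == "ACTIVE":
        retire.append(("POST", f"{base}/{retire_id}/lifecycle/deactivate"))
    retire.append(("DELETE", f"{base}/{retire_id}"))

    if len(secrets) < MAX_SECRETS:
        # Free slot: add the replacement first so an active secret always exists.
        return [create] + retire
    other = next(s for s in secrets if s["id"] != retire_id)
    if other["status"] == "INACTIVE":
        # Slots are full, but the inactive spare can be deleted to make room.
        return [("DELETE", f"{base}/{other['id']}"), create] + retire
    # Both slots hold active secrets: the other one keeps the app usable while
    # the old secret is removed, and only then is there room for a new one.
    return retire + [create]


def simulate(secrets, steps, new_id="NEW"):
    """Replay `steps` against the documented rules.

    Returns the final {id: status} map, or raises ValueError at the first
    call the API would reject with E0000001.
    """
    state = {s["id"]: s["status"] for s in secrets}
    for method, path in steps:
        tail = path.split("/credentials/secrets")[1].strip("/").split("/")
        secret_id, action = tail[0], tail[-1]
        if method == "POST" and not secret_id:
            if len(state) >= MAX_SECRETS:
                raise ValueError("maximum number of client secrets per client")
            state[new_id] = "ACTIVE"
        elif method == "POST" and action == "deactivate":
            active = [i for i, status in state.items() if status == "ACTIVE"]
            if active == [secret_id]:
                raise ValueError("can't deactivate the only active client secret")
            state[secret_id] = "INACTIVE"
        elif method == "POST" and action == "activate":
            state[secret_id] = "ACTIVE"
        elif method == "DELETE":
            if state[secret_id] == "ACTIVE":
                raise ValueError("can't delete an active client secret")
            del state[secret_id]
    return state


# Ids and statuses from the List client secrets response example on this page
# (secret values left out on purpose).
SAMPLE = [
    {"id": "ocsap6nz61rKdsoyOY0h7", "status": "ACTIVE"},
    {"id": "ocsap6nz61rKdsoyOY0j8", "status": "ACTIVE"},
]

if __name__ == "__main__":
    plan = plan_rotation("0oad5lTSBOMUBOBVVQSC", SAMPLE, "ocsap6nz61rKdsoyOY0h7")
    for method, path in plan:
        print(method, path)
    print(simulate(SAMPLE, plan))
```

When both slots already hold active secrets, clients must be moved to the remaining secret before the plan runs, because the new secret is only issued after the old one is deleted.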

Application client JSON Web Key management operations

Add new JSON Web Key

POST /api/v1/apps/${applicationId}/credentials/jwks

Adds a new JSON Web Key to the client’s JSON Web Keys.

Note: This API doesn't let you add a key if the existing key doesn't have a kid. This matches the behavior of the clients and apps APIs, which don't allow the creation of multiple keys without kids. To resolve this, update the JWKS with the Update application operation or the Update a client application operation, or use the JWKS Management API's Delete a key operation to remove the existing key and re-add it with a kid.

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| metadata | JSON Web Key Request Object JSON Web Key Metadata | Body | JSON Web Key Metadata | TRUE | |

Response parameters

Returns the generated JSON Web Key

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
-d '{
  "kid": "key1",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e":"AQAB",
  "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU="
}' "https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks"
Response example
{
  "id": "pks055raeabcdef5rpg6",
  "kid": "key1",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e":"AQAB",
  "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
  "status": "ACTIVE",
  "created": "2022-01-01 21:51:14.0",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If there is more than one JSON Web Key, each key must have a unique, non-null kid, or you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "Each key should have a unique kid when adding multiple keys. Use the Apps API to update the JWKS to add a kid for the existing key, or delete the existing key and re-add the key with a kid using the JWKS APIs."
    }
  ]
}

If the JSON Web Key has a duplicate kid, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "All keys in the 'jwks' must have a unique kid."
    }
  ]
}

If the RSA JSON Web Key length is less than 2048 bits, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "RSA key length in the 'jwks' is less than '2,048' bits for the given key."
    }
  ]
}

If the number of JSON Web Keys per application exceeds the set limit (currently 50), you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: OAuth2ClientSecretMediated",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "You can't create a new key. You have reached the maximum number of keys allowed (50). To add another key, you must first delete an existing one."
    }
  ]
}
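
The conditions behind the error responses above (missing or duplicate kid, RSA key shorter than 2048 bits, the 50-key limit) can be checked locally before sending the POST. The following Python sketch is an added example, not Okta code: preflight, b64url_to_int and int_to_b64url are hypothetical names, the sample keys are constructed, and measuring the key length as the bit length of the decoded n value is an assumption about how the length is computed.

```python
import base64
import re

MAX_KEYS = 50        # documented per-application limit
MIN_RSA_BITS = 2048  # documented minimum RSA key length
_B64URL = re.compile(r"[A-Za-z0-9_-]+={0,2}")


def b64url_to_int(value):
    """Decode a base64url big-endian integer (JWK "n" or "e"), padded or not."""
    if not _B64URL.fullmatch(value):
        # b64decode silently skips foreign characters, so reject them up front.
        raise ValueError("value is not base64url")
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    # Leading zero bytes do not change the integer, so they cannot inflate
    # the measured key length.
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def int_to_b64url(number, leading_zero=False):
    """Encode an integer as unpadded base64url (used to build sample keys)."""
    raw = number.to_bytes((number.bit_length() + 7) // 8, "big")
    if leading_zero:
        raw = b"\x00" + raw
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def preflight(new_key, existing_keys):
    """Return the documented rejections this add request would trigger."""
    problems = []
    if len(existing_keys) >= MAX_KEYS:
        problems.append("key limit reached")
    if any(not key.get("kid") for key in existing_keys):
        problems.append("existing key without kid")
    kid = new_key.get("kid")
    if not kid:
        if existing_keys:
            problems.append("kid required")
    elif any(key.get("kid") == kid for key in existing_keys):
        problems.append("duplicate kid")
    if new_key.get("kty") == "RSA":
        bits = b64url_to_int(new_key["n"]).bit_length()
        if bits < MIN_RSA_BITS:
            problems.append(f"RSA key is {bits} bits")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 1024-bit modulus added next to an existing "key1".
    weak = {"kid": "key2", "kty": "RSA", "e": "AQAB",
            "n": int_to_b64url((1 << 1023) | 1)}
    print(preflight(weak, [{"kid": "key1"}]))
```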

List JSON Web Keys

GET /api/v1/apps/${applicationId}/credentials/jwks

Enumerates the client's collection of JSON Web Keys

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |

Response parameters

Returns the list of JSON Web Keys

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks"
Response example
{
  "jwks": {
    "keys": [
      {
        "id": "pks055raeabcdef5rpg6",
        "kid": "key1",
        "kty": "RSA",
        "alg": "RS256",
        "use": "sig",
        "e":"AQAB",
        "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
        "status": "ACTIVE",
        "created": "2022-01-01 21:51:14.0",
        "_links" : {
          "deactivate": {
            "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/deactivate",
            "hints": {
              "allow": [
                "POST"
              ]
            }
          }
        }
      },
      {
        "id": "pks055raeabcdef5ruuu",
        "kid": "key2",
        "kty": "RSA",
        "alg": "RS256",
        "use": "sig",
        "e":"AQAB",
        "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
        "status": "ACTIVE",
        "created": "2022-01-01 21:51:14.0",
        "_links" : {
          "deactivate": {
            "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5ruuu/lifecycle/deactivate",
            "hints": {
              "allow": [
                "POST"
              ]
            }
          }
        }
      }
    ]
  }
}

Get JSON Web Key

GET /api/v1/apps/${applicationId}/credentials/jwks/{id}

Gets a specific JSON Web Key by id

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| id | Unique key of a JSON Web Key | URL | String | TRUE | |

Response parameters

Returns the JSON Web Key

Request example
curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6"
Response example
{
  "id": "pks055raeabcdef5rpg6",
  "kid": "key1",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e":"AQAB",
  "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
  "status": "ACTIVE",
  "created": "2022-01-01 21:51:14.0",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If the JSON Web Key isn't found for the id, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: xyz (JsonWebKey)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

Activate a JSON Web Key

POST /api/v1/apps/${applicationId}/credentials/jwks/{id}/lifecycle/activate

Activates a specific JSON Web Key by id

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| id | Unique key of a JSON Web Key | URL | String | TRUE | |

Response parameters

Returns an activated JSON Web Key

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/activate"
Response example
{
  "id": "pks055raeabcdef5rpg6",
  "kid": "key1",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e":"AQAB",
  "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
  "status": "ACTIVE",
  "created": "2022-01-01 21:51:14.0",
  "_links" : {
    "deactivate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/deactivate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

If the JSON Web Key isn't found for the id, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 2345 (JsonWebKey)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

Deactivate a JSON Web Key

POST /api/v1/apps/${applicationId}/credentials/jwks/{id}/lifecycle/deactivate

Deactivates a specific JSON Web Key by id

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| id | Unique key of a JSON Web Key | URL | String | TRUE | |

Response parameters

Returns a deactivated JSON Web Key

Request example
curl -v -X POST \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/deactivate"
Response example
{
  "id": "pks055raeabcdef5rpg6",
  "kid": "key1",
  "kty": "RSA",
  "alg": "RS256",
  "use": "sig",
  "e":"AQAB",
  "n":"AJncrKuine49_CEVR4GPn.....zOrouIUCSMlRL0HU=",
  "status": "INACTIVE",
  "created": "2022-01-01 21:51:14.0",
  "_links" : {
    "activate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/activate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "delete": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6/delete",
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}

If a JSON Web Key isn't found for the id, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: 2345 (JsonWebKey)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

If the application has only one active JSON Web Key, the token_endpoint_auth_method is private_key_jwt, and a deactivate request is received for that JSON Web Key, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "Can't deactivate the only active JSON Web Key when the value for ''token_endpoint_auth_method'' is ''private_key_jwt''."
    }
  ]
}

If the application has only one active JSON Web Key that matches request_object_signature_algorithm, and a deactivate request is received for that JSON Web Key, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "The ''jwks'' must contain at least one key with an algorithm matching the ''request_object_signature_algorithm''."
    }
  ]
}

Delete a JSON Web Key

DELETE /api/v1/apps/${applicationId}/credentials/jwks/{id}

Deletes a specific JSON Web Key by id

Request parameters
| Parameter | Description | Param Type | DataType | Required | Default |
| --- | --- | --- | --- | --- | --- |
| applicationId | Unique key of an Application | URL | String | TRUE | |
| id | Unique key of a JSON Web Key | URL | String | TRUE | |

Response parameters

Empty response

Request example
curl -v -X DELETE \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/jwks/pks055raeabcdef5rpg6"
Response example
HTTP/1.1 204 No Content

If a JSON Web Key isn't found for the id, you receive an error response.

{
  "errorCode": "E0000007",
  "errorSummary": "Not found: Resource not found: xyz (JsonWebKey)",
  "errorLink": "E0000007",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw"
}

If the delete request is received for an active JSON Web Key, you receive an error response.

{
  "errorCode": "E0000001",
  "errorSummary": "Api validation failed: JsonWebKey",
  "errorLink": "E0000001",
  "errorId": "oaeMHrsk2WLTACvPU5T7yQ4yw",
  "errorCauses": [
    {
      "errorSummary": "You can't delete an active JSON Web key. Deactivate the key before deleting it."
    }
  ]
}

Application OAuth 2.0 role assignment operations

See Role assignment operations.

The Application OAuth 2.0 scope consent grant operations reference is now available at the new Okta API reference portal as the Application Grants API.

Explore the Okta Public API Collections workspace to get started with the Application Grants Postman collection.

Application OAuth 2.0 token operations

The Application OAuth 2.0 token operations reference is now available at the new Okta API reference portal as the Application Tokens API.

Explore the Okta Public API Collections workspace to get started with the Application Tokens Postman collection.

Application logo operations

The Application logo operations reference is now available at the new Okta API reference portal as the Application Logos API.

Explore the Okta Public API Collections workspace to get started with the Application Logos Postman collection.

Application Provisioning Connection operations

The Application provisioning connection operations reference is now available at the new Okta API reference portal as the Application Connections API.

Explore the Okta Public API Collections workspace to get started with the Application Connections Postman collection.

Application Feature operations

The Application Feature operations reference is now available at the new Okta API reference portal as the Application Features API.

Explore the Okta Public API Collections workspace to get started with the Application Features Postman collection.

Models

Idp-Initiated Login object

See idp_initiated_login in the new Okta API reference portal.

Refresh token object

See refresh_token in the new Okta API reference portal.

Application properties

See Application object in the response in the new Okta API reference portal.

App names

See name for each OIN and custom app signOnMode in the new Okta API reference portal.

App settings

See settings in the new Okta API reference portal.

Identity Store ID

See identityStoreId in the new Okta API reference portal.

Features

See features in the new Okta API reference portal.

Sign-on modes

See signOnMode in the new Okta API reference portal.

Accessibility object

See Application - accessibility in the new Okta API reference portal.

Visibility object

See Application - visibility in the new Okta API reference portal.

Application Credentials object

See Application - credentials in the new Okta API reference portal.

Authentication schemes

See Application - scheme in the new Okta API reference portal.

Username Template object

See Application - userNameTemplate in the new Okta API reference portal.

Signing Credential object

See credentials.signing in the new Okta API reference portal.

OAuth Credential object

See credentials.oauthClient in the new Okta API reference portal.

Built-in expressions

See credentials.userNameTemplate.template in the new Okta API reference portal.

Password object

See credentials.password in the new Okta API reference portal.

See _links in the new Okta API reference portal.

Notifications object

See notifications in the new Okta API reference portal.

Attribute Statements object

See attributeStatements in the new Okta API reference portal.

Single Logout object

See slo in the new Okta API reference portal.

Participate Single Logout object

See participateSlo in the new Okta API reference portal.

Service Provider certificate

See spCertificate in the new Okta API reference portal.

Group Attribute Statements object

See GROUP attributeStatements in the new Okta API reference portal.

Profile object

See profile in the new Okta API reference portal.

Application User object

See Application User in the new Okta API reference portal.

Application Group object

See Application Group in the new Okta API reference portal.

Application Key Credential object

The application key credential object defines a JSON Web Key for a signature or encryption credential for an application.

Note: Currently only the X.509 JWK format is supported for applications with the SAML_2_0 sign-on mode.

Example

{
  "created": "2015-11-20T21:09:30.000Z",
  "expiresAt": "2017-11-20T21:09:29.000Z",
  "x5c": [
    "..."
  ],
  "e": "AQAB",
  "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
  "x5t#S256": "CyhOiLD8_9hCFT02nUbkvmlNncBsb31xY_SUbF6fHPA",
  "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
  "kty": "RSA",
  "use": "sig"
}

Application Key Credential (certificate) properties

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| created | timestamp when certificate was created | Date | FALSE | FALSE | TRUE | | | |
| e | RSA key value (exponent) for key binding | String | FALSE | FALSE | TRUE | | | |
| expiresAt | timestamp when certificate expires | Date | FALSE | FALSE | TRUE | | | |
| kid | unique identifier for the certificate | String | FALSE | TRUE | TRUE | | | |
| kty | cryptographic algorithm family for the certificate's keypair | String | FALSE | FALSE | TRUE | | | |
| n | RSA key value (modulus) for key binding | String | FALSE | FALSE | TRUE | | | |
| use | acceptable usage of the certificate | String | TRUE | FALSE | TRUE | | | |
| x5c | X.509 certificate chain | Array | TRUE | TRUE | TRUE | | | |
| x5t#S256 | X.509 certificate SHA-256 thumbprint | String | TRUE | TRUE | TRUE | | | |

CSR Metadata object

The metadata for a CSR

Example

{
  "subject": {
    "countryName": "US",
    "stateOrProvinceName": "California",
    "localityName": "San Francisco",
    "organizationName": "Okta, Inc.",
    "organizationalUnitName": "Dev",
    "commonName": "SP Issuer"
  },
  "subjectAltNames": {
    "dnsNames": ["dev.okta.com"]
  }
}

CSR Metadata properties

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| subject | Subject of the CSR | Subject object | FALSE | FALSE | FALSE | | | |
| subjectAltNames | Subject Alternative Name of the CSR | Subject Alternative Name object | TRUE | FALSE | FALSE | | | |

Subject object

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| commonName | Common name of the subject | String | TRUE | FALSE | FALSE | | | |
| countryName | country name or code | String | TRUE | FALSE | FALSE | | | |
| localityName | locality (city) name | String | TRUE | FALSE | FALSE | | | |
| organizationName | large organization name | String | TRUE | FALSE | FALSE | | | |
| organizationalUnitName | small organization (e.g., department or division) name | String | TRUE | FALSE | FALSE | | | |
| stateOrProvinceName | state or province name | String | TRUE | FALSE | FALSE | | | |

Subject Alternative Name object

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| dnsNames | DNS names of the subject | Array | TRUE | FALSE | FALSE | | | |

Application CSR object

The application CSR object defines a Certificate Signing Request for a signature or encryption credential for an application.

Example

{
  "id": "h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
  "created": "2017-03-28T01:11:10.000Z",
  "csr": "...",
  "kty": "RSA",
  "_links": {
    "self": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50",
      "hints": {
        "allow": [
          "GET",
          "DELETE"
        ]
      }
    },
    "publish": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/csrs/h9zkutaSe7fZX0SwN1GqDApofgD1OW8g2B5l2azha50/lifecycle/publish",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    }
  }
}

Application CSR properties

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| _links | discoverable resources related to the CSR | JSON HAL | TRUE | FALSE | TRUE | | | |
| created | timestamp when CSR was created | Date | FALSE | FALSE | TRUE | | | |
| csr | Base64 encoded CSR in DER format | String | TRUE | TRUE | TRUE | | | |
| id | unique identifier for the CSR | String | FALSE | TRUE | TRUE | | | |
| kty | cryptographic algorithm family for the CSR's keypair | String | FALSE | FALSE | TRUE | | | |

ACS Endpoint Object

The ACS endpoint that contains the ACS URI and the index of the URI.

{
  "url": "https://www.example.com/sso/saml",
  "index": 0
}

ACS Endpoint properties

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength | Validation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| url | URL of the ACS | String | FALSE | FALSE | FALSE | | 1024 | URL |
| index | index of the URL in the array of ACS endpoints | Number | FALSE | TRUE | FALSE | | | |

Property details

  • url can't have query or fragment parameters.
  • index has to be a non-negative number and cannot be duplicated in a set of ACS endpoints configured for an app.

Provisioning Connection object

See Application Connection - Provisioning response in the new Okta API reference portal.

Application Feature object

See Application Feature - response payload in the new Okta API reference portal.

Client Secret Request object

Example

{
  "client_secret": "D0HxBn1FtTXeYC4cSBwWL_sPMztMT2t6Ei9n1QjO"
}

Client Secret Request object properties

| Property | Description | DataType | Nullable | Unique | Readonly | MinLength | MaxLength |
| --- | --- | --- | --- | --- | --- | --- | --- |
| client_secret | Client secret | String | TRUE | TRUE | FALSE | 14 | 100 |

Note: If the token_endpoint_auth_method of the app is client_secret_jwt, then the MinLength of client_secret should be 32.

Client Secret Response object

Example

{
  "id": "ocsap6nz61rKdsoyOY0h7",
  "client_secret": "D0HxBn1FtTXeYC4cSBwWL_sPMztMT2t6Ei9n1QjO",
  "secret_hash": "0xbeefbeefbeefbeefbeefbeef",
  "created": "2022-01-01T03:22:27.000Z",
  "lastUpdated": "2022-01-01T04:22:27.000Z",
  "status": "INACTIVE",
  "_links" : {
    "activate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oa11s8ONPmrGh5XB0g4/credentials/secrets/0sap6nz61rKdsoyOY0h7/lifecycle/activate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "delete": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oa11s8ONPmrGh5XB0g4/credentials/secrets/0sap6nz61rKdsoyOY0h7",
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}

Client Secret Response object properties

| Property | Description | DataType | Nullable | Unique | Readonly | Default |
| --- | --- | --- | --- | --- | --- | --- |
| id | Unique key of the group | String | FALSE | TRUE | TRUE | |
| client_secret | Client secret | String | FALSE | TRUE | FALSE | |
| secret_hash | Hash of the client secret | String | FALSE | TRUE | TRUE | |
| created | Timestamp when the secret was created | Date | FALSE | FALSE | TRUE | |
| lastUpdated | Timestamp when the secret was last updated | Date | FALSE | FALSE | TRUE | |
| status | Status of the Client Secret | ACTIVE, INACTIVE | FALSE | FALSE | FALSE | ACTIVE |
| _links | Discoverable resources related to client secrets | JSON HAL | FALSE | FALSE | TRUE | |

JSON Web Key Request object

The application JSON Web Key object defines a JSON Web Key for a signature or encryption credential for an application.

Example

{
  "e": "AQAB",
  "alg": "RS256",
  "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
  "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
  "kty": "RSA",
  "use": "sig",
  "status": "ACTIVE"
}

Application JSON Web Key Request properties

| Property | Description | DataType | Nullable | Unique | Readonly | Default |
| --- | --- | --- | --- | --- | --- | --- |
| e | RSA key value (exponent) for key binding | String | FALSE | FALSE | TRUE | |
| alg | Algorithm used in the key | String | FALSE | FALSE | TRUE | |
| n | RSA key value (modulus) for key binding | String | FALSE | FALSE | TRUE | |
| kid | Unique identifier for the certificate | String | TRUE | TRUE | TRUE | |
| kty | Cryptographic algorithm family for the certificate's key pair | String | FALSE | FALSE | TRUE | |
| use | Acceptable use of the certificate | String | TRUE | FALSE | TRUE | |
| status | Status of the JSON Web Key | ACTIVE, INACTIVE | TRUE | FALSE | FALSE | ACTIVE |
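A pre-submission check for a JSON Web Key Request object like the one above, as an added example that is not part of the original Okta documentation: it rejects a JWK that carries private RSA members, checks the modulus size and public exponent, and computes an RFC 7638 thumbprint that can be recorded to match the key against a later response object. The 2048-bit minimum, the function names and the sample keys are assumptions made for this example.

```python
import base64
import hashlib
import json

PRIVATE_RSA_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}  # RFC 7518, 6.3.2
MIN_MODULUS_BITS = 2048  # assumed local policy, not a value from this page

def b64url(raw):
    """Encode bytes as unpadded base64url, the encoding JWK uses for n and e."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_to_int(value):
    """Decode an unpadded base64url string to a big-endian integer."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")

def rfc7638_thumbprint(jwk):
    """SHA-256 thumbprint over the required RSA members only (e, kty, n)."""
    canonical = json.dumps({k: jwk[k] for k in ("e", "kty", "n")},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def check_jwk_request(jwk):
    """Return a list of findings; an empty list means the key passed."""
    findings = []
    leaked = sorted(PRIVATE_RSA_MEMBERS & jwk.keys())
    if leaked:
        findings.append("private key members present: " + ", ".join(leaked))
    if jwk.get("kty") != "RSA":
        return findings + ["kty is not RSA"]
    try:
        n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    except (KeyError, ValueError, TypeError):
        return findings + ["n or e missing or not valid base64url"]
    if n.bit_length() < MIN_MODULUS_BITS:
        findings.append(f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}")
    if e < 3 or e % 2 == 0:
        findings.append("public exponent must be an odd integer >= 3")
    if jwk.get("use") not in (None, "sig", "enc"):  # use is nullable
        findings.append("use must be sig or enc")
    if jwk.get("status") not in (None, "ACTIVE", "INACTIVE"):  # status is nullable
        findings.append("status must be ACTIVE or INACTIVE")
    return findings

# Constructed samples (not real keys): odd integers of the right size stand in for n.
SAMPLE_OK = {"kty": "RSA", "alg": "RS256", "use": "sig", "e": "AQAB",
             "n": b64url(((1 << 2047) | 1).to_bytes(256, "big")), "status": "ACTIVE"}
SAMPLE_BAD = dict(SAMPLE_OK, n=b64url(((1 << 1023) | 1).to_bytes(128, "big")), d="AQAB")
```
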

JSON Web Key Response object

The application JSON Web Key object defines a JSON Web Key for a signature or encryption credential for an application.

Example

{
  "id": "pks055raeabcdef5rpg6",
  "e": "AQAB",
  "alg": "RS256",
  "n": "mkC6yAJVvFwUlmM9gKjb2d-YK5qHFt-mXSsbjWKKs4EfNm-BoQeeovBZtSACyaqLc8IYFTPEURFcbDQ9DkAL04uUIRD2gaHYY7uK0jsluEaXGq2RAIsmzAwNTzkiDw4q9pDL_q7n0f_SDt1TsMaMQayB6bU5jWsmqcWJ8MCRJ1aJMjZ16un5UVx51IIeCbe4QRDxEXGAvYNczsBoZxspDt28esSpq5W0dBFxcyGVudyl54Er3FzAguhgfMVjH-bUec9j2Tl40qDTktrYgYfxz9pfjm01Hl4WYP1YQxeETpSL7cQ5Ihz4jGDtHUEOcZ4GfJrPzrGpUrak8Qp5xcwCqQ",
  "kid": "SIMcCQNY3uwXoW3y0vf6VxiBb5n9pf8L2fK8d-FIbm4",
  "kty": "RSA",
  "use": "sig",
  "created": "2022-01-01T03:22:27.000Z",
  "lastUpdated": "2022-01-01T04:22:27.000Z",
  "status": "INACTIVE",
  "_links": {
    "activate": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oa11s8ONPmrGh5XB0g4/credentials/jwks/pks055raeabcdef5rpg6/lifecycle/activate",
      "hints": {
        "allow": [
          "POST"
        ]
      }
    },
    "delete": {
      "href": "https://{yourOktaDomain}/api/v1/apps/0oa11s8ONPmrGh5XB0g4/credentials/jwks/pks055raeabcdef5rpg6",
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}

Application JSON Web Key Response properties

| Property | Description | DataType | Nullable | Unique | Readonly | Default |
| --- | --- | --- | --- | --- | --- | --- |
| id | Unique key of group | String | FALSE | TRUE | TRUE | |
| e | RSA key value (exponent) for key binding | String | FALSE | FALSE | TRUE | |
| alg | Algorithm used in the key | String | FALSE | FALSE | TRUE | |
| n | RSA key value (modulus) for key binding | String | FALSE | FALSE | TRUE | |
| kid | Unique identifier for the certificate | String | FALSE | TRUE | TRUE | |
| kty | Cryptographic algorithm family for the certificate's key pair | String | FALSE | FALSE | TRUE | |
| use | Acceptable use of the certificate | String | TRUE | FALSE | TRUE | |
| created | Timestamp when the JSON Web Key was created | Date | FALSE | FALSE | TRUE | |
| lastUpdated | Timestamp when the JSON Web Key was last updated | Date | FALSE | FALSE | TRUE | |
| status | Status of the JSON Web Key | ACTIVE, INACTIVE | FALSE | FALSE | FALSE | ACTIVE |
| _links | Discoverable resources related to JSON Web Keys | JSON HAL | FALSE | FALSE | TRUE | |