What is an Authorization Server?
Published: Nov 3, 2017   -   Updated: Jun 22, 2018
Issue: I'm configuring Adaptive MFA for Okta. What is an Authorization Server?

Applies to:  
  • Okta environments with the API Access Management SKU


An authorization server defines your security boundary, for example “staging” or “production.” Within each authorization server you can define your own OAuth scopes, claims, and access policies. This lets your apps and your APIs anchor to a central authorization point and use the rich identity features of Okta, such as Universal Directory for transforming attributes, adaptive MFA for end users, analytics, and the system log, and extend them out to the API economy.

At its core, an authorization server is simply an OAuth 2.0 token minting engine. Each authorization server has a unique issuer URI and its own signing key for tokens, which keeps a proper boundary between security domains. The authorization server also acts as an OpenID Connect Provider, which means you can request ID tokens in addition to access tokens from the authorization server endpoints.
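
The boundary described above, seen from an API that trusts exactly one authorization server. This is an added example, not Okta code: the issuer URIs, keys and helper names are constructed, and standard-library HMAC (HS256) stands in for the asymmetric token signatures a production authorization server would use.

```python
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthServer:
    """Toy token minting engine: one issuer URI, one signing key."""
    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def mint(self, claims: dict) -> str:
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64(json.dumps({**claims, "iss": self.issuer}).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256)
        return f"{header}.{body}.{_b64(sig.digest())}"

def verify(token: str, trusted: AuthServer) -> dict:
    """Accept a token only if `trusted` both signed it and is its issuer."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(trusted.key, f"{header}.{body}".encode(), hashlib.sha256)
        if not hmac.compare_digest(expected.digest(), _unb64(sig)):
            raise ValueError("signature not from trusted server's key")
        claims = json.loads(_unb64(body))  # parsed only after the signature check
    except (ValueError, AttributeError) as exc:
        raise PermissionError(f"rejected: {exc}") from None
    if claims.get("iss") != trusted.issuer:
        raise PermissionError("rejected: issuer mismatch")
    return claims

# Constructed issuers and keys, for illustration only.
STAGING = AuthServer("https://idp.example.com/oauth2/staging", b"staging-demo-key")
PROD = AuthServer("https://idp.example.com/oauth2/production", b"production-demo-key")

def outcome(token: str, trusted: AuthServer) -> str:
    try:
        return "accepted sub=" + verify(token, trusted)["sub"]
    except PermissionError as exc:
        return str(exc)

if __name__ == "__main__":
    print(outcome(PROD.mint({"sub": "alice"}), PROD))
    print(outcome(STAGING.mint({"sub": "alice"}), PROD))
    # Staging key, production issuer claim: the per-server key stops it.
    print(outcome(AuthServer(PROD.issuer, STAGING.key).mint({"sub": "alice"}), PROD))
```

The last case shows why the issuer URI alone is not the boundary: a token that merely claims the production issuer is still rejected because it was not signed with the production server's key.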

For additional information, review: https://help.okta.com/en/prod/Content/Topics/Security/API_Access.htm