Okta API tokens expire automatically after a specified period of inactivity and are deactivated when the associated user account is deactivated. Understanding the expiration timelines, deactivation triggers, and status color codes ensures uninterrupted API access and proper token lifecycle management.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- API Tokens
- Token Expiration and Deactivation
What causes Okta API tokens to expire and deactivate?
Okta API tokens expire automatically after a specific period and are deactivated immediately upon user account deactivation.
What is the fixed 30-day expiration lifecycle for Okta API tokens?
Review the following guidelines to understand the fixed 30-day expiration lifecycle for Okta API tokens:
- Tokens remain valid for 30 days from the date of creation or last use, and Okta automatically refreshes the expiration date with each API call.
- Tokens that remain unused for 30 days expire.
- The 30-day period remains fixed and applies to all organizations.
NOTE: Once an API token expires, Okta revokes it, and it becomes permanently invalid.
What causes Okta to deactivate an API token?
Okta deprovisions API tokens based on the status of the associated user account.
If Okta deactivates a user account, Okta simultaneously deprovisions any API token created by that user account.
How does Okta indicate the current status of an API token?
Okta uses the following color codes to indicate the current status of an API token.
| Token Color | Condition / Status |
| Green | The token registered activity within the last three days. |
| Gray | The token lacks activity in the last three days, and the current date is at least seven days before the expiration date. |
| Red | The token reaches expiration within seven days. |
| Yellow | The token exhibits suspicious activity. |
