Validation Failed on Access Token Issued by the Org Authorization Server
API Access Management
Okta Classic Engine
Overview

When using the Org Authorization Server to request an access token, the JWT validation process fails for that access token.

If the token's issuer (the iss claim in the token payload) is the base domain URL, e.g., https://example.okta.com or https://okta.mycompany.com, the Org Authorization Server is being used. (Tokens from a Custom Authorization Server carry an issuer under that server's path instead.)

Applies To
  • OAuth 2.0
  • OpenID Connect
  • Org Authorization Server
  • Okta Classic Engine
Cause

Access Tokens from the Org Authorization Server are designed to be used and consumed by Okta only, and their format can change in ways that break local decoding and verification. One example is the typ header, which changed when Okta started to use an externally published signing key, as outlined in the March 2024 Release. Okta's own endpoints expect and account for such changes, but other consumers should not rely on the token format.

Because Okta itself is the intended audience for these tokens, the aud claim in these Access Tokens is the Okta org, e.g. https://example.okta.com. An Access Token issued by the Okta Org Authorization Server is not safe to use in an authorization use case, where the audience needs to be set to a resource server and custom scopes and proper access policies are required.

Solution

Access Tokens issued by the Org Authorization Server should only be used for Authentication use cases (OpenID Connect) and not Authorization use cases (OAuth). If the Authorization (OAuth) use case is needed, a Custom Authorization Server must be used instead (associated with the API Access Management feature), for which local token validation is supported.

Any integrations receiving Access Tokens from the Org Authorization Server should treat them as opaque. While it is technically possible to decode Access Tokens issued by the Org Authorization Server using a third-party decoder, the content of these tokens is subject to change at any time without notice, as outlined within our documentation for the Org Authorization Server. If the tokens need to be validated, use the Introspect endpoint to do so: it is kept up to date with any changes to Access Tokens issued by the Org Authorization Server and can decode and validate them securely.

As Okta is the intended audience, Access Tokens issued by the Org Authorization Server can authorize Okta's APIs, notably the Userinfo Endpoint, the Introspect Endpoint, and the Management Endpoints.
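The following Python script is an added example (not Okta's own code) that puts the guidance above into practice: it reads the iss claim without verifying the signature, only to decide whether the token came from the Org Authorization Server, and if so it builds a request to Okta's documented introspection endpoint (POST /oauth2/v1/introspect with HTTP Basic client authentication) instead of validating locally. The sample token, org URL, client ID and client secret are constructed placeholders; the helper and function names are this example's own.

```python
import base64
import json
import urllib.parse
import urllib.request


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Restore padding and decode one JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample (assumption): an Org Authorization Server token whose
# iss and aud are both the org base URL. The signature is a placeholder; we
# never verify it locally, which is exactly the point of this example.
SAMPLE_ORG_URL = "https://example.okta.com"
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode()),
    _b64url(json.dumps({"iss": SAMPLE_ORG_URL, "aud": SAMPLE_ORG_URL,
                        "sub": "00u-constructed", "scp": ["openid"]}).encode()),
    "constructed-signature",
])


def unverified_claims(token: str) -> dict:
    """Read the payload claims WITHOUT signature verification.

    This is only used to route the token to the right validation path; it
    must never be treated as proof that the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def issued_by_org_authorization_server(iss: str, org_url: str) -> bool:
    """Org AS tokens carry the bare org URL as issuer; a Custom AS issuer
    lives under a path of the org (e.g. {org}/oauth2/{authServerId})."""
    return iss.rstrip("/") == org_url.rstrip("/")


def build_introspect_request(org_url: str, token: str,
                             client_id: str, client_secret: str) -> urllib.request.Request:
    """Build the introspection call; client_id/client_secret are assumed to
    belong to an OIDC app in the same org."""
    url = org_url.rstrip("/") + "/oauth2/v1/introspect"
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def accept_introspection(result: dict, org_url: str) -> bool:
    """Accept only an active token that this org's authorization server issued.
    Okta is the audience of Org AS tokens, so a resource server must not
    expect its own audience here."""
    if not result.get("active"):
        return False
    return issued_by_org_authorization_server(result.get("iss", ""), org_url)


def validate(token: str, org_url: str, client_id: str, client_secret: str) -> bool:
    """Route the token: Org AS -> remote introspection; anything else is
    out of scope for this example (Custom AS tokens support local checks)."""
    claims = unverified_claims(token)
    if not issued_by_org_authorization_server(claims.get("iss", ""), org_url):
        raise ValueError("not an Org Authorization Server token; validate locally against "
                         "the Custom Authorization Server's keys instead")
    req = build_introspect_request(org_url, token, client_id, client_secret)
    with urllib.request.urlopen(req) as resp:  # network call, not run offline
        return accept_introspection(json.load(resp), org_url)


if __name__ == "__main__":
    # Offline demonstration of the routing decision; the network call is skipped.
    claims = unverified_claims(SAMPLE_TOKEN)
    print("issuer:", claims["iss"])
    print("org AS token:", issued_by_org_authorization_server(claims["iss"], SAMPLE_ORG_URL))
    req = build_introspect_request(SAMPLE_ORG_URL, SAMPLE_TOKEN, "client-id-placeholder", "secret-placeholder")
    print("would POST to:", req.full_url)
```

The only place the token body is parsed is unverified_claims, and its result is used for routing alone; the accept/reject decision comes from the introspection response, so a change in the token format (such as the typ header change noted above) cannot silently break the integration.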
