<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Required Admin Permissions to Create an API Token for Org2Org Provisioning
Apr 3, 2026
Okta Classic Engine
Administration
Overview

This article details what admin permissions are needed to create an API Token for Org2Org Provisioning.

Applies To
  • Okta Org2Org
  • Okta Integration Network (OIN)
  • Provisioning
  • Okta Classic Engine
Solution

For Org2Org provisioning, a Super Administrator must generate the API token. Using another type of administrator with a different set of permissions will result in provisioning failures.

 

The failure occurs due to Okta executing multiple internal API calls, including but not limited to user creation. For instance, if an API key is generated with a different type of admin role, if the provision fails because of a permission issue, the user creation also fails. Occasionally, Okta also runs Group reconciliation Jobs besides the user creation API. 

Okta allows customers to set up provisioning with an API token generated by other types of admins. It will not show an error when they verify credentials in the provisioning tab, but it will fail when users are assigned.

It is essential to confirm the type of admin role used to create the API token in cases of Org2Org provisioning errors.

Recommended content

Still looking for help?
Loading
Required Admin Permissions to Create an API Token for Org2Org Provisioning