API tokens authenticate requests to the Okta API, just as HTTP cookies authenticate browser requests to the Okta application. An API token is issued for a specific user, and every request made with the token acts on behalf of that user. API tokens are secrets and should be treated like passwords.
When API tokens are created using the Admin Console, rate limits for token interactions are set automatically to 50 percent of each API maximum limit. See API rate limits. This percentage can be adjusted for each token.
The threshold of an API token can be modified in the Admin Console. By default, it is set at 50%. See Set token rate limits.
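One way for an integration to stay under its token's share and avoid triggering violation events is a client-side guard like the following. This is an added example, not Okta's code: the `TokenBudget` class, the endpoint limits in `SAMPLE_LIMITS` and the fixed 60-second window are assumptions made for illustration.

```python
import time


class TokenBudget:
    """Client-side guard: stay under one API token's share of each endpoint limit."""

    def __init__(self, endpoint_limits, token_percent=50, window_s=60,
                 clock=time.monotonic):
        if not 1 <= token_percent <= 100:
            raise ValueError("token_percent must be between 1 and 100")
        self.window_s = window_s          # assumed fixed window length, in seconds
        self.clock = clock                # injectable so the logic can be replayed
        # Effective per-window budget for this token on each endpoint,
        # rounded down so the client never overshoots, but at least 1.
        self.budget = {ep: max(1, limit * token_percent // 100)
                       for ep, limit in endpoint_limits.items()}
        self._state = {}                  # endpoint -> (window_start, used)

    def try_acquire(self, endpoint):
        """Return (allowed, wait_seconds) for one request to `endpoint`."""
        now = self.clock()
        start, used = self._state.get(endpoint, (now, 0))
        if now - start >= self.window_s:  # window rolled over, reset the count
            start, used = now, 0
        if used < self.budget[endpoint]:
            self._state[endpoint] = (start, used + 1)
            return True, 0.0
        self._state[endpoint] = (start, used)
        return False, self.window_s - (now - start)


# Constructed sample limits (requests per window); not Okta's published values.
SAMPLE_LIMITS = {"/api/v1/users": 600, "/api/v1/groups": 500}


def simulate(requests, token_percent=50):
    """Replay (timestamp, endpoint) pairs; return the requests the guard holds back."""
    now = [0.0]
    guard = TokenBudget(SAMPLE_LIMITS, token_percent, clock=lambda: now[0])
    held = []
    for ts, endpoint in requests:
        now[0] = ts
        allowed, wait = guard.try_acquire(endpoint)
        if not allowed:
            held.append((ts, endpoint, round(wait, 1)))
    return held
```

Each endpoint is budgeted separately because the token percentage applies to each API's maximum limit, so exhausting one endpoint's share does not block calls to another.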
- Okta API Token
- Rate Limits
An API token rate limit violation event is a kind of Operation Rate Limit. In Okta, it is expected behavior that admins are not notified of client and operations-based rate limit usage.
An event like this would show up in the System Log like the following:
