API Token Validity After an Okta Admin Password Reset
Overview

When an administrator undergoes a password reset or encounters an account lockout, questions often arise about the stability of integrated services using that admin's Application Programming Interface (API) tokens. This guide explains the relationship between user status and token validity.

Applies To
  • Application Programming Interface (API) Token
  • Administrator Accounts
  • Okta Classic Engine
  • Okta Identity Engine (OIE)
Solution

Resetting or changing an Okta Admin account password does not invalidate existing API tokens.

API tokens are tied to the user's overall lifecycle state rather than to their specific authentication credentials (such as passwords). In Okta, a user in a Password Reset or Locked Out state is still considered Active.

Key Factors for Token Validity

  • Active Status: As long as the user account remains in an Active state, all associated API tokens remain functional.
  • Deactivation: Tokens are invalidated only if the user is deactivated or deleted, or if the token itself is manually revoked in the Okta Admin Console.
  • Security Best Practice: If a password reset is being performed due to a suspected compromise, it is highly recommended to also manually revoke any existing API tokens and generate new ones to ensure environment security.
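
The rules above can be applied to a token inventory during incident triage. The following is an added example, not Okta's own code: it classifies each token by its owner's lifecycle state and lists the tokens that a password reset left usable for a suspected-compromised admin. The API status names (`RECOVERY`, `LOCKED_OUT`, `DEPROVISIONED`), the revoke endpoint path, and all IDs and names in the sample data are assumptions or constructed values.

```python
from dataclasses import dataclass

# Okta API status names are an assumption of this example: RECOVERY is the
# "Password Reset" state, DEPROVISIONED is shown as "Deactivated".
TREATED_AS_ACTIVE = {"ACTIVE", "RECOVERY", "LOCKED_OUT"}
DEACTIVATED = {"DEPROVISIONED"}

@dataclass(frozen=True)
class Token:
    id: str
    name: str
    user_id: str
    revoked: bool = False

def token_state(token, users):
    """Classify one token: 'valid', 'invalid' or 'unknown'."""
    if token.revoked:
        return "invalid"
    status = users.get(token.user_id)  # missing entry = user was deleted
    if status is None or status in DEACTIVATED:
        return "invalid"
    if status in TREATED_AS_ACTIVE:
        return "valid"
    return "unknown"  # a state the article does not cover: check by hand

def revocation_plan(user_id, tokens, users):
    """Tokens of a suspected-compromised admin that a password reset left usable."""
    return [
        (t.id, t.name, f"DELETE /api/v1/api-tokens/{t.id}")  # assumed revoke endpoint
        for t in sorted(tokens, key=lambda t: t.id)
        if t.user_id == user_id and token_state(t, users) != "invalid"
    ]

# Constructed sample data (IDs and names are made up).
USERS = {"00uA": "RECOVERY", "00uB": "LOCKED_OUT", "00uC": "DEPROVISIONED", "00uD": "SUSPENDED"}
TOKENS = [
    Token("00Tsiem", "siem-export", "00uA"),
    Token("00Told", "old-script", "00uA", revoked=True),
    Token("00Thr", "hr-sync", "00uB"),
    Token("00Tleg", "legacy-job", "00uC"),
    Token("00Tgone", "orphan", "00uZ"),  # owner deleted
    Token("00Tbak", "backup", "00uD"),
]

if __name__ == "__main__":
    for t in TOKENS:
        print(f"{t.name:12} owner={t.user_id} -> {token_state(t, USERS)}")
    print(revocation_plan("00uA", TOKENS, USERS))
```

Tokens classified as `unknown` belong to users in a state this guide does not address, so the plan keeps them in scope for revocation rather than assuming they are dead.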
