Okta Access Policy Rules with "AND User is" Filter Do Not Apply to API Service Apps/Client Credentials Flow
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article explains that an Access Policy rule on a custom authorization server whose AND User is condition is set to Assigned the app and a member of one of the following is never applied to token requests using the Client Credentials grant type (the flow used by API Service Apps), because that flow carries no user context for the condition to evaluate.

Cause

Access Policy rules with an AND User is condition set to Assigned the app and a member of one of the following do not match requests made with the Client Credentials flow. That flow is designed for machine-to-machine communication and therefore runs without an end user: the client authenticates with its own credentials and no user is assigned, signed in, or otherwise associated with the request. A condition that requires a specific user or group membership can never be satisfied in that case, so the rule is skipped. Evaluation continues with the next rule in priority order, and if no rule matches, the token request is denied.

Solution

To ensure the rule is evaluated for service apps, set the AND User is condition to Any user assigned the app. Limit what the rule grants through the conditions that do apply to a client credentials request instead: the clients the policy is assigned to, the IF Grant type is condition (client_credentials), and the AND Scopes requested condition.

Screenshot: AND User is filter
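The cause and solution above can be checked before a service app fails: a rule that lists client_credentials under its grant types but restricts AND User is to specific users or groups is dead for that grant. The following audit script is an added example and is not Okta's code. It assumes rule objects shaped like the JSON the Okta API returns for authorization server policy rules (conditions.grantTypes.include, conditions.people.users.include, conditions.people.groups.include) and that Any user assigned the app is encoded as the group EVERYONE; the sample rules and their IDs are constructed for the example.

```python
"""Audit authorization-server access policy rules for "User is" conditions
that can never match a Client Credentials request.

Added example, not Okta's own code. Assumptions (not taken from the page):
 - rules follow the Okta policy-rule JSON shape with
   conditions.grantTypes.include, conditions.people.users.include and
   conditions.people.groups.include;
 - "Any user assigned the app" is encoded as the group "EVERYONE".
The SAMPLE_RULES below are constructed; the IDs are not real Okta IDs.
"""
from typing import Iterable

EVERYONE = "EVERYONE"  # assumption: encoding of "Any user assigned the app"
CLIENT_CREDENTIALS = "client_credentials"


def restricts_users(rule: dict) -> bool:
    """True if the rule's "User is" condition names specific users or groups.

    A rule with no people condition, or one that includes only EVERYONE,
    matches any caller and is fine for service apps.
    """
    people = rule.get("conditions", {}).get("people", {})
    users = people.get("users", {}).get("include", [])
    groups = people.get("groups", {}).get("include", [])
    if users:
        return True
    return bool(groups) and set(groups) != {EVERYONE}


def allows_client_credentials(rule: dict) -> bool:
    """True if the rule's grant-type condition admits client_credentials."""
    grants = rule.get("conditions", {}).get("grantTypes", {}).get("include", [])
    return CLIENT_CREDENTIALS in grants


def find_dead_rules(rules: Iterable[dict]) -> list[str]:
    """Return the names of rules that admit client_credentials but also
    require a specific user or group, i.e. rules that will never be applied
    to a service app's token request."""
    return [
        rule["name"]
        for rule in rules
        if allows_client_credentials(rule) and restricts_users(rule)
    ]


# Constructed sample: what a GET on the policy's /rules endpoint might return.
SAMPLE_RULES = [
    {
        "type": "RESOURCE_ACCESS",
        "name": "Service apps - finance group only",
        "conditions": {
            "grantTypes": {"include": [CLIENT_CREDENTIALS]},
            # "Assigned the app and a member of one of the following":
            "people": {"groups": {"include": ["00g-example-finance"]}},
            "scopes": {"include": ["*"]},
        },
    },
    {
        "type": "RESOURCE_ACCESS",
        "name": "Service apps - any user assigned the app",
        "conditions": {
            "grantTypes": {"include": [CLIENT_CREDENTIALS]},
            "people": {"groups": {"include": [EVERYONE]}},
            "scopes": {"include": ["inventory.read"]},
        },
    },
    {
        "type": "RESOURCE_ACCESS",
        "name": "Web app - finance group via auth code",
        "conditions": {
            # A user flow: restricting by group is legitimate here.
            "grantTypes": {"include": ["authorization_code"]},
            "people": {"groups": {"include": ["00g-example-finance"]}},
            "scopes": {"include": ["openid", "profile"]},
        },
    },
]

if __name__ == "__main__":
    for name in find_dead_rules(SAMPLE_RULES):
        print(f"rule never matches client_credentials requests: {name}")
```

Run against the real rules by replacing SAMPLE_RULES with the parsed response of the policy's rules endpoint; any name printed is a rule that should either have its AND User is condition changed to Any user assigned the app or have client_credentials removed from its grant types.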
