Create an Okta API Token for a Restricted Administrator Role
Overview
Generating an Okta API token for a service account requires specific administrative privileges. When an account requires a restricted custom administrator role that lacks token creation permissions, administrators must create the token while the account holds a higher-privileged role. Assign a role with token creation privileges to the account, generate the API token, and then downgrade the account to the restricted custom administrator role. Alternatively, implement OAuth 2.0 with a service application to grant scoped access without relying on static API tokens.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Application Programming Interface (API) Tokens
- Custom Administrator Roles
- OAuth 2.0 Service Applications
Solution
How do administrators create an API token for a restricted role?
Assign a temporary high-privilege administrator role to the target account, generate the API token, and then reassign the restricted custom administrator role to maintain least privilege access.
- Navigate to Security, and then select Administrators in the Okta Admin Console.
- Assign a role with API token creation privileges, such as the Super Administrator role, to the target account.
- Sign in to the Okta Admin Console using the target account.
- Navigate to Security, and then select API.
- Select the Tokens tab and choose Create Token.
- Enter a descriptive name for the token and select Create Token.
- Copy the token value and store it securely, as Okta does not display the token value again.
- Sign out of the target account and sign back in using an account with Super Administrator privileges.
- Navigate to Security, and then select Administrators.
- Remove the temporary high-privilege role from the target account and assign the restricted custom administrator role.
NOTE: The API token inherits the permissions of the user account that created it. When administrators downgrade the account role, Okta automatically restricts the token's permissions to match the new custom administrator role, so the token does not retain Super Administrator access. The token is also revoked if the account is deactivated, and it expires after 30 days without use. Confirm the downgrade by calling the API with the token: a request outside the custom role's permissions must return HTTP 403.
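The check worth running after the last step is that the token now carries only the restricted role's permissions. The script below is an added example for this article, not Okta's own code: it sends a few probe requests with the token using the `SSWS` authorization scheme and classifies each response as allowed, denied (HTTP 403) or invalid token (HTTP 401). The probe table is a hypothetical role that may read users and groups but not create users; adjust it to your custom role. The `FakeOktaTransport` class and its canned responses are constructed so the checker can be run offline; set `OKTA_ORG_URL` and `OKTA_API_TOKEN` to run it against a real org. It assumes Okta checks the caller's permissions before validating a request body, so an empty `POST` body yields 400 when allowed and 403 when denied, and nothing is created.

```python
"""Check the effective permissions of an Okta API token after the owning
account was downgraded to a restricted custom administrator role.

Added example for this article; not Okta's code.  Assumptions:
  * OKTA_ORG_URL / OKTA_API_TOKEN are supplied by the operator.
  * PROBES reflects what the (hypothetical) restricted role should and should
    not be able to do; edit it to match the real role's permission set.
  * Permissions are checked before body validation, so an empty POST body
    returns 400 (allowed) or 403 (denied) and never creates a resource.
"""
import json
import os
import urllib.error
import urllib.request

# Error codes Okta returns in the JSON error body.
E_ACCESS_DENIED = "E0000006"   # "You do not have permission to perform the requested action"
E_INVALID_TOKEN = "E0000011"   # "Invalid token provided"

# (method, path, expect_allowed) for a role that may read users and groups
# but may not create users.  Hypothetical role; edit to match yours.
PROBES = [
    ("GET",  "/api/v1/users?limit=1",  True),
    ("GET",  "/api/v1/groups?limit=1", True),
    ("POST", "/api/v1/users",          False),
]


def http_transport(req):
    """Send a request over the network; return (status, body_bytes)."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def okta_call(org_url, token, method, path, transport=http_transport):
    """Issue one call authenticated with the SSWS scheme Okta API tokens use."""
    body = b"{}" if method in ("POST", "PUT") else None
    req = urllib.request.Request(
        org_url.rstrip("/") + path, data=body, method=method,
        headers={"Authorization": "SSWS " + token,
                 "Accept": "application/json",
                 "Content-Type": "application/json"})
    status, raw = transport(req)
    try:
        parsed = json.loads(raw.decode("utf-8")) if raw else None
    except ValueError:
        parsed = None
    return status, parsed


def classify(status, parsed):
    """Map an Okta response to 'allowed', 'denied' or 'invalid-token'."""
    code = parsed.get("errorCode") if isinstance(parsed, dict) else None
    if status == 401 or code == E_INVALID_TOKEN:
        return "invalid-token"
    if status == 403:            # Okta sends E0000006 in the body for this case
        return "denied"
    return "allowed"             # 2xx, or 400/404 after the permission check passed


def verify_token(org_url, token, probes=PROBES, transport=http_transport):
    """Run every probe; return (all_as_expected, [(method, path, outcome, matched)])."""
    results = []
    for method, path, expect_allowed in probes:
        status, parsed = okta_call(org_url, token, method, path, transport)
        outcome = classify(status, parsed)
        if outcome == "invalid-token":
            results.append((method, path, outcome, False))
            return False, results            # stop: Okta rejects the token itself
        matched = (outcome == "allowed") == expect_allowed
        results.append((method, path, outcome, matched))
    return all(r[3] for r in results), results


class FakeOktaTransport:
    """Constructed stand-in for the network that answers like an org would for a
    token whose owner now holds the hypothetical read-only role above."""

    def __init__(self, token_valid=True):
        self.token_valid = token_valid

    def __call__(self, req):
        if not self.token_valid:
            return 401, json.dumps({"errorCode": E_INVALID_TOKEN,
                                     "errorSummary": "Invalid token provided"}).encode()
        canned = {
            ("GET", "/api/v1/users?limit=1"):  (200, b"[]"),
            ("GET", "/api/v1/groups?limit=1"): (200, b"[]"),
            ("POST", "/api/v1/users"): (403, json.dumps({
                "errorCode": E_ACCESS_DENIED,
                "errorSummary": "You do not have permission to perform the requested action"
            }).encode()),
        }
        return canned.get((req.get_method(), req.selector), (404, b'{"errorCode":"E0000007"}'))


if __name__ == "__main__":
    org = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")   # placeholder org
    tok = os.environ.get("OKTA_API_TOKEN")
    transport = http_transport if tok else FakeOktaTransport()        # offline demo without a token
    ok, rows = verify_token(org, tok or "dummy", transport=transport)
    for method, path, outcome, matched in rows:
        print(f"{'OK ' if matched else 'BAD'} {method:4} {path:24} -> {outcome}")
    print("token permissions match the restricted role" if ok else "MISMATCH: review the role assignment")
```

A token that still reaches the `POST` probe with 2xx or 400 after the downgrade means the role change did not take effect as intended; treat that as a finding and re-check the assignment before handing the token to the service.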
What is the OAuth 2.0 alternative to API tokens?
Implement OAuth 2.0 with a service application to provide scoped API access without a static API token or temporary role elevation. The service app authenticates to the org authorization server with the client credentials grant and a private key (private_key_jwt), and receives an access token limited to the scopes granted to the app, such as okta.users.read, rather than inheriting the permissions of a user account. Review the OAuth for Okta Service App documentation to configure this machine-to-machine authentication flow.
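The exchange above, as an added example that is not part of this article or Okta's documentation: it builds the signed client assertion and the form body that a service app posts to the org authorization server's token endpoint. It assumes a service app already exists with the private_key_jwt client authentication method and the `okta.users.read` scope granted to it, that `OKTA_ORG_URL`, `OKTA_CLIENT_ID` and a PEM private key path are supplied by the operator (the values in the demo are placeholders), and it delegates RS256 signing to the `openssl` command line tool so that no third-party library is needed. When no key path is set, the demo generates an ephemeral key so the assertion can be built and inspected offline; `fetch_access_token` is only called against a real org.

```python
"""Build the client assertion and token request an Okta OAuth 2.0 service app
uses for machine-to-machine access (client_credentials + private_key_jwt).

Added example for this article; not Okta's code.  Assumptions:
  * A service app exists with private_key_jwt authentication and the scopes
    in SCOPES granted to it (configured in the Admin Console).
  * OKTA_ORG_URL, OKTA_CLIENT_ID and OKTA_PRIVATE_KEY (PEM path) are supplied
    by the operator; the demo falls back to placeholders and an ephemeral key.
  * RS256 (RSASSA-PKCS1-v1_5 over SHA-256) signing is done by `openssl`.
"""
import base64
import json
import os
import subprocess
import tempfile
import time
import urllib.parse
import urllib.request
import uuid

SCOPES = ["okta.users.read"]   # grant and request only what the job needs
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def openssl_rs256_signer(private_key_pem):
    """Return a callable that RS256-signs a message with the PEM private key."""
    def sign(message: bytes) -> bytes:
        return subprocess.run(["openssl", "dgst", "-sha256", "-sign", private_key_pem],
                              input=message, check=True, capture_output=True).stdout
    return sign


def build_client_assertion(client_id, token_url, signer, kid=None, lifetime=300, now=None):
    """Signed JWT for the client_assertion parameter: iss and sub are the client
    ID, aud is the token endpoint; a short lifetime and a unique jti limit replay
    of a captured assertion."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "RS256", "typ": "JWT"}
    if kid:
        header["kid"] = kid    # key ID of the public key registered on the service app
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "iat": iat, "exp": iat + lifetime, "jti": str(uuid.uuid4())}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_endpoint(org_url):
    """Token endpoint of the org authorization server (OAuth for Okta)."""
    return org_url.rstrip("/") + "/oauth2/v1/token"


def token_request(assertion, scopes=SCOPES):
    """Form parameters for POST {org_url}/oauth2/v1/token."""
    return {"grant_type": "client_credentials",
            "scope": " ".join(scopes),
            "client_assertion_type": CLIENT_ASSERTION_TYPE,
            "client_assertion": assertion}


def fetch_access_token(org_url, client_id, signer, scopes=SCOPES, kid=None):
    """Full exchange against a live org; returns the token response as a dict."""
    url = token_endpoint(org_url)
    params = token_request(build_client_assertion(client_id, url, signer, kid=kid), scopes)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(params).encode(),
                                 headers={"Accept": "application/json",
                                          "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode())


def decode_unverified(jwt):
    """(header, claims) of a JWT without checking its signature; for inspection only."""
    pad = lambda s: s + "=" * (-len(s) % 4)
    h, c, _ = jwt.split(".")
    return (json.loads(base64.urlsafe_b64decode(pad(h))),
            json.loads(base64.urlsafe_b64decode(pad(c))))


if __name__ == "__main__":
    org_url = os.environ.get("OKTA_ORG_URL", "https://example.okta.com")   # placeholder
    client_id = os.environ.get("OKTA_CLIENT_ID", "example-client-id")      # placeholder
    key_path = os.environ.get("OKTA_PRIVATE_KEY")
    if not key_path:  # no real key supplied: ephemeral key to demonstrate the flow offline
        key_path = os.path.join(tempfile.mkdtemp(), "service-app.pem")
        subprocess.run(["openssl", "genpkey", "-algorithm", "RSA", "-pkeyopt",
                        "rsa_keygen_bits:2048", "-out", key_path], check=True, capture_output=True)
    url = token_endpoint(org_url)
    assertion = build_client_assertion(client_id, url, openssl_rs256_signer(key_path))
    header, claims = decode_unverified(assertion)
    print("header:", header)
    print("claims:", claims)
    print("POST", url, token_request(assertion))
    if os.environ.get("OKTA_PRIVATE_KEY"):
        print(fetch_access_token(org_url, client_id, openssl_rs256_signer(key_path)))
```

The access token in the response is then sent as `Authorization: Bearer <token>` instead of `SSWS`, and it can only do what the granted scopes permit, which is the least-privilege property the role-downgrade procedure above approximates with a user-bound token.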
