This article explains the difference between an SSWS API token and an OAuth 2.0 Bearer token. It also details the correct format for the Authorization header for each token type.
- Okta API token
- OAuth 2.0 access token
- Authentication
When using tokens for authorization in API calls, the keyword used in the Authorization header depends on the type of token being presented.
SSWS Token
An SSWS token is a proprietary API token used by Okta for authenticating requests to its own APIs. The "SSWS" keyword is specific to Okta and signals to its servers the type of authentication being used.
Format:
Authorization: SSWS <api_token>
Example: If the SSWS API token is 00QCjAl4MlV-WPXM...0HmjFx-vbGua, the header would be:
Authorization: SSWS 00QCjAl4MlV-WPXM...0HmjFx-vbGua
This header tells the Okta API that the request is authenticated by a long-lived API token generated within the Okta admin console.
OAuth 2.0 Bearer Token
OAuth 2.0 is an industry-standard protocol for authorization. The most common type of token it issues is a "Bearer" token. The Bearer keyword indicates that whoever possesses the token can use it to access the associated resources, without having to prove anything else. This scheme is not specific to Okta and is widely used.
Format:
Authorization: Bearer <access_token>
Example: If the OAuth 2.0 access token is eyJhbGciOiJSUzI1NiIsImtpZCI6ImYxZ..., the header would be:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImYxZ...
This header is used when an application makes API calls on behalf of a user or itself after completing an OAuth 2.0 flow. These tokens are typically short-lived.
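The following is an added example, not Okta's own code, showing how a client would build the Authorization header for either token type, how a server-side component would split it back into scheme and token, and how to redact it before it reaches a log. The sample token values are constructed placeholders shaped like the truncated examples above; the case-insensitive scheme matching and the "keep the last four characters" redaction rule are this example's own choices, not an Okta requirement.

```python
"""Build, parse and redact Okta-style Authorization headers.

Added example for the SSWS and Bearer formats described above; it is not
Okta's own code. The token values below are constructed placeholders.
"""
from typing import Dict, NamedTuple

# Constructed sample values; neither is a real credential.
SAMPLE_SSWS_TOKEN = "00QCjAl4MlV-WPXM...0HmjFx-vbGua"
SAMPLE_BEARER_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImYxZ..."

# The two schemes the article covers. "SSWS" is Okta's proprietary keyword
# for a long-lived API token; "Bearer" is the standard OAuth 2.0 keyword.
SCHEMES = ("SSWS", "Bearer")


class AuthHeader(NamedTuple):
    scheme: str
    token: str


def build_authorization_header(scheme: str, token: str) -> Dict[str, str]:
    """Return the headers dict for an API call using the given scheme.

    Rejects unknown schemes and empty or whitespace-containing tokens, both
    of which would otherwise produce a header the server cannot parse.
    """
    if scheme not in SCHEMES:
        raise ValueError(f"unsupported scheme {scheme!r}; expected one of {SCHEMES}")
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("token must be non-empty and contain no whitespace")
    return {"Authorization": f"{scheme} {token}"}


def parse_authorization_header(value: str) -> AuthHeader:
    """Split 'SSWS <token>' or 'Bearer <token>' into (scheme, token).

    The scheme keyword is matched case-insensitively (an assumption of this
    example) and normalised to the canonical spelling; anything else raises.
    """
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError("Authorization header must be '<scheme> <token>'")
    keyword, token = parts
    for canonical in SCHEMES:
        if keyword.lower() == canonical.lower():
            return AuthHeader(canonical, token)
    raise ValueError(f"unrecognised authorization scheme {keyword!r}")


def redact_for_logging(value: str) -> str:
    """Return a log-safe form of the header: scheme plus the last 4 characters.

    Both SSWS API tokens and Bearer access tokens are credentials; writing the
    full value to a log turns the log into a credential store.
    """
    scheme, token = parse_authorization_header(value)
    tail = token[-4:] if len(token) > 8 else ""
    return f"{scheme} ***{tail}"


if __name__ == "__main__":
    for scheme, token in ((SCHEMES[0], SAMPLE_SSWS_TOKEN), (SCHEMES[1], SAMPLE_BEARER_TOKEN)):
        header = build_authorization_header(scheme, token)["Authorization"]
        print("send :", header)
        print("parse:", parse_authorization_header(header))
        print("log  :", redact_for_logging(header))
```

The redaction helper is the piece worth reusing: a request-logging middleware or a WAF rule that echoes headers should never emit the token itself, regardless of whether it is an SSWS token or a Bearer token.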
