How to Export a List of All Certificate Expiration Dates for SAML Applications and SAML Identity Providers
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

This article provides guidance on how to use an API call to obtain the expiration dates of certificates for SAML applications. This method involves using the GET /api/v1/apps/${applicationId}/credentials/keys endpoint, which enumerates the key credentials for a given application.

 

This article also explains how to use the GET {{url}}/api/v1/idps/credentials/keys endpoint, which enumerates the key credentials for SAML Identity Providers (IdPs). This request returns the whole list for the SAML IdPs in one call, rather than retrieving the certificate expiration dates one by one.


NOTE: Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grained control over the bearer's actions on specific endpoints. See Okta API authentication methods.
 

Applies To
  • Okta API consumers
  • Certificate Expiration Date
Cause
Monitoring certificate expiration dates is a common requirement for maintaining system security and functionality. Failure to update expired certificates can result in authentication errors or service disruptions.
Solution

Follow the steps or video below.

 

  1. Make a GET request to the /api/v1/apps/${applicationId}/credentials/keys endpoint.
    • The applicationId parameter is a unique key representing an Application and is required. Replace ${applicationId} with the ID of the application.

Example of a GET request using curl:

curl -v -X GET \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "Authorization: SSWS ${api_token}" \
"https://${OktaDomainName}/api/v1/apps/0oad5lTSBOMUBOBVVQSC/credentials/keys"

NOTE: Replace ${api_token} with the Okta API token and ${OktaDomainName} with the Okta domain.

  2. The response is an array of Application Key Credentials. Each object in the array corresponds to a key credential and includes properties such as created (creation date) and expiresAt (expiration date). Look for the expiresAt field in the response to find the certificate expiration date.

Example of a response:

[
  {
    "created": "2015-12-10T18:56:23.000Z",
    "expiresAt": "2017-12-10T18:56:22.000Z",
    // other fields...
  },
  {
    "created": "2015-12-10T18:55:35.000Z",
    "expiresAt": "2045-01-23T02:15:23.000Z",
    // other fields...
  }
]

 

In this example, the first key credential will expire on December 10, 2017, and the second one will expire on January 23, 2045.

 

When using the /api/v1/idps/credentials/keys endpoint to verify IdP expiration dates, the IdP names are not directly provided. Instead, they can be correlated using the KID value. For example, the KID value received can be used in a GET {{url}}/api/v1/idps?kid=<KIDvalue> request to view the associated IdP name.

NOTE: GET {{url}}/api/v1/idps?kid=<KIDvalue> returns all the IdPs, with their name, creation date, and certificate expiry date, because "KID" does not support filtering.
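
One way to turn the two responses described above into an expiry report, as an added example that is not Okta's own code: it joins the keys from /api/v1/idps/credentials/keys to IdP names by KID on the client side and flags expired or soon-to-expire certificates. The sample data is constructed, and the protocol.credentials.trust.kid location of the KID inside an IdP object, the warn_days threshold, and the function names are assumptions.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse an Okta timestamp such as 2017-12-10T18:56:22.000Z as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def kid_to_idp_names(idps):
    """Index IdP names by the kid each IdP trusts (the join the KID note describes)."""
    names = {}
    for idp in idps:
        # Assumption: the kid sits at protocol.credentials.trust.kid in an IdP object.
        trust = idp.get("protocol", {}).get("credentials", {}).get("trust", {})
        if trust.get("kid"):
            names.setdefault(trust["kid"], []).append(idp["name"])
    return names

def expiry_report(keys, idps, now, warn_days=30):
    """Return (kid, idp_names, expiresAt, days_left, status) rows, soonest expiry first."""
    names = kid_to_idp_names(idps)
    rows = []
    for key in keys:
        expires = parse_ts(key["expiresAt"])
        days_left = (expires - now).days
        if expires <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        rows.append((key["kid"], names.get(key["kid"], ["<unassigned>"]),
                     key["expiresAt"], days_left, status))
    return sorted(rows, key=lambda row: parse_ts(row[2]))

# Constructed sample data: trimmed responses with placeholder kid values and names.
SAMPLE_KEYS = [
    {"kid": "kid-example-b", "expiresAt": "2045-01-23T02:15:23.000Z"},
    {"kid": "kid-example-a", "expiresAt": "2017-12-10T18:56:22.000Z"},
    {"kid": "kid-example-c", "expiresAt": "2018-01-05T00:00:00.000Z"},
]
SAMPLE_IDPS = [
    {"name": "Example Corp SAML", "protocol": {"credentials": {"trust": {"kid": "kid-example-a"}}}},
    {"name": "Partner SAML", "protocol": {"credentials": {"trust": {"kid": "kid-example-b"}}}},
]

if __name__ == "__main__":
    now = datetime(2017, 12, 20, tzinfo=timezone.utc)  # fixed "today" for a repeatable run
    for kid, idp_names, expires_at, days_left, status in expiry_report(SAMPLE_KEYS, SAMPLE_IDPS, now):
        print(f"{status:9} {days_left:6d}d  {expires_at}  {kid}  {', '.join(idp_names)}")
```

A key reported as `<unassigned>` is one that no IdP in the list references by KID.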

