The Manage API Tokens permission alone does not grant the ability to create an API token. The Manage Users permission must be granted in addition to any other permissions assigned to the custom administrator role. The API token inherits the exact permissions assigned to the custom administrator role, so additional permissions are required for specific administrative tasks. If the token lacks the correct permissions during an API call, Okta generates the following error:
403 Forbidden Error
- Okta Identity Engine (OIE)
- Okta Classic Engine
- API Token
- Administrator Roles
What are the minimum permissions required to create an API token?
Review the following guidelines to establish the correct permissions for an API token:
- Assign the Manage Users permission to the custom administrator role to allow API token creation.
  NOTE: The Manage API Tokens permission alone does not grant the ability to create API tokens.
- Assign additional permissions based on the required tasks, because the API token strictly inherits the permissions of the custom administrator. For example, to edit groups, grant the Manage Groups permission and define the Groups resource set to select the correct groups.
- Define the Users resource set to select the appropriate scope.
  NOTE: Okta generates a 403 Forbidden Error if the API call lacks the correct permissions.
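The guidelines above can be checked against a role definition before a token is issued. The following is an added example, not Okta code: the role layout, the task keys and the function names are hypothetical, the permission names are the ones this page uses, and the sample role and error body are constructed.

```python
import json

# Task -> (permission, resource set), taken only from the two cases this page
# states. Task keys and the role layout are hypothetical, not Okta API names.
REQUIRED = {
    "create_api_token": ("Manage Users", "Users"),
    "edit_groups": ("Manage Groups", "Groups"),
}

def preflight(role, tasks):
    """Return {task: [gaps]} for every task the role's token would be refused."""
    findings = {}
    for task in tasks:
        permission, resource_set = REQUIRED[task]
        gaps = []
        if permission not in role["permissions"]:
            gaps.append(f"grant '{permission}'")
        if not role["resource_sets"].get(resource_set):
            gaps.append(f"define the {resource_set} resource set")
        if gaps:
            findings[task] = gaps
    return findings

def explain_403(status, body, role, task):
    """Map a 403 from an API call back to the role gaps that explain it."""
    if status != 403:
        return []
    try:
        summary = json.loads(body).get("errorSummary", "")
    except (ValueError, AttributeError):
        summary = ""
    gaps = preflight(role, [task]).get(task, [])
    return gaps or [f"role looks sufficient for {task}; check resource scope ({summary})"]

# Constructed sample role: holds Manage API Tokens only, which is not enough.
ROLE = {"permissions": {"Manage API Tokens"}, "resource_sets": {"Users": []}}
# Constructed sample error body in the shape of an Okta API error response.
BODY = ('{"errorCode": "E0000006", "errorSummary": '
        '"You do not have permission to perform the requested action"}')

if __name__ == "__main__":
    print(preflight(ROLE, ["create_api_token", "edit_groups"]))
    print(explain_403(403, BODY, ROLE, "edit_groups"))
```
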
