<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Okta RADIUS Token Expiry Time
Apr 30, 2026
Multi-Factor Authentication
Okta Identity Engine
Overview

Okta’s RADIUS Agent enables integration with systems that use RADIUS for authentication. For secure communication between the RADIUS client and Okta, an Application Programming Interface (API) token is required. The token allows the RADIUS Agent to interact with Okta’s API to verify user credentials and enforce Multi-Factor Authentication (MFA).

Okta recommends using a dedicated service account to authorize RADIUS agents. This ensures that the API token is not tied to a specific user account.

Applies To
  • RADIUS
  • Application Programming Interface (API) Token
  • Multi-Factor Authentication (MFA)
  • Okta Identity Engine (OIE)
Solution

Okta API tokens are valid for 30 days from issuance. To ensure uninterrupted functionality, it is essential to understand how to manage and renew these tokens effectively. It is important to consider the following key points:

Token Validity

  • Each API token is valid for 30 days.
  • The validity is extended by 30 additional days every time the token is used to make an API call.

Token Renewal

  • To keep a token active, ensure it is used to make at least one API call within its 30-day validity period. This will automatically refresh the token’s expiration date, resetting it for another 30 days.
    • Example: If a token is issued on November 1st and used on November 25th, its validity will extend to December 25th.

Revoked Tokens

  • If a token is revoked (for example, due to security concerns or manual action), it cannot be renewed or used further. In such cases, a new token must be generated.

Best Practices

  • Automate periodic API calls using the token to ensure its expiration date is consistently refreshed.
  • Monitor token usage and expiration dates to avoid disruptions in the integration.
  • Maintain a secure environment for storing API tokens and prevent unauthorized access or accidental revocation.

 

If the token has already expired, remove the current RADIUS agent and reinstall it by following the Install the Okta RADIUS Server Agent for Windows documentation. There is no need to manually create an API token; a new one will be generated when the RADIUS agent is reinstalled.

Related References

Recommended content

Still looking for help?
Loading
Okta RADIUS Token Expiry Time