This article describes how to restrict the use of an API Token based on IP address and/or device.

• API Token
• Network Zone

The steps below are leveraging Network Zones to restrict the use of an API token:

1. Access the Admin console.
2. Navigate to Security > API > Tokens.
3. Click on the token that needs to be restricted.
4. In the Security section, click Edit.
5. From the API calls made with this token must originate from dropdown list, select an option to specify from where connections are allowed to come:
   • Any IP: Allow connections from any IP address or network zone.
   • In any network zone defined in Okta: Allow connections if they come from any network zone defined in the Okta org.
   • In any of the following zones: Allow connections if they come from specified network zones.
     1. Start entering text that matches the name of the network zone that should be selected. Okta presents results that match what was entered.
     2. Click a name to select it.
     3. Repeat this step to add more network zones.
   • Not in any network zone defined in Okta: Allow connections if they do not come from any network zone defined in the Okta org.
   • Not in any of the following zones: Allow connections if they do not come from specified network zones. 
     1. Start entering text that matches the name of the network zone that should be selected. Okta presents results that match what was entered.
     2. Click a name to select it.
     3. Repeat this step to add more network zones.

 NOTE: Enhanced dynamic zones are not available in the Zone selection for the API token. For details on enhanced dynamic zones and how to create one, please see the Related References section below.

Related References

• API token management
• Create an API token
• How to Create an API Token with Custom Permissions
• Create zones for IP addresses
• Create a dynamic zone
• Enhanced dynamic zones
• Create an enhanced dynamic zone