Restricting API Token Creation for Administrator Roles in Okta
Overview
This article addresses whether specific administrators can be prevented from creating Application Programming Interface (API) tokens in an Okta org. Several administrator roles can generate these tokens, and each token carries the permissions of the administrator who created it, so any user holding one of those roles can mint a credential with their own level of access.
Applies To
- Application Programming Interface (API) Tokens
- Administrator Roles
Cause
By design, specific administrator roles in Okta are granted the ability to create API tokens to facilitate automation and integrations. These tokens inherit the exact permissions of the administrator who generated them (for example, a token created by a Group Administrator can only manage groups).
Solution
Okta does not expose a separate "Create API Token" permission that can be removed from a user while they hold a standard administrator role that includes it. To restrict the ability to create API tokens, consider the following workarounds:
- Downgrade Administrative Privileges: Move the user to a role that cannot create API tokens. Only the following standard roles can create API tokens:
- Super Administrator
- Organization Administrator
- Group Administrator
- Read-only Administrator
- Group Membership Administrator
- Remove Administrative Access: If the user does not need administrative access at all, removing their administrator role revokes their ability to create API tokens entirely, since standard end users cannot create them. Also review any API tokens the user has already created (Security > API > Tokens in the Admin Console) and revoke those that are no longer needed.
- Implement Custom Admin Roles (OIE only): In Okta Identity Engine, check whether a Custom Admin Role built from granular, task-based permissions covers the user's duties without including token management. Standard out-of-the-box roles keep their default behaviors regardless of any custom roles you define.
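Because the restriction above is enforced only through role assignment, a practitioner will want two checks: which admins currently hold a token-capable role, and who is actually creating tokens. The script below is an added example written for this article (it is not Okta's code). It works offline on constructed sample records shaped like two Okta API responses: role assignments as returned by GET /api/v1/users/{userId}/roles, where USER_ADMIN is the API name of the Group Administrator role, and System Log entries as returned by GET /api/v1/logs. The eventType string used for token creation is an assumption and should be confirmed against your tenant's System Log before the detection is relied on.

```python
"""Audit which Okta admins can create API tokens, and flag token creations.

Added example for this article, not Okta's code. Runs offline on constructed
sample records shaped like:
  - role assignments from GET /api/v1/users/{userId}/roles
  - System Log entries from GET /api/v1/logs
The eventType for token creation is an assumption; verify it in your org.
"""

# Okta API role `type` values for the roles the article lists as able to
# create API tokens. USER_ADMIN is the API name of "Group Administrator".
TOKEN_CAPABLE_ROLE_TYPES = {
    "SUPER_ADMIN": "Super Administrator",
    "ORG_ADMIN": "Organization Administrator",
    "USER_ADMIN": "Group Administrator",
    "READ_ONLY_ADMIN": "Read-only Administrator",
    "GROUP_MEMBERSHIP_ADMIN": "Group Membership Administrator",
}

# Assumed System Log eventType for API token creation (confirm in your tenant).
API_TOKEN_CREATE_EVENT = "system.api_token.create"


def token_capable_roles(role_assignments):
    """Return the article-listed role names, among one user's role
    assignments, that allow creating API tokens (empty list if none)."""
    return sorted(
        TOKEN_CAPABLE_ROLE_TYPES[r["type"]]
        for r in role_assignments
        if r.get("type") in TOKEN_CAPABLE_ROLE_TYPES
    )


def audit_admins(roles_by_user):
    """Map login -> token-capable role names for every user holding at least
    one such role. Users with only roles outside the article's list
    (APP_ADMIN, HELP_DESK_ADMIN, ...) are omitted."""
    report = {}
    for login, assignments in roles_by_user.items():
        capable = token_capable_roles(assignments)
        if capable:
            report[login] = capable
    return report


def unexpected_token_creations(events, allowed_actors):
    """Return (actor login, token display name) for each successful API
    token creation whose actor is not in allowed_actors."""
    hits = []
    for ev in events:
        if ev.get("eventType") != API_TOKEN_CREATE_EVENT:
            continue
        if (ev.get("outcome") or {}).get("result") != "SUCCESS":
            continue
        actor = (ev.get("actor") or {}).get("alternateId", "<unknown>")
        if actor in allowed_actors:
            continue
        targets = ev.get("target") or [{}]
        hits.append((actor, targets[0].get("displayName", "<unknown>")))
    return hits


# Constructed sample data (not from a real tenant).
SAMPLE_ROLES = {
    "alice@example.com": [{"type": "SUPER_ADMIN", "status": "ACTIVE"}],
    "bob@example.com": [{"type": "APP_ADMIN", "status": "ACTIVE"}],
    "carol@example.com": [
        {"type": "USER_ADMIN", "status": "ACTIVE"},
        {"type": "HELP_DESK_ADMIN", "status": "ACTIVE"},
    ],
    "dave@example.com": [],
}

SAMPLE_EVENTS = [
    {"eventType": API_TOKEN_CREATE_EVENT, "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com", "type": "User"},
     "target": [{"type": "Token", "displayName": "terraform-sync"}]},
    {"eventType": API_TOKEN_CREATE_EVENT, "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com", "type": "User"},
     "target": [{"type": "Token", "displayName": "group-export"}]},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "carol@example.com", "type": "User"}},
]

# Actors who are expected to create API tokens (e.g. a designated automation admin).
ALLOWED_TOKEN_CREATORS = {"alice@example.com"}

if __name__ == "__main__":
    for login, roles in audit_admins(SAMPLE_ROLES).items():
        print(f"{login} can create API tokens via: {', '.join(roles)}")
    for actor, token in unexpected_token_creations(SAMPLE_EVENTS, ALLOWED_TOKEN_CREATORS):
        print(f"ALERT: {actor} created API token '{token}' outside the allowlist")
```

Against the sample data, the audit reports alice (Super Administrator) and carol (Group Administrator, despite her Help Desk role adding nothing), skips bob and dave, and the detection flags carol's "group-export" token while accepting alice's. In a real tenant you would feed the functions live responses from the two endpoints named above and run the audit on a schedule, since a role change made in the Admin Console silently reopens the ability to create tokens.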
