This article explains why admins may see events in the System Log with the message "Create API token" where the actor is an end user who does not have administrator permissions, or specifically does not have permission to create API tokens.
Despite that, the event for the actor still matches the following System Log filter:
- eventType eq "system.api_token.create"
This event type is generated when end users sign in to their accounts through the Okta Mobile app.
It does not mean the user created an API token in the Okta org. When a user signs in to the Okta Mobile app on a mobile device, a session token is generated, and the System Log records it as a token creation event. The next event in the System Log for the same actor is typically the user's login to Okta, with the client device shown as Mobile.
This session token does not appear in the API tokens menu, does not grant any additional permissions, and is not an API token with administrative privileges.
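The triage check the article describes (a "Create API token" event from a non-admin that is immediately followed by that user's login from a Mobile device) can be automated over exported System Log events. The script below is an added example, not code from the article or from Okta. The sample events are constructed; the field names (eventType, actor, client.device, published) follow the Okta System Log schema, while the use of user.session.start as the follow-up login event and the 5-minute correlation window are assumptions you should adjust to your own tenant.

```python
"""Triage helper for Okta System Log "Create API token" events.

Added example (not from the original article or from Okta). For each
system.api_token.create event it looks for a login from the same actor
with client.device == "Mobile" inside a short window. Events with that
follow-up are labelled as Okta Mobile session-token noise, as the
article describes; everything else is labelled "review".
"""
from datetime import datetime, timedelta

TOKEN_CREATE = "system.api_token.create"
LOGIN = "user.session.start"  # assumed eventType for the follow-up login

# Constructed sample System Log events (not real data).
SAMPLE_EVENTS = [
    {   # alice: token-create event followed 2s later by a Mobile login
        "published": "2024-01-15T09:00:00.000Z",
        "eventType": TOKEN_CREATE,
        "displayMessage": "Create API token",
        "actor": {"id": "00u1", "alternateId": "alice@example.com", "type": "User"},
        "client": {"device": "Mobile"},
    },
    {
        "published": "2024-01-15T09:00:02.000Z",
        "eventType": LOGIN,
        "displayMessage": "User login to Okta",
        "actor": {"id": "00u1", "alternateId": "alice@example.com", "type": "User"},
        "client": {"device": "Mobile"},
    },
    {   # bob: token-create event followed by a login from a Computer, not Mobile
        "published": "2024-01-15T10:30:00.000Z",
        "eventType": TOKEN_CREATE,
        "displayMessage": "Create API token",
        "actor": {"id": "00u2", "alternateId": "bob@example.com", "type": "User"},
        "client": {"device": "Computer"},
    },
    {
        "published": "2024-01-15T10:30:05.000Z",
        "eventType": LOGIN,
        "displayMessage": "User login to Okta",
        "actor": {"id": "00u2", "alternateId": "bob@example.com", "type": "User"},
        "client": {"device": "Computer"},
    },
]


def _ts(event):
    """Parse the System Log 'published' timestamp (UTC, millisecond precision)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%S.%fZ")


def classify_api_token_events(events, window_seconds=300):
    """Return one verdict per system.api_token.create event, in time order.

    verdict is "okta_mobile_session" when the same actor logs in from a
    Mobile device within window_seconds (an assumed window), else "review".
    """
    ordered = sorted(events, key=_ts)
    window = timedelta(seconds=window_seconds)
    results = []
    for i, ev in enumerate(ordered):
        if ev.get("eventType") != TOKEN_CREATE:
            continue
        actor_id = ev["actor"]["id"]
        t0 = _ts(ev)
        mobile_login = None
        for later in ordered[i + 1:]:
            if _ts(later) - t0 > window:
                break  # events are sorted, so nothing further can match
            if (later.get("eventType") == LOGIN
                    and later["actor"]["id"] == actor_id
                    and later.get("client", {}).get("device") == "Mobile"):
                mobile_login = later
                break
        results.append({
            "actor": ev["actor"].get("alternateId", actor_id),
            "published": ev["published"],
            "verdict": "okta_mobile_session" if mobile_login else "review",
            "evidence": mobile_login["published"] if mobile_login else None,
        })
    return results


if __name__ == "__main__":
    for r in classify_api_token_events(SAMPLE_EVENTS):
        print(f'{r["published"]}  {r["actor"]:<20} {r["verdict"]}')
```

A "review" verdict is not an alert on its own: it only means the Okta Mobile explanation does not fit that event. Confirm by checking whether a new token actually appears in the API tokens menu, and whether the actor holds a role that can create API tokens.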
