How to make an API request to modify an Authorization Server's access policies and rules to trigger a Token Inline Hook.
Pre-Requisites
- Okta Domain
- API Token OR Access Token
- Authorization Server ID
- Access Policy ID (Authorization Server ID is needed to make this request)
- Access Rule ID (Authorization Server ID and Access Policy ID are needed to make this request)
- Inline Hook ID (to list only the Token Inline Hooks, use the request below)
https://oktaDomain/api/v1/inlineHooks?type=com.okta.oauth2.tokens.transform
Making the update
- Get the current configuration for the Access Rule that is being updated.
GET https://oktaDomain/api/v1/authorizationServers/{{authorizationServerId}}/policies/{{accessPolicyId}}/rules/{{accessRuleId}}
- Example response:
{
  "id": "0pr1234567890",
  "status": "ACTIVE",
  "name": "Token Hook",
  "priority": 2,
  "created": null,
  "lastUpdated": null,
  "system": false,
  "conditions": {
    "people": {
      "users": { "include": [], "exclude": [] },
      "groups": { "include": [ "EVERYONE" ], "exclude": [] }
    },
    "grantTypes": {
      "include": [
        "implicit",
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "client_credentials",
        "password",
        "urn:ietf:params:oauth:grant-type:device_code",
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:token-exchange"
      ]
    },
    "scopes": { "include": [ "*" ] }
  },
  "actions": {
    "token": {
      "accessTokenLifetimeMinutes": 60,
      "refreshTokenLifetimeMinutes": 0,
      "refreshTokenWindowMinutes": 10080
    }
  },
  "type": "RESOURCE_ACCESS"
}
- Format the request body for the update
- Modify the `actions` object returned above to add the inlineHook.id:
"actions": {
  "token": {
    "accessTokenLifetimeMinutes": 60,
    "refreshTokenLifetimeMinutes": 0,
    "refreshTokenWindowMinutes": 10080,
    "inlineHook": { "id": "<<inline hook id>>" }
  }
}
- Make the update request:
PUT https://oktaDomain/api/v1/authorizationServers/{{authorizationServerId}}/policies/{{accessPolicyId}}/rules/{{accessRuleId}}
{
  "id": "0pr123456789",
  "status": "ACTIVE",
  "name": "Token Hook",
  "priority": 2,
  "created": null,
  "lastUpdated": null,
  "system": false,
  "conditions": {
    "people": {
      "users": { "include": [], "exclude": [] },
      "groups": { "include": [ "EVERYONE" ], "exclude": [] }
    },
    "grantTypes": {
      "include": [
        "implicit",
        "urn:ietf:params:oauth:grant-type:saml2-bearer",
        "client_credentials",
        "password",
        "urn:ietf:params:oauth:grant-type:device_code",
        "authorization_code",
        "urn:ietf:params:oauth:grant-type:token-exchange"
      ]
    },
    "scopes": { "include": [ "*" ] }
  },
  "actions": {
    "token": {
      "accessTokenLifetimeMinutes": 60,
      "refreshTokenLifetimeMinutes": 0,
      "refreshTokenWindowMinutes": 10080,
      "inlineHook": { "id": "cal1234567890" }
    }
  },
  "type": "RESOURCE_ACCESS"
}
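The update steps above, sketched in Python as an added example (not Okta's own code). The helper names, the trimmed sample rule and the placeholder domain, IDs and token used with it are assumptions; the `SSWS` authorization scheme applies when an API token is used. Because the whole rule is sent back in the PUT, the diff check flags any field other than `actions.token.inlineHook` that differs from the rule returned by the GET.

```python
import copy
import json
import urllib.request

# Constructed sample: a trimmed version of the rule returned by the GET above.
SAMPLE_RULE = {
    "id": "0pr1234567890", "status": "ACTIVE", "name": "Token Hook",
    "priority": 2, "type": "RESOURCE_ACCESS",
    "conditions": {"scopes": {"include": ["*"]}},
    "actions": {"token": {"accessTokenLifetimeMinutes": 60,
                          "refreshTokenLifetimeMinutes": 0,
                          "refreshTokenWindowMinutes": 10080}},
}

def with_inline_hook(rule, hook_id):
    """Return a copy of the rule with actions.token.inlineHook.id set."""
    if not isinstance(hook_id, str) or not hook_id:
        raise ValueError("hook_id must be a non-empty string")
    updated = copy.deepcopy(rule)
    updated["actions"]["token"]["inlineHook"] = {"id": hook_id}
    return updated

def changed_paths(before, after, path=""):
    """List the JSON paths whose values differ between two documents."""
    if isinstance(before, dict) and isinstance(after, dict):
        diffs = []
        for key in sorted(set(before) | set(after)):
            diffs += changed_paths(before.get(key), after.get(key), f"{path}.{key}")
        return diffs
    return [] if before == after else [path.lstrip(".")]

def assert_only_hook_changed(current, body):
    """Refuse a PUT body that alters anything besides the inline hook."""
    extra = [p for p in changed_paths(current, body)
             if not p.startswith("actions.token.inlineHook")]
    if extra:
        raise ValueError(f"unexpected rule changes: {extra}")

def build_put(okta_domain, server_id, policy_id, rule, api_token):
    """Build (but do not send) the PUT request for the updated rule."""
    url = (f"https://{okta_domain}/api/v1/authorizationServers/{server_id}"
           f"/policies/{policy_id}/rules/{rule['id']}")
    return urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="PUT",
        headers={"Authorization": f"SSWS {api_token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
```

Pass the request returned by `build_put` to `urllib.request.urlopen` to send it, after `assert_only_hook_changed` has accepted the body.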
