Okta Authentication
This page describes the authentication methods supported by Okta inputs (e.g., Users, Groups, Apps, System Log). These methods do not apply to Auth0-based inputs.
Authentication Methods
Okta inputs support two authentication methods:
| Method | Description |
|---|---|
| API Key | Simple token-based auth using an Okta API token. |
| OAuth 2.0 (Service App) | Machine-to-machine OAuth 2.0 using a public/private key pair. |
API Key
The API Key method is the simpler option and is sufficient for most use cases.
Requirements
- An Okta API token scoped to your organization.
  - Instructions here.
- Your Okta Organization URL.
  - When on the Okta Admin Dashboard, if your URL is https://companyname-admin.okta.com/admin/dashboard then your org URL is https://companyname.okta.com.
  - Edge cases and alternate URL formats are documented here.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Org URL | string | Yes | Your Okta Organization URL (e.g. https://yourorg.okta.com). |
| Cron | string | Yes | A cron expression defining how often to run the input. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| API Key | string | Yes | Your Okta API token. |
OAuth 2.0 (Service App)
The OAuth 2.0 method uses a service application with a public/private key pair to authenticate against the Okta API. This follows Okta's OAuth for service apps flow.
Setup
1. Create a Service App Integration
- Sign in to your Okta Admin Console.
- Navigate to Applications > Applications and click Create App Integration.
- Select API Services as the sign-in method and click Next.
- Provide a name for the application and click Save.
2. Note the Client ID
On the app's General tab, copy the Client ID — you will need this later.
3. Configure Public Key / Private Key Authentication
- On the app's General tab, scroll to the Client Credentials section and click Edit.
- Change the Client authentication type to Public key / Private key.
- Click Add key, then Generate new key. Okta will generate a public/private key pair.
- Copy and save the private key immediately — this is the only time it will be shown.
- Note the Key ID (kid) displayed for the generated key pair.
- Click Save.
4. Disable DPoP
On the app's General tab under General Settings, ensure that Require Demonstrating Proof of Possession (DPoP) header in token requests is disabled.
5. Grant OAuth Scopes
On the Okta API Scopes tab, grant the scopes required by the specific Okta input you are configuring (e.g. okta.users.read, okta.apps.read). Look at the secrets section of the specific Okta input's docs to understand what permissions must be granted.
Configuration
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Org URL | string | Yes | Your Okta Organization URL (e.g. https://yourorg.okta.com). |
| Cron | string | Yes | A cron expression defining how often to run the input. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| RSA Private Key | string | Yes | The RSA private key generated when creating the key pair in your Okta service app. |
| Client ID | string | Yes | The OAuth 2.0 Client ID from your Okta service app. |
| Key ID | string | Yes | The Key ID (kid) associated with the RSA key pair in your Okta service app. |
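Before storing these three secrets, you can confirm that the private key, Client ID and Key ID belong together by building the signed client assertion that the service app flow presents to the org's token endpoint. The script below is an added example, not code from this product or from Okta; it assumes the private key was saved in PEM format and that `openssl` and `curl` are installed, and the function names and the 5-minute assertion lifetime are illustrative choices.

```shell
#!/bin/sh
# Added example (not the product's or Okta's code). Assumes the private key
# from step 3 was saved in PEM format; needs openssl, and curl for the request.

# base64url without padding, as JWTs require
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# make_client_assertion ORG_URL CLIENT_ID KEY_ID PRIVATE_KEY_PEM_FILE
# Prints a signed JWT that authenticates the service app at the token endpoint.
# Client ID and Key ID are assumed to contain no quotes or backslashes.
make_client_assertion() {
  org_url="${1%/}"; client_id="$2"; kid="$3"; key_file="$4"
  now=$(date +%s)
  # Header carries the Key ID (kid) so Okta can select the registered public key.
  header=$(printf '{"alg":"RS256","kid":"%s"}' "$kid" | b64url)
  # iss and sub are both the Client ID; aud is the org's token endpoint.
  # A 5-minute lifetime (illustrative) limits replay if the assertion leaks.
  claims=$(printf '{"iss":"%s","sub":"%s","aud":"%s/oauth2/v1/token","iat":%d,"exp":%d,"jti":"%s"}' \
    "$client_id" "$client_id" "$org_url" "$now" "$((now + 300))" \
    "$(openssl rand -hex 16)" | b64url)
  sig=$(printf '%s' "$header.$claims" | openssl dgst -sha256 -sign "$key_file" | b64url)
  [ -n "$sig" ] || { echo "signing failed: check the key file" >&2; return 1; }
  printf '%s.%s.%s\n' "$header" "$claims" "$sig"
}

# request_token ORG_URL ASSERTION "SCOPES"
# Exchanges the assertion for an access token limited to the given scopes.
request_token() {
  curl -sS -X POST "${1%/}/oauth2/v1/token" \
    -H 'Accept: application/json' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode "scope=$3" \
    --data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
    --data-urlencode "client_assertion=$2"
}

# Usage (placeholders; keep the key file mode 600 and out of shell history):
#   jwt=$(make_client_assertion https://yourorg.okta.com "$CLIENT_ID" "$KEY_ID" ./private.pem)
#   request_token https://yourorg.okta.com "$jwt" "okta.users.read"
```

A successful response contains an access token and the scopes actually granted; an error response at this stage usually points to a mismatched Key ID, a scope not granted on the Okta API Scopes tab, or DPoP still being required.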