Okta API Integration
These are the list of integration use cases supported by Knit for Okta API as part of the HRIS category
Delete a Group
ID: delete_a_groupOperation: writeEntities: permission, error, groupSummary: The 'Delete a Group' API allows you to delete a group with the OKTA_GROUP type using the DELETE method. The request requires the 'groupId' as a path parameter and an 'Authorization' header with your API key. The endpoint is 'https://{yourOktaDomain}/api/v1/groups/{groupId}'. A successful request returns a 204 No Content response. If there are errors, the response will include an error code, summary, link, ID, and causes. Common errors include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Delete a User
ID: delete_a_userOperation: writeEntities: error cause, userSummary: The 'Delete a User' API permanently deletes a user from the Okta system. This operation can only be performed on users that have a DEPROVISIONED status. If called on an ACTIVE user, the user will be transitioned to DEPROVISIONED. The API requires the user ID as a path parameter and an authorization API key in the headers. An optional query parameter 'sendEmail' can be used to specify whether to send an email notification, defaulting to false. The API returns a 204 No Content response on success. In case of errors, it returns a JSON object with details about the error, including error summary, code, ID, and link.Input Fields: Input FieldsOutput Fields: Output Fields
Delete a Group Rule
ID: delete_group_ruleOperation: writeEntities: rule, user, groupSummary: The 'Delete a Group Rule' API allows you to delete a specific group rule identified by the 'groupRuleId'. The request requires an authorization header with an API key. The 'groupRuleId' is a required path parameter that specifies the ID of the group rule to be deleted. An optional query parameter 'removeUsers' can be included to indicate whether users should be removed from groups assigned by this rule. The API responds with various status codes, including 202 (Accepted), 403 (Forbidden), 404 (Not Found), and 429 (Too Many Requests). The response body contains error details if the request fails, including an error code, summary, link, ID, and causes.Input Fields: Input FieldsOutput Fields: Output Fields
Delete a Linked Object
ID: delete_linked_objectOperation: writeEntities: linked object, user, relationshipSummary: The 'Delete a Linked Object' API allows you to delete linked objects for a user in Okta. The endpoint requires the user ID or login and the relationship name as path parameters. The API key must be provided in the Authorization header. The API returns a 204 No Content status on success. If there are errors, it returns a JSON response with details such as error code, summary, and causes. Common errors include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke all Grants for a Client
ID: delete_revoke_all_grants_for_a_clientOperation: writeEntities: client, grant, userSummary: This API revokes all grants for a specified user and client in Okta. It requires the user ID and client ID as path parameters. The request must include an authorization header with a valid API key. If successful, the API returns a 204 No Content status. If there are errors, such as insufficient permissions, the API returns a JSON error response with details including error code, summary, and a unique error ID.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke all Refresh Tokens for a Client
ID: delete_revoke_all_refresh_tokens_for_a_clientOperation: deleteEntities: client, user, tokenSummary: This API revokes all refresh tokens issued for the specified User and Client in Okta. It requires the userId and clientId as path parameters, and an Authorization header with a valid API key. The API returns a 204 No Content response on success. If there are errors, it returns a JSON object with details about the error, including errorCode, errorSummary, errorLink, errorId, and errorCauses. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke all User Grants
ID: delete_revoke_all_user_grantsOperation: writeEntities: error, grant, userSummary: The 'Revoke all User Grants' API is used to revoke all grants for a specified user in Okta. It requires the DELETE method and the endpoint is 'https://{yourOktaDomain}/api/v1/users/{userId}/grants'. The request must include the 'Authorization' header with a valid API key and the 'userId' path parameter, which is the ID of an existing Okta user. The API does not require a request body or query parameters. Upon successful execution, it returns a 204 No Content response. If there are errors, it returns a JSON response with error details such as 'errorCode', 'errorSummary', 'errorLink', 'errorId', and 'errorCauses'. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke all User Sessions
ID: delete_revoke_all_user_sessionsOperation: writeEntities: session, user, tokenSummary: The 'Revoke all User Sessions' API revokes all active identity provider sessions of a specified user in Okta. This forces the user to authenticate on the next operation. The API can optionally revoke OpenID Connect and OAuth refresh and access tokens issued to the user. The request requires the 'userId' path parameter, which is the ID of an existing Okta user. The 'oauthTokens' query parameter is optional and defaults to false, indicating whether to revoke issued OpenID Connect and OAuth tokens. The API requires an 'Authorization' header with a valid API key. The response can be a 204 No Content on success, or various error responses such as 403 Forbidden, 404 Not Found, or 429 Too Many Requests, each with a detailed error schema.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke a Token for a Client
ID: delete_revoke_token_for_clientOperation: writeEntities: client, user, tokenSummary: This API revokes a specified refresh token for a client in Okta. It requires the user ID, client ID, and token ID as path parameters. The request must include an Authorization header with a valid API key. If successful, the API returns a 204 No Content status. If there are errors, it returns a JSON response with error details, including errorCode, errorSummary, errorLink, errorId, and errorCauses. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Revoke a User Grant
ID: delete_revoke_user_grantOperation: writeEntities: error, grant, userSummary: The 'Revoke a User Grant' API allows you to revoke a specific grant for a specified user in Okta. This API requires the DELETE method and is accessed via the endpoint 'https://{yourOktaDomain}/api/v1/users/{userId}/grants/{grantId}'. The request must include the 'Authorization' header with a valid API key. The 'userId' and 'grantId' are required path parameters that specify the user and the grant to be revoked, respectively. A successful request returns a 204 No Content response. If there are errors, the response will include an error code, summary, link, ID, and causes. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests, each with a detailed JSON schema describing the error.Input Fields: Input FieldsOutput Fields: Output Fields
Unassign a User
ID: delete_unassign_userOperation: writeEntities: user, groupSummary: The 'Unassign a User' API allows you to unassign a user from a group with 'OKTA_GROUP' type in Okta. This API requires the DELETE method and is accessed via the endpoint 'https://{yourOktaDomain}/api/v1/groups/{groupId}/users/{userId}'. The request must include the 'Authorization' header with a valid API key. The path parameters 'groupId' and 'userId' are required to specify the group and user respectively. The API returns a 204 No Content response on success. In case of errors, it returns JSON with error details such as 'errorCode', 'errorSummary', 'errorLink', 'errorId', and 'errorCauses'. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Unenroll a Factor
ID: delete_unenroll_a_factorOperation: writeEntities: factor, error, userSummary: The 'Unenroll a Factor' API allows you to unenroll an existing Factor for a specified user in Okta. This API requires the user ID and factor ID as path parameters. An optional query parameter 'removeRecoveryEnrollment' can be set to true to remove the phone number as both a recovery method and a Factor, applicable only for sms and call Factors. The API requires an authorization header with an API key. On success, it returns a 204 No Content response. If there are errors, it returns a JSON object with error details including error code, summary, and ID.Input Fields: Input FieldsOutput Fields: Output Fields
Delete a User Type
ID: delete_user_typeOperation: writeEntities: error cause, user typeSummary: The 'Delete a User Type' API allows you to permanently delete a user type in Okta. It requires the 'typeId' path parameter, which is the unique key for the user type you wish to delete. The request must include an 'Authorization' header with a valid API key. Note that you cannot delete the default user type or a user type that is currently assigned to users. The API returns a 204 No Content response on success. If there are errors, it returns a JSON object with details such as 'errorCode', 'errorSummary', 'errorLink', and 'errorId'. Common error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
List all Enabled Products for an Org
ID: get_enabled_products_for_orgOperation: readEntities: product, account, organizationSummary: This API endpoint lists all enabled products for a specified Okta organization. It requires the accountId and orgId as path parameters and an authorization bearer token in the headers. The response includes a list of products with their IDs and names. In case of errors, it returns appropriate error codes and messages, including unauthorized access, forbidden access, resource not found, rate limit exceeded, and internal server errors.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a Factor Transaction Status
ID: get_factor_transaction_statusOperation: readEntities: factor, transaction, userSummary: The 'Retrieve a Factor Transaction Status' API allows you to retrieve the status of a push Factor verification transaction for a specific user in Okta. You need to provide the userId, factorId, and transactionId as path parameters. The API requires an Authorization header with your API key. The response includes the factorResult, which indicates the result of the verification transaction, and a profile object containing the credentialId. Additionally, the response includes links for polling the Factor resource for status information and for canceling a push factor challenge with a WAITING status.Input Fields: Input FieldsOutput Fields: Output Fields
List all Assigned Application Links
ID: get_list_all_assigned_application_linksOperation: readEntities: app link, application, userSummary: The 'List all Assigned Application Links' API retrieves all appLinks for applications assigned to a specific Okta user, either directly or indirectly through group membership. The request requires the userId as a path parameter and an Authorization header with a valid API key. The response is a JSON array containing details of each appLink, including appAssignmentId, appInstanceId, appName, credentialsSetup status, visibility (hidden), id, label, linkUrl, logoUrl, and sortOrder. The API supports OAuth 2.0 with the OKTA.USERS.READ scope.Input Fields: Input FieldsOutput Fields: Output Fields
List all Assigned Applications
ID: get_list_all_assigned_applicationsOperation: readEntities: application, groupSummary: The 'List all Assigned Applications' API retrieves all applications assigned to a specific group in Okta. It requires the group ID as a path parameter and supports optional query parameters for pagination, such as 'after' and 'limit'. The API returns a list of applications with details such as accessibility settings, creation and update timestamps, features, licensing information, sign-on mode, status, and visibility settings. The response is an array of application objects, each containing embedded resources and links related to the application.Input Fields: Input FieldsOutput Fields: Output Fields
List all Clients
ID: get_list_all_clientsOperation: readEntities: client, link, userSummary: The 'List all Clients' API retrieves all client resources for which the specified user has grants or tokens. It requires the user ID as a path parameter and an API key for authorization in the headers. The response includes an array of client objects, each containing details such as client_id, client_name, client_uri, logo_uri, and links for further actions. The API handles various response codes, including 200 for success, 403 for forbidden access, 404 for not found, and 429 for too many requests.Input Fields: Input FieldsOutput Fields: Output Fields
List all enrolled Factors
ID: get_list_all_enrolled_factorsOperation: readEntities: factor, user, profileSummary: This API lists all enrolled factors for a specified user in Okta. It requires the user ID as a path parameter and an API key for authorization in the headers. The response includes an array of factors, each with details such as the creation timestamp, factor type, ID, last updated timestamp, profile attributes, provider, status, vendor name, and any embedded resources or links. The API returns a 200 status code on success, and can also return error responses with status codes 403, 404, or 429, each providing details about the error.Input Fields: Input FieldsOutput Fields: Output Fields
List all Grants for a Client
ID: get_list_all_grants_for_a_clientOperation: readEntities: client, grant, userSummary: The 'List all Grants for a Client' API retrieves all grants for a specified user and client in Okta. It requires the user ID and client ID as path parameters. The API supports optional query parameters such as 'expand', 'after', and 'limit' to control the response. The response includes details about each grant, such as the client ID, creation timestamp, issuer, scope ID, source, status, and user ID. The response also includes embedded resources and links for further navigation. The API returns a 200 status code on success, with possible error responses for forbidden access, not found resources, and too many requests.Input Fields: Input FieldsOutput Fields: Output Fields
List all Group Rules
ID: get_list_all_group_rulesOperation: readEntities: action, condition, group ruleSummary: The 'List all Group Rules' API retrieves all group rules from the Okta system. It requires an API key for authorization. The API supports query parameters such as 'limit' to specify the number of results per page, 'after' for pagination, 'search' for keyword-based filtering, and 'expand' to include group names. The response includes details about each group rule, such as actions, conditions, creation date, last updated date, name, status, and type. The API returns a 200 status code on success, with a JSON array of group rules. In case of errors, it may return 403 or 429 status codes with error details.Input Fields: Input FieldsOutput Fields: Output Fields
List all Groups
ID: get_list_all_groupsOperation: readEntities: user, groupSummary: The 'List all Groups' API retrieves all groups of which a specified user is a member in Okta. It requires the user ID as a path parameter and supports pagination through the 'after' query parameter. The 'limit' query parameter can be used to specify the number of groups to return, with a default of 20 and a maximum of 200. The response includes details about each group, such as creation date, last updated date, object class, profile information, and links to related resources. The API requires an authorization header with an API key. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests, each providing detailed error information.Input Fields: Input FieldsOutput Fields: Output Fields
List all Identity Providers
ID: get_list_all_identity_providersOperation: readEntities: policy, user, identity providerSummary: This API endpoint lists all Identity Providers (IdPs) associated with a specific Okta user. It requires the user ID as a path parameter and an API key for authorization in the headers. The response is a JSON array containing details of each IdP, including creation date, ID, issuer mode, last updated date, name, policy, properties, protocol, status, type, and related links. The API supports various issuer modes and IdP types, and provides detailed information about the IdP's configuration and status.Input Fields: Input FieldsOutput Fields: Output Fields
List all Member Users
ID: get_list_all_member_usersOperation: readEntities: profile, user, groupSummary: The 'List all Member Users' API retrieves all users that are members of a specified group in Okta. It requires the group ID as a path parameter and supports pagination through the 'after' query parameter. The 'limit' query parameter specifies the number of user results per page, with a default of 1000. The API requires an authorization header with an API key. The response includes detailed user information such as activation status, profile details, and credentials. The API also provides links for user lifecycle operations and supports error handling for forbidden, not found, and too many requests scenarios.Input Fields: Input FieldsOutput Fields: Output Fields
List all Orgs
ID: get_list_all_orgsOperation: readEntities: error, account, orgSummary: The 'List all Orgs' API allows users to retrieve a list of organizations associated with a specific Aerial Account. The API requires an authorization token and the account ID as a path parameter. Optional query parameters include 'after', 'before', 'limit', and 'filter' to control pagination and filtering of results. The response includes details about each organization such as account ID, name, cell, domain, status, whether it is an Aerial Org, creation date, and ID. The API also provides pagination links in the response headers. Error responses include detailed error codes and descriptions for troubleshooting.Input Fields: Input FieldsOutput Fields: Output Fields
List all Refresh Tokens for a Client
ID: get_list_all_refresh_tokens_for_a_clientOperation: readEntities: client, user, tokenSummary: This API endpoint lists all refresh tokens issued for a specified user and client in Okta. It requires the user ID and client ID as path parameters and supports optional query parameters for expanding related resources, pagination, and limiting the number of tokens returned. The response includes details about each token, such as its creation and expiration timestamps, status, associated scopes, and links to related resources. The API requires an authorization header with an API key.Input Fields: Input FieldsOutput Fields: Output Fields
List all supported Factors
ID: get_list_all_supported_factorsOperation: readEntities: factor, provider, userSummary: The 'List all supported Factors' API retrieves a list of all the supported factors that can be enrolled for a specified user in Okta. The API requires the user ID as a path parameter and an authorization header with an API key. The response is an array of factor objects, each containing details such as enrollment status, factor type, provider, status, vendor name, embedded resources, and links for various operations related to the factor. The API supports OAuth 2.0 with the scope 'OKTA.USERS.READ'.Input Fields: Input FieldsOutput Fields: Output Fields
List all supported Security Questions
ID: get_list_all_supported_security_questionsOperation: readEntities: factor, question, userSummary: This API endpoint lists all available security questions for a specified user in Okta. The request requires the user ID as a path parameter and an API key for authorization in the headers. The response is a JSON array containing objects with 'question' and 'questionText' fields, representing the unique key and human-readable text of each security question. Possible response codes include 200 for success, 403 for forbidden access, 404 if the user is not found, and 429 if too many requests are made.Input Fields: Input FieldsOutput Fields: Output Fields
List all User Blocks
ID: get_list_all_user_blocksOperation: readEntities: block, userSummary: The 'List all User Blocks' API retrieves information about how a specific user is blocked from accessing their account in Okta. It requires the user ID as a path parameter and an API key for authorization in the headers. The response provides details on the type of block and the devices it applies to. Possible response codes include 200 for success, 403 for forbidden access, 404 if the user is not found, and 429 if too many requests are made.Input Fields: Input FieldsOutput Fields: Output Fields
List all User Grants
ID: get_list_all_user_grantsOperation: readEntities: grant, user, scopeSummary: The 'List all User Grants' API retrieves all grants for a specified user in Okta. It requires the user ID as a path parameter and supports optional query parameters such as scopeId, expand, after, and limit to refine the results. The API returns an array of grant objects, each containing details like clientId, created timestamp, issuer, scopeId, source, status, and userId. The response also includes embedded resources and links for further navigation. The API requires an Authorization header with a valid API key.Input Fields: Input FieldsOutput Fields: Output Fields
List all User Types
ID: get_list_all_user_typesOperation: readEntities: user type, user, schemaSummary: The 'List all User Types' API allows you to retrieve all user types available in your Okta organization. It requires an API key for authorization, which should be included in the request headers. The API returns an array of user types, each containing details such as the unique ID, display name, name, description, creator and last updater IDs, creation and last update timestamps, and whether it is the default user type. Additionally, it provides links to the resource and associated schema. The response is in JSON format.Input Fields: Input FieldsOutput Fields: Output Fields
List all Users
ID: get_list_all_usersOperation: readEntities: user, profile, credentialSummary: The 'List all Users' API retrieves a list of users from the Okta system. It supports filtering, searching, and sorting of users based on various criteria such as firstName, lastName, email, and more. The API requires an authorization header with an API key and a Content-Type header specifying the media type. Query parameters include 'q' for matching user properties, 'after' for pagination, 'limit' for the number of results, 'filter' for filtering expressions, 'search' for search criteria, 'sortBy' and 'sortOrder' for sorting results. The response includes user details such as id, status, created date, last login, profile information, and more. The API returns users that are not 'DEPROVISIONED' by default, with a maximum of 200 users per request.Input Fields: Input FieldsOutput Fields: Output Fields
List the primary or all of the associated Linked Object values
ID: get_primary_or_all_associated_linked_object_valuesOperation: readEntities: linked object, user, relationshipSummary: This API lists either the self link for the primary user or all associated users in the relationship specified by relationshipName. It requires the userIdOrLogin and relationshipName as path parameters. Optional query parameters include 'after' for pagination and 'limit' to specify the number of results. The response is an array of linked objects, each containing a self link. If the specified user isn't associated in any relationship, an empty array is returned. The API requires an authorization header with an API key.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a Refresh Token for a Client
ID: get_refresh_token_for_clientOperation: readEntities: client, user, tokenSummary: The 'Retrieve a Refresh Token for a Client' API allows you to retrieve a refresh token issued for a specified user and client in Okta. The API requires the user ID, client ID, and token ID as path parameters. It also accepts optional query parameters such as 'expand', 'limit', and 'after' for additional control over the response. The request must include an 'Authorization' header with a valid API key. The response includes details about the token, such as its creation and expiration timestamps, status, associated scopes, and links to related resources. The API returns a 200 status code on success, with detailed information about the token in JSON format. Error responses include 403 (Forbidden), 404 (Not Found), and 429 (Too Many Requests), each providing specific error details.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a Factor
ID: get_retrieve_a_factorOperation: readEntities: factor, user, profileSummary: The Retrieve a Factor API allows you to retrieve an existing factor for a specified user in Okta. The API requires the user ID and factor ID as path parameters. The request must include an authorization header with a valid API key. The response includes details about the factor such as its creation date, type, ID, last updated timestamp, profile information (including phone extension and number), provider, status, and vendor name. The API can return various HTTP status codes, including 200 for success, 403 for forbidden access, 404 for resource not found, and 429 for too many requests, each with a detailed error schema.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a Group
ID: get_retrieve_a_groupOperation: readEntities: profile, link, groupSummary: The 'Retrieve a Group' API allows you to retrieve details of a specific group in Okta by providing the groupId as a path parameter. The request requires an Authorization header with an API key. The response includes details such as the group's creation date, last updated date, object class, profile information, and type. It also includes embedded resources and links for further navigation. The API returns a 200 status code on success, and can return error codes such as 403, 404, and 429 for forbidden access, not found, and too many requests respectively.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a Group Rule
ID: get_retrieve_a_group_ruleOperation: readEntities: user, group, group ruleSummary: The Retrieve a Group Rule API allows you to retrieve a specific group rule by its groupRuleId. The request requires an Authorization header with an API key and a path parameter groupRuleId which is the ID of the group rule. An optional query parameter 'expand' can be used to expand the response. The response includes details about the group rule such as actions, conditions, creation date, last updated date, name, status, and type. The API returns a 200 status code on success with the group rule details in JSON format. In case of errors, it returns appropriate error codes and messages for 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a User
ID: get_retrieve_a_userOperation: readEntities: user, profile, credentialSummary: The Retrieve a User API allows you to fetch details of a specific user from your Okta organization. The API requires the user ID as a path parameter and an API key for authorization. Additionally, the 'Content-type' header is required to specify the media type of the resource. Optionally, you can use the 'expand' query parameter to include additional metadata in the response. The response includes comprehensive user details such as activation time, creation time, credentials, profile information, status, and embedded resources. The API also provides various links for user-related operations like activation, password reset, and more.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a User Grant
ID: get_retrieve_a_user_grantOperation: readEntities: grant, user, scopeSummary: The 'Retrieve a User Grant' API allows you to retrieve a specific grant for a user in Okta. It requires the user ID and grant ID as path parameters. The API key must be provided in the Authorization header. Optionally, you can use the 'expand' query parameter to include additional data. The response includes details about the grant such as client ID, creation timestamp, issuer, scope ID, source, status, and user ID. It also provides embedded resources and links for further navigation. The API returns a 200 status code on success, and error responses for forbidden, not found, and too many requests scenarios.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve a User Type
ID: get_retrieve_a_user_typeOperation: readEntities: error cause, link, user typeSummary: The 'Retrieve a User Type' API allows you to fetch details of a specific User Type by its unique ID. The request requires an authorization header with an API key and a path parameter 'typeId' which is the unique key for the User Type. The response includes details such as the User Type's name, display name, description, creation and last update timestamps, and links to related resources. The API returns a JSON object with these details, and it supports OAuth 2.0 with the scope OKTA.USERTYPES.READ.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve an Org by ID
ID: get_retrieve_an_org_by_idOperation: readEntities: error, account, orgSummary: The 'Retrieve an Org by ID' API allows users to retrieve details of an organization within an Aerial Account using the organization's ID. The API requires the accountId and orgId as path parameters, and an Authorization header with a Bearer token for authentication. The response includes details such as the organization's name, domain, status, and creation date. In case of errors, the API provides detailed error messages with codes and descriptions to help troubleshoot issues.Input Fields: Input FieldsOutput Fields: Output Fields
Retrieve the Org details
ID: get_retrieve_the_org_detailsOperation: readEntities: error, link, organizationSummary: This API retrieves the details of an organization in Okta. It requires a GET request to the endpoint 'https://{yourOktaDomain}/idp/myaccount/organization' with an Authorization header containing a Bearer token. The response includes the organization's name, URL, help link, and support email, as well as discoverable resources related to the organization. The response is in JSON format and includes a '_links' object with a 'self' link to the resource.Input Fields: Input FieldsOutput Fields: Output Fields
List all Users
ID: list_all_employeesOperation: readEntities: employeesSummary: The 'List all Users' API retrieves a list of users from the Okta system. It supports filtering, searching, and sorting of users based on various criteria such as firstName, lastName, email, and more. The API requires an authorization header with an API key and a Content-Type header specifying the media type. Query parameters include 'q' for matching user properties, 'after' for pagination, 'limit' for the number of results, 'filter' for filtering expressions, 'search' for search criteria, 'sortBy' and 'sortOrder' for sorting results. The response includes user details such as id, status, created date, last login, profile information, and more. The API returns users that are not 'DEPROVISIONED' by default, with a maximum of 200 users per request.Input Fields: Input FieldsOutput Fields: Output Fields
Activate a Factor
ID: post_activate_a_factorOperation: writeEntities: factor, user, activationSummary: The 'Activate a Factor' API is used to activate a specific factor for a user in Okta. This is necessary for factors such as call, email, push, sms, token:software:totp, u2f, and webauthn to complete the enrollment process. The API requires the user ID and factor ID as path parameters, and optionally a passcode in the request body. The response includes details about the factor such as its type, status, and associated profile information. Okta enforces a rate limit of five activation attempts within five minutes, and exceeding this limit will result in an error.Input Fields: Input FieldsOutput Fields: Output Fields
Activate a Group Rule
ID: post_activate_group_ruleOperation: writeEntities: error, rule, groupSummary: The 'Activate a Group Rule' API activates a specific group rule identified by the 'groupRuleId'. It requires an API key for authorization, which should be included in the request headers. The 'groupRuleId' is a required path parameter. The API does not require a request body or query parameters. Upon successful activation, the API returns a 204 No Content status. If there are errors, such as lack of permissions, the API returns a JSON response with error details including 'errorCode', 'errorSummary', 'errorLink', 'errorId', and 'errorCauses'. Possible error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Activate a User
ID: post_activate_userOperation: writeEntities: activation token, activation url, userSummary: The Activate a User API is used to activate a user in the Okta system. This operation can only be performed on users with a STAGED or DEPROVISIONED status. The activation process is asynchronous, and the user will have a transitioningToStatus property with a value of ACTIVE during activation. The user will have a status of ACTIVE when the activation process is complete. The API requires the userId as a path parameter and an optional sendEmail query parameter to send an activation email. The response includes an activationToken and activationUrl upon success, or error details if the request fails.Input Fields: Input FieldsOutput Fields: Output Fields
Add an Org to the Account
ID: post_add_org_to_accountOperation: writeEntities: account, orgSummary: The 'Add an Org to the Account' API allows users to add an organization to a specified Aerial Account in Okta. The API requires a POST request to the endpoint with the account ID as a path parameter. The request must include an authorization bearer token and a JSON body containing either the orgId or domain of the Okta Org, with an optional cell parameter for faster response times. Upon successful execution, the API returns details of the added organization, including its account ID, name, cell, domain, status, aerialOrg flag, creation date, and ID. The API also handles various error responses, including bad requests, unauthorized access, forbidden actions, rate limit exceeded, and internal server errors, each with detailed error codes and descriptions.Input Fields: Input FieldsOutput Fields: Output Fields
Change Password
ID: post_change_passwordOperation: writeEntities: provider, user, passwordSummary: The Change Password API allows you to change a user's password by validating the user's current password. This operation can only be performed on users in STAGED, ACTIVE, PASSWORD_EXPIRED, or RECOVERY status that have a valid password credential. The API requires the user ID as a path parameter and supports a strict mode as a query parameter. The request body must include the old and new password details, which can include hashed password information and optional password hooks. The response includes the updated password credentials, authentication provider details, and recovery question information.Input Fields: Input FieldsOutput Fields: Output Fields
Change Recovery Question
ID: post_change_recovery_questionOperation: writeEntities: recovery question, user, passwordSummary: The Change Recovery Question API allows you to change a user's recovery question and answer credential by validating the user's current password. This operation can only be performed on users in STAGED, ACTIVE, or RECOVERY status that have a valid password credential. The request requires the user's ID as a path parameter and includes a password object and a recovery question object in the request body. The password object can include a hash with various properties such as algorithm, digestAlgorithm, iterationCount, keySize, salt, saltOrder, value, and workFactor. The recovery question object includes the question and answer. The response returns the updated password and recovery question details.Input Fields: Input FieldsOutput Fields: Output Fields
Create a Group
ID: post_create_a_groupOperation: writeEntities: profile, link, groupSummary: The 'Create a Group' API allows you to create a new group in Okta with a specified profile and type. The request requires an API key for authorization and a JSON body containing the group's profile (name and description) and type (e.g., APP_GROUP). The response includes details about the created group, such as its ID, creation timestamp, and links to related resources. The API supports OAuth 2.0 with the scope OKTA.GROUPS.MANAGE.Input Fields: Input FieldsOutput Fields: Output Fields
Create a Group Rule
ID: post_create_a_group_ruleOperation: writeEntities: user, group, group ruleSummary: The 'Create a Group Rule' API allows you to create a rule in Okta that dynamically adds users to specified groups based on certain conditions. The request requires an API key for authorization and a JSON body that specifies the actions, conditions, name, status, and type of the rule. The actions define which groups users will be assigned to, while the conditions specify the criteria for user inclusion or exclusion. The response includes details of the created rule, such as its ID, creation date, and status. The API supports OAuth 2.0 with the scope 'OKTA.GROUPS.MANAGE'.Input Fields: Input FieldsOutput Fields: Output Fields
Create a User
ID: post_create_a_userOperation: writeEntities: costCenter, organization, profileSummary: The Create a User API allows you to create a new user in your Okta organization with or without credentials. The API requires an API key for authorization and accepts a JSON request body that includes user credentials, profile details, and optional group IDs. The API supports query parameters to activate the user, specify an authentication provider, and set the next login action. The profile object requires the following fields: firstName, lastName, email, login, and mobilePhone. Upon successful creation, the API returns a JSON response with user details, including activation status, profile information, and links to related resources. The API also provides error responses for bad requests, forbidden actions, and rate limiting.Input Fields: Input FieldsOutput Fields: Output Fields
Create a User Type
ID: post_create_user_typeOperation: writeEntities: link, schema, user typeSummary: The 'Create a User Type' API allows you to create a new custom user type in Okta. You can add up to nine additional user types beyond the default one provided by Okta. The API requires an API key for authorization and expects a JSON body with the 'name', 'displayName', and optionally 'description' of the user type. The 'name' must start with a letter and can only contain letters, numbers, or underscores. The response includes details about the created user type, such as its ID, name, display name, description, creation and update timestamps, and links to related resources.Input Fields: Input FieldsOutput Fields: Output Fields
Deactivate a Group Rule
ID: post_deactivate_group_ruleOperation: writeEntities: permission, error, group ruleSummary: This API deactivates a specific group rule identified by the groupRuleId. It requires an API key for authorization, which should be included in the headers. The groupRuleId is a required path parameter. The API responds with a 204 No Content status if successful. If there are errors, it returns a JSON object with details about the error, including an error code, summary, link, ID, and causes. Common error responses include 403 Forbidden, 404 Not Found, and 429 Too Many Requests.Input Fields: Input FieldsOutput Fields: Output Fields
Deactivate a User
ID: post_deactivate_userOperation: writeEntities: error, userSummary: The 'Deactivate a User' API deactivates a user in the Okta system. This operation can only be performed on users that do not have a DEPROVISIONED status. The API requires the user ID as a path parameter and optionally accepts a query parameter 'sendEmail' to determine if an email notification should be sent. The request must include an 'Authorization' header with a valid API key. The response can include various error codes and summaries if the operation fails, such as '403 FORBIDDEN' if the user does not have permission, '404 NOT FOUND' if the user ID does not exist, or '429 TOO MANY REQUESTS' if the request rate limit is exceeded.Input Fields: Input FieldsOutput Fields: Output Fields
Enroll a Factor
ID: post_enroll_a_factorOperation: writeEntities: factor, user, profileSummary: The 'Enroll a Factor' API allows you to enroll a supported Factor for a specified user in Okta. This API requires the user ID as a path parameter and supports various query parameters such as 'updatePhone', 'templateId', 'tokenLifetimeSeconds', and 'activate' to customize the enrollment process. The request body must include the 'factorType', 'profile' with phone details, and 'provider'. The API returns a response with details of the enrolled Factor, including its ID, type, status, and timestamps for creation and last update. The response also includes the profile details and provider information.Input Fields: Input FieldsOutput Fields: Output Fields
Expire Password
ID: post_expire_passwordOperation: writeEntities: user, profile, credentialSummary: The Expire Password API allows you to expire a user's password in Okta, transitioning the user to the PASSWORD_EXPIRED status. This requires the user to change their password at their next login. The API requires the userId as a path parameter and an Authorization header with an API key. The response includes detailed user information such as activation and creation timestamps, credentials, profile details, and status information. The response also includes links for related operations such as activating, resetting password, and more.Input Fields: Input FieldsOutput Fields: Output Fields
Expire Password and Set Temporary Password
ID: post_expire_password_and_set_temporary_passwordOperation: writeEntities: session, user, passwordSummary: This API expires a user's password and sets a temporary password for the user. The user is transitioned to the PASSWORD_EXPIRED status, requiring them to change their password at the next login. The API requires the userId as a path parameter and optionally accepts a revokeSessions query parameter to revoke all user sessions except the current one. The response includes a temporary password if successful, or error details if the request fails.Input Fields: Input FieldsOutput Fields: Output Fields
Generate a Reset Password Token
ID: post_generate_reset_password_tokenOperation: writeEntities: session, user, tokenSummary: This API generates a one-time token (OTT) that can be used to reset a user's password. The OTT link can be automatically emailed to the user or returned to the API caller for distribution using a custom flow. The API requires the user ID as a path parameter and has query parameters to specify whether to send the reset email and whether to revoke existing sessions. The response includes a URL for resetting the password if successful, or error details if the request fails.Input Fields: Input FieldsOutput Fields: Output Fields
Initiate Forgot Password
ID: post_initiate_forgot_passwordOperation: writeEntities: error, user, credentialSummary: The 'Initiate Forgot Password' API initiates the forgot password flow for a user in Okta. It generates a one-time token (OTT) that can be used to reset the user's password. The API requires the user ID as a path parameter and optionally accepts a query parameter 'sendEmail' to determine if an email should be sent. The response includes a URL to reset the password if successful, or error details if the request fails.Input Fields: Input FieldsOutput Fields: Output Fields
Reactivate a User
ID: post_reactivate_userOperation: writeEntities: userSummary: The 'Reactivate a User' API allows you to reactivate a user in Okta. This operation can only be performed on users with a PROVISIONED status. It restarts the activation workflow if the user activation wasn't completed. The API requires the user ID as a path parameter and optionally allows sending an activation email via a query parameter. The response includes an activation token and URL upon success, or error details if the request fails.Input Fields: Input FieldsOutput Fields: Output Fields
Resend a Factor Enrollment
ID: post_resend_factor_enrollmentOperation: writeEntities: factor, user, profileSummary: The 'Resend a Factor Enrollment' API allows you to resend an SMS, call, or email factor challenge as part of an enrollment flow. It enforces a rate limit of one OTP challenge per device every 30 seconds for call and SMS factors. The API endpoint requires the user ID and factor ID as path parameters, and optionally a template ID as a query parameter for SMS factors. The request body must include the factor type, profile details such as phone extension and phone number, and the provider. The response includes details about the factor, such as its creation and last updated timestamps, status, and vendor name. Error responses provide detailed information about the cause of the error.Input Fields: Input FieldsOutput Fields: Output Fields
Reset all Factors
ID: post_reset_all_factorsOperation: writeEntities: factor, error, userSummary: The 'Reset all Factors' API resets all factors for the specified user in Okta. All MFA factor enrollments are returned to the unenrolled state, but the user's status remains ACTIVE. This API requires the user to be currently enrolled in one or more MFA factors. The request requires the 'userId' as a path parameter and optionally 'removeRecoveryEnrollment' as a query parameter to remove the phone number as both a recovery method and a Factor. The response includes error details if the request fails, such as error codes, summaries, and unique identifiers for troubleshooting.Input Fields: Input FieldsOutput Fields: Output Fields
Reset Password with Recovery Question
ID: post_reset_password_with_recovery_questionOperation: writeEntities: recovery question, user, passwordSummary: The 'Reset Password with Recovery Question' API allows resetting a user's password by providing the correct answer to a recovery question. The API requires the user ID as a path parameter and optionally sends an email notification. The request body must include the password details, including hash and hook information, and the recovery question with its answer. The response returns the password details, authentication provider information, and the recovery question. The API supports various hash algorithms and requires authorization via an API key.Input Fields: Input FieldsOutput Fields: Output Fields
Suspend a User
ID: post_suspend_userOperation: writeEntities: error cause, userSummary: The 'Suspend a User' API allows you to suspend a user in Okta. This operation can only be performed on users with an ACTIVE status. The user will have a status of SUSPENDED when the process is complete. The API requires the user ID as a path parameter and an API key for authorization in the headers. The response will include error details if the operation is not successful, such as error code, summary, link, ID, and causes.Input Fields: Input FieldsOutput Fields: Output Fields
Unlock a User
ID: post_unlock_userOperation: writeEntities: permission, error, userSummary: The 'Unlock a User' API allows you to unlock a user in Okta who has a LOCKED_OUT status or is blocked from unknown devices while having an ACTIVE status. The API requires a POST request to the specified endpoint with the user's ID as a path parameter. The request must include an 'Authorization' header with a valid API key. Upon success, the user will be unlocked and can sign in with their current password. The API returns various error responses, including 403 FORBIDDEN, 404 NOT FOUND, and 429 TOO MANY REQUESTS, each with a detailed error schema containing error codes, summaries, and unique identifiers for troubleshooting.Input Fields: Input FieldsOutput Fields: Output Fields
Unsuspend a User
ID: post_unsuspend_userOperation: writeEntities: error cause, userSummary: The Unsuspend a User API allows you to unsuspend a user in Okta, returning them to the ACTIVE state. This operation can only be performed on users that have a SUSPENDED status. The API requires the user ID as a path parameter and an authorization API key in the headers. The response will indicate success or provide error details if the operation cannot be completed, such as insufficient permissions or if the user ID is not found.Input Fields: Input FieldsOutput Fields: Output Fields
Update a User
ID: post_update_a_userOperation: writeEntities: manager, organization, profileSummary: The 'Update a User' API allows you to update an existing user's information in Okta. The API requires the user ID as a path parameter and supports a 'strict' query parameter for strict mode updates. The request body includes user credentials and profile information, such as password, recovery question, and various profile attributes like email, name, and address. The response returns the updated user details, including timestamps for creation, last update, and password change, as well as the user's status and profile information. The API also provides links for related operations, such as activating or deactivating the user.Input Fields: Input FieldsOutput Fields: Output Fields
Update a User Type
ID: post_update_user_typeOperation: writeEntities: error, link, user typeSummary: The Update a User Type API allows you to update an existing User Type in Okta. This operation is a partial update, meaning you can only update the displayName and description elements of the User Type. The API requires a POST request to the specified endpoint with the typeId as a path parameter. The request body can include the updated displayName and description. The response includes details of the updated User Type, such as its id, displayName, name, description, createdBy, lastUpdatedBy, created timestamp, lastUpdated timestamp, and default status. The response also includes links for dynamic discovery of related resources.Input Fields: Input FieldsOutput Fields: Output Fields
Verify a Factor
ID: post_verify_a_factorOperation: writeEntities: factor, user, verificationSummary: The 'Verify a Factor' API is used to verify an OTP for a Factor in Okta. It supports various factors such as call, email, push, sms, u2f, and webauthn. The API requires the user ID and factor ID as path parameters. Optional query parameters include templateId for custom SMS templates and tokenLifetimeSeconds to define the token's validity duration. The request headers must include Authorization and Content-Type, with optional headers for Accept-Language, User-Agent, and X-Forwarded-For. The request body can include a passCode for OTP verification. The response includes the verification result, expiration timestamp, and links for further actions. The API handles various response statuses, including success, bad request, forbidden, not found, and too many requests.Input Fields: Input FieldsOutput Fields: Output Fields
Assign a User to a Group
ID: put_assign_a_user_to_a_groupOperation: writeEntities: error, user, groupSummary: This API assigns a user to a group in Okta. It requires the group ID and user ID as path parameters. The request must include an Authorization header with a valid API key. If successful, the API returns a 204 No Content status. If there is an error, such as insufficient permissions, the API returns a JSON object with error details, including an error code, summary, and unique error ID.Input Fields: Input FieldsOutput Fields: Output Fields
Change the status of an Org
ID: put_change_status_of_orgOperation: writeEntities: account, orgSummary: This API allows you to change the status of an organization (Org) in Okta. The request requires the accountId and orgId as path parameters, and the status to be set in the request body. The status can be either 'ACTIVE' or 'INACTIVE'. The request must include an Authorization header with a Bearer token and a Content-Type header set to 'application/json'. On success, it returns the details of the Org including its accountId, name, cell, domain, status, aerialOrg flag, createdDate, and id. In case of errors, it returns appropriate error messages with details.Input Fields: Input FieldsOutput Fields: Output Fields
Replace a Group
ID: put_replace_a_groupOperation: writeEntities: profile, link, groupSummary: The Replace a Group API allows you to replace the profile for a group with the OKTA_GROUP type. It requires the group ID as a path parameter and an API key for authorization. The request body must include the profile details such as description and name, and the type of the group. The response includes details about the group such as creation timestamp, last updated timestamp, profile details, and links to related resources. The API supports error responses for bad requests, forbidden access, not found errors, and too many requests.Input Fields: Input FieldsOutput Fields: Output Fields
Replace a Group Rule
ID: put_replace_a_group_ruleOperation: writeEntities: action, condition, group ruleSummary: The Replace a Group Rule API allows you to update an existing group rule in Okta. Only INACTIVE rules can be updated. The API requires the group rule ID as a path parameter and an API key for authorization. The request body must include the actions, conditions, name, status, and type of the group rule. The response includes the updated group rule details such as actions, conditions, creation date, last updated date, name, status, and type. The API returns various error responses for bad requests, forbidden access, not found resources, and too many requests.Input Fields: Input FieldsOutput Fields: Output Fields
Replace a User
ID: put_replace_a_userOperation: writeEntities: manager, organization, profileSummary: The Replace a User API allows you to replace a user's profile and/or credentials using strict-update semantics. It requires the user ID as a path parameter and supports a 'strict' query parameter for strict update semantics. The request body must include user credentials and profile details. The credentials include password details, authentication provider, and recovery question. The profile includes various user attributes such as city, email, first name, last name, etc. The response includes the user's activation timestamp, creation timestamp, credentials, profile, status, and links to related resources. The API supports updating the user's password, recovery question, and other profile attributes.Input Fields: Input FieldsOutput Fields: Output Fields
Replace the Linked Object value for primary
ID: put_replace_linked_object_value_for_primaryOperation: writeEntities: linked object, user, relationshipSummary: This API replaces the linked object value for 'primary' in Okta. It assigns a primary user to an associated user for a specified relationship. The API requires the user ID or login of the associated user, the name of the primary relationship, and the user ID of the primary user. The request must include an authorization header with a bearer token. On success, it returns a 204 status code. If there are errors, it returns a JSON object with error details, including error code, summary, link, ID, and causes.Input Fields: Input FieldsOutput Fields: Output Fields
Replace a User Type
ID: put_replace_user_typeOperation: writeEntities: error, link, user typeSummary: The Replace a User Type API allows you to replace an existing User Type in Okta. This operation is a full update, meaning you can replace the displayName and description elements of the User Type. The API requires the typeId as a path parameter, which is the unique key for the User Type. The request body must include the name, displayName, and description of the User Type. The response includes details about the updated User Type, such as its id, displayName, name, description, createdBy, lastUpdatedBy, created timestamp, lastUpdated timestamp, and whether it is the default User Type. The response also includes links for dynamic discovery of related resources.Input Fields: Input FieldsOutput Fields: Output Fields
Update Enabled Products for an Org
ID: put_update_enabled_products_for_an_orgOperation: writeEntities: product, account, organizationSummary: The 'Update Enabled Products for an Org' API allows you to update the list of enabled products for a specific organization within Okta. This is done by sending a PUT request to the specified endpoint with the organization ID and account ID as path parameters. The request must include an authorization header with a bearer token and a JSON body containing an array of product objects, each with an 'id' and optionally a 'name'. The response will return the updated list of enabled products. If any products are not included in the request, they will be disabled for the organization. The API also handles various error responses, including 400 Bad Request, 401 Unauthorized, 403 Forbidden, 429 Rate Limit Exceeded, and 500 Internal Server Error, each with detailed error information.Input Fields: Input FieldsOutput Fields: Output Fields
Terminate Employee
ID: terminate_employeeOperation: writeEntities: employee, terminationSummary: The 'Terminate Employee' API permanently deletes a user from the Okta system. This operation can only be performed on users that have a DEPROVISIONED status. If called on an ACTIVE user, the user will be transitioned to DEPROVISIONED. The API requires the user ID as a path parameter and an authorization API key in the headers. An optional query parameter 'sendEmail' can be used to specify whether to send an email notification, defaulting to false. The API returns a 204 No Content response on success. In case of errors, it returns a JSON object with details about the error, including error summary, code, ID, and link.Input Fields: Input FieldsOutput Fields: Output Fields
Updated 7 days ago