Okta Token

Bridgecrew Policy ID: BC_GIT_56
Chekov Check ID: CKV_SECRET_56
Severity: LOW

Okta Token


Okta API tokens are used to authenticate requests to the Okta API just like HTTP cookies authenticate requests to the Okta Application with your browser. An API token is issued for a specific user and all requests with the token act on behalf of the user. API tokens are secrets and should be treated like passwords.

API tokens are generated with the permissions of the user that created the token. If a user’s permissions change, then so do the token’s. Super admins, org admins, and group admins may create tokens.

Fix - Buildtime


To revoke a token, click the trash icon at the right of the token information. Note that the icon is not always active:

  • Agent tokens are revocable if the agent is not active; otherwise, you must deactivate the agent before revoking the token. Some agents such as the Okta AD Agent automatically revoke their tokens for you when you deactivate the agent.
  • API Tokens are always revocable.