Skip to main content

What Living Security needs

Scopes: okta.users.read okta.logs.readokta.users.read backs the users sync and okta.logs.read backs the system log sync; both are required. Required role: Super Administrator in Okta (to create apps and assign admin roles)

Prerequisites

  • You must have Super Administrator access in Okta to create API Services applications and assign administrator roles.

Part A — In Okta

Your Okta administrator completes these steps.
1

Create an API Services application

  1. Log in to your Okta Admin Console.
  2. In the left sidebar, navigate to ApplicationsApplications.
  3. Click Create App Integration.
  4. Select API Services as the sign-in method and click Next.
Okta application creation dialog with API Services selected
  1. Give your application a name (e.g., Living Security) and click Save.
  2. On the application’s General tab, find your Client ID — you’ll need it in Part B.
2

Configure public key authentication

  1. On the General tab, set Client authentication to Public key / Private key.
Client authentication set to Public key / Private key
  1. Disable Proof of possession (DPoP) — it is not supported.
DPoP toggle disabled
The application must use Public key / Private key authentication. okta.* scopes are only supported with this authentication method.
3

Generate and register the RSA key pair

Option A: Use Okta’s key generator (recommended)
  1. On the General tab, scroll to the PUBLIC KEYS section.
  2. Click Add Key, then select Generate new key.
  3. Click Save — Okta generates the key pair and displays the Private Key (JWK) once.
  4. Copy and save the private key JSON immediately — it will not be shown again.
Okta key generation dialog
The private key is sensitive credential material. Store it in a password vault or secrets manager. Do not email it — use delegated setup so the admin enters it directly into the platform.
Option B: Generate your own keyIf you prefer to generate keys yourself, use this Node.js script (requires Node.js 18+):
Then register the public JWK in Okta:
  1. On the General tab, scroll to the PUBLIC KEYS section.
  2. Click Add Key, paste the public JWK JSON, and click Save.
4

Find your Okta Domain

Your Okta Domain is the subdomain of your Okta organization URL:
  • In the Admin Console, your browser shows a URL like https://dev-12345678-admin.okta.com
  • Your Okta Domain is the part before .okta.com, ignoring -admin (e.g., dev-12345678)
  • Alternatively, go to SettingsAccount in the Admin Console
5

Grant API scopes

  1. In the Admin Console, navigate to ApplicationsApplications and open your application.
  2. Click the Okta API Scopes tab.
  3. Grant the required scopes:
    • okta.users.read
    • okta.logs.read
See the Okta Management API reference for the full list of available scopes.
6

Assign an admin role

Granting scopes alone is not enough — Okta Management API endpoints silently return empty results if your application has no admin role. You must assign at least Read-Only Administrator:
  1. In the Admin Console, navigate to SecurityAdministrators.
  2. Click Add administrator assignment and select your API Services application.
Administrator assignment dropdown
  1. Assign the Read-Only Administrator role.
  2. Click Save.
Read-Only Administrator role selected
Without an admin role, API calls succeed with 200 OK but return empty results — there is no 403 error to indicate the problem.

Part B — In the Living Security Platform

The program owner completes this step, or the system admin if using delegated setup.
1
You are now connected to Okta (Client Credentials).

Troubleshooting

The application is missing an admin role assignment. Okta Management API endpoints return empty arrays instead of errors when the application lacks permissions.Fix: Assign at least Read-Only Administrator to the application in Security → Administrators.
The credentials are invalid. Check:
  1. Client ID is correct
  2. Private key matches the public key registered in Okta
  3. Okta Domain is correct (no https://, no -admin suffix)
The application is missing required scopes. Verify that okta.users.read and okta.logs.read are granted in Applications → [Your App] → Okta API Scopes.
DPoP (Demonstrating Proof of Possession) is enabled but not supported. Disable DPoP in the application’s General settings.

Portions of this documentation are adapted from Nango, used under the Elastic License 2.0.