# Okta_ApiToken

> A secret used by users to authenticate to the Okta API

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

## Overview

API tokens (also known as SSWS tokens) in Okta are used to authenticate and authorize access to the Okta API. They are typically used by applications and scripts that need to interact with Okta programmatically.

These tokens are always associated with a specific user in Okta, and the permissions of the token are determined by the role assignments of that user. For example, if a user has the Super Administrator role, any API token generated by that user will have full access to all API endpoints. Moreover, these long-lived tokens are typically stored in plaintext in application configuration files or environment variables, making them a high-value target for attackers.

The use of API tokens is generally discouraged in favor of OAuth 2.0 access tokens, which provide better security and flexibility. However, API tokens are still widely used by Okta customers.

Okta API tokens are represented as Okta\_ApiToken nodes in BloodHound.

## Edges

<Note>
  The tables below list edges defined by the Okta extension only. Additional edges to or from this node may be created by other extensions.
</Note>

### Inbound Edges

No inbound edges are defined by the Okta extension for this node.

### Outbound Edges

| Edge Type                                                              | Destination Node Types                                   | Traversable |
| ---------------------------------------------------------------------- | -------------------------------------------------------- | ----------- |
| [Okta\_ApiTokenFor](/opengraph/extensions/okta/edges/okta_apitokenfor) | [Okta\_User](/opengraph/extensions/okta/nodes/okta_user) | ✅           |

## Properties

| Name                | Source                             | Type       | Description                                             |
| ------------------- | ---------------------------------- | ---------- | ------------------------------------------------------- |
| `id`                | `apiToken.id`                      | `string`   | Unique API token identifier.                            |
| `name`              | `apiToken.name`                    | `string`   | Friendly name of the API token.                         |
| `displayName`       | `apiToken.name`                    | `string`   | Display label used in BloodHound.                       |
| `oktaDomain`        | Collector context (non-API)        | `string`   | Okta organization domain where the token exists.        |
| `userId`            | `apiToken.userId`                  | `string`   | ID of the Okta user that owns the token.                |
| `clientName`        | `apiToken.clientName`              | `string`   | Client/application name associated with the token.      |
| `created`           | `apiToken.created`                 | `datetime` | Token creation timestamp.                               |
| `lastUpdated`       | `apiToken.lastUpdated`             | `datetime` | Last update timestamp of token metadata.                |
| `expiresAt`         | `apiToken.expiresAt`               | `datetime` | Token expiration timestamp.                             |
| `networkConnection` | `apiToken.network.connection`      | `string`   | Network connection restriction for token usage.         |
| `tokenWindow`       | `ToTimeSpan(apiToken.tokenWindow)` | `duration` | Inactivity window converted to `TimeSpan` when present. |

## Sample Property Values

```yaml
id: 00T36fk75smeJybKx697
name: Postman
displayName: Postman
oktaDomain: contoso.okta.com
userId: 00uw0o8iizq37KgKP697
clientName: Okta API
created: 2025-10-03T10:08:09+00:00
lastUpdated: 2026-01-31T20:22:42+00:00
expiresAt: 2026-03-02T20:22:42+00:00
networkConnection: ANYWHERE
tokenWindow: 30.00:00:00
```
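
The following is an added example, not part of the BloodHound documentation or the Okta extension's code: a defender's triage of collected `Okta_ApiToken` property values, assuming they are available as dictionaries of strings in the formats shown in the sample above. The function names, finding codes, the 90-day and 7-day thresholds, and the reading of `expiresAt` minus `tokenWindow` as the start of the current inactivity window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# TimeSpan text as in the sample value: optional "d." prefix, then hh:mm:ss.
_TIMESPAN = re.compile(r"^(?:(\d+)\.)?(\d{1,2}):(\d{2}):(\d{2})$")

def parse_timespan(text):
    """Convert a string such as '30.00:00:00' to a timedelta."""
    m = _TIMESPAN.match(text)
    if m is None:
        raise ValueError(f"unrecognised TimeSpan: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def triage_token(props, now, max_age_days=90, idle_days=7):
    """Return finding codes for one Okta_ApiToken property dict."""
    findings = []
    # A token usable from any network is not bound to a network restriction.
    if props.get("networkConnection") == "ANYWHERE":
        findings.append("unrestricted-network")
    # Long-lived tokens are the ones most likely to sit in config files.
    if now - datetime.fromisoformat(props["created"]) > timedelta(days=max_age_days):
        findings.append("old-token")
    expires = props.get("expiresAt")
    if expires:
        expires_at = datetime.fromisoformat(expires)
        if expires_at <= now:
            findings.append("expired")
        elif props.get("tokenWindow"):
            # Assumption: the inactivity window is counted back from expiresAt.
            window_start = expires_at - parse_timespan(props["tokenWindow"])
            if now - window_start > timedelta(days=idle_days):
                findings.append("idle")
    return findings

# The sample property values from this page (only the fields the checks read).
SAMPLE = {
    "name": "Postman",
    "created": "2025-10-03T10:08:09+00:00",
    "expiresAt": "2026-03-02T20:22:42+00:00",
    "networkConnection": "ANYWHERE",
    "tokenWindow": "30.00:00:00",
}
NOW = datetime(2026, 2, 15, tzinfo=timezone.utc)  # constructed evaluation time

if __name__ == "__main__":
    print(SAMPLE["name"], triage_token(SAMPLE, NOW))
```

Tokens that return findings are candidates for review together with the role assignments of the owning `Okta_User`, since the token inherits that user's permissions.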
