Skip to main content
Applies to BloodHound Enterprise and CE

Overview

API service integrations in Okta represent OAuth 2.0 service (daemon) applications that can be granted machine-to-machine access to Okta APIs. There are some important differences between API service integrations and regular OIDC service applications in Okta:
FeatureService ApplicationsAPI Service Integrations
Can be created manually:
Can be added from the OIN Catalog:
Require role assignments:
Support authentication using client secrets:
Support authentication using private keys:
Admins can read cleartext client secrets:
In OktaHound, API service integrations are represented as Okta_ApiServiceIntegration nodes.

Edges

The tables below list edges defined by the OktaHound extension only. Additional edges to or from this node may be created by other extensions.

Inbound Edges

Edge TypeSource Node TypesTraversable
Okta_AppAdminOkta_User, Okta_Group, Okta_Application
Okta_ContainsOkta_Organization
Okta_CreatorOfOkta_User, Okta_Application, Okta_ApiServiceIntegration
Okta_ResourceSetContainsOkta_ResourceSet
Okta_ScopedToOkta_RoleAssignment
Okta_SecretOfOkta_ClientSecret

Outbound Edges

Edge TypeDestination Node TypesTraversable
Okta_CreatorOfOkta_ApiServiceIntegration

Properties

NameSourceTypeDescription
idservice.idstringUnique API service integration identifier.
nameservice.namestringName of the API service integration in Okta.
displayNameservice.namestringDisplay label used in BloodHound.
oktaDomainCollector context (non-API)stringOkta organization domain where the integration exists.
appTypeservice.typestringIntegration/application type identifier.
oauthScopesservice.grantedScopesstring[]OAuth 2.0 scopes granted to the integration.
createdAtservice.createdAtdatetimeTimestamp when the integration was created.

Sample Property Values

id: 0oaz7jy5f2oXnvtmN697
name: Falcon Shield
displayName: Falcon Shield
oktaDomain: contoso.okta.com
appType: falconshieldapiservice
oauthScopes:
  - okta.users.read
  - okta.oauthIntegrations.read
  - okta.threatInsights.read
  - okta.devices.read
  - okta.apiTokens.read
  - okta.roles.read
  - okta.logs.read
  - okta.groups.read
  - okta.apps.read
  - okta.domains.read
  - okta.factors.read
  - okta.authenticators.read
  - okta.policies.read
  - okta.networkZones.read
  - okta.features.read
createdAt: 2026-01-15T12:25:42.000Z

Integration OAuth 2.0 Scopes

Each API service integration comes with a pre-defined set of OAuth 2.0 scopes to access Okta APIs: Okta API service integration scopes in BloodHound