Overview
API tokens (also known as SSWS tokens, after the `SSWS` scheme they are presented with in the `Authorization` header) are used to authenticate and authorize calls to the Okta API. They are typically used by applications and scripts that need to interact with Okta programmatically.
An API token is always bound to the Okta user who created it, and it carries that user's permissions: the token's effective access is determined by the role assignments of that user, and it changes when those assignments change. For example, a token created by a user holding the Super Administrator role has full access to every API endpoint. The only lifetime control Okta applies is a rolling inactivity window (exposed below as `tokenWindow`, with the resulting deadline in `expiresAt`), optionally combined with a network zone restriction (`networkConnection`). Because these tokens are long-lived and are commonly stored in plaintext in application configuration files or environment variables, a leaked token is equivalent to the owning user's API access, which makes them a high-value target for attackers.
Okta recommends OAuth 2.0 access tokens (for example, issued to an OAuth 2.0 service app) over API tokens, because they are scoped and short-lived rather than inheriting a human user's full permission set. API tokens are nevertheless still widely used by Okta customers, so they remain worth collecting and reviewing.
In OktaHound, API tokens are represented as Okta_ApiToken nodes.
Edges
The tables below list edges defined by the OktaHound extension only. Additional edges to or from this node may be created by other extensions.
Inbound Edges
No inbound edges are defined by the OktaHound extension for this node.
Outbound Edges
| Edge Type | Destination Node Types | Traversable |
|---|---|---|
| Okta_ApiTokenFor | Okta_User | ✅ |
Properties
| Name | Source | Type | Description |
|---|---|---|---|
| id | apiToken.id | string | Unique API token identifier. |
| name | apiToken.name | string | Friendly name of the API token. |
| displayName | apiToken.name | string | Display label used in BloodHound. |
| oktaDomain | Collector context (non-API) | string | Okta organization domain where the token exists. |
| userId | apiToken.userId | string | ID of the Okta user that owns the token. |
| clientName | apiToken.clientName | string | Client/application name associated with the token. |
| created | apiToken.created | datetime | Token creation timestamp. |
| lastUpdated | apiToken.lastUpdated | datetime | Last update timestamp of token metadata. |
| expiresAt | apiToken.expiresAt | datetime | Token expiration timestamp (rolling deadline derived from the inactivity window). |
| networkConnection | apiToken.network.connection | string | Network connection restriction for token usage. |
| tokenWindow | ToTimeSpan(apiToken.tokenWindow) | duration | Inactivity window converted to TimeSpan when present. |
Sample Property Values
id: 00T36fk75smeJybKx697
name: Postman
displayName: Postman
oktaDomain: contoso.okta.com
userId: 00uw0o8iizq37KgKP697
clientName: Okta API
created: 2025-10-03T10:08:09+00:00
lastUpdated: 2026-01-31T20:22:42+00:00
expiresAt: 2026-03-02T20:22:42+00:00
networkConnection: ANYWHERE
tokenWindow: 30.00:00:00
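The following is an added example, not OktaHound or Okta code, showing how the raw token objects map onto the properties in the table above and how a practitioner would triage them once collected. It assumes the input is the JSON array Okta returns when listing API tokens, with the field names shown in the Source column; that `tokenWindow` arrives as an ISO 8601 day/time duration such as `P30D` (which is what a `ToTimeSpan` conversion to `30.00:00:00` implies); and that `network.connection` is `ANYWHERE` or `ZONE`. The three token records and the reference time are constructed for the example; the flag names are the example's own.

```python
"""Map Okta API token objects to OktaHound's Okta_ApiToken properties and flag risky ones.

Added example, not OktaHound or Okta code. Assumptions: input is the JSON array from
Okta's API token listing with the field names in the Properties table; `tokenWindow`
is an ISO 8601 day/time duration ("P30D"); `network.connection` is ANYWHERE or ZONE.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not real tokens); layout follows the Properties table.
SAMPLE_API_TOKENS_JSON = """[
  {"id": "00T36fk75smeJybKx697", "name": "Postman", "userId": "00uw0o8iizq37KgKP697",
   "clientName": "Okta API", "created": "2025-10-03T10:08:09.000Z",
   "lastUpdated": "2026-01-31T20:22:42.000Z", "expiresAt": "2026-03-02T20:22:42.000Z",
   "network": {"connection": "ANYWHERE"}, "tokenWindow": "P30D"},
  {"id": "00T000000000000000002", "name": "ci-deploy", "userId": "00u000000000000000001",
   "clientName": "Okta API", "created": "2025-06-01T08:00:00.000Z",
   "lastUpdated": "2026-01-25T08:00:00.000Z", "expiresAt": "2026-02-01T08:00:00.000Z",
   "network": {"connection": "ZONE"}, "tokenWindow": "P7D"},
  {"id": "00T000000000000000003", "name": "legacy-sync", "userId": "00u000000000000000001",
   "clientName": "Okta API", "created": "2024-01-10T12:30:00.000Z",
   "lastUpdated": "2026-02-14T12:30:00.000Z",
   "network": {"connection": "ANYWHERE"}, "tokenWindow": "PT12H"}
]"""

# Constructed reference time used for the expiry checks below.
SAMPLE_NOW = datetime(2026, 2, 15, tzinfo=timezone.utc)

# Day/time designators only; year/month durations are calendar-dependent and rejected.
_ISO_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_iso_duration(text):
    """Parse "P30D" / "PT12H" / "PT1H30M" into a timedelta; reject anything else."""
    m = _ISO_DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported ISO 8601 duration: {text!r}")
    parts = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=parts.get("d", 0), hours=parts.get("h", 0),
                     minutes=parts.get("m", 0), seconds=parts.get("s", 0))


def to_timespan(td):
    """Render a timedelta as d.hh:mm:ss, the form the sample values show ("30.00:00:00")."""
    days, rem = divmod(int(td.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days}.{hours:02d}:{minutes:02d}:{seconds:02d}"


def parse_okta_timestamp(text):
    """Okta timestamps look like 2025-10-03T10:08:09.000Z; normalise Z for fromisoformat."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def triage_api_tokens(tokens_json, now, expiry_warning=timedelta(days=7)):
    """Return one record per token with the page's properties plus risk flags.

    NETWORK_ANYWHERE: no zone restriction, so a leaked token works from any IP.
    EXPIRED:          expiresAt already passed (dead token, candidate for cleanup).
    EXPIRES_SOON:     within expiry_warning of the rolling inactivity deadline.
    NO_EXPIRY:        no expiresAt reported; treat as unknown rather than safe.
    """
    findings = []
    for raw in json.loads(tokens_json):
        window = parse_iso_duration(raw["tokenWindow"]) if raw.get("tokenWindow") else None
        expires_at = parse_okta_timestamp(raw["expiresAt"]) if raw.get("expiresAt") else None
        connection = raw.get("network", {}).get("connection")
        flags = []
        if connection == "ANYWHERE":
            flags.append("NETWORK_ANYWHERE")
        if expires_at is None:
            flags.append("NO_EXPIRY")
        elif expires_at <= now:
            flags.append("EXPIRED")
        elif expires_at - now <= expiry_warning:
            flags.append("EXPIRES_SOON")
        findings.append({
            "id": raw["id"], "name": raw["name"], "userId": raw["userId"],
            "networkConnection": connection,
            "tokenWindow": to_timespan(window) if window else None,
            "expiresAt": expires_at, "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for f in triage_api_tokens(SAMPLE_API_TOKENS_JSON, SAMPLE_NOW):
        print(f["id"], f["name"], f["networkConnection"], f["tokenWindow"], f["flags"])
```

In the first sample record, `expiresAt` is exactly `tokenWindow` (30 days) after `lastUpdated`, matching the sample property values above and the rolling inactivity behaviour described in the overview; the `NETWORK_ANYWHERE` flag on a token owned by a highly privileged user is the combination worth chasing first in a review.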