Authorisation
Control which apps and APIs your users have access to using attribute-based policies enforced through SAML and OAuth protocols
Gartner has predicted that APIs will become the primary attack vector by 2022. OWASP has also repeatedly flagged API-related risks in its Top 10 list of critical security flaws.

API Access Management
Create fine-grained API authorisation policies that combine the OAuth grant type, user group membership, and external data sources.

Flexible context-sensitive authorisation policies

API authorisation policies
API authorisation policies can take into account the OAuth grant type, user group membership, and external data sources.
- Configurable access token and refresh token lifetime and expiration policies
- OAuth client-specific policies to segregate and log customers, users, and applications separately
- Integrate with internal systems to retrieve dynamic data or additional entitlements for downstream applications
Integration with API Gateways
Enable rapid application development and centralised, identity-driven API security.
Role-based access control to applications
Allow teams to establish, maintain, and audit authorisation policies based on group membership and user context without writing code.


Centralised administration and monitoring
Capture real-time access and authorisation logs to understand normal access patterns and detect bad actors mid-attack.
Create and customise authorisation policies
Administrative dashboard to create authorisation servers that generate tokens with custom-defined scopes and claims.

Token preview
Preview the scopes, claims and values of your OAuth token.

Real-time dashboard and system log
Real-time visibility and anomalous-behaviour reports. As token-related events such as creation and revocation occur in Okta, notify external services with Event Hooks.
