Authentication & Authorization ‐ OAuth 2 and API tokens
Tako v1.25 and above supports two types of token mechanisms for secure authentication with Okta.
Authentication Methods:
- 🔐 OAuth 2.0 Tokens - Modern OAuth 2.0 flow with enhanced security (Recommended)
- 🔑 API Tokens - Simple token-based authentication
💡 Recommendation: Use OAuth 2.0 for production environments as it provides better security, audit trails, and granular permissions.
OAuth 2.0 provides enhanced security with private key authentication and granular scope-based permissions.
- Navigate to Admin Console → Applications → Create App Integration
- Select API Services
- Give it a descriptive name like "Tako API OAuth2"
- Click Save to create the application
- On the General Tab, click EDIT button in the Client Credentials section
- Select Public key / Private Key
- Select Save keys in Okta
- Click on Add Key button
- Click on Generate new key
- In the bottom section, select PEM format
- Copy the generated private key to clipboard
⚠️ Important: This private key value goes into the OKTA_OAUTH2_PRIVATE_KEY_PEM variable in your .env file
- Click on the Okta API Scopes tab
- Click Grant on all scopes ending with ".read"
- For enhanced security, grant only specific scopes you need
📋 Best Practice: By default, select all scopes that end with ".read" for comprehensive read-only access
- Click on Admin Roles tab
- Assign the Read-only Administrator role to start
- Add additional custom roles as needed
- Click on Application Rate Limits tab
- Set appropriate rate limits based on your usage requirements
⚠️ Critical: Rate limits determine the OKTA_CONCURRENT_VALUE in your configuration. Refer to the optimal API settings guide for concurrent limit values.
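How the private key created above is used at runtime, as an added example that is not the Tako project's own code: it builds the RS256 private_key_jwt client assertion that Okta's "Public key / Private key" client authentication expects and the client_credentials request body carrying the ".read" scopes. The org URL and client_id are placeholders, and a throwaway key is generated in-process instead of reading OKTA_OAUTH2_PRIVATE_KEY_PEM from .env.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Placeholder org URL (assumption). The real org URL and client_id come from your config,
// and the key from OKTA_OAUTH2_PRIVATE_KEY_PEM in .env (pem.Decode + x509.ParsePKCS8PrivateKey).
const oktaOrg = "https://example.okta.com"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ClientAssertion builds the RS256-signed private_key_jwt that stands in for a client secret:
// iss/sub = client_id, aud = the org token endpoint, short exp and a random jti against replay.
func ClientAssertion(key *rsa.PrivateKey, clientID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": oktaOrg + "/oauth2/v1/token",
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": b64(jti),
	})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form body POSTed to /oauth2/v1/token; request only the
// ".read" scopes granted on the Okta API Scopes tab.
func TokenRequestBody(assertion string, scopes []string) string {
	return url.Values{"grant_type": {"client_credentials"}, "scope": {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion": {assertion}}.Encode()
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key for the demo only
	a, _ := ClientAssertion(key, "0oaEXAMPLE_CLIENT_ID", time.Now())
	fmt.Println(TokenRequestBody(a, []string{"okta.users.read", "okta.groups.read"}))
}
```

The assertion is short-lived and single-use, so a leaked request body is far less useful to an attacker than a leaked static API token, which is the security gain the page recommends OAuth 2.0 for.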
- Login to the Okta admin console with a read-only administrator account
- Navigate to Security → API → Tokens
- Click Create Token
- Give the token a descriptive name
- ⚠️ HIGHLY RECOMMENDED: Restrict the token to a specific IP address or network zone for enhanced security
- ✅ Always use IP restrictions when possible
- ✅ Use network zones to limit token access
- ✅ Follow the principle of least privilege
- ✅ Regularly rotate API tokens
- ❌ Never embed tokens in client-side code
For scenarios requiring additional permissions beyond the read-only administrator role (e.g., listing Okta administrators), you can create custom roles.
- Navigate to Admin Console → Security → Administrators → Roles
- Click Create New Role
- Select the necessary permissions based on your requirements
- Click Save Role to finalize the configuration
- Create a resource set for Identity and Access Management resources
- Define the scope of resources this role can access
Finally, assign both the custom role and resource set to the user or service account that will be used to create the API token.
API Token Rate Limits:
Set the appropriate rate limits. This is IMPORTANT because it decides the OKTA_CONCURRENT_VALUE limit in the configuration. Refer to this table to see how the API rate limit affects the CONCURRENT_LIMIT value: https://github.com/fctr-id/okta-ai-agent?tab=readme-ov-file#-optimal-api-settings-for-maximum-sync-speed-
- 🔐 Use OAuth 2.0 when possible, for enhanced security
- 🛡️ Implement IP restrictions for all API tokens
- 🔄 Rotate tokens regularly (recommended: every 90 days)
- 📊 Monitor token usage through audit logs
- 🚫 Revoke unused tokens immediately
- 👥 Use service accounts for automated processes
- 📋 Maintain an inventory of all active tokens
- 🔍 Regular access reviews for custom roles
- 📝 Document all custom role configurations
- ❓ Token not working? Check IP restrictions and network zones
- ❓ Permission denied? Verify custom role assignments
- ❓ Audit failures? Confirm resource set configurations
Last updated: August 31, 2025
Copyright © 2025 Fctr Identity. Licensed under Apache License 2.0