/okta-users | Type: Application | PCID required: Yes
Tools
okta-users_activate_user
Activate a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
sendEmail | boolean | No | — | Sends an activation email to the user if true |
okta-users_change_password
Update password

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
userId | string | Yes | — | ID of an existing Okta user |
strict | boolean | No | — | If true, validates against the password minimum age policy |
newPassword | object | No | — | Specifies a password for a user. When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password). For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation. |
oldPassword | object | No | — | Specifies a password for a user. When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password). For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation. |
revokeSessions | boolean | No | — | When set to true, revokes all user sessions, except for the current session |
okta-users_change_recovery_question
Update recovery question

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
userId | string | Yes | — | ID of an existing Okta user |
password | object | No | — | Specifies a password for a user. When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password). For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation. |
provider | object | No | — | Specifies the authentication provider that validates the user’s password credential. The user’s current provider is managed by the Delegated Authentication settings for your org. The provider object is read-only. |
recovery_question | object | No | — | Specifies a secret question and answer that’s validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only. |
okta-users_create_user
Create a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
activate | boolean | No | — | Executes an activation lifecycle operation when creating the user |
provider | boolean | No | — | Indicates whether to create a user with a specified authentication provider. |
nextLogin | string | No | — | With activate=true, if nextLogin=changePassword, a user is created, activated, and the password is set to EXPIRED. The user must change it the next time they sign in. |
credentials | object | No | — | Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. |
groupIds | string[] | No | — | The list of group IDs of groups that the user is added to at the time of creation |
profile | object | Yes | — | Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the firstName and lastName properties are nullable, and specify a pattern for login. You can use the Profile Editor in the Admin Console or the Schemas API to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It’s the client’s responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. |
realmId | string | No | — | The ID of the realm in which the user is residing. See Realms. |
type | object | No | — | The ID of the user type. Add this value if you want to create a user with a non-default User Type. The user type determines which schema applies to that user. After a user has been created, the user can only be assigned a different user type by an administrator through a full replacement (PUT) operation. |
okta-users_create_user_type
Create a user type

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
_links | object | No | — | The links value |
created | string | No | — | A timestamp from when the user type was created |
createdBy | string | No | — | The user ID of the account that created the user type |
default | boolean | No | — | A boolean value to indicate if this is the default user type |
description | string | No | — | The human-readable description of the user type |
displayName | string | Yes | — | The human-readable name of the user type |
id | string | No | — | The unique key for the user type |
lastUpdated | string | No | — | A timestamp from when the user type was most recently updated |
lastUpdatedBy | string | No | — | The user ID of the most recent account to edit the user type |
name | string | Yes | — | The name of the user type. The name must start with A-Z or a-z and contain only A-Z, a-z, 0-9, or underscore (_) characters. This value becomes read-only after creation and can’t be updated. |
okta-users_deactivate_user
Deactivate a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
sendEmail | boolean | No | — | Sends a deactivation email to the admin if true |
Prefer | string | No | — | Request asynchronous processing |
okta-users_delete_user
Delete a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
sendEmail | boolean | No | — | Sends a deactivation email to the admin if true |
Prefer | string | No | — | The prefer value |
okta-users_delete_user_type
Delete a user type

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
typeId | string | Yes | — | The unique key for the user type |
okta-users_expire_password
Expire the password

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_expire_password_with_temp_password
Expire the password with a temporary password

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
revokeSessions | boolean | No | — | Revokes the user’s existing sessions if true |
okta-users_forgot_password
Start forgot password flow

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
userId | string | Yes | — | ID of an existing Okta user |
sendEmail | boolean | No | — | Sends a forgot password email to the user if true |
okta-users_forgot_password_set_new_password
Reset password with recovery question

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
userId | string | Yes | — | ID of an existing Okta user |
sendEmail | boolean | No | — | Send Email |
password | object | No | — | Specifies a password for a user. When a user has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password). For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation. |
provider | object | No | — | Specifies the authentication provider that validates the user’s password credential. The user’s current provider is managed by the Delegated Authentication settings for your org. The provider object is read-only. |
recovery_question | object | No | — | Specifies a secret question and answer that’s validated (case insensitive) when a user forgets their password or unlocks their account. The answer property is write-only. |
okta-users_get_user
Retrieve a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
Content-Type | string | No | — | Specifies the media type of the resource. Optional okta-response value can be included for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for okta-response: omitCredentials (omits the credentials subobject from the response); omitCredentialsLinks (omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock); omitTransitioningToStatus (omits the transitioningToStatus field from the response). |
expand | string | No | — | An optional parameter to include metadata in the _embedded attribute. Valid values: blocks or classification. |
okta-users_get_user_type
Retrieve a user type

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
typeId | string | Yes | — | The unique key for the user type |
okta-users_list_user_blocks
List all user blocks

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_list_user_types
List all user types
okta-users_list_users
List all users

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
Content-Type | string | No | — | Specifies the media type of the resource. Optional okta-response value can be included for performance optimization. Complex DelAuth configurations may degrade performance when fetching specific parts of the response, and passing this parameter can omit these parts, bypassing the bottleneck. Enum values for okta-response: omitCredentials (omits the credentials subobject from the response); omitCredentialsLinks (omits the following HAL links from the response: Update password, Change recovery question, Start forgot password flow, Reset password, Reset factors, Unlock); omitTransitioningToStatus (omits the transitioningToStatus field from the response). |
search | string | No | — | Searches for users with a supported filtering expression for most properties. Okta recommends this query parameter because it provides the largest range of search options and optimal performance. Note: Using an overly complex or long search query can result in an error. This operation supports pagination. Use an ID lookup for records that you update to ensure your results contain the latest data. Returned users include those with the DEPROVISIONED status. Property names in the search parameter are case sensitive, whereas operators (eq, sw, and so on) and string values are case insensitive. Unlike with user logins, diacritical marks are significant in search string values: a search for isaac.brock finds Isaac.Brock, but doesn’t find a property whose value is isáàc.bröck. This operation requires URL encoding. See Special characters. This operation searches many properties: any user profile attribute, including custom-defined attributes; the top-level properties id, status, created, activated, statusChanged, and lastUpdated; the user type accessed as type.id; and properties that have array values. Note: The ability to search by user classification is available as an Early Access feature. The classification.type property cannot be used in conjunction with other search terms. You can search using classification.type eq "LITE" or classification.type eq "STANDARD". You can also use sortBy and sortOrder parameters. The ne (not equal) operator isn’t supported, but you can obtain the same result by using lt ... or ... gt. For example, to see all users except those that have a status of STAGED, use (status lt "STAGED" or status gt "STAGED"). You can search properties that are arrays. If any element matches the search term, the entire array (object) is returned. Okta follows the SCIM Protocol Specification for searching arrays. You can search multiple arrays, multiple values in an array, as well as using the standard logical and filtering operators. See Filter. Searches for users can be filtered by the following operators: sw, eq, and co. You can only use co with these select user profile attributes: profile.firstName, profile.lastName, profile.email, and profile.login. See Operators. |
filter | string | No | — | Filters users with a supported expression for a subset of properties. Note: Returned users include those with the DEPROVISIONED status. This requires URL encoding. For example, filter=lastUpdated gt "2013-06-01T00:00:00.000Z" is encoded as filter=lastUpdated%20gt%20%222013-06-01T00:00:00.000Z%22. Filtering is case-sensitive for property names and query values, while operators are case-insensitive. Filtering supports the following limited number of properties: status, lastUpdated, id, profile.login, profile.email, profile.firstName, and profile.lastName. Additionally, filtering supports only the equal eq operator from the standard Okta API filtering semantics, except in the case of the lastUpdated property. This property can also use the inequality operators (gt, ge, lt, and le). For logical operators, only the logical operators and and or are supported. The not operator isn’t supported. See Filter and Operators. |
q | string | No | — | Finds users who match the specified query. Use the q parameter for simple queries, such as a lookup of users by name when creating a people picker. The value of q is matched against firstName, lastName, or email. This performs a startsWith match, but this is an implementation detail and can change without notice. You don’t need to specify firstName, lastName, or email. Notes: Using the q parameter in a request omits users that have a status of DEPROVISIONED. To return all users, use a filter or search query instead. This doesn’t support pagination, but you can use limit. This isn’t designed for large data sets. For optimal performance, use the search parameter instead. |
after | string | No | — | The cursor to use for pagination. It is an opaque string that specifies your current location in the list and is obtained from the Link response header. See Pagination and Link header. |
limit | integer | No | — | Specifies the number of results returned. Defaults to 10 if q is provided. You can use limit with after to define the cursor location in the data set and manage the user records per page. |
sortBy | string | No | — | Specifies the field to sort by (for search queries only). This can be any single property, for example sortBy=profile.lastName. Users with the same value for the sortBy property are ordered by id. Use with sortOrder to control the order of results. |
sortOrder | string | No | — | Specifies sort order: asc or desc (for search queries only). This parameter is ignored if sortBy isn’t present. |
fields | string | No | — | Specifies a select set of user properties to query. Any other properties will be filtered out of the returned users. This is often called field projections in APIs, which can reduce payload size, improve performance, and limit unnecessary data exposure. Requested fields should be comma-separated. Comma-separate the fields and place sub-fields in the profile object inside a profile:() directive, for example profile:(firstName, city). The id field is always included, regardless of whether it’s specified in the fields parameter. |
expand | string | No | — | A parameter to include metadata in the _embedded property. Supported value: classification. |
okta-users_reactivate_user
Reactivate a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
sendEmail | boolean | No | — | Sends an activation email to the user if true |
okta-users_replace_user
Replace a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
strict | boolean | No | — | If true, validates against minimum age and history password policy |
If-Match | string | No | — | The ETag value of the user’s expected current state. This becomes a conditional request used for concurrency control. See Conditional Requests and Entity Tags. |
credentials | object | No | — | Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. |
profile | object | No | — | Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the firstName and lastName properties are nullable, and specify a pattern for login. You can use the Profile Editor in the Admin Console or the Schemas API to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It’s the client’s responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. |
realmId | string | No | — | The ID of the realm in which the user is residing. See Realms. |
type | object | No | — | The ID of the user type. Add this value if you want to create a user with a non-default User Type. The user type determines which schema applies to that user. After a user has been created, the user can only be assigned a different user type by an admin through a full replacement (PUT) operation. |
okta-users_replace_user_type
Replace a user type

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
typeId | string | Yes | — | The unique key for the user type |
description | string | Yes | — | The human-readable description of the user type |
displayName | string | Yes | — | The human-readable name of the user type |
name | string | Yes | — | The name of the existing type |
okta-users_reset_factors
Reset the factors

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_reset_password
Reset a password

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
sendEmail | boolean | Yes | — | Send Email |
revokeSessions | boolean | No | — | Revokes all user sessions, except for the current session, if set to true |
okta-users_suspend_user
Suspend a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_unlock_user
Unlock a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_unsuspend_user
Unsuspend a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
okta-users_update_user
Update a user

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
id | string | Yes | — | An ID, login, or login shortname (as long as the shortname is unambiguous) of an existing Okta user |
strict | boolean | No | — | If true, validates against minimum age and history password policy |
If-Match | string | No | — | The ETag value of the user’s expected current state. This becomes a conditional request used for concurrency control. See Conditional Requests and Entity Tags. |
credentials | object | No | — | Specifies primary authentication and recovery credentials for a user. Credential types and requirements vary depending on the provider and security policy of the org. |
profile | object | No | — | Specifies the default and custom profile properties for a user. The default user profile is based on the System for Cross-domain Identity Management: Core Schema. The only permitted customizations of the default profile are to update permissions, change whether the firstName and lastName properties are nullable, and specify a pattern for login. You can use the Profile Editor in the Admin Console or the Schemas API to make schema modifications. You can extend user profiles with custom properties. You must first add the custom property to the user profile schema before you reference it. You can use the Profile Editor in the Admin Console or the Schemas API to manage schema extensions. Custom attributes can contain HTML tags. It’s the client’s responsibility to escape or encode this data before displaying it. Use best-practices to prevent cross-site scripting. |
realmId | string | No | — | The ID of the realm in which the user is residing. See Realms. |
type | object | No | — | The ID of the user type. Add this value if you want to create a user with a non-default User Type. The user type determines which schema applies to that user. After a user has been created, the user can only be assigned a different user type by an admin through a full replacement (PUT) operation. |
okta-users_update_user_type
Update a user type

Parameters:

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
typeId | string | Yes | — | The unique key for the user type |
description | string | No | — | The updated human-readable description of the user type |
displayName | string | No | — | The updated human-readable display name for the user type |

