Phone (MFA)

Direct Authentication — Password + SMS/Voice MFA

Phone MFA Flow

Step 1 (Client App): Authenticate with Password

Send credentials to get an mfa_token for the phone challenge.

Endpoint: /oauth2/default/v1/token (grant type: password)
        
Step 2 (Client App): Initiate Phone Challenge

Send an MFA challenge request to trigger an SMS or voice call to the user's phone.

Endpoint: /oauth2/default/v1/challenge
        
Step 3 (User): Submit Verification Code

Enter the verification code received via SMS or voice call.

Endpoint: /oauth2/default/v1/token (grant type: urn:okta:params:oauth:grant-type:mfa-oob)
        
Step 4 (Client App, optional): Test Token with API

Test the access token by making an authenticated API request to a resource server.

        

Optional APIs

Use the endpoints below to inspect, revoke, or end sessions for the tokens obtained above.

Call the /userinfo endpoint with the access token to retrieve the authenticated user's profile claims.
            

Call the /introspect endpoint to inspect the token and verify its active status, scopes, and metadata.
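
The checks a resource server might apply to the /introspect response before trusting a token, as an added example (not code from this page or from Okta). It relies only on the standard RFC 7662 response members (active, exp, client_id, scope); the function name, the 60-second cache bound and the sample responses are assumptions constructed for illustration.

```python
import time

MAX_CACHE_SECONDS = 60  # assumption: longest a cached "active" verdict may outlive a revocation


def evaluate_introspection(resp, required_scopes, expected_client_id, now=None):
    """Decide from an RFC 7662 introspection response whether to accept a token.

    Returns (allowed, reason, cache_ttl_seconds).
    """
    now = int(time.time()) if now is None else now

    # "active" is the only mandatory member, and an inactive response may carry
    # nothing else. Compare with True itself so a string such as "false" fails.
    if resp.get("active") is not True:
        return False, "token is not active", 0

    # Fail closed when exp is missing, malformed or already in the past.
    exp = resp.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int) or exp <= now:
        return False, "missing or expired exp", 0

    # A token minted for another client must not be accepted here.
    if resp.get("client_id") != expected_client_id:
        return False, "token issued to a different client", 0

    # "scope" is one space-separated string, not a list.
    scope = resp.get("scope")
    granted = set(scope.split()) if isinstance(scope, str) else set()
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scope: " + " ".join(sorted(missing)), 0

    # Never cache past the token's expiry, and cap the window in which a
    # token revoked through /revoke would still be honoured from cache.
    return True, "ok", min(MAX_CACHE_SECONDS, exp - now)


# Constructed sample responses (not captured from a real Okta org).
NOW = 1_700_000_000
ACTIVE = {"active": True, "scope": "openid okta.apps.read",
          "client_id": "0oa_example_client", "exp": NOW + 3600}
REVOKED = {"active": False}

if __name__ == "__main__":
    for name, resp in (("active", ACTIVE), ("revoked", REVOKED)):
        print(name, evaluate_introspection(resp, {"okta.apps.read"}, "0oa_example_client", NOW))
```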

            

Call the /revoke endpoint to revoke an access or refresh token, rendering it unusable.
            

End the user's Okta session using RP-Initiated Logout. The logout opens in a new browser window.
            

App Management APIs

Use the Okta Management API to view and update the application. Requires management scopes (e.g. okta.apps.read, okta.apps.manage).

Call GET /api/v1/apps/{appId} with the access token to retrieve the application object from Okta.
            

Call PUT /api/v1/apps/{appId} to update the application. Use "Load Current" to fetch the current app JSON, edit it, then send the update.