O

Okta

API keyHR & OpsOrg connection

Org-level connection

Okta is connected once at the org level by an admin. The credential is shared across all groups that have been granted access — individual team members don't need to connect their own accounts.

Getting your API key

Sign in to your Okta Admin Console as a Super Admin.

(Recommended) Create a dedicated service user under Directory → People → Add Person, and assign the admin role that matches the access On Belay agents need: "Read-Only Administrator" for reporting, or a custom role / Super Admin for user/group/app lifecycle writes. Tokens inherit the creator's privileges and are deactivated if the creator's account is deactivated, so a service user keeps things stable.

Sign in as that service user.

Go to Security → API → Tokens → Create token. Name it "On Belay" and copy the value — it is shown only once.

Paste:

• Okta Domain: your full Okta host (e.g. acme.okta.com, acme.oktapreview.com, or your custom domain like id.acme.com — no scheme, no trailing slash)

• API Token: the SSWS value from step 4

Note: this token auto-deactivates after 30 days of inactivity. Regular agent traffic keeps it live; if calls start failing, regenerate using the same steps.

Ready to connect?

Sign in to On Belay and open the Integrations page to add Okta.

Sign in →

Permissions (scopes)

These are the data scopes On Belay can be granted for Okta. Your org admin controls which scopes are enabled per group.

ScopeDescriptionAccess
okta.users.readRead usersRead only
okta.users.manageManage user lifecycleRead / Write
okta.groups.readRead groupsRead only
okta.groups.manageManage group membershipRead / Write
okta.apps.readRead applicationsRead only
okta.apps.manageAssign/unassign appsRead / Write
okta.logs.readRead system logRead only

Troubleshooting

"Invalid API key" or "Unauthorized" error
Double-check that you copied the full key without any leading/trailing spaces. Some platforms show a truncated preview — make sure to copy the full token. If the key was generated with restricted scopes, verify it includes the permissions listed above.
Connected but Claude can't access data
Check that your group has been granted access to this integration in On Belay → Groups → [your group] → Integrations. Also verify the specific scopes your group is permitted to use match what your query requires.
The key expires or stops working
Some API keys have expiration policies. Generate a new key in Okta and update it in On Belay → Integrations → Okta → Update key. Consider creating a dedicated service account or machine user for On Belay so the key isn't tied to a personal account.

Still stuck? We're happy to help.

Contact support →