Okta
Org-level connection
Okta is connected once at the org level by an admin. The credential is shared across all groups that have been granted access — individual team members don't need to connect their own accounts.
Getting your API key
Sign in to your Okta Admin Console as a Super Admin.
(Recommended) Create a dedicated service user under Directory → People → Add Person, and assign the admin role that matches the access On Belay agents need: "Read-Only Administrator" for reporting, or a custom role / Super Admin for user/group/app lifecycle writes. Tokens inherit the creator's privileges and are deactivated if the creator's account is deactivated, so a service user keeps things stable.
Sign in as that service user.
Go to Security → API → Tokens → Create token. Name it "On Belay" and copy the value — it is shown only once.
Paste:
• Okta Domain: your full Okta host (e.g. acme.okta.com, acme.oktapreview.com, or your custom domain like id.acme.com — no scheme, no trailing slash)
• API Token: the SSWS value from step 4
Note: this token auto-deactivates after 30 days of inactivity. Regular agent traffic keeps it live; if calls start failing, regenerate using the same steps.
Ready to connect?
Sign in to On Belay and open the Integrations page to add Okta.
Permissions (scopes)
These are the data scopes On Belay can be granted for Okta. Your org admin controls which scopes are enabled per group.
| Scope | Description | Access |
|---|---|---|
okta.users.read | Read users | Read only |
okta.users.manage | Manage user lifecycle | Read / Write |
okta.groups.read | Read groups | Read only |
okta.groups.manage | Manage group membership | Read / Write |
okta.apps.read | Read applications | Read only |
okta.apps.manage | Assign/unassign apps | Read / Write |
okta.logs.read | Read system log | Read only |
Troubleshooting
"Invalid API key" or "Unauthorized" error
Connected but Claude can't access data
The key expires or stops working
Still stuck? We're happy to help.
Contact support →