
Okta Comprehensive Cheatsheet

Installation

Okta CLI Installation

Platform Command
macOS (Homebrew) brew install --cask oktadeveloper/tap/okta (installs the Okta CLI; brew tap okta/okta && brew install okta-aws-cli installs okta-aws-cli, a separate tool for federating into AWS, not the Okta CLI)
Linux (Ubuntu/Debian) curl -L https://github.com/okta/okta-cli/releases/latest/download/okta-cli-linux-amd64 -o okta && chmod +x okta && sudo mv okta /usr/local/bin/
Windows (Chocolatey) choco install okta
Windows (Direct) Invoke-WebRequest -Uri "https://github.com/okta/okta-cli/releases/latest/download/okta-cli-windows-amd64.exe" -OutFile "okta.exe"
Verify Installation okta --version

SDK Installation

Language Command
Node.js npm install @okta/okta-sdk-nodejs @okta/okta-auth-js
Python pip install okta okta-jwt-verifier
Java (Maven) Add dependency com.okta.sdk:okta-sdk-api:8.2.3 plus com.okta.sdk:okta-sdk-impl:8.2.3 at runtime scope (the api artifact is interfaces only)
Go go get github.com/okta/okta-sdk-golang/v2
.NET dotnet add package Okta.Sdk

On-Premises Agent Installation

Component Command
AD Agent (Windows) .\OktaADAgentSetup.exe /silent /log="C:\Temp\okta-install.log"
Verify AD Service Get-Service OktaADAgent
LDAP Agent (Linux) Download the RPM/DEB package from the Admin Console (Directory > Directory Integrations > Add LDAP Directory), then sudo rpm -i OktaLDAPAgent-{version}.rpm (or sudo dpkg -i OktaLDAPAgent-{version}.deb) and register the agent with your org: sudo /opt/Okta/OktaLDAPAgent/scripts/configure_agent.sh

Basic Commands

CLI Setup and Authentication

Command Description
okta login Configure Okta CLI with your organization credentials
okta org set --org-url https://dev-123456.okta.com Set default organization URL
okta session get Display current session information
okta logout Logout from current session

User Management

Command Description
okta users list List all users in the organization
okta users get user@example.com Get details for a specific user
okta users create --email user@example.com --firstName John --lastName Doe Create a new user
okta users update user@example.com --firstName Jane Update user profile information
okta users deactivate user@example.com Deactivate a user account
okta users delete user@example.com Permanently delete a user

Application Management

Command Description
okta apps list List all applications in the organization
okta apps get <app-id> Get details for a specific application
okta apps create Create a new application (interactive)
okta apps assign-user <app-id> <user-id> Assign user to an application

Group Management

Command Description
okta groups list List all groups in the organization
okta groups create --name "Engineering" --description "Engineering Team" Create a new group
okta groups add-user <group-id> <user-id> Add user to a group
okta groups remove-user <group-id> <user-id> Remove user from a group

Advanced Usage

API Authentication

Command Description
curl -X POST "https://{yourOktaDomain}/oauth2/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&scope=okta.users.read&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={signedClientJwt}" Get an OAuth 2.0 access token for the Okta management API (client credentials). The okta.* scopes are issued only by the org authorization server (/oauth2/v1), not by a custom one such as /oauth2/default, and an API service app authenticates with a private_key_jwt assertion signed by its registered key rather than a client secret. Send the result as "Authorization: Bearer {accessToken}" in place of SSWS
curl -X POST "https://{yourOktaDomain}/oauth2/default/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code={code}&redirect_uri={redirectUri}&code_verifier={codeVerifier}&client_id={clientId}&client_secret={clientSecret}" Exchange an authorization code for tokens. code_verifier is required when the authorize request carried a PKCE code_challenge (Okta mandates PKCE for SPA and native clients, which also omit client_secret); redirect_uri must match the one used in the authorize request exactly
curl -X POST "https://{yourOktaDomain}/oauth2/default/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token={refreshToken}&client_id={clientId}&client_secret={clientSecret}" Refresh an expired access token. With refresh-token rotation enabled, the response carries a new refresh_token and the old one stops working, so persist the new value

Advanced User Operations

Command Description
curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'filter=status eq "ACTIVE"' -H "Authorization: SSWS {apiToken}" Search users by status filter (-G with --data-urlencode percent-encodes the spaces and quotes that curl would otherwise send raw in the URL)
curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'search=profile.department eq "Engineering"' -H "Authorization: SSWS {apiToken}" Search users by profile attribute (search, unlike filter, supports arbitrary profile attributes)
curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'search=profile.firstName sw "J" and status eq "ACTIVE"' -H "Authorization: SSWS {apiToken}" Complex user search with multiple conditions
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/suspend" -H "Authorization: SSWS {apiToken}" Suspend a user account
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unsuspend" -H "Authorization: SSWS {apiToken}" Unsuspend a user account
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unlock" -H "Authorization: SSWS {apiToken}" Unlock a locked user account
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/expire_password?tempPassword=false" -H "Authorization: SSWS {apiToken}" Force password expiration for user
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/reset_password?sendEmail=true" -H "Authorization: SSWS {apiToken}" Reset user password and send email

User Creation and Updates

Command Description
curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=true" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"profile":{"firstName":"John","lastName":"Doe","email":"john.doe@example.com","login":"john.doe@example.com"},"credentials":{"password":{"value":"TempPass123!"}}}' Create new user with password
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"profile":{"firstName":"Jane","lastName":"Doe"}}' Partially update user profile attributes (POST merges the given attributes; PUT replaces the whole profile and clears every attribute the body omits)
curl -X POST "https://{yourOktaDomain}/api/v1/users" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" --data-binary @user.json Create one user from a JSON file (the endpoint takes a single user object per request, not an array; for bulk import loop over the records as in Use Case 3)

Group and Application Operations

Command Description
curl -X GET "https://{yourOktaDomain}/api/v1/groups" -H "Authorization: SSWS {apiToken}" List all groups via API
curl -X PUT "https://{yourOktaDomain}/api/v1/groups/{groupId}/users/{userId}" -H "Authorization: SSWS {apiToken}" Assign user to group via API
curl -X GET "https://{yourOktaDomain}/api/v1/apps" -H "Authorization: SSWS {apiToken}" List all applications via API
curl -X POST "https://{yourOktaDomain}/api/v1/apps/{appId}/users" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"id":"{userId}","scope":"USER"}' Assign application to user
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/sessions?oauthTokens=true" -H "Authorization: SSWS {apiToken}" End all of a user's Okta sessions and revoke their OAuth 2.0 tokens (the API has no call that lists a user's sessions; use user.session.start events in the System Log to see where they signed in)
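The list calls above return at most one page (200 objects for most endpoints) and are throttled per org, so any script that enumerates users, groups or apps has to follow the Link rel="next" header and back off on HTTP 429. The reader below is an added example, not code from the cheatsheet or from Okta's SDKs: it assumes the org URL and SSWS token live in OKTA_DOMAIN and OKTA_API_TOKEN as in the configuration section, and its transport, sleep and clock are injectable so the pagination and 429 handling can be exercised offline against constructed responses (demo()).

```python
"""Paginated, rate-limit-aware reads from the Okta Management API.

Added example (not from the cheatsheet). Follows the Link rel="next" header
that Okta returns on list endpoints and honours 429 responses by sleeping
until X-Rate-Limit-Reset. Org URL and token are assumed to be in the
OKTA_DOMAIN and OKTA_API_TOKEN environment variables.
"""
import json
import os
import re
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]  # (status, lower-cased headers, body)

_NEXT_LINK = re.compile(r'<([^>]+)>;\s*rel="next"')


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Extract the rel="next" URL from an Okta Link header (None on the last page)."""
    if not link_header:
        return None
    match = _NEXT_LINK.search(link_header)
    return match.group(1) if match else None


def retry_after_seconds(headers: Dict[str, str], now: float) -> float:
    """Seconds to wait after a 429: X-Rate-Limit-Reset is an epoch timestamp."""
    reset = headers.get("x-rate-limit-reset")
    if reset is None:
        return 1.0
    return max(float(reset) - now, 0.0) + 0.5  # small margin past the reset


def _fold_headers(items) -> Dict[str, str]:
    """Lower-case header names and join duplicates (Okta sends two Link headers)."""
    folded: Dict[str, str] = {}
    for key, value in items:
        key = key.lower()
        folded[key] = f"{folded[key]}, {value}" if key in folded else value
    return folded


def urllib_transport(url: str, token: str) -> Response:
    """Real HTTP transport: one authenticated GET, errors returned rather than raised."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {token}",
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, _fold_headers(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, _fold_headers(err.headers.items()), err.read()


class OktaReader:
    def __init__(self, org_url: str, token: str,
                 transport: Callable[[str, str], Response] = urllib_transport,
                 sleep: Callable[[float], None] = time.sleep,
                 clock: Callable[[], float] = time.time, max_retries: int = 4) -> None:
        self.org_url, self.token = org_url.rstrip("/"), token
        self.transport, self.sleep, self.clock = transport, sleep, clock
        self.max_retries = max_retries
        self.retries = 0  # number of 429s retried, useful for logging

    def get_all(self, path: str) -> Iterator[dict]:
        """Yield every object from a list endpoint, following pagination links."""
        url = f"{self.org_url}{path}"
        while url:
            headers, body = self._get_with_backoff(url)
            yield from json.loads(body)
            url = parse_next_link(headers.get("link"))

    def _get_with_backoff(self, url: str) -> Tuple[Dict[str, str], bytes]:
        for attempt in range(self.max_retries + 1):
            status, headers, body = self.transport(url, self.token)
            if status == 429 and attempt < self.max_retries:
                self.retries += 1
                self.sleep(retry_after_seconds(headers, self.clock()))
                continue
            if status != 200:  # includes a 429 that exhausted the retry budget
                raise RuntimeError(f"GET {url} -> HTTP {status}: {body[:200]!r}")
            return headers, body
        raise AssertionError("loop always returns or raises")


def from_env() -> OktaReader:
    """Reader for a real org, configured from the environment variables above."""
    return OktaReader(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"])


def constructed_transport() -> Callable[[str, str], Response]:
    """Constructed responses: a 429 first, then two pages shaped like GET /api/v1/users."""
    org = "https://dev-123456.okta.com"
    first, second = f"{org}/api/v1/users?limit=2", f"{org}/api/v1/users?after=00u2&limit=2"
    page1 = [{"id": "00u1", "profile": {"login": "alice@example.com"}},
             {"id": "00u2", "profile": {"login": "bob@example.com"}}]
    page2 = [{"id": "00u3", "profile": {"login": "carol@example.com"}}]
    queue = {
        first: [(429, {"x-rate-limit-reset": "1700000100"}, b'{"errorCode":"E0000047"}'),
                (200, {"link": f'<{first}>; rel="self", <{second}>; rel="next"'},
                 json.dumps(page1).encode())],
        second: [(200, {"link": f'<{second}>; rel="self"'}, json.dumps(page2).encode())],
    }
    return lambda url, _token: queue[url].pop(0)


def demo() -> dict:
    """Run the reader offline; the returned dict is what the accompanying test checks."""
    slept: List[float] = []
    reader = OktaReader("https://dev-123456.okta.com", "dummy-token",
                        transport=constructed_transport(), sleep=slept.append,
                        clock=lambda: 1700000090.0)
    logins = [u["profile"]["login"] for u in reader.get_all("/api/v1/users?limit=2")]
    return {"logins": logins, "retries": reader.retries, "slept": slept}


if __name__ == "__main__":
    print(demo())
```

Against a real org, `from_env().get_all('/api/v1/users?filter=status%20eq%20%22ACTIVE%22&limit=200')` walks every page; the constructed run shows one 429 being absorbed (a 10.5 s sleep computed from the reset header) before all three users arrive across two pages.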

Configuration

API Token Configuration

Store your Okta API token in environment variables (the Okta SDKs also read OKTA_CLIENT_ORGURL and OKTA_CLIENT_TOKEN) rather than in scripts. An SSWS token acts with every permission of the admin who created it and is revoked after 30 days without use, so treat it like that admin's password:

# Linux/macOS
export OKTA_API_TOKEN="your_api_token_here"
export OKTA_DOMAIN="https://dev-123456.okta.com"

# Windows PowerShell
$env:OKTA_API_TOKEN="your_api_token_here"
$env:OKTA_DOMAIN="https://dev-123456.okta.com"

Okta CLI Configuration File

Location: ~/.okta/okta.yaml (also read by the Okta SDKs; keep it mode 0600 because it holds the API token)

okta:
  client:
    orgUrl: "https://dev-123456.okta.com"
    token: "your_api_token_here"
    connectionTimeout: 30
    requestTimeout: 0
    rateLimit:
      maxRetries: 4

OAuth 2.0 Application Configuration

{
  "client_id": "0oa2abc3def4GHI5j6k7",
  "client_secret": "your_client_secret",
  "redirect_uris": [
    "https://yourapp.com/callback"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code"
  ],
  "token_endpoint_auth_method": "client_secret_post"
}

LDAP Agent Configuration

Location: /opt/Okta/OktaLDAPAgent/conf/OktaLDAPAgent.conf (written by configure_agent.sh when the agent registers with your org; the bind password is stored encrypted, and the file should be readable only by the agent's service account)

# Okta Organization Settings
okta.domain=dev-123456.okta.com
okta.apiToken=your_api_token

# LDAP Server Settings
ldap.host=ldap.example.com
ldap.port=389
ldap.baseDN=dc=example,dc=com
ldap.bindDN=cn=admin,dc=example,dc=com
ldap.bindPassword=encrypted_password

# Agent Settings
agent.pollInterval=60
agent.logLevel=INFO

Active Directory Agent Configuration

Location: C:\Program Files\Okta\Okta AD Agent\OktaADAgent.exe.config (populated by the installer when the agent is registered through an admin sign-in; restrict its ACL to the agent service account and administrators)

<configuration>
  <appSettings>
    <add key="OktaDomain" value="dev-123456.okta.com" />
    <add key="ApiToken" value="your_api_token" />
    <add key="ADDomain" value="corp.example.com" />
    <add key="SyncInterval" value="300" />
    <add key="LogLevel" value="Information" />
  </appSettings>
</configuration>

Common Use Cases

Use Case 1: Onboard New Employee

# Step 1: Create a staged user account (activate=false); the "id" in the response is the {userId} used below
curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=false" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "profile": {
      "firstName": "Alice",
      "lastName": "Johnson",
      "email": "alice.johnson@example.com",
      "login": "alice.johnson@example.com",
      "department": "Engineering",
      "title": "Software Engineer"
    }
  }'

# Step 2: Add to relevant groups
curl -X PUT "https://{yourOktaDomain}/api/v1/groups/{engineeringGroupId}/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"

# Step 3: Assign applications
curl -X POST "https://{yourOktaDomain}/api/v1/apps/{slackAppId}/users" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{"id":"{userId}","scope":"USER"}'

# Step 4: Activate user and send welcome email
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/activate?sendEmail=true" \
  -H "Authorization: SSWS {apiToken}"

Use Case 2: Offboard Employee

# Step 1: Suspend the account immediately. Suspension blocks new sign-ins but does
# not end existing sessions or revoke tokens, hence steps 2 and 3
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/suspend" \
  -H "Authorization: SSWS {apiToken}"

# Step 2: Review the user's recent sign-ins. The API has no call that lists a
# user's sessions, so query the System Log (default window: the last 7 days)
curl -G "https://{yourOktaDomain}/api/v1/logs" \
  --data-urlencode 'filter=actor.id eq "{userId}" and eventType eq "user.session.start"' \
  -H "Authorization: SSWS {apiToken}"

# Step 3: End all Okta sessions and, with oauthTokens=true, revoke the user's
# OAuth 2.0 access and refresh tokens as well
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/sessions?oauthTokens=true" \
  -H "Authorization: SSWS {apiToken}"

# Step 4: After the retention period, deactivate. This triggers deprovisioning in
# every assigned app that supports it, which may suspend or delete the user's
# account in those apps
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/deactivate" \
  -H "Authorization: SSWS {apiToken}"

# Step 5: Finally delete the user. Only a DEPROVISIONED user can be deleted, and
# deletion is permanent
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"

Use Case 3: Bulk User Import from CSV

# Step 1: Convert CSV to JSON
cat users.csv | jq -R -s -f csv_to_json.jq > users.json

# Step 2: Import users one request at a time. Read line by line so the JSON
# is not split on spaces, and stop on the first non-2xx status
jq -c '.[]' users.json | while IFS= read -r user; do
  status=$(curl -s -o /dev/null -w '%{http_code}' \
    -X POST "https://{yourOktaDomain}/api/v1/users?activate=true" \
    -H "Authorization: SSWS {apiToken}" \
    -H "Content-Type: application/json" \
    -d "$user")
  case "$status" in
    2??) ;;
    429) echo "rate limited; wait for X-Rate-Limit-Reset before resuming" >&2; exit 1 ;;
    *)   echo "failed ($status): $user" >&2; exit 1 ;;
  esac
  sleep 1  # coarse throttle; the X-Rate-Limit-* headers carry the real budget
done

Use Case 4: Implement MFA for High-Risk Users

# Step 1: Find admin users. profile.role is a custom profile attribute, so this
# only works if your user schema defines it; authoritative admin role assignments
# come from the Roles API (GET /api/v1/users/{userId}/roles)
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'search=profile.role eq "Admin"' \
  -H "Authorization: SSWS {apiToken}" > admin_users.json

# Step 2: Start a TOTP enrollment for a user. The factor is created in
# PENDING_ACTIVATION and the response carries the shared secret/QR code; the user
# completes it with POST /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate
# and a current passCode. An admin cannot finish the enrollment on the user's behalf
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/factors" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "factorType": "token:software:totp",
    "provider": "OKTA"
  }'

# Step 3: Create an MFA enrollment policy for the admin group. An MFA_ENROLL policy
# controls which factors the group must or may enroll (settings.factors) and needs
# at least one rule (POST /api/v1/policies/{policyId}/rules) before it applies.
# Requiring the factor at sign-in is done separately in the sign-on (Classic Engine)
# or authentication (Identity Engine) policy; an enrollment policy alone does not
# prompt for MFA
curl -X POST "https://{yourOktaDomain}/api/v1/policies" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "MFA_ENROLL",
    "name": "Admin MFA Policy",
    "status": "ACTIVE",
    "conditions": {
      "people": {
        "groups": {
          "include": ["{adminGroupId}"]
        }
      }
    },
    "settings": {
      "factors": {
        "okta_otp": {
          "enroll": { "self": "REQUIRED" },
          "consent": { "type": "NONE" }
        }
      }
    }
  }'

Use Case 5: Generate Access Report

# Step 1: Get all active users. limit=200 is the page maximum; the response's Link
# header carries rel="next" (with an after cursor) while more pages remain, so a
# single call silently stops at 200 users unless you follow it
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'filter=status eq "ACTIVE"' --data-urlencode 'limit=200' \
  -D active_users.headers \
  -H "Authorization: SSWS {apiToken}" > active_users.json
grep -i 'rel="next"' active_users.headers && echo "more pages: follow the Link header" >&2

# Step 2: For each user, get assigned applications (one JSON line per user)
while read -r userId; do
  curl -G "https://{yourOktaDomain}/api/v1/apps" \
    --data-urlencode "filter=user.id eq \"${userId}\"" \
    -H "Authorization: SSWS {apiToken}" \
    | jq -c --arg uid "$userId" '{user: $uid, apps: map(.label)}'
done < <(jq -r '.[].id' active_users.json) > user_apps_report.json

# Step 3: Get sign-in events. Without since the System Log only returns the last
# 7 days, which is too short for a last-login report; limit=1000 is the page maximum
curl -G "https://{yourOktaDomain}/api/v1/logs" \
  --data-urlencode 'filter=eventType eq "user.session.start"' \
  --data-urlencode 'since={sinceIso8601}' --data-urlencode 'limit=1000' \
  -H "Authorization: SSWS {apiToken}" > login_report.json

# Step 4: Join last successful login onto each user. Events come back oldest first
# by default, so the last entry per actor.id wins in from_entries
jq -n --slurpfile users active_users.json --slurpfile logs login_report.json '
  ($logs[0] | map(select(.outcome.result == "SUCCESS"))
    | map({key: .actor.id, value: .published}) | from_entries) as $last
  | $users[0] | map({id, login: .profile.login, lastLogin: ($last[.id] // null)})
' > complete_access_report.json

Best Practices

  • Use API Tokens Securely: Store API tokens in environment variables or a secrets vault, never hardcode them in scripts or commit them to version control. An SSWS token carries every permission of the admin who created it and is revoked after 30 days without use, so create tokens from a dedicated least-privilege admin account or, better, use an OAuth 2.0 service app that requests only the okta.* scopes it needs
  • Implement Rate Limiting: Okta enforces per-org rate limits that vary by endpoint. Implement exponential backoff and respect the X-Rate-Limit-Limit, X-Rate-Limit-Remaining and X-Rate-Limit-Reset headers (the last is an epoch timestamp) to avoid throttling
  • Enable MFA for All Users: Require multi-factor authentication for all users, especially administrators and privileged accounts, to enhance security posture
  • Use Groups for Access Management: Assign applications and permissions to groups rather than individual users for easier management and consistency
  • Implement Least Privilege: Grant users only the minimum permissions necessary for their role. Regularly audit and remove unnecessary access
  • Monitor System Logs: Regularly review Okta system logs for suspicious activities, failed login attempts, and unauthorized access patterns
  • Automate Lifecycle Management: Use Okta Workflows or APIs to automate user provisioning, deprovisioning, and access reviews to reduce manual errors
  • Test in Developer Environment: Always test configuration changes, integrations, and scripts in a development Okta org before deploying to production
  • Document Custom Integrations: Maintain thorough documentation of custom API integrations, webhooks, and automation scripts for team knowledge sharing
  • Implement Session Policies: Configure appropriate session timeouts and idle timeouts based on security requirements and user experience needs
  • Regular Security Audits: Conduct quarterly reviews of user access, application assignments, group memberships, and policy configurations

Troubleshooting

Issue Solution
401 Unauthorized Error Verify the API token is valid: SSWS tokens are revoked after 30 days without use and when the admin who created them is deactivated. They carry no scopes, so a 403 on one specific call means the creating admin's role lacks that permission. Smoke-test the token with: curl -X GET "https://{yourOktaDomain}/api/v1/users/me" -H "Authorization: SSWS {apiToken}"
429 Rate Limit Exceeded Implement exponential backoff. Check X-Rate-Limit-Reset header for reset time. Reduce request frequency or contact Okta to increase limits
User Cannot Login Check user status: okta users get user@example.com. Verify account is ACTIVE, not SUSPENDED or LOCKED_OUT. Unlock if needed: curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unlock" -H "Authorization: SSWS {apiToken}"
MFA Factor Not Working Reset MFA factors: curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/factors/{factorId}" -H "Authorization: SSWS {apiToken}". User must re-enroll
Application Not Appearing Verify user is assigned to application: curl -X GET "https://{yourOktaDomain}/api/v1/apps/{appId}/users/{userId}" -H "Authorization: SSWS {apiToken}". Check application is ACTIVE
AD/LDAP Agent Not Syncing Check the agent service status (Get-Service OktaADAgent on Windows) and the agent's status under Directory Integrations in the Admin Console. Review logs at /opt/Okta/OktaLDAPAgent/logs/ (Linux) or C:\Program Files\Okta\Okta AD Agent\logs\ (Windows). Verify outbound HTTPS to your Okta org and the directory bind credentials
SSO Integration Failing Verify SAML/OIDC configuration. Check certificate validity, ACS URL, and entity ID. Use Okta's SAML debugger or browser developer tools to inspect authentication flow
API Returns Empty Results Check query syntax and filters (filter and search support different attributes and operators). List endpoints return at most limit objects per page; follow the Link header with rel="next", which carries the after cursor, until it is absent. Dump the headers alongside the body with: curl -X GET "https://{yourOktaDomain}/api/v1/users?limit=200" -D - -H "Authorization: SSWS {apiToken}"
Password Reset Email Not Sent Verify email settings in Okta admin console. Check user's email address is valid. Review email server logs and Okta system logs for delivery failures
Session Timeout Issues Review session policy settings in Okta admin console. Adjust idle timeout and maximum session lifetime. Consider implementing refresh token rotation for long-lived sessions