Okta Comprehensive Cheatsheet
Installation
Okta CLI Installation
| Platform | Command |
|---|---|
| macOS (Homebrew) | brew install --cask okta or brew tap okta/okta && brew install okta-aws-cli |
| Linux (Ubuntu/Debian) | curl -L https://github.com/okta/okta-cli/releases/latest/download/okta-cli-linux-amd64 -o okta && chmod +x okta && sudo mv okta /usr/local/bin/ |
| Windows (Chocolatey) | choco install okta |
| Windows (Direct) | Invoke-WebRequest -Uri "https://github.com/okta/okta-cli/releases/latest/download/okta-cli-windows-amd64.exe" -OutFile "okta.exe" |
| Verify Installation | okta --version |
SDK Installation
| Language | Command |
|---|---|
| Node.js | npm install @okta/okta-sdk-nodejs @okta/okta-auth-js |
| Python | pip install okta okta-jwt-verifier |
| Java (Maven) | Add dependency: com.okta.sdk:okta-sdk-api:8.2.3 |
| Go | go get github.com/okta/okta-sdk-golang/v2 |
| .NET | dotnet add package Okta.Sdk |
On-Premises Agent Installation
| Component | Command |
|---|---|
| AD Agent (Windows) | .\OktaADAgentSetup.exe /silent /log="C:\Temp\okta-install.log" |
| Verify AD Service | Get-Service OktaADAgent |
| LDAP Agent (Linux) | wget https://example.okta.com/downloads/OktaLDAPAgent-latest.tar.gz && tar -xzf OktaLDAPAgent-latest.tar.gz && cd OktaLDAPAgent && sudo ./install.sh |
Basic Commands
CLI Setup and Authentication
| Command | Description |
|---|---|
| okta login | Configure Okta CLI with your organization credentials |
| okta org set --org-url https://dev-123456.okta.com | Set default organization URL |
| okta session get | Display current session information |
| okta logout | Log out of the current session |
User Management
| Command | Description |
|---|---|
| okta users list | List all users in the organization |
| okta users get user@example.com | Get details for a specific user |
| okta users create --email user@example.com --firstName John --lastName Doe | Create a new user |
| okta users update user@example.com --firstName Jane | Update user profile information |
| okta users deactivate user@example.com | Deactivate a user account |
| okta users delete user@example.com | Permanently delete a user |
Application Management
| Command | Description |
|---|---|
| okta apps list | List all applications in the organization |
| okta apps get <app-id> | Get details for a specific application |
| okta apps create | Create a new application (interactive) |
| okta apps assign-user <app-id> <user-id> | Assign a user to an application |
Group Management
| Command | Description |
|---|---|
| okta groups list | List all groups in the organization |
| okta groups create --name "Engineering" --description "Engineering Team" | Create a new group |
| okta groups add-user <group-id> <user-id> | Add a user to a group |
| okta groups remove-user <group-id> <user-id> | Remove a user from a group |
Advanced Usage
API Authentication
| Command | Description |
|---|---|
| curl -X POST "https://{yourOktaDomain}/oauth2/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=client_credentials&scope=okta.users.read&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion={signedJwt}" | Get an OAuth 2.0 access token for the Okta management API (okta.* scopes) with the client credentials flow. These scopes are issued only by the org authorization server (/oauth2/v1, not a custom server such as /oauth2/default), and only to a service app that authenticates with a signed private_key_jwt assertion rather than a client secret |
| curl -X POST "https://{yourOktaDomain}/oauth2/default/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&code={code}&redirect_uri={redirectUri}&client_id={clientId}&client_secret={clientSecret}" | Exchange an authorization code for an access token (custom authorization server "default") |
| curl -X POST "https://{yourOktaDomain}/oauth2/default/v1/token" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token={refreshToken}&client_id={clientId}&client_secret={clientSecret}" | Refresh an expired access token |
Advanced User Operations
| Command | Description |
|---|---|
| curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'filter=status eq "ACTIVE"' -H "Authorization: SSWS {apiToken}" | Search users by status filter (-G with --data-urlencode URL-encodes the spaces and quotes in the expression; a raw space in the URL is rejected by recent curl versions) |
| curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'search=profile.department eq "Engineering"' -H "Authorization: SSWS {apiToken}" | Search users by profile attribute |
| curl -G "https://{yourOktaDomain}/api/v1/users" --data-urlencode 'search=profile.firstName sw "J" and status eq "ACTIVE"' -H "Authorization: SSWS {apiToken}" | Complex user search with multiple conditions |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/suspend" -H "Authorization: SSWS {apiToken}" | Suspend a user account |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unsuspend" -H "Authorization: SSWS {apiToken}" | Unsuspend a user account |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unlock" -H "Authorization: SSWS {apiToken}" | Unlock a locked user account |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/expire_password?tempPassword=false" -H "Authorization: SSWS {apiToken}" | Force password expiration for a user |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/reset_password?sendEmail=true" -H "Authorization: SSWS {apiToken}" | Reset a user's password and send the reset email |
User Creation and Updates
| Command | Description |
|---|---|
| curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=true" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"profile":{"firstName":"John","lastName":"Doe","email":"john.doe@example.com","login":"john.doe@example.com"},"credentials":{"password":{"value":"TempPass123!"}}}' | Create a new user with a password |
| curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"profile":{"firstName":"Jane","lastName":"Doe"}}' | Update user profile attributes (POST does a partial update of the given attributes; PUT replaces the whole profile and clears any attribute omitted from the body) |
| curl -X POST "https://{yourOktaDomain}/api/v1/users" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" --data-binary @user.json | Create a user from a JSON file. The endpoint creates one user per request, so the file must hold a single user object; for bulk import loop over the records (see Use Case 3 below) |
Group and Application Operations
| Command | Description |
|---|---|
| curl -X GET "https://{yourOktaDomain}/api/v1/groups" -H "Authorization: SSWS {apiToken}" | List all groups via API |
| curl -X PUT "https://{yourOktaDomain}/api/v1/groups/{groupId}/users/{userId}" -H "Authorization: SSWS {apiToken}" | Assign a user to a group via API |
| curl -X GET "https://{yourOktaDomain}/api/v1/apps" -H "Authorization: SSWS {apiToken}" | List all applications via API |
| curl -X POST "https://{yourOktaDomain}/api/v1/apps/{appId}/users" -H "Authorization: SSWS {apiToken}" -H "Content-Type: application/json" -d '{"id":"{userId}","scope":"USER"}' | Assign an application to a user |
| curl -X GET "https://{yourOktaDomain}/api/v1/users/{userId}/appLinks" -H "Authorization: SSWS {apiToken}" | List the applications a user can access. Note that a user's sessions cannot be listed; they can only be revoked with DELETE /api/v1/users/{userId}/sessions |
Configuration
API Token Configuration
Store your Okta API token securely in environment variables:

```bash
# Linux/macOS
export OKTA_API_TOKEN="your_api_token_here"
export OKTA_DOMAIN="https://dev-123456.okta.com"
```

```powershell
# Windows PowerShell
$env:OKTA_API_TOKEN="your_api_token_here"
$env:OKTA_DOMAIN="https://dev-123456.okta.com"
```
Okta CLI Configuration File
Location: ~/.okta/okta.yaml

```yaml
okta:
  client:
    orgUrl: "https://dev-123456.okta.com"
    token: "your_api_token_here"
    connectionTimeout: 30
    requestTimeout: 0
    rateLimit:
      maxRetries: 4
```
OAuth 2.0 Application Configuration
```json
{
  "client_id": "0oa2abc3def4GHI5j6k7",
  "client_secret": "your_client_secret",
  "redirect_uris": [
    "https://yourapp.com/callback"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "response_types": [
    "code"
  ],
  "token_endpoint_auth_method": "client_secret_post"
}
```
LDAP Agent Configuration
Location: /opt/OktaLDAPAgent/conf/OktaLDAPAgent.conf

```properties
# Okta Organization Settings
okta.domain=dev-123456.okta.com
okta.apiToken=your_api_token

# LDAP Server Settings
ldap.host=ldap.example.com
ldap.port=389
ldap.baseDN=dc=example,dc=com
ldap.bindDN=cn=admin,dc=example,dc=com
ldap.bindPassword=encrypted_password

# Agent Settings
agent.pollInterval=60
agent.logLevel=INFO
```
Active Directory Agent Configuration
Location: C:\Program Files\Okta\Okta AD Agent\OktaADAgent.exe.config

```xml
<configuration>
  <appSettings>
    <add key="OktaDomain" value="dev-123456.okta.com" />
    <add key="ApiToken" value="your_api_token" />
    <add key="ADDomain" value="corp.example.com" />
    <add key="SyncInterval" value="300" />
    <add key="LogLevel" value="Information" />
  </appSettings>
</configuration>
```
Common Use Cases
Use Case 1: Onboard New Employee
```bash
# Step 1: Create the user account in STAGED state (activate=false);
# the "id" in the response is the {userId} used in the following steps
curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=false" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "profile": {
      "firstName": "Alice",
      "lastName": "Johnson",
      "email": "alice.johnson@example.com",
      "login": "alice.johnson@example.com",
      "department": "Engineering",
      "title": "Software Engineer"
    }
  }'

# Step 2: Add to relevant groups
curl -X PUT "https://{yourOktaDomain}/api/v1/groups/{engineeringGroupId}/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"

# Step 3: Assign applications
curl -X POST "https://{yourOktaDomain}/api/v1/apps/{slackAppId}/users" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{"id":"{userId}","scope":"USER"}'

# Step 4: Activate user and send welcome email
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/activate?sendEmail=true" \
  -H "Authorization: SSWS {apiToken}"
```
Use Case 2: Offboard Employee
```bash
# Step 1: Suspend user account immediately
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/suspend" \
  -H "Authorization: SSWS {apiToken}"

# Step 2: Clear all sessions; oauthTokens=true also revokes the OAuth/OIDC
# tokens issued to the user (there is no API to list a user's sessions)
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/sessions?oauthTokens=true" \
  -H "Authorization: SSWS {apiToken}"

# Step 3: After retention period, deactivate
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/deactivate" \
  -H "Authorization: SSWS {apiToken}"

# Step 4: Finally delete the (already deactivated) user
curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}" \
  -H "Authorization: SSWS {apiToken}"
```
Use Case 3: Bulk User Import from CSV
```bash
# Step 1: Convert CSV to a JSON array of user objects (csv_to_json.jq is your own jq program)
jq -R -s -f csv_to_json.jq users.csv > users.json

# Step 2: Import users one request at a time (POST /api/v1/users creates a single user).
# jq -c emits one object per line, so read -r is safe; the original $(...) loop
# would split an object on its spaces.
jq -c '.[]' users.json | while read -r user; do
  curl -X POST "https://{yourOktaDomain}/api/v1/users?activate=true" \
    -H "Authorization: SSWS {apiToken}" \
    -H "Content-Type: application/json" \
    -d "$user"
  sleep 1 # crude throttling; a robust script honours the X-Rate-Limit-* headers
done
```
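The CSV-to-JSON step above is delegated to an unspecified jq program. As an added example (not code from the cheatsheet or from Okta), the Python below does the conversion with the standard library, validates each row before it becomes a request body, and drives the one-user-per-request import through a pluggable `post` callback. The column names (firstName, lastName, email, login, department, title) are an assumed CSV layout; the request body shape is the one the Users API rows on this page use, and the sample CSV is constructed.

```python
import csv
import io
import json
import re

REQUIRED = ("firstName", "lastName", "email")          # assumed CSV columns
OPTIONAL_PROFILE = ("department", "title", "mobilePhone")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def row_to_payload(row):
    """Build one POST /api/v1/users body from a CSV row; raise ValueError on bad input."""
    missing = [c for c in REQUIRED if not (row.get(c) or "").strip()]
    if missing:
        raise ValueError(f"missing required column(s): {', '.join(missing)}")
    email = row["email"].strip()
    if not EMAIL_RE.match(email):
        raise ValueError(f"invalid email: {email!r}")
    profile = {
        "firstName": row["firstName"].strip(),
        "lastName": row["lastName"].strip(),
        "email": email,
        # login is mandatory in Okta; default it to the email, as the page's examples do
        "login": (row.get("login") or email).strip(),
    }
    for col in OPTIONAL_PROFILE:
        if (row.get(col) or "").strip():
            profile[col] = row[col].strip()
    return {"profile": profile}


def csv_to_payloads(text):
    """Return (payloads, errors): one body per valid row, one message per rejected row."""
    payloads, errors = [], []
    reader = csv.DictReader(io.StringIO(text))
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            payloads.append(row_to_payload(row))
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return payloads, errors


def import_users(payloads, post, pause=lambda: None):
    """Create users one request at a time; `post(body)` performs the HTTP call and
    returns the parsed JSON response. Returns the ids Okta assigned. A real caller
    would wrap urllib/requests here and honour the X-Rate-Limit-* headers."""
    created = []
    for body in payloads:
        created.append(post(body)["id"])
        pause()  # throttle between calls, like the sleep in the shell loop
    return created


# Constructed sample CSV (not real data); the third row is deliberately invalid
SAMPLE_CSV = """firstName,lastName,email,login,department,title
Alice,Johnson,alice.johnson@example.com,,Engineering,Software Engineer
Bob,Smith,bob.smith@example.com,bsmith@example.com,Finance,Analyst
Carol,,carol@example.com,,Engineering,
"""

if __name__ == "__main__":
    bodies, rejected = csv_to_payloads(SAMPLE_CSV)
    print(json.dumps(bodies, indent=2))
    print("rejected:", rejected)
```

Rejected rows are reported with their line number rather than silently skipped, so a bad spreadsheet row cannot create a half-populated account.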
Use Case 4: Implement MFA for High-Risk Users
```bash
# Step 1: Search for admin users (profile.role is a custom profile attribute)
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'search=profile.role eq "Admin"' \
  -H "Authorization: SSWS {apiToken}" > admin_users.json

# Step 2: Enroll a user in a TOTP factor. The factor is returned in
# PENDING_ACTIVATION; it becomes ACTIVE only after the user's first code is
# posted to /api/v1/users/{userId}/factors/{factorId}/lifecycle/activate
curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/factors" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "factorType": "token:software:totp",
    "provider": "OKTA"
  }'

# Step 3: Create policy requiring MFA enrollment for the admin group
curl -X POST "https://{yourOktaDomain}/api/v1/policies" \
  -H "Authorization: SSWS {apiToken}" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "MFA_ENROLL",
    "name": "Admin MFA Policy",
    "status": "ACTIVE",
    "conditions": {
      "people": {
        "groups": {
          "include": ["{adminGroupId}"]
        }
      }
    }
  }'
```
Use Case 5: Generate Access Report
```bash
# Step 1: Get all active users (200 is the page maximum; follow the
# Link: <...>; rel="next" response header for orgs with more users)
curl -G "https://{yourOktaDomain}/api/v1/users" \
  --data-urlencode 'filter=status eq "ACTIVE"' --data-urlencode 'limit=200' \
  -H "Authorization: SSWS {apiToken}" > active_users.json

# Step 2: For each user, get assigned applications; write one JSON line per user
# (appending whole arrays to a single .json file would not be valid JSON)
jq -r '.[].id' active_users.json | while read -r userId; do
  curl -G "https://{yourOktaDomain}/api/v1/apps" \
    --data-urlencode "filter=user.id eq \"${userId}\"" \
    -H "Authorization: SSWS {apiToken}" \
    | jq -c --arg userId "$userId" '{userId: $userId, apps: map({id, label})}' >> user_apps_report.jsonl
done

# Step 3: Get last login information (most recent 1000 session starts)
curl -G "https://{yourOktaDomain}/api/v1/logs" \
  --data-urlencode 'filter=eventType eq "user.session.start"' --data-urlencode 'limit=1000' \
  -H "Authorization: SSWS {apiToken}" > login_report.json

# Step 4: Concatenate the user and login arrays into one file for further processing
jq -s '.[0] + .[1]' active_users.json login_report.json > complete_access_report.json
```
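Concatenating the two arrays in Step 4 leaves the join between users and log events to whoever reads the file. As an added example (not code from the cheatsheet or from Okta), the Python below performs that join: it keeps only successful `user.session.start` events, takes the latest one per actor, attaches the user's application list, and flags accounts that have not signed in within a review window. It also goes beyond Use Case 5 by applying the check behind Use Case 4, reporting active users with no ACTIVE MFA factor (a `PENDING_ACTIVATION` enrollment does not count). The record shapes follow the Users, Apps, Factors and System Log responses used on this page; the sample records and the 90-day threshold are constructed.

```python
from datetime import datetime, timezone


def parse_ts(s):
    """System Log timestamps are ISO 8601 UTC, e.g. 2024-05-01T12:00:00.000Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def last_logins(events):
    """Map actor id -> most recent successful user.session.start timestamp."""
    latest = {}
    for ev in events:
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts say nothing about when the account was last used
        uid = ev["actor"]["id"]
        ts = parse_ts(ev["published"])
        if uid not in latest or ts > latest[uid]:
            latest[uid] = ts
    return latest


def has_active_mfa(factors):
    """True if at least one enrolled factor is ACTIVE."""
    return any(f.get("status") == "ACTIVE" for f in factors)


def build_report(users, apps_by_user, events, factors_by_user, stale_days=90, now=None):
    """One row per ACTIVE user: apps, last login, staleness and MFA state."""
    now = now or datetime.now(timezone.utc)
    latest = last_logins(events)
    rows = []
    for u in users:
        if u.get("status") != "ACTIVE":
            continue
        uid = u["id"]
        seen = latest.get(uid)
        rows.append({
            "login": u["profile"]["login"],
            "apps": sorted(a["label"] for a in apps_by_user.get(uid, [])),
            "lastLogin": seen.isoformat() if seen else None,
            "stale": seen is None or (now - seen).days > stale_days,
            "mfa": has_active_mfa(factors_by_user.get(uid, [])),
        })
    return sorted(rows, key=lambda r: r["login"])


def findings(report):
    """Rows a reviewer should act on: dormant accounts and accounts without MFA."""
    return {"stale": [r["login"] for r in report if r["stale"]],
            "no_mfa": [r["login"] for r in report if not r["mfa"]]}


# Constructed sample data in the shape of the API responses (not real Okta records)
USERS = [
    {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice.johnson@example.com"}},
    {"id": "00u2", "status": "ACTIVE", "profile": {"login": "bob.smith@example.com"}},
    {"id": "00u3", "status": "DEPROVISIONED", "profile": {"login": "carol@example.com"}},
    {"id": "00u4", "status": "ACTIVE", "profile": {"login": "dave@example.com"}},
]
APPS_BY_USER = {"00u1": [{"id": "0oa1", "label": "Slack"}, {"id": "0oa2", "label": "GitHub"}],
                "00u2": [{"id": "0oa1", "label": "Slack"}]}
EVENTS = [
    {"eventType": "user.session.start", "actor": {"id": "00u1"}, "outcome": {"result": "SUCCESS"}, "published": "2024-05-30T08:15:00.000Z"},
    {"eventType": "user.session.start", "actor": {"id": "00u1"}, "outcome": {"result": "SUCCESS"}, "published": "2024-04-02T10:00:00.000Z"},
    {"eventType": "user.session.start", "actor": {"id": "00u2"}, "outcome": {"result": "SUCCESS"}, "published": "2024-01-15T09:00:00.000Z"},
    {"eventType": "user.session.start", "actor": {"id": "00u4"}, "outcome": {"result": "FAILURE"}, "published": "2024-05-31T23:00:00.000Z"},
]
FACTORS_BY_USER = {"00u1": [{"factorType": "token:software:totp", "status": "ACTIVE"}],
                   "00u2": [{"factorType": "token:software:totp", "status": "PENDING_ACTIVATION"}]}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def demo():
    report = build_report(USERS, APPS_BY_USER, EVENTS, FACTORS_BY_USER, now=NOW)
    return report, findings(report)


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
    print(demo()[1])
```

Feeding it real data means loading `active_users.json`, the per-user app lines and `login_report.json` from the shell steps, plus one GET of `/api/v1/users/{userId}/factors` per user.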
Best Practices
- Use API Tokens Securely: Store API tokens in environment variables or secure vaults, never hardcode them in scripts or commit to version control
- Implement Rate Limiting: Okta enforces rate limits (varies by endpoint). Implement exponential backoff and respect X-Rate-Limit-* headers to avoid throttling
- Enable MFA for All Users: Require multi-factor authentication for all users, especially administrators and privileged accounts, to enhance security posture
- Use Groups for Access Management: Assign applications and permissions to groups rather than individual users for easier management and consistency
- Implement Least Privilege: Grant users only the minimum permissions necessary for their role. Regularly audit and remove unnecessary access
- Monitor System Logs: Regularly review Okta system logs for suspicious activities, failed login attempts, and unauthorized access patterns
- Automate Lifecycle Management: Use Okta Workflows or APIs to automate user provisioning, deprovisioning, and access reviews to reduce manual errors
- Test in Developer Environment: Always test configuration changes, integrations, and scripts in a development Okta org before deploying to production
- Document Custom Integrations: Maintain thorough documentation of custom API integrations, webhooks, and automation scripts for team knowledge sharing
- Implement Session Policies: Configure appropriate session timeouts and idle timeouts based on security requirements and user experience needs
- Regular Security Audits: Conduct quarterly reviews of user access, application assignments, group memberships, and policy configurations
Troubleshooting
| Issue | Solution |
|---|---|
| 401 Unauthorized Error | Verify the API token is valid and not expired (SSWS tokens expire after 30 days without use). An SSWS token has no scopes of its own; it inherits the permissions of the admin who created it, so check that admin's role as well. Quick check: curl -X GET "https://{yourOktaDomain}/api/v1/users/me" -H "Authorization: SSWS {apiToken}" |
| 429 Rate Limit Exceeded | Implement exponential backoff. Check the X-Rate-Limit-Reset header (epoch seconds) for the reset time. Reduce request frequency or contact Okta to increase limits |
| User Cannot Login | Check user status: okta users get user@example.com. Verify the account is ACTIVE, not SUSPENDED or LOCKED_OUT. Unlock if needed: curl -X POST "https://{yourOktaDomain}/api/v1/users/{userId}/lifecycle/unlock" -H "Authorization: SSWS {apiToken}" |
| MFA Factor Not Working | Reset the MFA factor: curl -X DELETE "https://{yourOktaDomain}/api/v1/users/{userId}/factors/{factorId}" -H "Authorization: SSWS {apiToken}". The user must re-enroll |
| Application Not Appearing | Verify the user is assigned to the application: curl -X GET "https://{yourOktaDomain}/api/v1/apps/{appId}/users/{userId}" -H "Authorization: SSWS {apiToken}". Check the application is ACTIVE |
| AD/LDAP Agent Not Syncing | Check the agent service status. Review logs at /opt/OktaLDAPAgent/logs/ (Linux) or C:\Program Files\Okta\Okta AD Agent\logs\ (Windows). Verify network connectivity and credentials |
| SSO Integration Failing | Verify the SAML/OIDC configuration. Check certificate validity, ACS URL, and entity ID. Use Okta's SAML debugger or browser developer tools to inspect the authentication flow |
| API Returns Empty Results | Check query syntax and filters. Verify pagination with the limit and after parameters and follow the Link: <...>; rel="next" response header: curl -X GET "https://{yourOktaDomain}/api/v1/users?limit=200" -H "Authorization: SSWS {apiToken}" |
| Password Reset Email Not Sent | Verify email settings in the Okta admin console. Check the user's email address is valid. Review email server logs and Okta system logs for delivery failures |
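The rate-limiting best practice above and the 429 and pagination entries in this table describe the same two pieces of client logic. As an added example (not code from the cheatsheet or from Okta's SDKs), the Python below is a minimal SSWS client that waits until the time in `X-Rate-Limit-Reset` (epoch seconds) before retrying a throttled request, falls back to exponential backoff when the header is absent, and walks cursor pagination by following the `Link: <...>; rel="next"` header. Standard library only; the transport, clock and sleep function are injectable, so `demo_offline()` exercises the logic against constructed responses without contacting a real org. The org URL, token and user ids in the demo are placeholders.

```python
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

LINK_NEXT = re.compile(r'<([^>]+)>;\s*rel="next"')


def header(headers, name):
    """Case-insensitive header lookup (header names may arrive lowercased)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def next_link(headers):
    """URL of the next page from the Link header, or None on the last page."""
    link = header(headers, "Link")
    m = LINK_NEXT.search(link) if link else None
    return m.group(1) if m else None


def urllib_transport(method, url, headers):
    """Real transport: returns (status, headers, body); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


class OktaClient:
    def __init__(self, org_url, api_token, transport=urllib_transport,
                 sleep=time.sleep, clock=time.time, max_retries=4):
        self.org_url = org_url.rstrip("/")
        self.headers = {"Authorization": f"SSWS {api_token}", "Accept": "application/json"}
        self.transport, self.sleep, self.clock = transport, sleep, clock
        self.max_retries = max_retries
        self.waits = []  # seconds slept on 429 responses, kept for inspection

    def get(self, url):
        """GET one URL, retrying a 429 once the reported reset time (plus 1 s) has passed."""
        for attempt in range(self.max_retries + 1):
            status, headers, body = self.transport("GET", url, self.headers)
            if status == 429 and attempt < self.max_retries:
                reset = header(headers, "X-Rate-Limit-Reset")
                wait = max(float(reset) - self.clock(), 0) + 1 if reset else 2 ** attempt
                self.waits.append(wait)
                self.sleep(wait)
                continue
            if status >= 400:
                raise RuntimeError(f"Okta API {status}: {body[:200]}")
            return headers, json.loads(body)
        raise RuntimeError("retries exhausted")

    def list_all(self, path, **params):
        """Yield every object of a paginated collection (users, groups, apps, logs)."""
        url = self.org_url + path
        if params:
            url += "?" + urllib.parse.urlencode(params)  # encodes spaces/quotes in filters
        while url:
            headers, page = self.get(url)
            yield from page
            url = next_link(headers)


def demo_offline():
    """Constructed transport: the first call is throttled, then two pages of users."""
    calls = []

    def fake(method, url, headers):
        calls.append(url)
        if len(calls) == 1:  # E0000047 is Okta's rate-limit error code
            return 429, {"x-rate-limit-reset": "1000"}, '{"errorCode":"E0000047"}'
        if "after=" not in url:
            nxt = '<https://dev-123456.okta.com/api/v1/users?after=abc&limit=2>; rel="next"'
            return 200, {"link": nxt}, '[{"id":"00u1"},{"id":"00u2"}]'
        return 200, {}, '[{"id":"00u3"}]'

    client = OktaClient("https://dev-123456.okta.com", "placeholder-token",
                        transport=fake, sleep=lambda s: None, clock=lambda: 997.0)
    ids = [u["id"] for u in client.list_all("/api/v1/users", filter='status eq "ACTIVE"', limit=2)]
    return ids, client.waits, calls


if __name__ == "__main__":
    print(demo_offline())
```

With the default transport the same `OktaClient(os.environ["OKTA_DOMAIN"], os.environ["OKTA_API_TOKEN"]).list_all(...)` call runs against a real org, reading the token from the environment variables configured earlier on this page.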