New260+ blocks and 240+ tools are now fully documented
DocumentationReferenceTool IntegrationsSecurity & Identity
Tool

Okta Tools

List, retrieve, and create users and list groups in your Okta organization via the Okta Management API.

The Okta tools let a workflow manage identities in your Okta organization: list users, look up a single user, create and activate a new user, and list groups. Use them when a workflow needs to read directory data or provision accounts as part of onboarding, access reviews, or HR automation.

Overview

PropertyValue
Providerokta
Categorytools
AuthAPI Token (sent as Authorization: SSWS <token>)

Operations

OperationTool IDDescription
List usersokta_list_usersList users in your Okta organization with optional search
Get userokta_get_userRetrieve a single Okta user by ID or login
Create userokta_create_userCreate and activate a new user in your Okta organization
List groupsokta_list_groupsList groups in your Okta organization with optional search

Configuration

Every operation requires orgUrl and apiToken. The apiToken is a secret and is passed in the Authorization: SSWS <apiToken> header — keep it in an environment variable rather than inline.

okta_list_users

ParameterTypeRequiredDescription
orgUrlstringYesOkta org URL (e.g. https://your-org.okta.com).
apiTokenstringYesSecret. Okta API token used as the SSWS bearer credential.
searchstringNoOkta search expression (e.g. profile.email co "example.com").
limitnumberNoMaximum number of users to return (max 200).

okta_get_user

ParameterTypeRequiredDescription
orgUrlstringYesOkta org URL (e.g. https://your-org.okta.com).
apiTokenstringYesSecret. Okta API token used as the SSWS bearer credential.
userIdstringYesUser ID or login (email) to look up.

okta_create_user

ParameterTypeRequiredDescription
orgUrlstringYesOkta org URL (e.g. https://your-org.okta.com).
apiTokenstringYesSecret. Okta API token used as the SSWS bearer credential.
firstNamestringYesFirst name of the user.
lastNamestringYesLast name of the user.
emailstringYesEmail address of the user.
loginstringNoLogin for the user (defaults to email if not provided).

The user is created with ?activate=true, so the account is created and activated in a single call.

okta_list_groups

ParameterTypeRequiredDescription
orgUrlstringYesOkta org URL (e.g. https://your-org.okta.com).
apiTokenstringYesSecret. Okta API token used as the SSWS bearer credential.
searchstringNoOkta search expression (e.g. profile.name sw "Engineering").
limitnumberNoMaximum number of groups to return.

Outputs

okta_list_users

  • data (json) — Array of Okta user objects.
  • metadata (json) — List metadata.
    • count (number) — Number of users returned.

okta_get_user

  • data (json) — The requested Okta user object.
  • metadata (json) — User identifiers.
    • id (string) — User ID.
    • status (string) — User status.

okta_create_user

  • data (json) — The created Okta user object.
  • metadata (json) — User identifiers.
    • id (string) — User ID.
    • status (string) — User status.

okta_list_groups

  • data (json) — Array of Okta group objects.
  • metadata (json) — List metadata.
    • count (number) — Number of groups returned.

YAML Example

okta_1:
  type: okta
  name: "Okta"
  inputs:
    operation: "okta_list_users"
    orgUrl: "https://your-org.okta.com"
    search: 'profile.email co "example.com"'
    limit: 50
    apiToken: "{{OKTA_API_TOKEN}}"
  connections:
    outgoing:
      - target: next-block-id

Create-and-activate a user:

okta_create:
  type: okta
  name: "Okta"
  inputs:
    operation: "okta_create_user"
    orgUrl: "https://your-org.okta.com"
    firstName: "Jane"
    lastName: "Doe"
    email: "jane.doe@example.com"
    login: "jane.doe@example.com"
    apiToken: "{{OKTA_API_TOKEN}}"
  connections:
    outgoing:
      - target: next-block-id

Tips

  • Auth setup: Generate an API token in the Okta Admin console (Security → API → Tokens). The token is sent as Authorization: SSWS <token>, not OAuth or a standard Bearer header. Store it as an environment variable and reference it with {{OKTA_API_TOKEN}} so it never appears in plaintext.
  • org URL format: Use your full org domain (e.g. https://your-org.okta.com or a custom domain). A trailing slash is trimmed automatically.
  • Search expressions: Both okta_list_users and okta_list_groups accept Okta's filter/search syntax. Operators include sw (starts with), co (contains), eq (equals) — e.g. profile.email co "example.com" for users or profile.name sw "Engineering" for groups. The users list caps at 200 results per call via limit.
  • Chaining outputs: After okta_get_user or okta_create_user, downstream blocks can read {{okta_1.metadata.id}} and {{okta_1.metadata.status}}; list operations expose the array on {{okta_1.data}} and a {{okta_1.metadata.count}}.