Okta uses a cookie-based authentication mechanism to maintain a user's authentication Session across web requests. The Okta Sessions API provides operations to create and manage authentication Sessions for users in your Okta organization.
Notes:
- Some browsers block third-party cookies by default, which disrupts Okta functionality in certain flows. See Mitigate the impact of third-party cookie deprecation.
- The Sessions API doesn't support direct authentication. Direct authentication is supported through the Authentication API or through OIDC using the Resource Owner Password flow.
Okta uses an HTTP session cookie to provide access to your Okta organization and applications across web requests for an interactive user agent such as a web browser. A session cookie has an expiration configurable by an administrator for the organization and is valid until the cookie expires or the user closes the Session (logout) or browser application.
A session token is a one-time bearer token that provides proof of authentication and may be redeemed for an interactive SSO session in Okta in a user agent. Session tokens can only be used once to establish a Session for a user and are revoked when the token expires.
Okta provides a rich Authentication API to validate a user's primary credentials and secondary MFA factor. A session token is returned after successful authentication, which can later be exchanged for a session cookie using one of the following flows:
Note: Session tokens are secrets and should be protected at rest and during transit. A session token for a user is equivalent to having the user's actual credentials.
Retrieves information about the Session specified by the given session ID.
Success
Bad Request
Forbidden
Not Found
Too Many Requests
{
  "amr": [
    "pwd"
  ],
  "createdAt": "2019-08-24T14:15:22Z",
  "expiresAt": "2019-08-24T14:15:22Z",
  "id": "l7FbDVqS8zHSy65uJD85",
  "idp": {
    "id": "01a2bcdef3GHIJKLMNOP",
    "type": "ACTIVE_DIRECTORY"
  },
  "lastFactorVerification": "2019-08-24T14:15:22Z",
  "lastPasswordVerification": "2019-08-24T14:15:22Z",
  "login": "user@example.com",
  "status": "ACTIVE",
  "userId": "00u0abcdefGHIJKLMNOP",
  "_links": {
    "self": {
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}
Revokes the specified Session.
No Content
Forbidden
Not Found
Too Many Requests
{
  "errorCode": "E0000006",
  "errorSummary": "You do not have permission to perform the requested action",
  "errorLink": "E0000006",
  "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
  "errorCauses": []
}
Refreshes an existing Session using the id for that Session. A successful response contains the refreshed Session with an updated expiresAt timestamp.
Success
Forbidden
Not Found
Too Many Requests
{
  "amr": [
    "pwd"
  ],
  "createdAt": "2019-08-25T14:17:22Z",
  "expiresAt": "2019-08-25T14:17:22Z",
  "id": "l7FbDVqS8zHSy65uJD85",
  "idp": {
    "id": "01a2bcdef3GHIJKLMNOP",
    "type": "ACTIVE_DIRECTORY"
  },
  "lastFactorVerification": "2019-08-24T14:15:22Z",
  "lastPasswordVerification": "2019-08-24T14:15:22Z",
  "login": "user@example.com",
  "status": "ACTIVE",
  "userId": "00u0abcdefGHIJKLMNOP",
  "_links": {
    "self": {
      "hints": {
        "allow": [
          "DELETE"
        ]
      }
    }
  }
}
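The three operations above (retrieve, revoke, refresh) and the Session object they return can be exercised with the following client. This is an added example, not Okta's own code or SDK. The request paths (`GET /api/v1/sessions/{sessionId}`, `POST /api/v1/sessions/{sessionId}/lifecycle/refresh`, `DELETE /api/v1/sessions/{sessionId}`) and the `Authorization: SSWS <api token>` header come from the Okta API reference rather than from this page's text; the sample responses are constructed copies of the examples shown above, and the "password-only" rule in `session_findings` is this example's own policy, not an Okta rule. The transport is injectable so the logic runs offline against those constructed responses.

```python
"""Added example (not Okta's code): client for the Sessions API operations on
this page, plus a policy check over the returned Session object.

Assumed from the Okta API reference, not from this page:
  GET    /api/v1/sessions/{sessionId}
  POST   /api/v1/sessions/{sessionId}/lifecycle/refresh
  DELETE /api/v1/sessions/{sessionId}
  Authorization: SSWS <api token>
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta


def urllib_transport(method, url, headers):
    """Real HTTP transport returning (status, body); used only if none is injected."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class OktaSessionsClient:
    def __init__(self, org_url, api_token, transport=urllib_transport):
        self.org_url = org_url.rstrip("/")
        self.api_token = api_token      # admin API token: keep it out of logs
        self.transport = transport

    def _call(self, method, path):
        headers = {"Authorization": f"SSWS {self.api_token}",
                   "Accept": "application/json"}
        status, body = self.transport(method, self.org_url + path, headers)
        return status, (json.loads(body) if body else None)

    def get_session(self, session_id):
        return self._call("GET", f"/api/v1/sessions/{session_id}")

    def refresh_session(self, session_id):
        return self._call("POST", f"/api/v1/sessions/{session_id}/lifecycle/refresh")

    def revoke_session(self, session_id):
        # Success is 204 No Content, so the parsed body is None
        return self._call("DELETE", f"/api/v1/sessions/{session_id}")


def _ts(value):
    # Okta timestamps are RFC 3339 with a trailing Z; fromisoformat needs an offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def session_findings(session, now_iso, max_factor_age_hours):
    """Return policy findings for a Session object (empty list means it passes).
    Checks status, expiry, whether amr holds anything beyond 'pwd', and the age
    of lastFactorVerification. The 'pwd'-only rule is this example's policy."""
    now = _ts(now_iso)
    findings = []
    if session.get("status") != "ACTIVE":
        findings.append(f"status is {session.get('status')!r}, not ACTIVE")
    if _ts(session["expiresAt"]) <= now:
        findings.append("session has expired")
    if not (set(session.get("amr", [])) - {"pwd"}):
        findings.append("password-only session: amr contains no second factor")
    last = session.get("lastFactorVerification")
    if last is None or now - _ts(last) > timedelta(hours=max_factor_age_hours):
        findings.append("last factor verification is older than policy allows")
    return findings


# Constructed sample responses, copied from this page's examples.
SAMPLE_SESSION = {
    "amr": ["pwd"],
    "createdAt": "2019-08-24T14:15:22Z", "expiresAt": "2019-08-24T14:15:22Z",
    "id": "l7FbDVqS8zHSy65uJD85",
    "idp": {"id": "01a2bcdef3GHIJKLMNOP", "type": "ACTIVE_DIRECTORY"},
    "lastFactorVerification": "2019-08-24T14:15:22Z",
    "lastPasswordVerification": "2019-08-24T14:15:22Z",
    "login": "user@example.com", "status": "ACTIVE", "userId": "00u0abcdefGHIJKLMNOP",
}
FORBIDDEN = {"errorCode": "E0000006",
             "errorSummary": "You do not have permission to perform the requested action",
             "errorLink": "E0000006", "errorId": "sampleNUSD_8fdkFd8fs8SDBK",
             "errorCauses": []}


def fake_transport(method, url, headers):
    """Offline stand-in for the org; mirrors the status codes listed on the page."""
    if not headers.get("Authorization", "").startswith("SSWS "):
        return 403, json.dumps(FORBIDDEN)
    if not url.split("/api/v1/sessions/", 1)[-1].startswith(SAMPLE_SESSION["id"]):
        return 404, json.dumps({"errorCode": "constructed", "errorSummary": "Not found"})
    if method == "GET":
        return 200, json.dumps(SAMPLE_SESSION)
    if method == "POST" and url.endswith("/lifecycle/refresh"):
        return 200, json.dumps(dict(SAMPLE_SESSION, expiresAt="2019-08-25T14:17:22Z"))
    if method == "DELETE":
        return 204, ""
    return 400, json.dumps({"errorCode": "constructed", "errorSummary": "Bad request"})


if __name__ == "__main__":
    client = OktaSessionsClient("https://example.okta.com", "api-token-placeholder",
                                transport=fake_transport)
    status, session = client.get_session(SAMPLE_SESSION["id"])
    print(status, session_findings(session, "2019-08-24T13:00:00Z", 12))
    print(client.refresh_session(SAMPLE_SESSION["id"])[1]["expiresAt"])
    print(client.revoke_session(SAMPLE_SESSION["id"]))
```

To run against a real org, drop the `transport=` argument and pass the org URL and an API token; the client then issues the same three requests over HTTPS. Treat the returned Session like the page says to treat session tokens: it identifies a live authenticated user, so log the `id` and `userId` rather than the whole object, and revoke (DELETE) any session whose findings show it no longer meets your step-up or expiry policy.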