The Okta Access Gateway API enables you to configure your Access Gateway configuration through API requests. For information about using Access Gateway through the Admin Console, see the Access Gateway documentation.
\nAccess Gateway is a reverse proxy-based virtual appliance that protects on-premises applications that rely on HTTP headers, Kerberos tokens, and other legacy methods. It offers URL-based authentication and protects access to on-premises apps that don't support federation with user authentication and single sign-on capabilities of Okta. Since Access Gateway is behind the firewall, it lets external users access on-premises web-based apps without the need for traditional VPNs. When it's deployed, all browser traffic flows first to Access Gateway and then to the back-end protected app. This allows Access Gateway to monitor every request that a user accesses, perform authorization, and add the appropriate headers and tokens to the request.
\n\n\nNote: The Access Gateway API is available on version
\n2025.10.0and later.
To use Access Gateway APIs you must first enable the API on Access Gateway which generates a client ID and the private and public key pair. See Enable the Access Gateway API.
\nUsing the private key retrieved from Access Gateway, sign a JSON Web Token (JWT) with the following header and payload:
\n\n\nNote: For information about creating and signing a JWT, see Build a JWT for Client Authentication and How to generate a JWT for Okta Access Gateway APIs.
\n
Header:
\n{\n \"alg\": \"RS256\",\n \"typ\": \"JWT\"\n}Payload:
\n{\n \"iss\": \"<client_id>\",\n \"sub\": \"<client_id>\",\n \"aud\": \"https://<oag-hostname>\",\n \"exp\": \"<5 minutes into the future>\",\n \"iat\": \"<Current timestamp>\",\n \"scope\": \"<Scopes requested with the access token, which controls access to Access Gateway resources>\"\n}See the following table for descriptions of the claims in the JWT payload:
\n| Claim | \nDescription | \nType | \n
|---|---|---|
iss | \nRequired. The issuer of the token. This value must be the same as the client_id of the application that you're accessing. | \nString | \n
sub | \nRequired. The subject of the token. This value must be the same as the client_id of the application that you're accessing. | \nString | \n
aud | \nRequired. The full URL of the resource that you're trying to access using the JWT to authenticate. For example: https://<oag-hostname>. | \nString | \n
exp | \nRequired. The token expiration time in seconds since January 1, 1970 UTC (UNIX timestamp), for example, 1555594819. This claim fails the request if the expiration time is more than one hour in the future or if the token is already expired. | \nInteger | \n
iat | \nOptional. When the token was issued in seconds since January 1, 1970 UTC (UNIX timestamp), for example, 1555591219. If specified, it must be a time before the request is received. | \nInteger | \n
scope | \nRequired. The scopes requested with the AUTHN_TOKEN, which control access to Access Gateway resources. | \nString | \n
The signed JWT is used as an AUTHN_TOKEN to retrieve the ACCESS_TOKEN. Send a request to the /api/v2/oauth/token endpoint\nwith the request payload containing the following parameters as URL-encoded form data:
'grant_type': 'client_credentials'\n'client_assertion_type': 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n'client_assertion': '<signed_jwt>'\n'scope': '<Scopes requested with the access token, which controls access to Access Gateway resources>'The ACCESS_TOKEN is returned in the response.
All calls to the Okta Access Gateway API need to have an HTTP Authorization header with a value of\n{ACCESS_TOKEN}.
For more information about the request for an ACCESS_TOKEN, see the Access Tokens API.
\n\nNote: Access tokens may expire at any time. Any code that uses access tokens must be prepared to handle HTTP 401 Unauthorized errors by creating a new
\nAUTHN_TOKENand requesting anACCESS_TOKEN.
Use the following scopes in your AUTHN_TOKEN to control access to Access Gateway resources:
| Scope | \nDescription | \n
|---|---|
okta.oag.app.manage | \nAllows the app to create and manage apps in your Access Gateway. | \n
okta.oag.app.read | \nAllows the app to read app details in your Access Gateway. | \n
okta.oag.cert.read | \nAllows the app to read certificate details. | \n
okta.oag.idp.manage | \nAllows the app to create and manage identity providers. | \n
okta.oag.idp.read | \nAllows the app to read identity providers. | \n