Okta Management

Yellow.ai's integration with Okta Management allows you to connect your Okta account directly to your agent, enabling it to perform real-time identity and access management operations — from creating and managing users and groups to handling MFA factors, app assignments, and audit logs — without leaving the conversation.

What can you build with this?

Common use cases include an IT helpdesk agent (unlock accounts, reset passwords, expire credentials), an onboarding/offboarding agent (create users, assign apps, deactivate accounts), and an access management agent (add users to groups, manage MFA factors, view audit logs).

Supported Actions

| Action | Description |
| --- | --- |
| Create User | Creates a new user in Okta. |
| Get User | Fetches a user's profile by ID or login. |
| Update User | Updates profile fields for an existing user. |
| Delete User | Deactivates and deletes a user from Okta. |
| Activate User | Activates a staged or deactivated user. |
| Deactivate User | Deactivates an active user. |
| Suspend User | Suspends an active user. |
| Unsuspend User | Restores a suspended user to active status. |
| Unlock User | Unlocks a user who has been locked out. |
| Reset Password | Triggers a password reset for a user. |
| Expire Password | Expires a user's current password, forcing a change on next login. |
| Change Password | Changes a user's password using their old and new passwords. |
| Create Group | Creates a new group in Okta. |
| Get Group | Fetches a group's details by ID. |
| Update Group | Updates the name or description of an existing group. |
| Delete Group | Deletes a group from Okta. |
| List Groups | Lists all groups, with optional search and limit. |
| Add User to Group | Assigns a user to a group. |
| Remove User from Group | Removes a user from a group. |
| Get Application | Fetches details of an Okta application by ID. |
| Assign App to User | Assigns an application to a user. |
| Unassign App from User | Removes an application assignment from a user. |
| List Factors | Lists all MFA factors enrolled for a user. |
| Enroll Factor | Enrolls a new MFA factor for a user. |
| Reset Factor | Deletes an enrolled MFA factor so a user can re-enroll. |
| Get Audit Logs | Retrieves system log events with optional filters and date range. |
| Get Pending Approvals | Lists users in a group (useful for approval queue flows). |

Integrating Okta Management with Yellow.ai

In a two-tier environment, you can connect an integration app in the Development environment. In a three-tier environment, you can connect the integration app either in Staging or Sandbox. All connected integrations are available in the live environment.

To integrate Yellow.ai with Okta Management, follow the steps below:

  1. Switch to the Development/Staging environment and go to Extensions > Integrations > Tools > Okta Management. Alternatively, use the Search box to quickly find the required integration.

  2. In Give account name, enter a unique name for the integration. You can use only lowercase alphanumeric characters and underscores (_).

  3. Enter your Domain URL. This is your Okta org URL, for example: https://dev-12345.okta.com.

  4. Enter your API Token. To generate one, log in to the Okta Admin Console, go to Security > API > Tokens, click Create Token, and copy the token value here.

     Note: The API token must have admin privileges to manage users and groups.

  5. Click Connect.

  6. To connect another account, click +Add Account and repeat the steps above. You can add a maximum of 15 accounts.

[Figure: Okta Management integration setup screen in Yellow.ai showing the Domain URL and API Token fields]


Accessing Okta Management Functions via Agent Flow

Once integrated, you can drop Okta Management action nodes anywhere in your agent flows.

  1. Go to Automation and create or open a flow that suits your use case.
  2. Navigate to the point in the conversation where you want to add the node. Click Add Node, then go to Integrations and select Okta Management.

Note: When multiple accounts are connected, select the appropriate account for each node. This lets you route different actions through different Okta accounts within the same agent.

[Figure: Okta Management node selection in the Yellow.ai Automation flow builder]


Action Nodes

Create User

Creates a new user record in Okta. You can optionally activate the user immediately upon creation.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| First Name | String | User's first name. |
| Last Name | String | User's last name. |
| Email | String | User's primary email address. |
| Login (Email) | String | The login identifier — typically the same as the email. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Mobile Phone | String | User's mobile phone number. |
| Secondary Email | String | An alternate email address. |
| Activate User | Boolean | Set to true to activate the user immediately upon creation. Defaults to false. |

Sample response:

{
  "id": "00ub0oNGTSWTBKOLGLNR",
  "status": "STAGED",
  "created": "2024-01-15T10:30:00.000Z",
  "activated": null,
  "lastLogin": null,
  "lastUpdated": "2024-01-15T10:30:00.000Z",
  "passwordChanged": null,
  "profile": {
    "firstName": "Jordan",
    "lastName": "Lee",
    "email": "[email protected]",
    "login": "[email protected]",
    "mobilePhone": "+1-555-123-4567",
    "secondEmail": null
  },
  "credentials": {
    "provider": {
      "type": "OKTA",
      "name": "OKTA"
    }
  }
}

📖 Okta API Reference — Create User


Get User

Fetches the full profile of a user by their Okta User ID or login (email).

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Search By | String | Choose to look up the user by User ID or Login (Email). |
| Search Value | String | The actual ID or login value to search for. |

Sample response:

{
  "id": "00ub0oNGTSWTBKOLGLNR",
  "status": "ACTIVE",
  "created": "2024-01-15T10:30:00.000Z",
  "activated": "2024-01-15T10:35:00.000Z",
  "lastLogin": "2024-05-20T08:12:00.000Z",
  "lastUpdated": "2024-05-20T08:12:00.000Z",
  "passwordChanged": "2024-02-01T09:00:00.000Z",
  "profile": {
    "firstName": "Jordan",
    "lastName": "Lee",
    "email": "[email protected]",
    "login": "[email protected]",
    "mobilePhone": "+1-555-123-4567",
    "secondEmail": null
  },
  "credentials": {
    "password": {},
    "provider": {
      "type": "OKTA",
      "name": "OKTA"
    }
  }
}

📖 Okta API Reference — Get User


Update User

Updates one or more profile fields for an existing user. Only the fields you pass will be changed — all others remain untouched.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID or Login | String | The Okta User ID or login of the user to update. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| First Name | String | Updated first name. |
| Last Name | String | Updated last name. |
| Email | String | Updated email address. |
| Mobile Phone | String | Updated mobile phone number. |
| Secondary Email | String | Updated secondary email address. |

Sample response:

{
  "id": "00ub0oNGTSWTBKOLGLNR",
  "status": "ACTIVE",
  "created": "2024-01-15T10:30:00.000Z",
  "lastUpdated": "2024-05-29T11:00:00.000Z",
  "profile": {
    "firstName": "Jordan",
    "lastName": "Lee-Smith",
    "email": "[email protected]",
    "login": "[email protected]",
    "mobilePhone": "+1-555-999-8888",
    "secondEmail": "[email protected]"
  }
}

📖 Okta API Reference — Update User


Delete User

Deactivates and permanently removes a user from Okta. Optionally sends a notification email to the user upon deletion.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID or Login | String | The Okta User ID or login of the user to delete. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Send Email | Boolean | Set to true to send the user a notification email upon deletion. |

Sample response:

{
  "status": 204,
  "message": "User successfully deactivated and deleted."
}

Note: A successful delete returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response for display in the agent flow.

Warning: This action is irreversible — ensure your flow includes a confirmation step before executing.

📖 Okta API Reference — Delete User


Activate User

Activates a user who is in STAGED or DEPROVISIONED status. Optionally sends an activation email with a link to set up their account.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user to activate. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Send Email | Boolean | Set to true to send the activation email to the user. |

Sample response:

{
  "activationUrl": "https://dev-12345.okta.com/welcome/XE6wE17zmphl3KqAPFxO",
  "activationToken": "XE6wE17zmphl3KqAPFxO"
}

Note: activationUrl is only returned when Send Email is false. When Send Email is true, Okta sends the link directly to the user and the response body is empty.

📖 Okta API Reference — Activate User


Deactivate User

Deactivates an active user, transitioning their status to DEPROVISIONED. The user loses all access to Okta apps and services.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user to deactivate. |

Sample response:

{
  "status": 200,
  "message": "User successfully deactivated.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "userStatus": "DEPROVISIONED"
}

📖 Okta API Reference — Deactivate User


Suspend User

Suspends an active user. A suspended user cannot sign in but their account and data are preserved. Useful for temporary offboarding or security holds.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user to suspend. |

Sample response:

{
  "status": 200,
  "message": "User successfully suspended.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "userStatus": "SUSPENDED"
}

📖 Okta API Reference — Suspend User


Unsuspend User

Restores a suspended user back to ACTIVE status, re-enabling their login access.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user to unsuspend. |

Sample response:

{
  "status": 200,
  "message": "User successfully unsuspended.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "userStatus": "ACTIVE"
}

📖 Okta API Reference — Unsuspend User


Unlock User

Unlocks a user account that has been locked out due to too many failed sign-in attempts, restoring their ability to log in.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user to unlock. |

Sample response:

{
  "status": 200,
  "message": "User successfully unlocked.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "userStatus": "ACTIVE"
}

📖 Okta API Reference — Unlock User


Reset Password

Triggers a password reset for a user. If Send Email is enabled, the user receives a reset link via email. Otherwise, the reset URL is returned in the response for admin use.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user whose password should be reset. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Send Email | Boolean | Set to true to send the password reset email to the user. Set to false to return the reset URL in the response instead. |

Sample response:

{
  "resetPasswordUrl": "https://dev-12345.okta.com/reset_password/XE6wE17zmphl3KqAPFxO"
}

Note: resetPasswordUrl is only returned when Send Email is false. When Send Email is true, Okta delivers the link directly to the user and the response body is empty.

📖 Okta API Reference — Reset Password


Expire Password

Expires a user's current password immediately. On their next login, the user will be forced to set a new password. Returns a temporary password that can be shared with the user if needed.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user whose password should be expired. |

Sample response:

{
  "tempPassword": {
    "value": "TmpP@ssw0rd123"
  }
}

📖 Okta API Reference — Expire Password


Change Password

Changes a user's password by verifying their current password and setting a new one. Both the old and new passwords must be provided.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The Okta User ID of the user. |
| Old Password | Object | An object with a value field containing the user's current password. |
| New Password | Object | An object with a value field containing the desired new password. |

Sample response:

{
  "credentials": {
    "password": {},
    "provider": {
      "type": "OKTA",
      "name": "OKTA"
    }
  }
}

Note: A successful change returns the updated credentials object. The password field is always returned as an empty object {} — Okta never exposes actual password values in responses.

📖 Okta API Reference — Change Password


Create Group

Creates a new Okta group with a name and optional description. Groups are used to manage app assignments, policies, and access control at scale.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group Name | String | The display name for the new group. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Description | String | A short description of the group's purpose. |

Sample response:

{
  "id": "00g1emaKYZTWRYYRRTSK",
  "created": "2024-01-15T10:30:00.000Z",
  "lastUpdated": "2024-01-15T10:30:00.000Z",
  "lastMembershipUpdated": "2024-01-15T10:30:00.000Z",
  "type": "OKTA_GROUP",
  "profile": {
    "name": "Engineering Team",
    "description": "All engineering department employees"
  },
  "objectClass": ["okta:user_group"]
}

📖 Okta API Reference — Create Group


Get Group

Fetches the details of an Okta group using its Group ID.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the group to retrieve. |

Sample response:

{
  "id": "00g1emaKYZTWRYYRRTSK",
  "created": "2024-01-15T10:30:00.000Z",
  "lastUpdated": "2024-05-20T08:00:00.000Z",
  "lastMembershipUpdated": "2024-05-18T14:22:00.000Z",
  "type": "OKTA_GROUP",
  "profile": {
    "name": "Engineering Team",
    "description": "All engineering department employees"
  },
  "objectClass": ["okta:user_group"]
}

📖 Okta API Reference — Get Group


Update Group

Updates the name and/or description of an existing Okta group.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the group to update. |
| Group Name | String | The new name for the group. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Description | String | Updated description for the group. |

Sample response:

{
  "id": "00g1emaKYZTWRYYRRTSK",
  "created": "2024-01-15T10:30:00.000Z",
  "lastUpdated": "2024-05-29T11:45:00.000Z",
  "lastMembershipUpdated": "2024-05-18T14:22:00.000Z",
  "type": "OKTA_GROUP",
  "profile": {
    "name": "Engineering Team - Backend",
    "description": "Backend engineering team members"
  }
}

📖 Okta API Reference — Update Group


Delete Group

Permanently deletes an Okta group. This does not delete the users who were members of the group.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the group to delete. |

Sample response:

{
  "status": 204,
  "message": "Group successfully deleted."
}

Note: A successful delete returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response.

Warning: This action is irreversible — ensure your flow includes a confirmation step before executing.

📖 Okta API Reference — Delete Group


List Groups

Returns a list of all groups in your Okta org. Supports an optional search query and result limit.

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Search Query | String | A search string to filter groups by name. |
| Limit | Number | Maximum number of groups to return. |

Sample response:

[
  {
    "id": "00g1emaKYZTWRYYRRTSK",
    "created": "2024-01-15T10:30:00.000Z",
    "lastUpdated": "2024-05-20T08:00:00.000Z",
    "lastMembershipUpdated": "2024-05-18T14:22:00.000Z",
    "type": "OKTA_GROUP",
    "profile": {
      "name": "Engineering Team",
      "description": "All engineering department employees"
    }
  },
  {
    "id": "00g2xyzABCTWRYYRRXYZ",
    "created": "2024-02-01T09:00:00.000Z",
    "lastUpdated": "2024-05-10T07:30:00.000Z",
    "lastMembershipUpdated": "2024-05-10T07:30:00.000Z",
    "type": "OKTA_GROUP",
    "profile": {
      "name": "HR Team",
      "description": "Human resources team"
    }
  }
]

📖 Okta API Reference — List Groups


Add User to Group

Assigns an existing Okta user to a group. Both the User ID and Group ID are required.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the target group. |
| User ID | String | The unique ID of the user to add. |

Sample response:

{
  "status": 204,
  "message": "User successfully added to group.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "groupId": "00g1emaKYZTWRYYRRTSK"
}

Note: A successful add returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response.

📖 Okta API Reference — Add User to Group


Remove User from Group

Removes an Okta user from a group. The user account itself is not affected.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the group. |
| User ID | String | The unique ID of the user to remove. |

Sample response:

{
  "status": 204,
  "message": "User successfully removed from group.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "groupId": "00g1emaKYZTWRYYRRTSK"
}

Note: A successful removal returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response.

📖 Okta API Reference — Remove User from Group


Get Application

Fetches the details of an Okta application using its Application ID. Returns the app's name, label, current status, sign-on mode, and settings.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Application ID | String | The unique ID of the Okta application to retrieve. |

Sample response:

{
  "id": "0oabkvBLDEKCNXBMBWKR",
  "name": "template_saml_2_0",
  "label": "Sample SAML App",
  "status": "ACTIVE",
  "created": "2023-06-01T08:00:00.000Z",
  "lastUpdated": "2024-05-15T10:00:00.000Z",
  "signOnMode": "SAML_2_0",
  "settings": {
    "app": {
      "audienceRestriction": "https://www.example.com/audience",
      "postBackURL": "https://www.example.com/sso/saml"
    }
  }
}

📖 Okta API Reference — Get Application


Assign App to User

Assigns an Okta application to a specific user, granting them access to that app.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Application ID | String | The unique ID of the application to assign. |
| User ID | String | The unique ID of the user to assign the application to. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Assignment Scope | String | The scope of the assignment (e.g., USER). |

Sample response:

{
  "id": "00u15s1KDETTQMQYABRL",
  "externalId": null,
  "created": "2024-05-29T11:00:00.000Z",
  "lastUpdated": "2024-05-29T11:00:00.000Z",
  "scope": "USER",
  "status": "ACTIVE",
  "syncState": "DISABLED",
  "credentials": {
    "userName": "[email protected]"
  }
}

📖 Okta API Reference — Assign App to User


Unassign App from User

Removes an application assignment from a user, revoking their access to that app.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Application ID | String | The unique ID of the application. |
| User ID | String | The unique ID of the user to unassign. |

Sample response:

{
  "status": 204,
  "message": "Application successfully unassigned from user.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "appId": "0oabkvBLDEKCNXBMBWKR"
}

Note: A successful unassignment returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response.

📖 Okta API Reference — Unassign App from User


List Factors

Returns all MFA factors currently enrolled for a user, including their type, provider, and activation status. Use this node to retrieve a factorId before calling Reset Factor.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The unique ID of the user whose factors to list. |

Sample response:

[
  {
    "id": "ufs2bysphxKODSZKWVCT",
    "factorType": "token:software:totp",
    "provider": "GOOGLE",
    "status": "ACTIVE",
    "created": "2024-01-20T09:00:00.000Z",
    "lastUpdated": "2024-01-20T09:00:00.000Z",
    "profile": {
      "credentialId": "[email protected]"
    }
  },
  {
    "id": "sms2gt8gzgEBPUWBIFHN",
    "factorType": "sms",
    "provider": "OKTA",
    "status": "ACTIVE",
    "created": "2024-01-21T10:00:00.000Z",
    "lastUpdated": "2024-01-21T10:00:00.000Z",
    "profile": {
      "phoneNumber": "+1-555-123-4567"
    }
  }
]

📖 Okta API Reference — List Factors


Enroll Factor

Enrolls a new MFA factor for a user. Requires specifying the factor type and provider. The factor will be in PENDING_ACTIVATION status until the user completes verification.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The unique ID of the user to enroll a factor for. |
| Factor Type | String | The type of factor to enroll (e.g., token:software:totp, sms). |
| Provider | String | The factor provider (e.g., GOOGLE, OKTA). |

Sample response:

{
  "id": "uftm3iHSGFQXHCUSDAND",
  "factorType": "token:software:totp",
  "provider": "GOOGLE",
  "status": "PENDING_ACTIVATION",
  "created": "2024-05-29T11:30:00.000Z",
  "lastUpdated": "2024-05-29T11:30:00.000Z",
  "profile": {
    "credentialId": "[email protected]"
  },
  "_embedded": {
    "activation": {
      "timeStep": 30,
      "sharedSecret": "JBSWY3DPEHPK3PXP",
      "encoding": "base32",
      "keyLength": 6,
      "qrcode": {
        "href": "https://dev-12345.okta.com/api/v1/users/00ub0oNGTSWTBKOLGLNR/factors/uftm3iHSGFQXHCUSDAND/qr/00fukNElRS_Tz6k-CFhg3pH4KO2dj2guhmaapXWbc4",
        "type": "image/png"
      }
    }
  }
}

📖 Okta API Reference — Enroll Factor
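
Several sample responses above (Activate User, Reset Password, Expire Password, Enroll Factor) contain credential material. The following is an added example, not Yellow.ai or Okta code, of scrubbing those fields from a node response before it is logged or echoed into the conversation. It assumes the flow can post-process the response; `redact`, `SENSITIVE_KEYS` and the sample values are constructed for illustration.

```python
# Added example: scrub credential-bearing fields from Okta Management node
# responses. redact() and SENSITIVE_KEYS are hypothetical names, not part of
# any Yellow.ai or Okta API.

MASK = "[REDACTED]"

# Keys that the sample responses on this page show carrying credential material.
SENSITIVE_KEYS = {
    "activationUrl", "activationToken",  # Activate User
    "resetPasswordUrl",                  # Reset Password
    "tempPassword",                      # Expire Password
    "sharedSecret", "qrcode",            # Enroll Factor (_embedded.activation)
}


def redact(response):
    """Return (scrubbed_copy, redacted_paths); the input is left unmodified."""
    redacted_paths = []

    def walk(node, path):
        if isinstance(node, dict):
            scrubbed = {}
            for key, value in node.items():
                here = f"{path}.{key}" if path else key
                if key in SENSITIVE_KEYS and value is not None:
                    scrubbed[key] = MASK  # replace the whole subtree
                    redacted_paths.append(here)
                else:
                    scrubbed[key] = walk(value, here)
            return scrubbed
        if isinstance(node, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(node)]
        return node

    return walk(response, ""), redacted_paths


# Constructed samples shaped like the Enroll Factor and Expire Password
# responses; every value is a placeholder.
SAMPLE_ENROLL = {
    "id": "FACTOR_ID_PLACEHOLDER",
    "factorType": "token:software:totp",
    "status": "PENDING_ACTIVATION",
    "_embedded": {
        "activation": {
            "timeStep": 30,
            "sharedSecret": "SECRET_PLACEHOLDER",
            "qrcode": {"href": "https://okta.example/qr/PLACEHOLDER",
                       "type": "image/png"},
        }
    },
}
SAMPLE_EXPIRE = {"tempPassword": {"value": "TEMP_PASSWORD_PLACEHOLDER"}}

if __name__ == "__main__":
    for sample in (SAMPLE_ENROLL, SAMPLE_EXPIRE):
        clean, paths = redact(sample)
        print(paths, clean)
```

The returned path list can be kept as a record of which fields were withheld, without storing their values.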


Reset Factor

Deletes a specific enrolled MFA factor for a user, allowing them to re-enroll. Use this when a user loses their phone or needs to reset their authenticator app. Call List Factors first to obtain the factorId.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| User ID | String | The ID of the user whose factor you want to reset. |
| Factor ID | String | The ID of the specific MFA factor to delete. Obtained from List Factors. |

Sample response:

{
  "status": 204,
  "message": "MFA factor successfully deleted. The user can now re-enroll.",
  "userId": "00ub0oNGTSWTBKOLGLNR",
  "factorId": "ufs2bysphxKODSZKWVCT"
}

Note: A successful reset returns HTTP 204 No Content. The response body is empty on success. The sample above is a Yellow.ai wrapper response.

📖 Okta API Reference — Reset Factor


Get Audit Logs

Retrieves system log events from Okta, with optional date range filtering, custom filter expressions, and result limits. Useful for security audits, compliance checks, or building an activity-monitoring agent.

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Since | String (ISO date) | Start of the date range to query (e.g., 2026-01-01T00:00:00Z). |
| Until | String (ISO date) | End of the date range to query. |
| Filter | String | A SCIM filter expression to narrow results (e.g., by event type). |
| Limit | Number | Maximum number of log entries to return. |

Sample response:

[
  {
    "actor": {
      "id": "00ub0oNGTSWTBKOLGLNR",
      "type": "User",
      "alternateId": "[email protected]",
      "displayName": "Admin User"
    },
    "client": {
      "ipAddress": "203.0.113.42",
      "geographicalContext": {
        "city": "Bangalore",
        "country": "India"
      }
    },
    "eventType": "user.session.start",
    "outcome": {
      "result": "SUCCESS"
    },
    "published": "2026-05-29T08:12:00.000Z",
    "severity": "INFO",
    "target": [
      {
        "id": "00ub0oNGTSWTBKOLGLNR",
        "type": "User",
        "alternateId": "[email protected]",
        "displayName": "Jordan Lee"
      }
    ]
  }
]

📖 Okta API Reference — Get Audit Logs
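
An activity-monitoring check of the kind mentioned above, as an added example (not Yellow.ai or Okta code): over events shaped like the sample response, it pairs an MFA factor removal with a password reset performed by the same actor on the same user within 30 minutes. The two event type strings, the window, the function names and the sample events are assumptions constructed for illustration; confirm the event types against your own org's System Log.

```python
from datetime import datetime, timedelta

# Event type names are assumptions; confirm them against your org's System Log.
FACTOR_REMOVED = "user.mfa.factor.deactivate"
PASSWORD_RESET = "user.account.reset_password"
WATCHED = {FACTOR_REMOVED, PASSWORD_RESET}


def _published(event):
    # Timestamps in the sample end in "Z"; normalise for fromisoformat().
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _target_users(event):
    return [t["id"] for t in event.get("target") or [] if t.get("type") == "User"]


def find_reset_chains(events, window=timedelta(minutes=30)):
    """Pair a successful factor removal with a successful password reset
    (in either order) by the same actor on the same user within `window`."""
    last_seen = {}  # (actor_id, user_id, event_type) -> timestamp
    findings = []
    for event in sorted(events, key=_published):
        kind = event.get("eventType")
        if kind not in WATCHED:
            continue
        if event.get("outcome", {}).get("result") != "SUCCESS":
            continue
        actor = event.get("actor", {}).get("id")
        other = PASSWORD_RESET if kind == FACTOR_REMOVED else FACTOR_REMOVED
        when = _published(event)
        for user in _target_users(event):
            earlier = last_seen.pop((actor, user, other), None)
            if earlier is not None and when - earlier <= window:
                findings.append({
                    "actor": actor,
                    "user": user,
                    "first": earlier.isoformat(),
                    "second": when.isoformat(),
                    "ip": event.get("client", {}).get("ipAddress"),
                })
            else:
                last_seen[(actor, user, kind)] = when
    return findings


def _event(kind, actor, user, published, result="SUCCESS"):
    # Constructed sample in the shape of the Get Audit Logs response above.
    return {
        "actor": {"id": actor, "type": "User"},
        "client": {"ipAddress": "203.0.113.42"},
        "eventType": kind,
        "outcome": {"result": result},
        "published": published,
        "target": [{"id": user, "type": "User"}],
    }


SAMPLE_EVENTS = [
    _event(FACTOR_REMOVED, "svc-agent", "user-a", "2026-05-29T08:00:00.000Z"),
    _event(PASSWORD_RESET, "svc-agent", "user-a", "2026-05-29T08:05:00.000Z"),
    _event(FACTOR_REMOVED, "svc-agent", "user-b", "2026-05-29T08:00:00.000Z"),
    _event(PASSWORD_RESET, "svc-agent", "user-b", "2026-05-29T10:00:00.000Z"),
    _event(PASSWORD_RESET, "svc-agent", "user-c", "2026-05-29T09:00:00.000Z", "FAILURE"),
    _event(FACTOR_REMOVED, "svc-agent", "user-c", "2026-05-29T09:01:00.000Z"),
]

if __name__ == "__main__":
    for finding in find_reset_chains(SAMPLE_EVENTS):
        print(finding)
```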


Get Pending Approvals

Lists all users currently in a specified group. Useful for building approval queue or access-request workflows where a group represents users awaiting review.

Required parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Group ID | String | The unique ID of the group to list members for. |

Optional parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| Limit | Number | Maximum number of users to return. |

Sample response:

[
  {
    "id": "00ub0oNGTSWTBKOLGLNR",
    "status": "ACTIVE",
    "created": "2024-01-15T10:30:00.000Z",
    "activated": "2024-01-15T10:35:00.000Z",
    "lastLogin": "2026-05-28T09:00:00.000Z",
    "lastUpdated": "2026-05-28T09:00:00.000Z",
    "profile": {
      "firstName": "Jordan",
      "lastName": "Lee",
      "email": "[email protected]",
      "login": "[email protected]"
    }
  },
  {
    "id": "00uc1pExGOQAVXZSMATP",
    "status": "ACTIVE",
    "created": "2024-03-10T08:00:00.000Z",
    "activated": "2024-03-10T08:05:00.000Z",
    "lastLogin": "2026-05-27T11:00:00.000Z",
    "lastUpdated": "2026-05-27T11:00:00.000Z",
    "profile": {
      "firstName": "Priya",
      "lastName": "Sharma",
      "email": "[email protected]",
      "login": "[email protected]"
    }
  }
]

📖 Okta API Reference — List Group Users


Error Reference

All Okta Management action nodes return structured errors. The following codes may appear in the agent's error path:

| Error Status | Code | HTTP Status | What it means | How to fix |
| --- | --- | --- | --- | --- |
| INVALID_FIELD_VALUE | 8001 | 400 | One or more parameters are missing, the wrong type, or incorrectly formatted. | Check that all required fields are present and values are valid. |
| AUTHENTICATION_FAILURE | 8002 | 401 | The API token is invalid, expired, or missing. | Regenerate the API token in Okta under Security > API > Tokens and update it in your Yellow.ai integration config. |
| RESOURCE_NOT_FOUND | 8002–8003 | 404 | The specified user, group, application, or factor does not exist. | Verify that the ID or login value is correct and the resource exists in Okta. |
| DUPLICATE_USER | 8003 | 409 | A user already exists with the provided login. | Check for an existing account with the same login before creating a new one. |
| RESOURCE_ACCESS_DENIED | 9001 | 403 | The API token does not have permission to perform this action. | Check the token's admin scope in the Okta Admin Console under Security > API. |
| API_LIMIT_REACHED | 9002 | 429 | The Okta API rate limit has been reached. | Reduce the frequency of requests or implement retry logic with backoff in your agent flow. |