Okta · Capability

Okta API — User

Okta API — User. 52 operations. Lead operation: Okta List Users. Self-contained Naftiko capability covering one Okta business surface.


What You Can Do

GET
Listusers — Okta List Users
/v1/api/v1/users
POST
Createuser — Okta Create User
/v1/api/v1/users
PUT
Setlinkedobjectforuser — setlinkedobjectforuser
/v1/api/v1/users/{associateduserid}/linkedobjects/{primaryrelationshipname}/{primaryuserid}
GET
Getuser — Okta Get User
/v1/api/v1/users/{userid}
PUT
Updateuser — Okta Update User
/v1/api/v1/users/{userid}
POST
Partialupdateuser — Update a user's profile or credentials with partial update semantics.
/v1/api/v1/users/{userid}
DELETE
Deactivateordeleteuser — Okta Delete User
/v1/api/v1/users/{userid}
GET
Listapplinks — Okta Get Assigned App Links
/v1/api/v1/users/{userid}/applinks
GET
Listuserclients — Lists all client resources for which the specified user has grants or tokens.
/v1/api/v1/users/{userid}/clients
GET
Listgrantsforuserandclient — Lists all grants for a specified user and client
/v1/api/v1/users/{userid}/clients/{clientid}/grants
DELETE
Revokegrantsforuserandclient — Revokes all grants for the specified user and client
/v1/api/v1/users/{userid}/clients/{clientid}/grants
GET
Listrefreshtokensforuserandclient — Lists all refresh tokens issued for the specified User and Client.
/v1/api/v1/users/{userid}/clients/{clientid}/tokens
DELETE
Revoketokensforuserandclient — Revokes all refresh tokens issued for the specified User and Client.
/v1/api/v1/users/{userid}/clients/{clientid}/tokens
GET
Getrefreshtokenforuserandclient — Gets a refresh token issued for the specified User and Client.
/v1/api/v1/users/{userid}/clients/{clientid}/tokens/{tokenid}
DELETE
Revoketokenforuserandclient — Revokes the specified refresh token.
/v1/api/v1/users/{userid}/clients/{clientid}/tokens/{tokenid}
POST
Changepassword — Okta Change Password
/v1/api/v1/users/{userid}/credentials/change-password
POST
Changerecoveryquestion — Okta Change Recovery Question
/v1/api/v1/users/{userid}/credentials/change-recovery-question
POST
Post — Okta Forgot Password
/v1/api/v1/users/{userid}/credentials/forgot-password
GET
Listusergrants — Lists all grants for the specified user
/v1/api/v1/users/{userid}/grants
DELETE
Revokeusergrants — Revokes all grants for a specified user
/v1/api/v1/users/{userid}/grants
GET
Getusergrant — Gets a grant for the specified user
/v1/api/v1/users/{userid}/grants/{grantid}
DELETE
Revokeusergrant — Revokes one grant for a specified user
/v1/api/v1/users/{userid}/grants/{grantid}
GET
Listusergroups — Okta Get Member Groups
/v1/api/v1/users/{userid}/groups
GET
Listuseridentityproviders — Okta Listing IdPs associated with a user
/v1/api/v1/users/{userid}/idps
POST
Activateuser — Okta Activate User
/v1/api/v1/users/{userid}/lifecycle/activate
POST
Deactivateuser — Okta Deactivate User
/v1/api/v1/users/{userid}/lifecycle/deactivate
POST
Expirepassword — Okta Expire Password
/v1/api/v1/users/{userid}/lifecycle/expire-password-temppassword-false
POST
Expirepasswordandgettemporarypassword — Okta Expire Password
/v1/api/v1/users/{userid}/lifecycle/expire-password-temppassword-true
POST
Reactivateuser — Okta Reactivate User
/v1/api/v1/users/{userid}/lifecycle/reactivate
POST
Resetfactors — Okta Reset Factors
/v1/api/v1/users/{userid}/lifecycle/reset-factors
POST
Resetpassword — Okta Reset Password
/v1/api/v1/users/{userid}/lifecycle/reset-password
POST
Suspenduser — Okta Suspend User
/v1/api/v1/users/{userid}/lifecycle/suspend
POST
Unlockuser — Okta Unlock User
/v1/api/v1/users/{userid}/lifecycle/unlock
POST
Unsuspenduser — Okta Unsuspend User
/v1/api/v1/users/{userid}/lifecycle/unsuspend
GET
Getlinkedobjectsforuser — Get linked objects for a user, relationshipName can be a primary or associated relationship name
/v1/api/v1/users/{userid}/linkedobjects/{relationshipname}
DELETE
Removelinkedobjectforuser — Delete linked objects for a user, relationshipName can be ONLY a primary relationship name
/v1/api/v1/users/{userid}/linkedobjects/{relationshipname}
GET
Listassignedrolesforuser — Lists all roles assigned to a user.
/v1/api/v1/users/{userid}/roles
POST
Assignroletouser — Assigns a role to a user.
/v1/api/v1/users/{userid}/roles
GET
Getuserrole — Gets the role that is assigned to a user.
/v1/api/v1/users/{userid}/roles/{roleid}
DELETE
Removerolefromuser — Unassigns a role from a user.
/v1/api/v1/users/{userid}/roles/{roleid}
GET
Listapplicationtargetsforapplicationadministratorroleforuser — Lists all App targets for an `APP_ADMIN` Role assigned to a User. The list this method returns may include full Applications or Instances. The response for an instance will have an `ID` value, while an Application will not have an ID.
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps
PUT
Addallappsastargettorole — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps
PUT
Addapplicationtargettoadminroleforuser — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps/{appname}
DELETE
Removeapplicationtargetfromapplicationadministratorroleforuser — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps/{appname}
PUT
Addapplicationtargettoappadminroleforuser — Okta Add App Instance Target to App Administrator Role given to a User
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps/{appname}/{applicationid}
DELETE
Removeapplicationtargetfromadministratorroleforuser — Okta Remove App Instance Target to App Administrator Role given to a User
/v1/api/v1/users/{userid}/roles/{roleid}/targets/catalog/apps/{appname}/{applicationid}
GET
Listgrouptargetsforrole — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/groups
PUT
Addgrouptargettorole — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/groups/{groupid}
DELETE
Removegrouptargetfromrole — Success
/v1/api/v1/users/{userid}/roles/{roleid}/targets/groups/{groupid}
DELETE
Clearusersessions — Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
/v1/api/v1/users/{userid}/sessions
GET
Listusersubscriptions — Okta List subscriptions of a User
/v1/api/v1/users/{userid}/subscriptions
GET
Getusersubscriptionbynotificationtype — Okta Get the subscription of a User with a specific notification type
/v1/api/v1/users/{userid}/subscriptions/{notificationtype}

MCP Tools

okta-list-users

Okta List Users

read-only idempotent
okta-create-user

Okta Create User

setlinkedobjectforuser

setlinkedobjectforuser

idempotent
okta-get-user

Okta Get User

read-only idempotent
okta-update-user

Okta Update User

idempotent
update-user-s-profile-credentials-partial

Update a user's profile or credentials with partial update semantics.

okta-delete-user

Okta Delete User

idempotent
okta-get-assigned-app-links

Okta Get Assigned App Links

read-only idempotent
lists-all-client-resources-which

Lists all client resources for which the specified user has grants or tokens.

read-only idempotent
lists-all-grants-specified-user

Lists all grants for a specified user and client

read-only idempotent
revokes-all-grants-specified-user

Revokes all grants for the specified user and client

idempotent
lists-all-refresh-tokens-issued

Lists all refresh tokens issued for the specified User and Client.

read-only idempotent
revokes-all-refresh-tokens-issued

Revokes all refresh tokens issued for the specified User and Client.

idempotent
gets-refresh-token-issued-specified

Gets a refresh token issued for the specified User and Client.

read-only idempotent
revokes-specified-refresh-token

Revokes the specified refresh token.

idempotent
okta-change-password

Okta Change Password

okta-change-recovery-question

Okta Change Recovery Question

okta-forgot-password

Okta Forgot Password

lists-all-grants-specified-user-2

Lists all grants for the specified user

read-only idempotent
revokes-all-grants-specified-user-2

Revokes all grants for a specified user

idempotent
gets-grant-specified-user

Gets a grant for the specified user

read-only idempotent
revokes-one-grant-specified-user

Revokes one grant for a specified user

idempotent
okta-get-member-groups

Okta Get Member Groups

read-only idempotent
okta-listing-idps-associated-user

Okta Listing IdPs associated with a user

read-only idempotent
okta-activate-user

Okta Activate User

okta-deactivate-user

Okta Deactivate User

okta-expire-password

Okta Expire Password

okta-expire-password-2

Okta Expire Password

okta-reactivate-user

Okta Reactivate User

okta-reset-factors

Okta Reset Factors

okta-reset-password

Okta Reset Password

okta-suspend-user

Okta Suspend User

okta-unlock-user

Okta Unlock User

okta-unsuspend-user

Okta Unsuspend User

get-linked-objects-user-relationshipname

Get linked objects for a user, relationshipName can be a primary or associated relationship name

read-only idempotent
delete-linked-objects-user-relationshipname

Delete linked objects for a user, relationshipName can be ONLY a primary relationship name

idempotent
lists-all-roles-assigned-user

Lists all roles assigned to a user.

read-only idempotent
assigns-role-user

Assigns a role to a user.

gets-role-that-is-assigne

Gets the role that is assigned to a user.

read-only idempotent
unassigns-role-user

Unassigns a role from a user.

idempotent
lists-all-app-targets-app

Lists all App targets for an `APP_ADMIN` Role assigned to a User. The list this method returns may include full Applications or Instances. The response for an instance will have an `ID` value, while an Application will not have an ID.

read-only idempotent
success

Success

idempotent
success-2

Success

idempotent
success-3

Success

idempotent
okta-add-app-instance-target

Okta Add App Instance Target to App Administrator Role given to a User

idempotent
okta-remove-app-instance-target

Okta Remove App Instance Target to App Administrator Role given to a User

idempotent
success-4

Success

read-only idempotent
success-5

Success

idempotent
success-6

Success

idempotent
removes-all-active-identity-provider

Removes all active identity provider sessions. This forces the user to authenticate on the next operation. Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.

idempotent
okta-list-subscriptions-user

Okta List subscriptions of a User

read-only idempotent
okta-get-subscription-user-specific

Okta Get the subscription of a User with a specific notification type

read-only idempotent

Capability Spec

okta-user.yaml
naftiko: 1.0.0-alpha2
info:
  label: Okta API — User
  description: 'Okta API — User. 52 operations. Lead operation: Okta List Users. Self-contained Naftiko capability covering
    one Okta business surface.'
  tags:
  - Okta
  - User
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    OKTA_API_KEY: OKTA_API_KEY
capability:
  consumes:
  - type: http
    namespace: okta-user
    baseUri: https://your-subdomain.okta.com
    description: Okta API — User business capability. Self-contained, no shared references.
    resources:
    - name: api-v1-users
      path: /api/v1/users
      operations:
      - name: listusers
        method: GET
        description: Okta List Users
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: q
          in: query
          type: string
          description: Finds a user that matches firstName, lastName, and email properties
        - name: after
          in: query
          type: string
          description: Specifies the pagination cursor for the next page of users
        - name: limit
          in: query
          type: integer
          description: Specifies the number of results returned
        - name: filter
          in: query
          type: string
          description: Filters users with a supported expression for a subset of properties
        - name: search
          in: query
          type: string
          description: Searches for users with a supported filtering expression for most properties
        - name: sortBy
          in: query
          type: string
        - name: sortOrder
          in: query
          type: string
      - name: createuser
        method: POST
        description: Okta Create User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: activate
          in: query
          type: boolean
          description: Executes activation lifecycle operation when creating the user
        - name: provider
          in: query
          type: boolean
          description: Indicates whether to create a user with a specified authentication provider
        - name: nextLogin
          in: query
          type: string
          description: With activate=true, set nextLogin to "changePassword" to have the password be EXPIRED, so user must
            change it the next time they log in.
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v1-users-associatedUserId-linkedObjects-primaryRelationshipName-primaryUserI
      path: /api/v1/users/{associatedUserId}/linkedObjects/{primaryRelationshipName}/{primaryUserId}
      operations:
      - name: setlinkedobjectforuser
        method: PUT
        description: ''
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: associatedUserId
          in: path
          type: string
          required: true
        - name: primaryRelationshipName
          in: path
          type: string
          required: true
        - name: primaryUserId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId
      path: /api/v1/users/{userId}
      operations:
      - name: getuser
        method: GET
        description: Okta Get User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
      - name: updateuser
        method: PUT
        description: Okta Update User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: strict
          in: query
          type: boolean
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: partialupdateuser
        method: POST
        description: Update a user's profile or credentials with partial update semantics.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: strict
          in: query
          type: boolean
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
      - name: deactivateordeleteuser
        method: DELETE
        description: Okta Delete User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: sendEmail
          in: query
          type: boolean
    - name: api-v1-users-userId-appLinks
      path: /api/v1/users/{userId}/appLinks
      operations:
      - name: listapplinks
        method: GET
        description: Okta Get Assigned App Links
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-clients
      path: /api/v1/users/{userId}/clients
      operations:
      - name: listuserclients
        method: GET
        description: Lists all client resources for which the specified user has grants or tokens.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-clients-clientId-grants
      path: /api/v1/users/{userId}/clients/{clientId}/grants
      operations:
      - name: listgrantsforuserandclient
        method: GET
        description: Lists all grants for a specified user and client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
        - name: expand
          in: query
          type: string
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
      - name: revokegrantsforuserandclient
        method: DELETE
        description: Revokes all grants for the specified user and client
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-clients-clientId-tokens
      path: /api/v1/users/{userId}/clients/{clientId}/tokens
      operations:
      - name: listrefreshtokensforuserandclient
        method: GET
        description: Lists all refresh tokens issued for the specified User and Client.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
        - name: expand
          in: query
          type: string
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
      - name: revoketokensforuserandclient
        method: DELETE
        description: Revokes all refresh tokens issued for the specified User and Client.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-clients-clientId-tokens-tokenId
      path: /api/v1/users/{userId}/clients/{clientId}/tokens/{tokenId}
      operations:
      - name: getrefreshtokenforuserandclient
        method: GET
        description: Gets a refresh token issued for the specified User and Client.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
        - name: tokenId
          in: path
          type: string
          required: true
        - name: expand
          in: query
          type: string
        - name: limit
          in: query
          type: integer
        - name: after
          in: query
          type: string
      - name: revoketokenforuserandclient
        method: DELETE
        description: Revokes the specified refresh token.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: clientId
          in: path
          type: string
          required: true
        - name: tokenId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-credentials-change_password
      path: /api/v1/users/{userId}/credentials/change_password
      operations:
      - name: changepassword
        method: POST
        description: Okta Change Password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: strict
          in: query
          type: boolean
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v1-users-userId-credentials-change_recovery_question
      path: /api/v1/users/{userId}/credentials/change_recovery_question
      operations:
      - name: changerecoveryquestion
        method: POST
        description: Okta Change Recovery Question
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v1-users-userId-credentials-forgot_password
      path: /api/v1/users/{userId}/credentials/forgot_password
      operations:
      - name: post
        method: POST
        description: Okta Forgot Password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-grants
      path: /api/v1/users/{userId}/grants
      operations:
      - name: listusergrants
        method: GET
        description: Lists all grants for the specified user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: scopeId
          in: query
          type: string
        - name: expand
          in: query
          type: string
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
      - name: revokeusergrants
        method: DELETE
        description: Revokes all grants for a specified user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-grants-grantId
      path: /api/v1/users/{userId}/grants/{grantId}
      operations:
      - name: getusergrant
        method: GET
        description: Gets a grant for the specified user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: grantId
          in: path
          type: string
          required: true
        - name: expand
          in: query
          type: string
      - name: revokeusergrant
        method: DELETE
        description: Revokes one grant for a specified user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: grantId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-groups
      path: /api/v1/users/{userId}/groups
      operations:
      - name: listusergroups
        method: GET
        description: Okta Get Member Groups
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-idps
      path: /api/v1/users/{userId}/idps
      operations:
      - name: listuseridentityproviders
        method: GET
        description: Okta Listing IdPs associated with a user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-activate
      path: /api/v1/users/{userId}/lifecycle/activate
      operations:
      - name: activateuser
        method: POST
        description: Okta Activate User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: sendEmail
          in: query
          type: boolean
          description: Sends an activation email to the user if true
          required: true
    - name: api-v1-users-userId-lifecycle-deactivate
      path: /api/v1/users/{userId}/lifecycle/deactivate
      operations:
      - name: deactivateuser
        method: POST
        description: Okta Deactivate User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: sendEmail
          in: query
          type: boolean
    - name: api-v1-users-userId-lifecycle-expire_password?tempPassword=false
      path: /api/v1/users/{userId}/lifecycle/expire_password?tempPassword=false
      operations:
      - name: expirepassword
        method: POST
        description: Okta Expire Password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-expire_password?tempPassword=true
      path: /api/v1/users/{userId}/lifecycle/expire_password?tempPassword=true
      operations:
      - name: expirepasswordandgettemporarypassword
        method: POST
        description: Okta Expire Password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-reactivate
      path: /api/v1/users/{userId}/lifecycle/reactivate
      operations:
      - name: reactivateuser
        method: POST
        description: Okta Reactivate User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: sendEmail
          in: query
          type: boolean
          description: Sends an activation email to the user if true
    - name: api-v1-users-userId-lifecycle-reset_factors
      path: /api/v1/users/{userId}/lifecycle/reset_factors
      operations:
      - name: resetfactors
        method: POST
        description: Okta Reset Factors
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-reset_password
      path: /api/v1/users/{userId}/lifecycle/reset_password
      operations:
      - name: resetpassword
        method: POST
        description: Okta Reset Password
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: sendEmail
          in: query
          type: boolean
          required: true
    - name: api-v1-users-userId-lifecycle-suspend
      path: /api/v1/users/{userId}/lifecycle/suspend
      operations:
      - name: suspenduser
        method: POST
        description: Okta Suspend User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-unlock
      path: /api/v1/users/{userId}/lifecycle/unlock
      operations:
      - name: unlockuser
        method: POST
        description: Okta Unlock User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-lifecycle-unsuspend
      path: /api/v1/users/{userId}/lifecycle/unsuspend
      operations:
      - name: unsuspenduser
        method: POST
        description: Okta Unsuspend User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-linkedObjects-relationshipName
      path: /api/v1/users/{userId}/linkedObjects/{relationshipName}
      operations:
      - name: getlinkedobjectsforuser
        method: GET
        description: Get linked objects for a user, relationshipName can be a primary or associated relationship name
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: relationshipName
          in: path
          type: string
          required: true
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
      - name: removelinkedobjectforuser
        method: DELETE
        description: Delete linked objects for a user, relationshipName can be ONLY a primary relationship name
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: relationshipName
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-roles
      path: /api/v1/users/{userId}/roles
      operations:
      - name: listassignedrolesforuser
        method: GET
        description: Lists all roles assigned to a user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: expand
          in: query
          type: string
      - name: assignroletouser
        method: POST
        description: Assigns a role to a user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: disableNotifications
          in: query
          type: boolean
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-v1-users-userId-roles-roleId
      path: /api/v1/users/{userId}/roles/{roleId}
      operations:
      - name: getuserrole
        method: GET
        description: Gets a role that is assigned to a user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
      - name: removerolefromuser
        method: DELETE
        description: Unassigns a role from a user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-roles-roleId-targets-catalog-apps
      path: /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps
      operations:
      - name: listapplicationtargetsforapplicationadministratorroleforuser
        method: GET
        description: Lists all App targets for an `APP_ADMIN` Role assigned to a User. The returned list may include
          full Applications or Instances. The response for an instance will have an `ID` value, while an Application
          will not have an ID.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
      - name: addallappsastargettorole
        method: PUT
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-roles-roleId-targets-catalog-apps-appName
      path: /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}
      operations:
      - name: addapplicationtargettoadminroleforuser
        method: PUT
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: appName
          in: path
          type: string
          required: true
      - name: removeapplicationtargetfromapplicationadministratorroleforuser
        method: DELETE
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: appName
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-roles-roleId-targets-catalog-apps-appName-applicationId
      path: /api/v1/users/{userId}/roles/{roleId}/targets/catalog/apps/{appName}/{applicationId}
      operations:
      - name: addapplicationtargettoappadminroleforuser
        method: PUT
        description: Okta Add App Instance Target to App Administrator Role given to a User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: appName
          in: path
          type: string
          required: true
        - name: applicationId
          in: path
          type: string
          required: true
      - name: removeapplicationtargetfromadministratorroleforuser
        method: DELETE
        description: Okta Remove App Instance Target from App Administrator Role given to a User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: appName
          in: path
          type: string
          required: true
        - name: applicationId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-roles-roleId-targets-groups
      path: /api/v1/users/{userId}/roles/{roleId}/targets/groups
      operations:
      - name: listgrouptargetsforrole
        method: GET
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: after
          in: query
          type: string
        - name: limit
          in: query
          type: integer
    - name: api-v1-users-userId-roles-roleId-targets-groups-groupId
      path: /api/v1/users/{userId}/roles/{roleId}/targets/groups/{groupId}
      operations:
      - name: addgrouptargettorole
        method: PUT
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: groupId
          in: path
          type: string
          required: true
      - name: removegrouptargetfromrole
        method: DELETE
        description: Success
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: roleId
          in: path
          type: string
          required: true
        - name: groupId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-sessions
      path: /api/v1/users/{userId}/sessions
      operations:
      - name: clearusersessions
        method: DELETE
        description: Removes all active identity provider sessions. This forces the user to authenticate on the next operation.
          Optionally revokes OpenID Connect and OAuth refresh and access tokens issued to the user.
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: oauthTokens
          in: query
          type: boolean
          description: Revoke issued OpenID Connect and OAuth refresh and access tokens
    - name: api-v1-users-userId-subscriptions
      path: /api/v1/users/{userId}/subscriptions
      operations:
      - name: listusersubscriptions
        method: GET
        description: Okta List subscriptions of a User
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
    - name: api-v1-users-userId-subscriptions-notificationType
      path: /api/v1/users/{userId}/subscriptions/{notificationType}
      operations:
      - name: getusersubscriptionbynotificationtype
        method: GET
        description: Okta Get the subscription of a User with a specific notification type
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: userId
          in: path
          type: string
          required: true
        - name: notificationType
          in: path
          type: string
          required: true
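    authentication:
      # Okta API tokens use the SSWS scheme (Authorization: SSWS <token>). If this value is sent
      # verbatim as the header, OKTA_API_KEY must hold the full value including the "SSWS " prefix.
      # The token carries the privileges of the admin who created it, and this capability includes
      # role-assignment and session-revocation operations, so issue it from a least-privilege admin.
      type: apikey
      key: Authorization
      value: '{{env.OKTA_API_KEY}}'
      placement: header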
  exposes:
  - type: rest
    namespace: okta-user-rest
    port: 8080
    description: REST adapter for Okta API — User. One Spectral-compliant resource per consumed operation, prefixed with /v1.
    resources:
    - path: /v1/api/v1/users
      name: api-v1-users
      description: REST surface for api-v1-users.
      operations:
      - method: GET
        name: listusers
        description: Okta List Users
        call: okta-user.listusers
        with:
          q: rest.q
          after: rest.after
          limit: rest.limit
          filter: rest.filter
          search: rest.search
          sortBy: rest.sortBy
          sortOrder: rest.sortOrder
        outputParameters:
        - type: object
          mapping: $.
      - method: POST
        name: createuser
        description: Okta Create User
        call: okta-user.createuser
        with:
          activate: rest.activate
          provider: rest.provider
          nextLogin: rest.nextLogin
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/v1/users/{associateduserid}/linkedobjects/{primaryrelationshipname}/{primaryu

# --- truncated at 32 KB (75 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/okta/refs/heads/main/capabilities/okta-user.yaml