What you’ll need
- An Okta Super Admin or Read-Only Admin role.
- The ability to create an API token in your Okta tenant.
- Three minutes.
Set it up
Create an API token in Okta
In Okta Admin, go to Security → API → Tokens and click Create Token. Name it Axiom Layer. Copy the token value — you won’t be able to see it again.
Find your Okta domain
Your Okta domain looks like acme.okta.com or acme.oktapreview.com. You can copy it from the URL bar of the Okta Admin console.
Paste both into Layer
In Layer, go to Integrations, find Okta, and click Connect. Paste your Okta domain and API token, then click Connect.
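To check a domain and token pair outside Layer, for example when the first sync fails, the script below refuses to send the token to anything that is not an Okta hostname and then probes the three object types listed under What gets synced. It is an added example, not Layer or Okta code; it assumes Okta's SSWS authorization header and /api/v1 list endpoints, accepts only the two domain shapes shown above, and its function names are hypothetical.

```python
import re
import urllib.error
import urllib.request

# Assumption: only the two domain shapes this page shows are accepted.
_OKTA_HOST = re.compile(r"^[a-z0-9][a-z0-9-]*\.(okta|oktapreview)\.com$")
# Okta list endpoints for the three synced object types.
ENDPOINTS = {"users": "/api/v1/users", "groups": "/api/v1/groups", "apps": "/api/v1/apps"}


def normalize_okta_domain(raw):
    """Return the bare hostname, or raise ValueError so the token never goes elsewhere."""
    host = re.sub(r"^https://", "", raw.strip().lower())
    host = host.split("/", 1)[0]  # drop any path copied from the URL bar
    if not _OKTA_HOST.match(host):
        raise ValueError(f"not an Okta domain: {raw!r}")
    return host


def _http_status(url, token):
    """GET the URL with the SSWS token and return the HTTP status code."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"SSWS {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def preflight(raw_domain, token, fetch=_http_status):
    """Map each synced object type to 'ok' or a short failure reason."""
    host = normalize_okta_domain(raw_domain)
    results = {}
    for name, path in ENDPOINTS.items():
        status = fetch(f"https://{host}{path}?limit=1", token)
        if status == 200:
            results[name] = "ok"
        elif status == 401:
            results[name] = "401: Okta rejected the token"
        elif status == 403:
            results[name] = "403: token's role lacks read access"
        else:
            results[name] = f"unexpected HTTP {status}"
    return results
```

Call `preflight("acme.okta.com", token)` with the token read from an environment variable or prompt rather than typed on the command line, so it does not land in shell history.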
What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Users | login, email, status, last login | Every 6 hours |
| Groups | name, description, member logins | Every 6 hours |
| App assignments | app name, assigned users, assigned groups | Every 6 hours |
Required token permissions
The token inherits the role of the admin who created it. Read-Only Admin is sufficient — Layer never writes to your Okta tenant.
Troubleshooting
401 Unauthorized on first sync
Some apps aren't showing up
Apps that have no assigned users or groups won’t appear. Apps in the Okta Integration Network catalog but not added to your tenant also won’t appear — only apps actually configured in your Okta tenant are returned.