What you’ll need
- Okta Super Admin or a Read-Only Admin role.
- The ability to create an API token in your Okta tenant.
- Three minutes.
Set it up
Create an API token in Okta
In Okta Admin, go to Security → API → Tokens and click Create Token. Name it Axiom Layer. Copy the token value — you won’t be able to see it again.
Find your Okta domain
Your Okta domain looks like acme.okta.com or acme.oktapreview.com. You can copy it from the URL bar of the Okta Admin console.
Paste both into Layer
In Layer, go to Integrations, find Okta, and click Connect. Paste your Okta domain and API token, then click Connect.
What gets synced
| Object | Fields | Refresh cadence |
|---|---|---|
| Users | login, email, status, last login | Every 6 hours |
| Groups | name, description, member logins | Every 6 hours |
| Apps | app name, provider, total assigned users | Every 6 hours |
| App assignments | user → app links, assignment date | Every 6 hours |
Per-user app access
Layer fetches each Okta user’s assigned applications from /api/v1/users/{userId}/appLinks and creates:
- One App asset per distinct Okta-managed application (visible in the Apps view).
- One Uses relationship per user → app pairing, with the original Okta assignment date stored as assigned_at metadata.
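To reproduce the per-user call outside Layer when checking a token, the added example below (not Layer's or Okta's own code) validates a pasted Okta domain and builds the appLinks request without sending it. It assumes Okta's `SSWS` API-token authorization scheme and accepts only the two domain forms shown above; the user ID and token in any call are values you supply.

```python
import re
from urllib.parse import quote, urlsplit
from urllib.request import Request

# Assumption: only the two domain forms shown on this page are accepted.
# Extend the tuple if your org uses another Okta domain.
ALLOWED_SUFFIXES = (".okta.com", ".oktapreview.com")
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_okta_domain(raw: str) -> str:
    """Return a bare host such as 'acme.okta.com', or raise ValueError."""
    text = raw.strip().lower()
    if "://" not in text:
        text = "https://" + text  # let urlsplit locate the host part
    parts = urlsplit(text)
    if parts.scheme != "https":
        raise ValueError("Okta domain must be reached over https")
    if parts.username or parts.password or parts.port:
        raise ValueError("userinfo and ports are not allowed")
    host = parts.hostname or ""
    for suffix in ALLOWED_SUFFIXES:
        # Exactly one label before the suffix: rejects lookalikes such as
        # 'acme.okta.com.example.net' and nested hosts such as 'a.b.okta.com'.
        if host.endswith(suffix) and LABEL.match(host[: -len(suffix)]):
            return host
    raise ValueError(f"not an accepted Okta domain: {host!r}")


def build_applinks_request(domain: str, user_id: str, token: str) -> Request:
    """Build (without sending) the per-user appLinks call named above."""
    host = normalize_okta_domain(domain)
    # Percent-encode the ID so it cannot alter the request path.
    url = f"https://{host}/api/v1/users/{quote(user_id, safe='')}/appLinks"
    headers = {"Authorization": f"SSWS {token}", "Accept": "application/json"}
    return Request(url, headers=headers, method="GET")
```

Passing the returned object to `urllib.request.urlopen` sends the call; the token is a bearer secret, so read it from an environment variable or secret store instead of typing it into a script.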
Required token permissions
The token inherits the role of the admin who created it. Read-Only Admin is sufficient — Layer never writes to your Okta tenant.
Troubleshooting
401 Unauthorized on first sync
Some apps aren't showing up
Apps that have no assigned users or groups won’t appear. Apps in the Okta Integration Network catalog but not added to your tenant also won’t appear — only apps actually configured in your Okta tenant are returned.