
Okta

This page explains how to use Okta as the identity provider (IdP) to manage access to API Portals.


Introduction

You can use Okta as the IdP for Traefik Hub.

Okta is an identity and access management (IAM) service that provides authentication and authorization.

Once Okta is enabled and successfully configured in the dashboard, Traefik Hub will synchronize users and groups from Okta into Traefik Hub.

After the initial sync, Traefik Hub will sync with Okta once an hour.

When authenticating to the API Portal, the user is matched against the latest known synchronization point in the Traefik Hub database.

Traefik Hub will not automatically list all users after synchronization. Users will only be listed after a first successful login into Traefik Hub.

Shared Data Between Traefik Hub and Okta

The following data is shared between Traefik Hub and Okta:

  • Organization URL: URL of your Okta organization.
  • Issuer URL: The full URL of the Okta authorization server.
  • Token: Okta API token, used to authenticate requests to Okta APIs (encrypted).
  • Users and Groups: Configured in the Okta instance settings.

Before You Begin

warning

If you replace your Traefik Hub internal IdP with an external IdP, all users, user groups, and tokens created by the internal IdP will be deleted.

This action is irreversible!

This article assumes that you already have a configured Okta tenant.


Configuration

Once you have configured your Okta account settings, Traefik Hub will automatically create an integration application in Okta and will sync your groups from Okta to Traefik Hub.

Good to know

Users will only be listed in Traefik Hub after a successful login into an API Portal.

First, select Auth settings in the left navigation menu to get to the ID provider overview page in the dashboard.

https://hub.traefik.io/dashboard

Dashboard overview

Now, on the IdP overview page, select Okta as the external IdP.

https://hub.traefik.io/auth-settings

IdP selection dialog, selecting Keycloak

In the next step, configure your Okta settings: the URL of your Okta organization, the full URL of your Okta authorization server, and the token.

| Field | Description | Required |
|---|---|---|
| Organization URL | URL of your Okta organization. Typically, the org URL is the tenant name (the subdomain), followed by the domain name. For example, https://my-org.okta.com | Yes |
| Issuer URL | The full URL of the Okta authorization server. For example, http://my-org.okta.com/oauth2/pquz96guaw5Yoi6Qcc586. You can find more info about authorization servers in the Okta documentation. | Yes |
| Token | Okta API token, used to authenticate requests to Okta APIs. | Yes |

Dialog box about the Okta configuration

Once you're done, you can test your configuration by selecting Test connection.

Dialog showing that the configuration works

If the connection is working, save your configuration by selecting Save.

In the last step, you have to confirm the configuration changes.

warning

Please make sure to read the displayed message and follow the needed steps for confirmation!

If you already have users and groups configured, these accounts and all related user data, including tokens, will be deleted from Traefik Hub.

Please do not try to change your configuration during the synchronization process!

Traefik Hub will sync with your Okta tenant immediately after confirming your configuration.

From then on, Traefik Hub is configured to use Okta as its IdP.

The user overview page in the dashboard will not automatically show all users.
Users will only be listed after a successful login into an API Portal.
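
A pre-flight check for the Organization URL and Issuer URL fields, as an added example that is not part of Traefik Hub or of the original page: it verifies that both values use HTTPS, share a host, and agree with the metadata the authorization server publishes at `<issuer>/.well-known/openid-configuration`. The function name, the sample values, the path pattern (taken from the page's Issuer URL example) and the same-host rule (which assumes no custom domain) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Path shape taken from the page's Issuer URL example (/oauth2/<server id>); an assumption.
ISSUER_PATH = re.compile(r"^/oauth2/[A-Za-z0-9_-]+$")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_okta_settings(org_url, issuer_url, metadata=None):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    org, iss = urlsplit(org_url), urlsplit(issuer_url)
    if org.scheme != "https":
        problems.append("organization URL is not https")
    if org.path not in ("", "/") or org.query or org.fragment:
        problems.append("organization URL should be the bare org origin")
    if iss.scheme != "https":
        problems.append("issuer URL is not https")
    # Assumption: no custom domain, so both URLs point at the same host.
    if iss.hostname != org.hostname:
        problems.append("issuer host differs from organization host")
    if not ISSUER_PATH.match(iss.path):
        problems.append("issuer path is not /oauth2/<server id>")
    if metadata is not None:
        # OIDC Discovery: the advertised issuer must equal the configured one exactly,
        # so a stray trailing slash or a different server id is reported here.
        if metadata.get("issuer") != issuer_url:
            problems.append("metadata issuer does not match issuer URL exactly")
        for key in ENDPOINT_KEYS:
            endpoint = urlsplit(metadata.get(key) or "")
            if endpoint.scheme != "https" or endpoint.hostname != iss.hostname:
                problems.append(f"{key} is not https on the issuer host")
    return problems


# Constructed sample values (hypothetical org and server id), not real tenant data.
ORG = "https://my-org.okta.com"
ISSUER = "https://my-org.okta.com/oauth2/exampleServerId"
METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/v1/authorize",
    "token_endpoint": ISSUER + "/v1/token",
    "jwks_uri": ISSUER + "/v1/keys",
}

if __name__ == "__main__":
    for label, issuer in (("consistent", ISSUER), ("trailing slash", ISSUER + "/")):
        print(label, check_okta_settings(ORG, issuer, METADATA))
```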


Synchronization

Traefik Hub will automatically sync every 60 minutes with your Okta tenant.
After a first successful synchronization, you can initiate a sync at any time by selecting the Synchronize button.

Initiate Okta synchronization

Login with Okta

Head over to your API Portal and log in with Okta.

Login with Okta


  • Learn how to use JWT for API requests in the API Portal.