Okta API Token
Detects Okta API tokens, which begin with 00 and are followed by 40 base64url characters. Because the structure is short and generic, corroborative Okta context is important to confirm a real token. A leaked token grants Okta admin API access.
- Type: regex
- Engine: universal
- Confidence: medium
- Confidence justification: Medium confidence: the 00 prefix plus 40 base64url chars is not highly distinctive and can collide with other 42-char identifiers, so Okta corroborative keywords are required for reliable detection.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: wide
- Risk rating: 9
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9_-])00[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])
Corroborative evidence keywords
okta, okta.com, SSWS, api token, api_token, OKTA_API_TOKEN, authorization
Proximity: 300 characters
Should match
- Authorization: SSWS 00ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn — Okta API token with SSWS scheme, 00 prefix + 40 chars
- OKTA_API_TOKEN=001234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcd — Labelled Okta token in an env assignment
- 00zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhH_- — Okta token with - and _ in the body
Should not match
- 00aBcDeFgHiJkLmNoPqRsTuVwXyZ012345 — Too short to be a valid Okta token (under 40 body chars)
- 11ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn — Wrong prefix (11 instead of 00)
- configure the okta api token in your SSWS authorization header — Prose mention without a token value
Known false positives
- Other 42-character identifiers that happen to start with 00 (e.g. some hashes or IDs). Mitigation: Require corroborative Okta keywords (okta, SSWS) within proximity before alerting.
- Documentation or examples showing placeholder 00... strings. Mitigation: Check for placeholder markers (example, xxxx) and require Okta context.
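The rule applied end to end, as an added example (not code from this catalogue or from any DLP engine): the pattern, the keyword proximity check and the placeholder mitigation run over constructed samples. It assumes proximity means 300 characters on either side of the match; the function name, verdict labels and placeholder list are illustrative.

```python
import re

# Pattern, keywords and proximity are copied from the rule above.
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])00[A-Za-z0-9_-]{40}(?![A-Za-z0-9_-])")
KEYWORDS = ("okta", "okta.com", "SSWS", "api token", "api_token",
            "OKTA_API_TOKEN", "authorization")
PROXIMITY = 300
# Assumption: the two placeholder markers named in the false-positive note.
PLACEHOLDERS = ("example", "xxxx")


def scan(text):
    """Return one finding per regex match, graded by the surrounding context."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        # Assumption: proximity means 300 characters on either side of the match.
        before = text[max(0, m.start() - PROXIMITY):m.start()]
        after = text[m.end():m.end() + PROXIMITY]
        # The candidate itself is excluded so its body cannot self-corroborate.
        window = (before + " " + after).lower()
        hits = sorted(k for k in KEYWORDS if k.lower() in window)
        marked = any(p in window or p in m.group().lower() for p in PLACEHOLDERS)
        if marked:
            verdict = "placeholder"      # documentation or sample value
        elif hits:
            verdict = "alert"            # regex match plus Okta context
        else:
            verdict = "uncorroborated"   # 42-char lookalike, keep at low priority
        findings.append({"offset": m.start(), "keywords": hits, "verdict": verdict})
    return findings


# Constructed samples: the strings reuse the test values listed on this page.
SAMPLES = [
    "Authorization: SSWS 00ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn",
    "session_id=00zZyYxXwWvVuUtTsSrRqQpPoOnNmMlLkKjJiIhH_-",
    "# example: Authorization: SSWS 00" + "x" * 40,
    "okta id 11ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn",
    "configure the okta api token in your SSWS authorization header",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print([f["verdict"] for f in scan(s)] or ["no match"], "<-", s[:40])
```

Findings carry only the match offset, not the token value, so the scanner's own output does not become a second copy of the secret.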