Connect Okta to Vanta so the users, groups, roles, applications, and password policies your team manages in Okta automatically power compliance tests, access reviews, and access requests.
⚠️Note: This is one of three separate Okta integrations. Each uses a different Okta app and must be set up independently:
Okta API integration (this guide): syncs directory data into Vanta.
Okta SSO: lets users log in to Vanta through Okta. See Okta: Integration Guide > Enable SSO.
Okta SCIM: provisions users and groups from Okta into Vanta. See Connecting Vanta & Okta (SCIM).
Setting up one does not configure the others. If a step here says "the Vanta API app," it is not the same as the Vanta SAML app (SSO) or your SCIM app.
What you'll do (~15 minutes)
Create an Okta API Services app and grant read-only scopes (~6 min)
Enter your Okta Domain and Client ID in Vanta (~2 min)
Paste Vanta's public key URL back into Okta and validate (~5 min)
Before you begin
Confirm all of the following before starting:
You are an Okta Super Administrator in the org you want to connect. This role is required both to create the API app and to assign the Super Administrator role to it — without the role assignment, Vanta cannot sync role data and validation will fail.
You have Vanta admin access.
You know your Okta Domain (e.g.,
company.okta.com). Vanta explicitly rejects Okta admin URLs (e.g.,company-admin.okta.com) and will return a validation error if you enter one.
💡 Tip: With multiple Vanta workspaces, you do not need to create a new Okta API app for each Workspace. A single Okta API app URL can connect to all of your Vanta Workspaces. Run the Vanta-side steps once per Workspace using the same Okta app.
Setup guide
Step 1: Create the Okta API Services app
Log in to Okta as a Super Administrator.
Go to Applications > Applications > Create App Integration.
Select API Services, click Next, name the app something that identifies it (e.g., Vanta API), and click Save.
Step 2: Configure scopes, DPoP, and the Super Administrator role
On the new app page:
Go to the Okta API Scopes tab and grant only these six read-only scopes:
okta.appGrants.readokta.apps.readokta.groups.readokta.policies.readokta.roles.readokta.users.read
⚠️ Note: Do not add scopes outside this list. Vanta validates that the granted scopes exactly match what it needs and will report unexpected scopes as an error.
On the General tab, under Client Credentials, click Edit and uncheck Require Demonstrating Proof of Possession (DPoP) header in token requests.
⚠️ Note on known Okta bug: After you save, reload the page and confirm this box is still unchecked. The setting sometimes silently reverts on first save.
Still on the General tab, assign the Super Administrator role to the app (under Admin Roles or the assignments section, depending on your Okta version).
ℹ️ Note: The Super Administrator role must be assigned to the app itself — not just to your user account. See Before you begin for details.
Still on the General tab, copy your Client ID (you’ll need it in the next step). Your Okta Domain is the URL you use to log in to Okta (e.g., company.okta.com), not the admin URL.
Step 3: Start the connection in Vanta
In Vanta, go to Integrations, find Okta in the Available tab, click View details and then click Connect.
Paste your Okta Domain (e.g., company.okta.com) and Okta Client ID into the fields, and click Next.
A modal with a public key URL will appear. Copy this URL — you will need it in Okta in the next step. Do not click Validate yet.
Step 4: Add Vanta's public key URL to Okta
Return to your Okta API app and go to the General tab > Edit.
Under Client credentials, select Public Key / Private Key.
Under Public Keys, select Use a URL to fetch keys dynamically.
Paste the URL you copied from Vanta into the field and click Save.
Step 5: Validate the connection
Return to the Vanta modal and click Validate.
On success, you'll be returned to the Integrations page with Okta shown as Connected.
Verify your connection
Changes made in Okta, including adding new users or updating groups, are not real-time and can take up to an hour to appear in Vanta. This is expected behavior.
Okta should appear under the Connected tab on your Integrations page.
Users synced from Okta will appear in the People section in Vanta.
Compliance tests powered by Okta data will populate under Tests.
Okta password policies will appear under Inventory > Password Policies.
Troubleshooting
Validation failed with a role or scope error
Likely cause: The Super Administrator role was not assigned to the API app, or one or more required scopes are missing or extra.
Fix: In Okta, open the app and assign the Super Administrator role. Confirm all six required scopes are granted under Okta API Scopes — and that no extra scopes are present. Retry Validate in Vanta.
Validation fails even after granting scopes and assigning the role
Likely cause: The DPoP setting silently re-enabled itself after save (known Okta bug), or your Okta Domain is pointing at an admin URL.
Fix: Reload the Okta app page and confirm Require Demonstrating Proof of Possession (DPoP) header in token requests is still unchecked. In Vanta, confirm the domain is your regular Okta domain (
company.okta.com), not the admin URL (company-admin.okta.com).
Users are missing from Vanta after the initial sync
Likely cause: IdP scoping may be enabled, which limits which users Vanta tracks to those assigned to the Vanta SAML app in Okta.
Fix: Go to Integrations > Okta > Configure scope and check whether Control scope with Okta is enabled. If it is, confirm the expected users or groups are assigned to the Vanta SAML app in Okta. If it is not, wait for the next hourly sync and re-check. See the Integration Guide for scoping details.
Groups are not appearing in Vanta
Likely cause: Groups do not sync automatically from the Okta API integration. You either need to import them manually via Dynamic IdP Groups, or set up the separate Okta SCIM integration and use Push Groups.
Fix: To import groups without SCIM, go to People > Groups > Add Group > Add from identity providers. To push groups automatically from Okta, set up [Okta SCIM] and use the Push Groups tab — SSO alone will not sync groups.
A user is shown as terminated in Vanta but is active in Okta
Likely cause: Vanta uses your HRIS, not Okta, as the source of truth for employment status. If the HRIS has a user marked as terminated, Vanta reflects that regardless of Okta status.
Fix: Check the user's status in your HR system. If they should be active, update them in the HRIS first — the change will propagate to Vanta on the next sync.
Additional resources
For complete configuration, data reference, scoping options, SSO and SCIM setup, and full troubleshooting, see the Okta: Integration Guide.