Working with the Okta API, an API key can be used to authenticate calls. One would assume that the API key would be specified in Postman’s “Authorization” tab, but nope.

For some inscrutable reason, when using the standard Authorization API Key method in Postman, the following cryptic error message is excreted:

{ "errorCode": "E0000005", "errorSummary": "Invalid session", "errorLink": "E0000005", "errorId": "oa...BQ", "errorCauses": []}

This error message is… not particularly helpful, and neither the Okta docs nor Googling produces any clues as to the problem cause.

As it turns out, the solution is to set Authorization to "No Auth", and add a Header named Authorization with the value of "SSWS {{apikey}}", where {{apikey}} is the value of an API Token generated using the https://yourorg.okta.com/admin/access/api/tokens page.

So, there you have it, I hope this post saves some poor soul in the future.