keys
Creates, updates, deletes, gets or lists a keys resource.
Overview
Name | keys |
Type | Resource |
Id | okta.apps.keys |
Fields
The following fields are returned by SELECT queries:
- list_application_keys
- get_application_key
Name | Datatype | Description |
---|---|---|
created | string (date-time) | Timestamp when the object was created (example: 2017-03-28T01:11:10.000Z) |
e | string | RSA key value (public exponent) for Key binding |
expiresAt | string (date-time) | Timestamp when the certificate expires |
kid | string | Unique identifier for the certificate |
kty | string | Cryptographic algorithm family for the certificate's keypair. Valid value: RSA |
lastUpdated | string (date-time) | Timestamp when the object was last updated |
n | string | RSA modulus value that is used by both the public and private keys and provides a link between them |
use | string | Acceptable use of the certificate. Valid value: sig |
x5c | array | X.509 certificate chain that contains a chain of one or more certificates |
x5t#S256 | string | X.509 certificate SHA-256 thumbprint, which is the base64url-encoded SHA-256 thumbprint (digest) of the DER encoding of an X.509 certificate |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
list_application_keys | select | subdomain | | Lists all key credentials for an app |
get_application_key | select | subdomain | | Retrieves a specific Application Key Credential by kid |
generate_application_key | insert | validityYears, subdomain | | Generates a new X.509 certificate for an app key credential. Note: To update an Application with the newly generated key credential, use the Replace an Application request with the new credentials.signing.kid value in the request body. You can provide just the Signing Credential object instead of the entire Application Credential object. |
clone_application_key | exec | targetAid, subdomain | | Clones an X.509 certificate for an Application Key Credential from a source app to a target app. For step-by-step instructions to clone a credential, see Share application key credentials for IdPs across apps. Note: Sharing certificates isn't a recommended security practice. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
subdomain | string | The domain of your organization. This can be a provided subdomain of an official okta domain (okta.com, oktapreview.com, etc) or one of your configured custom domains. (default: my-org) |
targetAid | string | Unique key of the target Application |
validityYears | integer | Expiry years of the Application Key Credential |
SELECT examples
- list_application_keys
- get_application_key
Lists all key credentials for an app
```sql
SELECT
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
FROM okta.apps.keys
WHERE subdomain = '{{ subdomain }}'; -- required
```
Retrieves a specific Application Key Credential by kid
```sql
SELECT
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
FROM okta.apps.keys
WHERE subdomain = '{{ subdomain }}'; -- required
```
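The field semantics in the table above, together with the page's note that sharing certificates isn't a recommended security practice, turned into an audit over rows shaped like the SELECT output. This is an added example, not part of the provider documentation: `audit_keys`, `make_row`, the app labels and the sample rows are constructed, and the byte strings only stand in for DER certificates. It assumes `x5c` has already been parsed into a list of base64 strings.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

def x5t_s256(x5c_entry):
    """Unpadded base64url SHA-256 of the DER certificate carried in one x5c entry."""
    der = base64.b64decode(x5c_entry)  # x5c entries are standard base64 of DER
    return base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=").decode()

def audit_keys(rows_by_app, now, warn_days=30):
    """Return (app, kid, finding) tuples; rows_by_app maps an app label to its key rows."""
    findings, seen = [], {}
    for app, rows in rows_by_app.items():
        for row in rows:
            kid = row["kid"]
            if row["kty"] != "RSA" or row["use"] != "sig":
                findings.append((app, kid, "unexpected kty/use"))
            thumb = x5t_s256(row["x5c"][0])  # leaf certificate comes first in the chain
            if thumb != row["x5t#S256"]:
                findings.append((app, kid, "thumbprint mismatch"))
            expires = datetime.strptime(row["expiresAt"], "%Y-%m-%dT%H:%M:%S.%fZ")
            expires = expires.replace(tzinfo=timezone.utc)
            if expires <= now:
                findings.append((app, kid, "expired"))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((app, kid, "expires soon"))
            if thumb in seen and seen[thumb] != app:
                findings.append((app, kid, f"certificate shared with {seen[thumb]}"))
            seen.setdefault(thumb, app)
    return findings

def make_row(kid, cert_bytes, expires, thumb=None):
    """Build a constructed row; cert_bytes is a stand-in, not a real certificate."""
    x5c = base64.b64encode(cert_bytes).decode()
    return {"kid": kid, "kty": "RSA", "use": "sig", "expiresAt": expires,
            "x5c": [x5c], "x5t#S256": thumb or x5t_s256(x5c)}

# Constructed sample data: app labels, kids and certificate bytes are made up.
SAMPLE = {
    "app-a": [make_row("kid-1", b"constructed-cert-1", "2027-03-28T01:11:10.000Z")],
    "app-b": [make_row("kid-1", b"constructed-cert-1", "2027-03-28T01:11:10.000Z"),
              make_row("kid-2", b"constructed-cert-2", "2025-01-10T00:00:00.000Z"),
              make_row("kid-3", b"constructed-cert-3", "2027-01-01T00:00:00.000Z", thumb="AAAA")],
}
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for finding in audit_keys(SAMPLE, NOW):
        print(finding)
```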
INSERT examples
- generate_application_key
- Manifest
Generates a new X.509 certificate for an app key credential
> Note: To update an Application with the newly generated key credential, use the Replace an Application request with the new credentials.signing.kid value in the request body. You can provide just the Signing Credential object instead of the entire Application Credential object.
```sql
INSERT INTO okta.apps.keys (
validityYears,
subdomain
)
SELECT
'{{ validityYears }}',
'{{ subdomain }}'
RETURNING
created,
e,
expiresAt,
kid,
kty,
lastUpdated,
n,
use,
x5c,
x5t#S256
;
```
```yaml
# Description fields are for documentation purposes
- name: keys
  props:
    - name: validityYears
      value: integer
      description: Required parameter for the keys resource.
    - name: subdomain
      value: string
      description: Required parameter for the keys resource.
```
Lifecycle Methods
- clone_application_key
Clones an X.509 certificate for an Application Key Credential from a source app to a target app.
For step-by-step instructions to clone a credential, see Share application key credentials for IdPs across apps.
> Note: Sharing certificates isn't a recommended security practice.
```sql
EXEC okta.apps.keys.clone_application_key
@targetAid='{{ targetAid }}', -- required
@subdomain='{{ subdomain }}'; -- required
```