How to get your API keys
This section shows how to get the Okta FGA API keys you need to call the API.
Before you start
You must have an Okta FGA account. You can sign up for one on the Okta FGA dashboard.
Step by Step
When using the Okta FGA SDKs or calling the API you will need:
- A Store ID
- A Client ID (not needed for the Playground environment)
- A Client Secret (not needed for the Playground environment)
In order to get your Store ID and your API keys, follow the steps below:
- Management Dashboard (Production)
- Playground
Management Dashboard
01. Settings page
To obtain your API keys, select "Settings" from the Dashboard's sidebar menu.
02. Create client and obtain client secret
- If you do not have the client secret, you will be presented with the Create Client button. Click this Create Client button.
- Enter the client name in the provided text box. This client name will make it easier to identify your clients in the future.
- Select the permission set(s) required for this specific client. Click the Create button when done.
- A popup window will confirm the client has been successfully created. Make sure to copy the Store ID, Client ID, and Client Secret values. Click Continue once you have saved these values in a secure location.
You will not be able to see the client secret again after this step. It will need to be regenerated if it is ever lost or compromised in any way.
03. Setting relevant environment variables
Env var/Locality | US | Europe | Australia |
---|---|---|---|
FGA_API_URL | https://api.us1.fga.dev | https://api.eu1.fga.dev | https://api.au1.fga.dev |
FGA_API_AUDIENCE | https://api.us1.fga.dev/ | https://api.eu1.fga.dev/ | https://api.au1.fga.dev/ |
FGA_API_TOKEN_ISSUER | fga.us.auth0.com | fga.us.auth0.com | fga.us.auth0.com |
FGA_STORE_ID | see above | see above | see above |
FGA_CLIENT_ID | see above | see above | see above |
FGA_CLIENT_SECRET | see above | see above | see above |
04. Obtain bearer token
If the API is to be invoked via the API Docs viewer or directly instead of through the SDKs, you will need to obtain an access token for use in later steps:
# Not needed when calling the Playground API
curl -X POST \
https://fga.us.auth0.com/oauth/token \
-H 'content-type: application/json' \
-d '{"client_id":"'"$FGA_CLIENT_ID"'","client_secret":"'"$FGA_CLIENT_SECRET"'","audience":"'"$FGA_API_AUDIENCE"'","grant_type":"client_credentials"}'
# The response will be returned in the form
# {
# "access_token": "eyJ...Ggg",
# "expires_in": 86400,
# "scope": "read:tuples write:tuples check:tuples ... write:authorization-models",
# "token_type": "Bearer"
# }
# Store this `access_token` value in environment variable `FGA_BEARER_TOKEN`
FGA_SERVER_URL='https://api.us1.fga.dev/' # 'https://api.eu1.fga.dev/' for EU and 'https://api.au1.fga.dev/' for AU
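A hardened variant of the token request in step 04, as an added example that is not part of the Okta FGA documentation: it checks the step 03 variables before use and sends the request body to curl on stdin, so the client secret does not appear in curl's command line, where other local processes can read it. The `fga_*` function names are hypothetical, and the example assumes the credential values contain no characters that need JSON escaping (it rejects them otherwise).

```shell
#!/bin/sh
# Added example. The fga_* function names are hypothetical helpers.

# Fail early when a variable from the step 03 table is missing or inconsistent.
fga_check_env() {
    for name in FGA_API_URL FGA_API_AUDIENCE FGA_API_TOKEN_ISSUER \
                FGA_STORE_ID FGA_CLIENT_ID FGA_CLIENT_SECRET; do
        eval "value=\${$name:-}"   # safe: names are the fixed literals above
        case "$value" in
            '') echo "missing $name" >&2; return 1 ;;
            *'"'*|*\\*) echo "$name needs JSON escaping" >&2; return 1 ;;
        esac
    done
    # In the table, the audience is the regional API URL plus a trailing slash.
    if [ "$FGA_API_AUDIENCE" != "${FGA_API_URL%/}/" ]; then
        echo "FGA_API_AUDIENCE and FGA_API_URL point at different regions" >&2
        return 1
    fi
}

# Build the client_credentials request body used in step 04.
fga_token_body() {
    printf '{"client_id":"%s","client_secret":"%s","audience":"%s","grant_type":"client_credentials"}' \
        "$FGA_CLIENT_ID" "$FGA_CLIENT_SECRET" "$FGA_API_AUDIENCE"
}

# Pull access_token out of the JSON response read on stdin.
fga_extract_token() {
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Request a token. The body reaches curl on stdin (--data-binary @-), so the
# secret is never part of curl's argument list.
fga_bearer_token() {
    fga_check_env || return 1
    response=$(fga_token_body | curl -sS --fail -X POST \
        "https://$FGA_API_TOKEN_ISSUER/oauth/token" \
        -H 'content-type: application/json' --data-binary @-) || return 1
    printf '%s\n' "$response" | fga_extract_token
}

# Usage: FGA_BEARER_TOKEN=$(fga_bearer_token) && export FGA_BEARER_TOKEN
```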
Playground
01. Obtain store ID
The store ID uniquely identifies the store. To obtain the store ID:
- Click on the three dots button on the top-right of the screen
- Select Copy Store ID on the top-right of the screen
- The store ID is in the clipboard. Store this value in the `FGA_STORE_ID` environment variable.
02. Setting relevant environment variables
Env var/Locality | Playground |
---|---|
FGA_API_URL | https://api.playground.fga.dev |
FGA_API_AUDIENCE | N/A |
FGA_API_TOKEN_ISSUER | N/A |
FGA_STORE_ID | see above |
FGA_CLIENT_ID | N/A |
FGA_CLIENT_SECRET | N/A |