Prerequisites

1. Apify Account

Create a free account at apify.com. The free tier includes enough compute for regular backups.

2. Okta API Access

You need one of the following:

Option A: OAuth 2.0 (Recommended)

  1. In Okta Admin → Applications → Create App Integration
  2. Select "API Services"
  3. Configure it with a public/private key pair
  4. Grant required scopes (see below)

Option B: API Token

  1. In Okta Admin → Security → API → Tokens
  2. Create a new token
  3. Assign appropriate admin role

Required OAuth Scopes

For full backup coverage, grant these scopes:

okta.users.read
okta.groups.read
okta.apps.read
okta.policies.read
okta.authorizationServers.read
okta.roles.read
okta.schemas.read
okta.brands.read
okta.domains.read
okta.trustedOrigins.read
okta.networkZones.read
okta.idps.read
okta.eventHooks.read
okta.inlineHooks.read
okta.profileMappings.read
okta.logs.read

For restore operations, add the corresponding .manage scopes.

3. Workflows Access (Optional)

To back up Okta Workflows, you need:

  • Username and password for an Okta admin with Workflows access
  • Note: There is no official Workflows API; we use session-based auth

Quick Start

Step 1: Open the Actor

Go to Backup Okta on Apify and click "Try for free".

Step 2: Configure Input

Fill in the required fields:

{
  "operation": "backup",
  "oktaDomain": "your-org.okta.com",
  "oktaApiToken": "your-api-token"
}

Or with OAuth:

{
  "operation": "backup",
  "oktaDomain": "your-org.okta.com",
  "oktaClientId": "your-client-id",
  "oktaPrivateKey": "-----BEGIN RSA PRIVATE KEY-----\n..."
}

Step 3: Run

Click "Start" and wait for the backup to complete. Duration depends on org size (1-60 minutes).

Step 4: View Results

After completion, find your backup files in the run's Key-Value Store:

  • OKTA_SNAPSHOT.json - Full backup
  • OKTA_DIFF_EVENTS.json - Changes since last backup
  • OKTA_WORKFLOWS.zip - Workflows backup (if enabled)
  • LAST_REPORT.json - Summary report

Operations

Backup

{
  "operation": "backup",
  "oktaDomain": "your-org.okta.com",
  "oktaApiToken": "your-token",
  "includeWorkflows": true,
  "incrementalMode": true
}

Restore (Dry Run)

{
  "operation": "restore",
  "oktaDomain": "your-org.okta.com",
  "oktaApiToken": "your-token",
  "dryRun": true
}

This generates a restore plan without making changes.

Restore (Execute)

Warning: This makes real changes to your Okta org. Always run dry-run first and test in a sandbox.

{
  "operation": "restore",
  "oktaDomain": "your-org.okta.com",
  "oktaApiToken": "your-token",
  "dryRun": false,
  "confirmRestore": "RESTORE",
  "allowDeletes": false
}
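
A local pre-flight check for the input JSON before it is pasted into a run, covering the rules this guide states (bare oktaDomain, one credential set, the confirmRestore value shown above, read-only scopes for backup). This is an added example, not part of the actor or its documentation; the function name lint_input and the sample values are assumptions made for illustration, and the actor's own validation may differ.

```python
import json

# Read scopes this guide lists for full backup coverage.
READ_SCOPES = {"okta." + r + ".read" for r in (
    "users groups apps policies authorizationServers roles schemas brands "
    "domains trustedOrigins networkZones idps eventHooks inlineHooks "
    "profileMappings logs").split()}

def lint_input(cfg, granted_scopes=None):
    """Return findings for an actor input dict; an empty list means none found."""
    findings = []
    op = cfg.get("operation")
    if op not in ("backup", "restore"):
        findings.append(f"unknown operation {op!r}")
    domain = cfg.get("oktaDomain", "")
    if not domain or "/" in domain:
        findings.append("oktaDomain must be a bare hostname (no https://)")
    has_token = bool(cfg.get("oktaApiToken"))
    has_oauth = bool(cfg.get("oktaClientId")) and bool(cfg.get("oktaPrivateKey"))
    if not (has_token or has_oauth):
        findings.append("no credentials: set oktaApiToken or oktaClientId + oktaPrivateKey")
    # The guide does not state the dryRun default, so only an explicit false counts as live.
    live_restore = op == "restore" and cfg.get("dryRun") is False
    if live_restore and cfg.get("confirmRestore") != "RESTORE":
        findings.append('live restore without confirmRestore "RESTORE"')
    if live_restore and cfg.get("allowDeletes"):
        findings.append("live restore with allowDeletes=true: review the dry-run plan first")
    if granted_scopes is not None and op == "backup":
        granted = set(granted_scopes)
        missing = sorted(READ_SCOPES - granted)
        excess = sorted(s for s in granted if s.endswith(".manage"))
        if missing:
            findings.append("missing read scopes: " + ", ".join(missing))
        if excess:
            findings.append("backup-only client holds .manage scopes: " + ", ".join(excess))
    return findings

# Constructed sample inputs (placeholder values, not real credentials).
SAMPLE_BACKUP = json.loads('{"operation": "backup", "oktaDomain": "https://your-org.okta.com", '
                           '"oktaClientId": "your-client-id", "oktaPrivateKey": "placeholder-pem"}')
SAMPLE_RESTORE = {"operation": "restore", "oktaDomain": "your-org.okta.com",
                  "oktaApiToken": "your-token", "dryRun": False, "allowDeletes": True}

if __name__ == "__main__":
    for name, cfg, scopes in (("backup", SAMPLE_BACKUP, ["okta.users.read", "okta.users.manage"]),
                              ("restore", SAMPLE_RESTORE, None)):
        for finding in lint_input(cfg, scopes):
            print(f"[{name}] {finding}")
```

The granted_scopes argument is the scope list you assigned to the OAuth service app; pass None when using an API token.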

Common Configurations

Daily Backup Schedule

In Apify, set up a schedule to run the actor daily:

  1. Go to your actor run
  2. Click "Schedule"
  3. Set cron expression: 0 2 * * * (2 AM daily)
  4. Save the input configuration

Backup Specific Resources Only

{
  "operation": "backup",
  "resources": ["groups", "apps", "policies"]
}

Exclude Large/Slow Resources

{
  "operation": "backup",
  "excludeResources": ["logs", "userAppAssignments"]
}

Incremental Backup

{
  "operation": "backup",
  "incrementalMode": true,
  "incrementalLookbackHours": 24
}

Troubleshooting

401 Unauthorized

  • Check that your API token hasn't expired
  • Verify the token has the required admin roles
  • Ensure the oktaDomain is correct (no https://)

403 Forbidden

  • The token/OAuth app lacks required scopes
  • Some resources require Super Admin role
  • Check Okta's System Log for details

Rate Limiting

  • The actor handles rate limits automatically with exponential backoff
  • Large orgs may take longer due to rate limit pauses
  • Consider running during off-peak hours

Workflow Backup Fails

  • Workflows require username/password auth (not API token)
  • Verify the user has Workflows access
  • MFA on the account may cause issues

Restore Skips Resources

  • Some resources are read-only (schemas, features)
  • Directory-sourced users (AD/LDAP) cannot be modified via API
  • Check OKTA_RESTORE_RESULTS.json for details

Best Practices

Testing

  1. Create an Okta sandbox/preview org
  2. Run backups against both production and sandbox
  3. Practice restores in sandbox first

Monitoring

  • Enable Apify email notifications for failed runs
  • Check LAST_REPORT.json for backup summaries
  • Monitor OKTA_DIFF_EVENTS.json for unexpected changes (drift detection)

Retention

  • Configure Apify data retention based on compliance needs
  • Consider exporting critical backups to your own storage
  • The actor maintains timestamped backups in AVAILABLE_BACKUPS.json

Full Documentation

For complete documentation including all 70+ supported resources, input parameters, and advanced configuration, see the full documentation on the Apify actor page.