Skip to main content

Get credentials

1

Create an OIDC app

In the Okta Admin Console, go to Applications > Create App Integration and choose OIDC - OpenID Connect with application type Web Application.Set the Sign-in redirect URI to:
https://your-app.com/api/kavach/auth/oauth/callback/okta
2

Copy your credentials

From the app settings, copy the Client ID and Client Secret. Your domain is shown at the top of the console: your-org.okta.com.

Configuration

lib/kavach.ts
import { createKavach } from 'kavachos';
import { oauth, oktaProvider } from 'kavachos/auth';

const kavach = await createKavach({
  database: { provider: 'postgres', url: process.env.DATABASE_URL! },
  secret: process.env.KAVACH_SECRET!,
  baseUrl: 'https://your-app.com',
  plugins: [
    oauth({
      providers: [
        oktaProvider(
          process.env.OKTA_DOMAIN!,        // your-org.okta.com
          process.env.OKTA_CLIENT_ID!,
          process.env.OKTA_CLIENT_SECRET!,
        ),
      ],
    }),
  ],
});

OKTA_DOMAIN=your-org.okta.com
OKTA_CLIENT_ID=...
OKTA_CLIENT_SECRET=...

Scopes

Default scopes: openid, profile, email
ScopeWhat it unlocks
openidOIDC authentication, issues ID token
profileName, locale, and profile metadata
emailEmail address and verification status
groupsGroup membership (requires group claim in Okta)
offline_accessRefresh token support
For Okta Identity Engine orgs, the domain may be a custom domain. Use the exact domain shown in your Okta Admin Console rather than the default okta.com subdomain.

Endpoints

MethodPathDescription
GET/auth/oauth/authorize/oktaRedirect to Okta
GET/auth/oauth/callback/oktaHandle callback
Last modified on April 17, 2026