Generate an Okta API token from your administrator account or create an OAuth 2.0 service app with the okta.logs.read scope; service apps are preferred for production integrations
Query the System Log with GET /api/v1/logs; use the since and until query parameters (ISO 8601 timestamps) to bound the time range, and the filter parameter with an expression like eventType eq 'user.session.start' to narrow results
The response is a JSON array of log event objects; implement polling by storing the self link from the Link response header and using it as the starting point for the next poll
Parse each event's eventType, outcome.result (SUCCESS or FAILURE), actor, target, and client fields for security-relevant attributes; map eventTypes of interest (policy violations, MFA challenges, suspicious activity) to alert conditions
For near-real-time delivery, use Okta's Event Hooks feature to register a webhook endpoint that Okta will POST to for specific eventType patterns without requiring you to poll
Index log events into your SIEM by forwarding them from your collector; preserve the uuid field as the deduplication key to avoid processing the same event twice
Known gotchas
The System Log API has a rate limit that varies by Okta edition; aggressive polling intervals can exhaust the rate limit and return 429 errors — use the Link header cursor-based approach and a polling interval of at least one minute
Log data is retained for a limited time depending on your Okta plan; export to long-term storage before the retention window expires if compliance requires it
Event Hook delivery is at-least-once; your endpoint must be idempotent and deduplicate events using the uuid field
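Added example for the collection steps above and the two cursor/dedup gotchas (not code from the page or from Okta): the core of a Python collector that extracts the polling cursor from the Link header, deduplicates by uuid so both overlapping polls and at-least-once Event Hook redeliveries are handled, and maps events to alert records. The tenant URL, cursor value, watchlist of eventTypes and sample events are constructed for the example; the cursor helper prefers a rel="next" link when the header carries one and otherwise falls back to rel="self".

```python
import re
# One entry of an RFC 8288 Link header: <url>; rel="name"
LINK_ENTRY = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')
# Starter watchlist of eventTypes to alert on regardless of outcome (assumed, not an Okta list).
WATCHLIST = {"user.account.lock", "security.threat.detected", "system.api_token.create"}
BAD_RESULTS = {"FAILURE", "DENY"}  # outcome.result values that mean the action was refused

# Constructed Link header as returned on a polling request (hypothetical tenant and cursor).
SAMPLE_LINK_HEADER = (
    '<https://example.okta.com/api/v1/logs?since=2024-05-01T00:00:00Z&limit=100>; rel="self", '
    '<https://example.okta.com/api/v1/logs?since=2024-05-01T00:00:00Z&limit=100&after=CURSOR1>; rel="next"'
)
# Constructed events trimmed to the fields read below; e2 is listed twice to simulate an
# overlapping poll window or an at-least-once Event Hook redelivery.
SAMPLE_EVENTS = [
    {"uuid": "e1", "eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5"}},
    {"uuid": "e2", "eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "e2", "eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7"}},
    {"uuid": "e3", "eventType": "system.api_token.create", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "admin@example.com"}, "client": {"ipAddress": "203.0.113.9"}},
]

def parse_link_header(header):
    """Return {rel: url} for every entry in a Link header."""
    return {rel: url for url, rel in LINK_ENTRY.findall(header)}

def next_poll_url(header):
    """URL for the next poll: prefer rel="next", fall back to rel="self"."""
    links = parse_link_header(header)
    return links.get("next") or links.get("self")

def triage(events, seen):
    """Skip events whose uuid is already in `seen` (mutated); return alert records for the rest."""
    alerts = []
    for ev in events:
        uid = ev["uuid"]
        if uid in seen:
            continue  # duplicate: overlapping poll window or redelivered hook payload
        seen.add(uid)
        event_type = ev.get("eventType", "")
        result = ev.get("outcome", {}).get("result")
        if event_type in WATCHLIST or result in BAD_RESULTS:
            alerts.append({"uuid": uid, "eventType": event_type, "result": result,
                           "actor": ev.get("actor", {}).get("alternateId"),
                           "ip": ev.get("client", {}).get("ipAddress")})
    return alerts
```

Persist `seen` (or an equivalent uuid index in the SIEM) across collector restarts, otherwise the first poll after a restart will re-emit events that overlap the stored cursor.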