Create an Okta application with the grant type urn:openid:params:grant-type:ciba enabled; configure a client_notification_endpoint for ping mode, or use poll mode
Configure the Custom Authenticator that the CIBA push notification will target; in Okta, this uses the Okta Devices SDK to deliver out-of-band push to the user's enrolled device
From the consumption device (e.g. the call center agent's app), POST to the Okta backchannel authentication endpoint with login_hint (the user identifier), scope, and binding_message (a short code displayed to both the agent and the user so they can confirm they are looking at the same request)
The AS returns auth_req_id, expires_in, and interval; use these to poll the token endpoint with grant_type urn:openid:params:grant-type:ciba and the auth_req_id
When the user approves on their device, the token endpoint returns id_token, access_token, and optionally refresh_token; when pending, it returns authorization_pending and you should continue polling
For Rich Authorization Requests (RAR) integration, include authorization_details in the CIBA request to send transaction details to the user's device for review before approval
Known gotchas
Okta's CIBA implementation requires the user to be enrolled in a compatible push authenticator before CIBA can be used for them; if that enrollment is absent, the request fails with unknown_user_id or with no delivery mechanism for the push
The binding_message must be short (Okta recommends under 20 characters) and must be displayed in the native push notification — do not embed sensitive data in it
Poll interval must be respected; polling more frequently than the returned interval value results in slow_down errors and a forced interval increase
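The request/poll sequence above, together with the binding_message length and slow_down gotchas, as an added example that is not Okta's code or documentation. The endpoint paths, client_secret_post authentication and the injected post callable (url, form fields -> decoded JSON) are assumptions; wire post to your HTTP client and confirm the paths against the authorization server's discovery document.

```python
import json
import secrets
import time
from typing import Any, Dict, Optional

CIBA_GRANT = "urn:openid:params:grant-type:ciba"
# Assumed Okta paths (not stated on the page): confirm both against your
# authorization server's /.well-known/openid-configuration before use.
BC_AUTHORIZE = "/oauth2/{as_id}/v1/bc/authorize"
TOKEN = "/oauth2/{as_id}/v1/token"


def new_binding_message() -> str:
    """Short, random, non-sensitive code shown to both agent and user."""
    return secrets.token_hex(3).upper()          # 6 hex chars, e.g. "4F09C2"


def start_ciba(post, base: str, as_id: str, client_id: str,
               client_secret: str, login_hint: str, scope: str,
               binding_message: str,
               authorization_details: Optional[list] = None) -> Dict[str, Any]:
    """Backchannel authentication request; returns auth_req_id/expires_in/interval."""
    if len(binding_message) >= 20:
        raise ValueError("binding_message must be under 20 characters")
    form = {"client_id": client_id, "client_secret": client_secret,
            "scope": scope, "login_hint": login_hint,
            "binding_message": binding_message}
    if authorization_details is not None:        # RAR: reviewed on the device
        form["authorization_details"] = json.dumps(authorization_details)
    return post(base + BC_AUTHORIZE.format(as_id=as_id), form)


def poll_token(post, base: str, as_id: str, client_id: str,
               client_secret: str, auth_req_id: str, interval: int,
               expires_in: int, sleep=time.sleep) -> Dict[str, Any]:
    """Poll the token endpoint, honouring interval, slow_down and expiry."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": CIBA_GRANT, "auth_req_id": auth_req_id}
    waited = 0
    while waited < expires_in:
        sleep(interval)                          # never poll faster than allowed
        waited += interval
        resp = post(base + TOKEN.format(as_id=as_id), form)
        err = resp.get("error")
        if err is None:
            return resp                          # id_token, access_token, maybe refresh_token
        if err == "slow_down":
            interval += 5                        # CIBA spec: back off by at least 5 seconds
        elif err != "authorization_pending":
            raise RuntimeError(f"CIBA request ended: {err}")  # access_denied, expired_token
    raise TimeoutError("auth_req_id expired before the user answered the push")
```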