POST /api/v1/users/{userId}/credentials/change_recovery_question

Updates a User's Recovery Question and answer credential by validating the User's current Password. You can only perform this operation on Users in STAGED, ACTIVE, or RECOVERY status that have a valid Password credential.

Path parameters

Name Type Required Description
userId String Yes

ID of an existing Okta user

Request headers

Name Type Required Description
Content-Type String Yes The media type of the request body.

Default value: "application/json"

Request body fields

Name Type Required Description
provider Object No

Specifies the authentication provider that validates the User's password credential. The User's current provider is managed by the Delegated Authentication settings for your organization. The provider object is read-only.

provider.name String No

The name of the authentication provider

provider.type String No

The type of authentication provider

Possible values:

  • "ACTIVE_DIRECTORY"
  • "OKTA"
  • "LDAP"
  • "FEDERATION"
  • "IMPORT"
  • "SOCIAL"

recovery_question Object No

Specifies a secret question and answer that's validated (case insensitive) when a User forgets their password or unlocks their account. The answer property is write-only.

recovery_question.answer String No

The answer to the recovery question

recovery_question.question String No

The recovery question

password Object No

Specifies a password for a user.

When a User has a valid password, imported hashed password, or password hook, and a response object contains a password credential, then the password object is a bare object without the value property defined (for example, password: {}). This indicates that a password value exists. You can modify password policy requirements in the Admin Console by editing the Password authenticator: Security > Authenticators > Password (or for Okta Classic orgs, use Security > Authentication > Password).

For information on defaults and configuring your password policies, see Configure the password authenticator in the help documentation.

password.hash Object No

Specifies a hashed password to import into Okta. This allows an existing password to be imported into Okta directly from some other store. Okta supports the BCRYPT, SHA-512, SHA-256, SHA-1, MD5, and PBKDF2 hash functions for password import. A hashed password may be specified in a Password object when creating or updating a user, but not for other operations. See Create User with Imported Hashed Password for information on using this object when creating a user. When updating a User with a hashed password, the User must be in the STAGED status.

password.hash.digestAlgorithm String No

Algorithm used to generate the key. Only required for the PBKDF2 algorithm.

Possible values:

  • "SHA512_HMAC"
  • "SHA256_HMAC"

password.hash.keySize Integer No

Size of the derived key in bytes. Only required for the PBKDF2 algorithm.

password.hash.algorithm String No

The algorithm used to generate the hash using the password (and salt, when applicable).

Possible values:

  • "BCRYPT"
  • "PBKDF2"
  • "MD5"
  • "SHA-256"
  • "SHA-512"
  • "SHA-1"

password.hash.iterationCount Integer No

The number of iterations used when hashing passwords using PBKDF2. Must be >= 4096. Only required for the PBKDF2 algorithm.

password.hash.value String No

For SHA-512, SHA-256, SHA-1, MD5, and PBKDF2, this is the Base64-encoded hash of the password (and salt, if used): the digest computed over the password with the salt either prefixed or postfixed, depending on the saltOrder. If the source system didn't use a salt, this is just the Base64-encoded value of the password's SHA-512/SHA-256/SHA-1/MD5/PBKDF2 digest. For BCRYPT, this is the Radix-64 encoded hashed password.

password.hash.saltOrder String No

Specifies whether salt was pre- or postfixed to the password before hashing. Only required for salted algorithms.

password.hash.workFactor Integer No

Governs the strength of the hash and the time required to compute it. Only required for the BCRYPT algorithm.

password.hash.salt String No

Only required for salted hashes. For BCRYPT, this specifies the Radix-64 encoded salt used to generate the hash, which must be 22 characters long. For other salted hashes, this specifies the Base64-encoded salt used to generate the hash.

password.hook Object No

Specify a password import inline hook to trigger verification of the User's password the first time the User signs in. This allows an existing password to be imported into Okta directly from some other store.

password.hook.type String No

The type of password inline hook. Currently, this must be set to "default".

password.value String No

Specifies the password for a user. The Password Policy validates this password.
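
The password.hash rules above, as an added example that is not part of the Okta reference: one function builds the hash object for a salted SHA/MD5 digest so the effect of saltOrder on value is visible, and a second checks an object against the per-algorithm requirements stated in the field descriptions before it is sent. The function names and sample inputs are constructed for illustration; UTF-8 password encoding is an assumption about the source system, and the saltOrder values PREFIX and POSTFIX are Okta's enum values, which this page does not list.

```python
import base64
import hashlib

# password.hash.algorithm digest names from the page, mapped to hashlib names.
DIGESTS = {"SHA-512": "sha512", "SHA-256": "sha256", "SHA-1": "sha1", "MD5": "md5"}


def build_salted_hash(password, salt, algorithm, salt_order):
    """Hypothetical helper: build password.hash from a password and raw salt bytes."""
    pw = password.encode("utf-8")  # assumption: source system hashed UTF-8 bytes
    if salt_order == "PREFIX":
        material = salt + pw
    elif salt_order == "POSTFIX":
        material = pw + salt
    else:
        raise ValueError("saltOrder must be PREFIX or POSTFIX")
    digest = hashlib.new(DIGESTS[algorithm], material).digest()
    return {
        "algorithm": algorithm,
        "salt": base64.b64encode(salt).decode("ascii"),
        "saltOrder": salt_order,
        "value": base64.b64encode(digest).decode("ascii"),
    }


def validate_hash(h):
    """Hypothetical helper: list violations of the field rules stated above."""
    errors = []
    algo = h.get("algorithm")
    if algo == "PBKDF2":
        for field in ("digestAlgorithm", "keySize", "iterationCount"):
            if field not in h:
                errors.append(f"{field} is required for PBKDF2")
        if h.get("digestAlgorithm") not in (None, "SHA512_HMAC", "SHA256_HMAC"):
            errors.append("digestAlgorithm must be SHA512_HMAC or SHA256_HMAC")
        if h.get("iterationCount", 4096) < 4096:
            errors.append("iterationCount must be >= 4096")
    elif algo == "BCRYPT":
        if "workFactor" not in h:
            errors.append("workFactor is required for BCRYPT")
        if len(h.get("salt", "")) != 22:
            errors.append("BCRYPT salt must be 22 Radix-64 characters")
    elif algo in DIGESTS:
        if "salt" in h and "saltOrder" not in h:
            errors.append("saltOrder is required when a salt is given")
    else:
        errors.append(f"unsupported algorithm: {algo!r}")
    return errors
```
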

How to start integrating

  1. Add an HTTP Task to your workflow definition.
  2. Search for the API you want to integrate with and click on the name.
    • This loads the API reference documentation and prepares the HTTP request settings.
  3. Click Test request to test run your request to the API and see the API's response.