TracecatHQ · jordan-umusu · Feb 4, 2026
diff --git a/frontend/src/client/schemas.gen.ts b/frontend/src/client/schemas.gen.ts
@@ -6510,10 +6510,17 @@ export const $CustomOAuthProviderCreate = {
       $ref: "#/components/schemas/OAuthGrantType",
     },
     authorization_endpoint: {
-      type: "string",
-      minLength: 8,
+      anyOf: [
+        {
+          type: "string",
+        },
+        {
+          type: "null",
+        },
+      ],
       title: "Authorization Endpoint",
-      description: "OAuth authorization endpoint URL",
+      description:
+        "OAuth authorization endpoint URL. Required for authorization_code grant type.",
     },
     token_endpoint: {
       type: "string",
@@ -6574,13 +6581,7 @@ export const $CustomOAuthProviderCreate = {
     },
   },
   type: "object",
-  required: [
-    "name",
-    "grant_type",
-    "authorization_endpoint",
-    "token_endpoint",
-    "client_id",
-  ],
+  required: ["name", "grant_type", "token_endpoint", "client_id"],
   title: "CustomOAuthProviderCreate",
   description: "Request payload for creating a custom OAuth provider.",
 } as const
@@ -9873,7 +9874,7 @@ export const $OAuth2AuthorizeResponse = {
 
 export const $OAuthGrantType = {
   type: "string",
-  enum: ["authorization_code", "client_credentials"],
+  enum: ["authorization_code", "client_credentials", "jwt_bearer"],
   title: "OAuthGrantType",
   description: "Grant type for OAuth 2.0.",
 } as const

diff --git a/frontend/src/client/services.custom.ts b/frontend/src/client/services.custom.ts
@@ -11,7 +11,7 @@ export type CustomOAuthProviderCreateRequest = {
   name: string
   description?: string | null
   grant_type: OAuthGrantType
-  authorization_endpoint: string
+  authorization_endpoint?: string | null
   token_endpoint: string
   scopes?: string[] | null
   provider_id?: string | null

diff --git a/frontend/src/client/types.gen.ts b/frontend/src/client/types.gen.ts
@@ -1941,9 +1941,9 @@ export type CustomOAuthProviderCreate = {
   description?: string | null
   grant_type: OAuthGrantType
   /**
-   * OAuth authorization endpoint URL
+   * OAuth authorization endpoint URL. Required for authorization_code grant type.
    */
-  authorization_endpoint: string
+  authorization_endpoint?: string | null
   /**
    * OAuth token endpoint URL
    */
@@ -3177,7 +3177,10 @@ export type OAuth2AuthorizeResponse = {
 /**
  * Grant type for OAuth 2.0.
  */
-export type OAuthGrantType = "authorization_code" | "client_credentials"
+export type OAuthGrantType =
+  | "authorization_code"
+  | "client_credentials"
+  | "jwt_bearer"
 
 /**
  * Settings for OAuth authentication.

diff --git a/frontend/src/components/integrations/create-custom-provider-dialog.tsx b/frontend/src/components/integrations/create-custom-provider-dialog.tsx
@@ -50,7 +50,11 @@ const formSchema = z.object({
     .max(512, { message: "Description must be 512 characters or fewer" })
     .optional()
     .or(z.literal("")),
-  grant_type: z.enum(["authorization_code", "client_credentials"]),
+  grant_type: z.enum([
+    "authorization_code",
+    "client_credentials",
+    "jwt_bearer",
+  ]),
   client_id: z
     .string()
     .trim()
@@ -68,7 +72,9 @@ const formSchema = z.object({
     .url({ message: "Enter a valid HTTPS URL" })
     .refine((value) => value.toLowerCase().startsWith("https://"), {
       message: "Authorization endpoint must use HTTPS",
-    }),
+    })
+    .optional()
+    .or(z.literal("")),
   token_endpoint: z
     .string()
     .trim()
@@ -103,6 +109,11 @@ const GRANT_OPTIONS = [
     title: "Client credentials",
     description: "Server-to-server access with tokens.",
   },
+  {
+    value: "jwt_bearer" as const,
+    title: "Private key JWT",
+    description: "Service app with private key authentication.",
+  },
 ]
 
 export function CreateCustomProviderDialog({
@@ -152,7 +163,8 @@ export function CreateCustomProviderDialog({
       grant_type: values.grant_type,
       client_id: values.client_id,
       client_secret: values.client_secret?.trim() || undefined,
-      authorization_endpoint: values.authorization_endpoint,
+      authorization_endpoint:
+        values.authorization_endpoint?.trim() || undefined,
       token_endpoint: values.token_endpoint,
       scopes: values.scopes ?? [],
     })
@@ -284,7 +296,9 @@ export function CreateCustomProviderDialog({
                 render={({ field }) => (
                   <FormItem>
                     <FormLabel>
-                      Client secret{" "}
+                      {grantType === "jwt_bearer"
+                        ? "Private key (PEM)"
+                        : "Client secret"}{" "}
                       {grantType === "authorization_code" && (
                         <span className="text-xs text-muted-foreground">
                           (optional)
@@ -293,7 +307,11 @@ export function CreateCustomProviderDialog({
                     </FormLabel>
                     <FormControl>
                       <Input
-                        placeholder="Client secret"
+                        placeholder={
+                          grantType === "jwt_bearer"
+                            ? "-----BEGIN RSA PRIVATE KEY-----"
+                            : "Client secret"
+                        }
                         type="password"
                         autoComplete="new-password"
                         {...field}
@@ -304,22 +322,24 @@ export function CreateCustomProviderDialog({
                 )}
               />
             </div>
-            <FormField
-              control={form.control}
-              name="authorization_endpoint"
-              render={({ field }) => (
-                <FormItem>
-                  <FormLabel>Authorization endpoint</FormLabel>
-                  <FormControl>
-                    <Input
-                      placeholder="https://example.com/oauth2/authorize"
-                      {...field}
-                    />
-                  </FormControl>
-                  <FormMessage />
-                </FormItem>
-              )}
-            />
+            {grantType !== "jwt_bearer" && (
+              <FormField
+                control={form.control}
+                name="authorization_endpoint"
+                render={({ field }) => (
+                  <FormItem>
+                    <FormLabel>Authorization endpoint</FormLabel>
+                    <FormControl>
+                      <Input
+                        placeholder="https://example.com/oauth2/authorize"
+                        {...field}
+                      />
+                    </FormControl>
+                    <FormMessage />
+                  </FormItem>
+                )}
+              />
+            )}
             <FormField
               control={form.control}
               name="token_endpoint"

diff --git a/frontend/src/lib/hooks.tsx b/frontend/src/lib/hooks.tsx
@@ -4601,7 +4601,8 @@ export function useCreateCustomProvider(workspaceId: string) {
         ...params,
         name: params.name.trim(),
         description: params.description?.trim() || undefined,
-        authorization_endpoint: params.authorization_endpoint.trim(),
+        authorization_endpoint:
+          params.authorization_endpoint?.trim() || undefined,
         token_endpoint: params.token_endpoint.trim(),
         client_id: params.client_id.trim(),
         client_secret: params.client_secret?.trim() || undefined,

diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/activate_user.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/activate_user.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -28,7 +33,7 @@ definition:
         method: POST
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users/${{ FN.url_encode(inputs.user_id) }}/lifecycle/activate
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
           Content-Type: "application/json"
         params:

diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/add_to_group.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/add_to_group.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -27,7 +32,7 @@ definition:
         method: PUT
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/groups/${{ inputs.group_id }}/users/${{ FN.url_encode(inputs.user_id) }}
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
           Content-Type: "application/json"
   returns: ${{ steps.add_user.result.data }}
diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/assign_group_to_app.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/assign_group_to_app.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -47,7 +52,7 @@ definition:
         method: PUT
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/apps/${{ inputs.app_id }}/groups/${{ inputs.group_id }}
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
           Content-Type: "application/json"
         payload: ${{ steps.add_priority.result }}

diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/clear_user_sessions.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/clear_user_sessions.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -24,6 +29,6 @@ definition:
         method: DELETE
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users/${{ FN.url_encode(inputs.user_id) }}/sessions
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
   returns: ${{ steps.clear_sessions.result.data }}
diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/create_user.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/create_user.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -65,7 +70,7 @@ definition:
         method: POST
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
           Content-Type: "application/json"
         params:

diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/expire_password.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/expire_password.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     user_id:
       type: str
@@ -28,5 +33,5 @@ definition:
         method: POST
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users/${{ FN.url_encode(inputs.user_id) }}/lifecycle/expire_password?revokeSessions=${{ inputs.revoke_sessions }}
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
   returns: ${{ steps.expire_password.result.data }}
diff --git a/...gistry/tracecat_registry/templates/tools/okta/expire_password_with_temporary_password.yml b/...gistry/tracecat_registry/templates/tools/okta/expire_password_with_temporary_password.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     user_id:
       type: str
@@ -28,5 +33,5 @@ definition:
         method: POST
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users/${{ FN.url_encode(inputs.user_id) }}/lifecycle/expire_password_with_temp_password?revokeSessions=${{ inputs.revoke_sessions }}
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
   returns: ${{ steps.expire_password_with_temp_password.result.data }}
diff --git a/packages/tracecat-registry/tracecat_registry/templates/tools/okta/get_group_members.yml b/packages/tracecat-registry/tracecat_registry/templates/tools/okta/get_group_members.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -44,7 +49,7 @@ definition:
         method: GET
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/groups/${{ inputs.group_id }}/users
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
         params: ${{ steps.build_params.result }}
   returns: ${{ steps.get_members.result.data }}
diff --git a/.../tracecat-registry/tracecat_registry/templates/tools/okta/get_groups_assigned_to_user.yml b/.../tracecat-registry/tracecat_registry/templates/tools/okta/get_groups_assigned_to_user.yml
@@ -9,6 +9,11 @@ definition:
   secrets:
     - name: okta
       keys: ["OKTA_API_TOKEN"]
+      optional: true
+    - type: oauth
+      provider_id: okta
+      grant_type: jwt_bearer
+      optional: true
   expects:
     base_url:
       type: str | None
@@ -44,7 +49,7 @@ definition:
         method: GET
         url: ${{ inputs.base_url || VARS.okta.base_url }}/api/v1/users/${{ FN.url_encode(inputs.user_id) }}/groups
         headers:
-          Authorization: "SSWS ${{ SECRETS.okta.OKTA_API_TOKEN }}"
+          Authorization: "${{ \"Bearer \" + SECRETS.okta_oauth.OKTA_SERVICE_TOKEN || \"SSWS \" + SECRETS.okta.OKTA_API_TOKEN }}"
           Accept: "application/json"
         params: ${{ steps.build_params.result }}
   returns: ${{ steps.get_groups.result.data }}