Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free Okta Certified Developer Practice Questions

Pass your Okta Certified Developer exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
~60% Pass Rate
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

A developer uses `PUT /api/v1/apps/{appId}` to update an app and omits required properties that were present in the existing app object. What is the risk?

A
B
C
D
to track
Same family resources

Explore More Okta Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Okta Certified Administrator

Practice Questions

Okta Certified Consultant

Practice Questions

Okta Certified Professional

Practice Questions
2026 Statistics

Key Facts: Okta Certified Developer Exam

60%

Pass Rate

Okta (published)

60

Exam Questions

Okta

$300

Exam Fee

Okta

90 min

Exam Duration

Okta

2 years

Certification Validity

Okta

$140K+

Avg Identity Developer Salary

Industry data 2024

The Okta Certified Developer exam has 60 questions in 90 minutes with a 60% passing score. It covers five domains: OAuth 2.0 & OIDC (30%), SDKs & APIs (25%), Sign-In Widget (20%), Lifecycle Hooks (15%), and Authorization Server (10%). The $300 exam is proctored online via Webassessor. No prerequisite certification is required. Valid for 2 years.

Sample Okta Certified Developer Practice Questions

Try these sample questions to test your Okta Certified Developer exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1Which OAuth 2.0 grant type should a developer use when building a server-side web application that can securely store a client secret?
A.Authorization Code Flow with client secret
B.Authorization Code Flow with PKCE
C.Client Credentials Flow
D.Implicit Flow
Explanation: Server-side web applications (confidential clients) can securely store a client secret because the code runs on a server not accessible to end users. The Authorization Code Flow with client secret is the standard choice: the server exchanges the authorization code for tokens using the client ID and secret, ensuring tokens are never exposed in the browser.
2A developer is building a single-page application (SPA) that needs to authenticate users with Okta. Which OAuth 2.0 flow is most appropriate?
A.Authorization Code Flow with PKCE
B.Authorization Code Flow with client secret
C.Client Credentials Flow
D.Resource Owner Password Credentials (ROPC) Flow
Explanation: SPAs are public clients — their code runs in the browser where a client secret would be visible to any user. PKCE (Proof Key for Code Exchange) replaces the client secret with a dynamically generated code verifier/challenge pair, providing security for public clients without embedding a static secret. PKCE is the current best practice for SPAs.
3A developer needs a background service to call a protected API without user interaction. Which Okta OAuth 2.0 flow and credential type should be used?
A.Client Credentials Flow using a service application's client ID and client secret (or private key JWT)
B.Authorization Code Flow with PKCE, using the service account's credentials
C.Device Authorization Flow, where the service polls for approval
D.Implicit Flow with no user context required
Explanation: Client Credentials Flow is the correct OAuth 2.0 grant type for machine-to-machine (M2M) scenarios with no user interaction. The service authenticates directly to Okta's token endpoint using its client ID and secret (or private key JWT for higher security). The resulting access token is used to call the protected API.
4What is the primary purpose of the `id_token` returned in an OpenID Connect (OIDC) authorization flow?
A.To convey information about the authenticated user (identity claims) to the client application for display and session establishment
B.To authorize API calls on behalf of the user by being sent in HTTP Authorization headers
C.To serve as a refresh token so the application can obtain new access tokens without user re-authentication
D.To encrypt the user's password for secure transmission to the application
Explanation: The ID token is an OIDC-specific JWT that contains identity claims about the authenticated user — such as sub (unique identifier), email, name, and auth_time. It is used by the client application to know who the user is and to establish an application session. It should NOT be sent to APIs; that is the role of the access token.
5A developer is implementing token validation in their API server. What is the recommended method for validating an Okta-issued JWT access token?
A.Retrieve Okta's public JSON Web Key Set (JWKS) from the authorization server's JWKS endpoint, then use the public key to verify the JWT signature locally
B.Send the token to Okta's token introspection endpoint on every API request
C.Decode the JWT payload with base64 without signature verification to read the claims
D.Call the Okta Users API to verify the subject claim matches an active user
Explanation: The recommended approach is local JWT validation: fetch Okta's JWKS from the authorization server's /.well-known/oauth-authorization-server endpoint, cache the keys, and use the appropriate public key (matched by the token's 'kid' header claim) to verify the JWT signature, expiry, issuer, and audience. This is stateless and avoids a network round-trip per request.
6Which Okta SDK method is used in the Okta JavaScript SDK (`@okta/okta-auth-js`) to initiate an authorization code flow with PKCE and redirect the user to Okta's login page?
A.`authClient.signInWithRedirect({ scopes: ['openid', 'profile', 'email'] })`
B.`authClient.getToken({ responseType: 'code' })`
C.`authClient.login({ pkce: true })`
D.`authClient.authorize()`
Explanation: `signInWithRedirect()` in the Okta Auth JS SDK initiates the OAuth 2.0 Authorization Code flow with PKCE by default. It constructs the authorization URL with the necessary parameters (code_challenge, state, nonce) and redirects the user's browser to Okta's authorization endpoint. After authentication, Okta redirects back to the configured `redirectUri`.
7A developer wants to embed the Okta Sign-In Widget into their web application. What is the minimum configuration required to initialize the widget?
A.The Okta org domain (`issuer` or `baseUrl`) and the OIDC `clientId` of the registered application
B.The Okta API token and the admin email address
C.The SAML Entity ID and the ACS URL of the application
D.The Okta Access Gateway hostname and the application path
Explanation: The Okta Sign-In Widget requires at minimum the Okta org domain (to know where to authenticate) and the OIDC `clientId` (to identify which application the user is signing into). Additional configuration (scopes, redirectUri, customization options) is common but these two values are the required foundation.
8What is the difference between the Okta-hosted Sign-In Widget and an embedded Sign-In Widget implementation?
A.The Okta-hosted widget is served from Okta's servers (user is redirected to the Okta domain); the embedded widget runs on the application's own domain within the application's HTML page
B.The Okta-hosted widget only supports SAML; the embedded widget supports OIDC
C.The Okta-hosted widget requires the Okta Browser Plugin; the embedded widget does not
D.There is no functional difference; both require the same security configuration
Explanation: The Okta-hosted widget (recommended for most use cases) redirects users to the Okta domain to log in, then redirects back. The embedded widget is included in the application's own HTML — the login form renders within the app's domain. Embedded provides seamless UX but carries more responsibility for security configuration and custom domain requirements.
9A developer needs to protect a React application's routes so that only authenticated users can access certain pages. Using `@okta/okta-react`, which component provides this route-level protection?
A.`<SecureRoute>` — a component that checks authentication status and redirects to the Okta login page if the user is not authenticated
B.`<ProtectedRoute>` from React Router — redirects unauthenticated users to the app's own login page
C.`<AuthRequired>` — a custom higher-order component that wraps protected routes
D.`<OktaAuth>` — the provider component that wraps the entire app
Explanation: `<SecureRoute>` from `@okta/okta-react` is the Okta-specific protected route component. When a user attempts to navigate to a SecureRoute and is not authenticated, the component automatically triggers the Okta authentication flow (calling `signInWithRedirect()`). After authentication, the user is redirected back to the originally requested URL.
10A developer is building an API protected by Okta. The API needs to validate that the incoming access token has the scope `reports:read`. How should this validation be implemented in a Node.js API?
A.Use the `@okta/jwt-verifier` library to verify the JWT signature and claims, then check that the `scp` array in the token payload includes `reports:read`
B.Call the Okta Users API with the token and check the user's group memberships for a 'Reports' group
C.Decode the base64 JWT payload without signature verification and check the `scope` string
D.The API should call the Okta Groups API to verify the user is in the required group every time a request arrives
Explanation: The `@okta/jwt-verifier` library validates the JWT signature (using JWKS), checks expiry, issuer, and audience. After successful verification, the API can inspect the `scp` (scopes) array claim in the token payload to confirm the required scope is present. This is stateless and efficient.

About the Okta Certified Developer Exam

The Okta Certified Developer certification validates expertise in building applications with Okta's developer platform. It covers OAuth 2.0 grant types (Authorization Code, PKCE, Client Credentials, Device Authorization), OpenID Connect, JWT validation, Okta SDKs (Auth JS, React, Angular, Node), the Sign-In Widget, Lifecycle Inline Hooks (Token, Registration, Import), custom authorization server configuration, and the Okta Management API.

Questions

100 scored questions

Time Limit

90 minutes

Passing Score

60%

Exam Fee

$300 (Okta / Kryterion Webassessor)

Okta Certified Developer Exam Content Outline

30%

OAuth 2.0 & OIDC

Authorization Code Flow (with client secret and with PKCE), Client Credentials Grant, Device Authorization Grant, implicit flow (deprecated), OIDC token types (id_token, access_token, refresh_token), JWT validation (JWKS, signature, claims), state and nonce, redirect URI security, token introspection vs local validation, token revocation, refresh token rotation, offline_access scope, and acr_values

25%

Okta SDKs & APIs

Okta Auth JS SDK (signInWithRedirect, handleLoginCallback, getUser, isAuthenticated, tokenManager), framework SDKs (okta-react SecureRoute, Security component; okta-angular OktaAuthInterceptor, isAuthenticated$; okta-vue), oidc-middleware for Express.js, jwt-verifier for API servers, Management API (Users, Groups, Apps — CRUD, pagination, Collection), error handling (429 rate limits, 401, exponential backoff)

20%

Sign-In Widget

Widget initialization (baseUrl/issuer, clientId, redirectUri), Okta-hosted vs embedded deployment, features configuration object, i18n customization, custom domain prerequisite, authorization server selection, username pre-population, profile enrollment and progressive profiling, social IdP display, and callback handling

15%

Lifecycle Hooks

Token Inline Hook (when to use vs static claims, adding claims via commands protocol, HTTP 200 response format), Registration Inline Hook (allow/deny command, domain validation), Import Inline Hook (user-level import decisions), hook endpoint verification (challenge-response handshake), HMAC signature validation, and Event Hook vs Inline Hook distinction

10%

Authorization Server & Custom Apps

Default org authorization server vs custom authorization server, audience field and aud claim validation, custom scopes (resource:action convention), custom claims (expression vs Token Inline Hook), groups claim configuration (Groups.startsWith filter), access policies and client conditions, OIDC discovery document, and service application OAuth 2.0 scopes (okta.users.read, okta.groups.manage)

How to Pass the Okta Certified Developer Exam

What You Need to Know

  • Passing score: 60%
  • Exam length: 100 questions
  • Time limit: 90 minutes
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Okta Certified Developer Study Tips from Top Performers

1Build sample applications — the exam is scenario-based; reading documentation without coding will not prepare you adequately
2Know all OAuth 2.0 grant types cold: Authorization Code + PKCE (SPAs/mobile), Authorization Code + secret (server-side), Client Credentials (M2M), Device Authorization (CLI/IoT), and why Implicit and ROPC are deprecated
3Understand JWT structure: header (alg, kid), payload (iss, sub, aud, exp, iat, scp, groups), and signature validation using JWKS
4Practice the Inline Hook response format: HTTP 200 with a `commands` array containing command type + value objects — not flat JSON, not HTTP 4xx
5Use a free Okta Developer Edition org to configure a custom authorization server, add custom claims, and test token contents with the Okta token inspector

Frequently Asked Questions

What is the Okta Certified Developer exam format?

The exam has 60 multiple-choice questions in 90 minutes with a 60% passing score. It is proctored online via Kryterion Webassessor. Questions are code-scenario and API-scenario based — candidates are shown code snippets, API responses, or implementation scenarios and asked to identify the correct approach, debug issues, or select the right OAuth 2.0 flow.

What programming languages are tested on the Okta Certified Developer exam?

The exam is not language-specific. Questions reference Okta's JavaScript SDK concepts (signInWithRedirect, SecureRoute, handleLoginCallback) because these are the most commonly used, but the core OAuth 2.0 and OIDC concepts apply to any language. Node.js/Express and React examples appear most frequently in study materials.

Why should I use PKCE instead of a client secret for my SPA?

Single-page applications are public clients — all JavaScript code is visible in the browser. A client secret embedded in a SPA would be exposed to every user. PKCE (Proof Key for Code Exchange) replaces the static secret with a cryptographic challenge: the app generates a random code verifier, hashes it as a code challenge, and proves ownership at token exchange. An attacker who intercepts the authorization code cannot use it without the original code verifier.

What is a Token Inline Hook and when should I use it?

A Token Inline Hook fires when Okta is about to mint an OAuth 2.0 access token or ID token. Your external endpoint receives the token context and can return additional claims via Okta's command protocol. Use it when claim data must come from an external system not available in the Okta user profile (e.g., a legacy entitlement database). For profile-based claims, use static claim expressions — they are simpler and have no latency.

What career roles does the Okta Certified Developer certification target?

The Developer certification targets application developers, security engineers, and solutions architects who build identity-integrated applications. Roles include IAM Developer, Identity Platform Engineer, Software Engineer (security focus), and Developer Advocate. Developers with Okta certification can command salaries of $120,000–$160,000+ depending on experience and location.