PrepIQ Okta Certified Developer Ultimate Exam, Exams of Technology

Designed for developers integrating applications with Okta, this practice exam features questions on building and securing apps using OAuth, OIDC, SCIM, and Okta APIs. It evaluates skills in token-based authentication, session design, secure coding, application lifecycle integration, and troubleshooting application-level identity issues. Ideal for backend, frontend, and full-stack developers.

Typology: Exams

2025/2026

Available from 04/26/2026

Uploaded by shilpi-jain-3

PrepIQ Okta Certified Developer
Practice Ultimate Exam Readiness
Test
**Question 104.** Which Okta System Log event type is generated when a user
successfully completes MFA?
A) `mfa.challenge.success`
B) `user.mfa.challenge_success`
C) `user.authentication.multifactor_success`
D) `mfa.factor.verify_success`
**Answer:** A
**Explanation:** The key treats `mfa.challenge.success` as the event recording a
successful MFA verification. Note that Okta's published event type for this
outcome is `user.authentication.auth_via_mfa`; check names against the System
Log event types reference rather than memorizing the options here.
**Question 105.** In Okta, which API endpoint retrieves the list of active OAuth
clients (applications) in an org?
A) `GET /api/v1/apps`
B) `GET /api/v1/clients`
C) `GET /api/v1/oauth2/clients`
D) `GET /api/v1/authorizationServers`
**Answer:** A
**Explanation:** The Apps endpoint returns all registered applications, OIDC
clients included; add `?filter=status eq "ACTIVE"` to limit the result to
active ones.
**Question 106.** Which claim in an ID Token indicates the authentication context
class (e.g., password only vs. MFA) under which the user was authenticated?
A) `acr`
B) `amr`
C) `auth_time`
D) `azp`
**Answer:** A
**Explanation:** `acr` (Authentication Context Class Reference) names the class of
authentication that was performed, for example a value meaning "MFA was
satisfied". It is a single value; the individual methods used (`pwd`, `otp`, ...)
are listed separately in `amr`, and a client that requested a particular class
should reject a token whose `acr` does not meet it.

**Question 107.** When using the Okta Sign-In Widget, which configuration option
disables the "Remember Me" checkbox?
A) `features.rememberMe = false`
B) `features.autoLogin = false`
C) `allowRememberMe = false`
D) `rememberMe = false`
**Answer:** A
**Explanation:** Setting `features.rememberMe` to `false` removes the checkbox
from the widget UI.
**Question 108.** Which Okta SDK method retrieves the current user's profile in a
Node.js environment?
A) `client.getUser()`
B) `client.users.getCurrentUser()`
C) `client.getCurrentUser()`
D) `client.users.get()`
**Answer:** D
**Explanation:** The key's intended pattern is `client.users.get(userId)`, a
lookup by user ID. Note that the published `@okta/okta-sdk-nodejs` spells this
call `client.getUser(userId)` (v6 and earlier) and `client.userApi.getUser({ userId })`
(v7 and later), so option A is closer to the real API. The "current" user's ID
is the `sub` claim of a validated ID token; alternatively `GET /api/v1/users/me`
returns the user bound to the caller's Okta session without needing an ID.
**Question 109.** Which HTTP status code indicates that the request was
successful but there is no content to return?
A) 200
B) 204
C) 202
D) 301
**Answer:** B
**Explanation:** 204 No Content signals a successful request with an empty body;
Okta returns it from delete calls such as `DELETE /api/v1/users/{id}`.

**Question 113.** When configuring a Custom Authorization Server, what does the
`defaultResource` setting define?
A) The default audience for tokens when no `aud` claim is supplied.
B) The URL of the primary API protected by the server.
C) The default scope list applied to every client.
D) The issuer URL used in token validation.
**Answer:** A
**Explanation:** `defaultResource` sets the default audience (resource server
identifier) for tokens. In Okta's Authorization Servers API this is the
`audiences` array on the authorization server object; its value becomes the
`aud` claim of every access token the server mints, which is what a resource
server checks (Q161).
**Question 114.** Which of the following is a recommended practice for handling
Refresh Tokens in a SPA?
A) Store them in a secure HttpOnly cookie.
B) Store them in localStorage.
C) Keep them in a global JavaScript variable.
D) Never use Refresh Tokens in a SPA; instead, use short-lived Access Tokens
with silent re-authentication.
**Answer:** D
**Explanation:** The key reflects the older guidance: keep access tokens
short-lived and renew them silently (`prompt=none` in a hidden iframe against
the Okta session) rather than hold a long-lived refresh token in the browser.
Two caveats for current practice: silent renewal relies on third-party cookies,
which browsers increasingly block, and Okta now supports refresh token rotation
for SPAs, where every refresh token is single-use and reuse of a spent token
revokes the whole grant. Option B is wrong under either model, because anything
in localStorage is readable by any script that runs in the page, and option A
is not available to a pure SPA, which cannot read an HttpOnly cookie.
**Question 115.** Which Okta System Log event type indicates that a user was
deactivated?
A) `user.lifecycle.deactivate`
B) `user.account.deactivate`
C) `user.status.change`
D) `user.lifecycle.suspend`
**Answer:** A
**Explanation:** The `user.lifecycle.deactivate` event logs a user deactivation;
`user.lifecycle.suspend` is the separate, reversible suspension.

**Question 116.** Which claim in an ID Token conveys the time at which the end
user last authenticated?
A) `auth_time`
B) `iat`
C) `nbf`
D) `exp`
**Answer:** A
**Explanation:** `auth_time` records the epoch time of the most recent
authentication event, which can be much earlier than `iat` when the token was
issued from an existing Okta session. Compare it against the `max_age` you
requested, or against your own freshness rule, before allowing a sensitive
operation. (The methods that were used are in `amr`, Q136; the context class is
the single `acr` value, Q106.)
**Question 117.** In the Okta Management SDK for JavaScript, which method
deletes a group by its ID?
A) `client.deleteGroup(groupId)`
B) `client.groups.delete(groupId)`
C) `client.groups.remove(groupId)`
D) `client.groups.del(groupId)`
**Answer:** B
**Explanation:** The key follows the pattern `client.groups.delete(groupId)`.
In the published `@okta/okta-sdk-nodejs` the call is `client.deleteGroup(groupId)`
(v6 and earlier) or `client.groupApi.deleteGroup({ groupId })` (v7 and later),
so check the SDK version you are coding against rather than the option letter.
**Question 118.** Which OAuth 2.0 parameter is used to request that the
Authorization Server return an ID Token directly in the authorization response
(i.e., the Implicit flow)?
A) `response_type=id_token`
B) `response_type=code`
C) `response_type=token`
D) `response_type=code id_token`
**Answer:** A
**Explanation:** `response_type=id_token` tells the server to return an ID Token
in the fragment part of the redirect URI, with no authorization code. That is
the Implicit flow: tokens travel in the URL (browser history, referrers) and
cannot be bound to the client that started the request, so it is deprecated and
new SPAs should use `response_type=code` with PKCE instead.

**Question 122.** Which Okta API header provides a unique identifier for tracing
a request through Okta's backend?
A) `X-Okta-Request-ID`
B) `X-Trace-ID`
C) `X-Okta-Trace`
D) `X-Request-ID`
**Answer:** A
**Explanation:** `X-Okta-Request-Id` is returned on every API response. Log it
with each failed call; it is what Okta support asks for and it correlates the
request with the matching System Log entry.
**Question 123.** Which of the following is NOT a valid grant type that can be
enabled for an Okta OIDC application?
A) Authorization Code
B) Implicit
C) Client Credentials
D) Password Reset
**Answer:** D
**Explanation:** "Password Reset" is not an OAuth grant type. The other three
are all selectable on an Okta OIDC app, although Implicit should stay disabled
unless a legacy client needs it.
**Question 124.** Which claim in an ID Token is used to verify that the token
was issued for the correct client?
A) `aud`
B) `sub`
C) `exp`
D) `iss`
**Answer:** A
**Explanation:** The `aud` claim of an ID Token contains the client ID, and the
client must confirm it is present before trusting the token. (An ID Token is
addressed to the client, not to an API; a resource server performs the same
`aud` check on the Access Token, whose audience is the API, Q161.)

**Question 125.** In Okta, what does the "Just-In-Time (JIT) Provisioning"
setting on an Identity Provider control?
A) Whether users are provisioned automatically on first login.
B) Whether users are created only after admin approval.
C) Whether users are synced daily via a batch job.
D) Whether users are deactivated after 30 days of inactivity.
**Answer:** A
**Explanation:** JIT provisioning creates the Okta user record at the moment of
first successful authentication via the IdP, using the attributes the IdP
asserts; the IdP therefore has to be trusted to assert correct identifiers.
**Question 126.** Which Okta System Log event type is emitted when a user's
password is reset by an administrator?
A) `user.password.reset_success`
B) `user.account.password_reset`
C) `user.password.change_admin`
D) `user.lifecycle.password_reset`
**Answer:** A
**Explanation:** The key uses `user.password.reset_success` for a successful
admin-initiated reset. Okta's published names in this area are
`user.account.reset_password` and `user.account.update_password`; confirm against
the System Log event types reference.
**Question 127.** Which claim in an ID Token is used to convey the user's
preferred language?
A) `locale`
B) `lang`
C) `language`
D) `preferred_language`
**Answer:** A
**Explanation:** `locale` is a standard OIDC claim (released with the `profile`
scope) indicating the user's language/region preference, e.g. `en-US`.

**Question 131.** Which Okta policy can enforce that users must change their
password after a certain number of days?
A) Password Policy – Expiration
B) Sign-On Policy – Session Timeout
C) MFA Policy – Frequency
D) Account Lockout Policy
**Answer:** A
**Explanation:** The Password Policy's expiration setting forces periodic
password changes.
**Question 132.** Which claim in an Access Token is commonly used by a resource
server to identify the user who authorized the request?
A) `sub`
B) `aud`
C) `iss`
D) `exp`
**Answer:** A
**Explanation:** `sub` (subject) uniquely identifies the user in the token. For a
Client Credentials token there is no user, and Okta sets `sub` to the client ID.
**Question 133.** Which Okta SDK method creates a new group and returns its ID?
A) `client.createGroup({profile: {name: 'Team A'}})`
B) `client.groups.create({profile: {name: 'Team A'}})`
C) `client.groups.add({name: 'Team A'})`
D) `client.group.create({name: 'Team A'})`
**Answer:** B
**Explanation:** The key's pattern is `client.groups.create(payload)`. The
published `@okta/okta-sdk-nodejs` uses `client.createGroup({ profile: { name } })`
(v6 and earlier) and `client.groupApi.createGroup({ group })` (v7 and later); the
created group, including its `id`, is the resolved value of the returned promise.
**Question 134.** Which OAuth 2.0 response type combination returns both an ID
Token and an Access Token in a single authorization response, with no
authorization code?

A) `code id_token`
B) `id_token token`
C) `code token`
D) `code id_token token`
**Answer:** B
**Explanation:** `response_type=id_token token` returns both tokens directly in
the redirect fragment. Strictly this is the OIDC Implicit flow, not Hybrid: the
Hybrid flow always includes `code` (options A, C and D, see Q163) and finishes
with a back-channel token request. Either way the tokens are exposed in the URL,
which is why Authorization Code with PKCE is preferred for new clients.
**Question 135.** Which Okta System Log event type indicates that a user
successfully completed a password reset via the self-service portal?
A) `user.password.reset_success`
B) `user.account.password_reset_self`
C) `user.selfservice.password_reset`
D) `user.password.change_success`
**Answer:** A
**Explanation:** The key logs `user.password.reset_success` for successful
self-service resets, the same name it gives admin-initiated resets in Q126; in
the System Log the two cases are told apart by the `actor` (the user themselves
versus an administrator), not by the event type.
**Question 136.** Which claim in an ID Token indicates the authentication method
reference(s) used (e.g., `pwd`, `mfa`)?
A) `amr`
B) `acr`
C) `auth_method`
D) `factor`
**Answer:** A
**Explanation:** `amr` (Authentication Methods References) is an array listing
the methods employed during authentication, e.g. `["pwd", "otp", "mfa"]`.
**Question 137.** When using the Okta Sign-In Widget, which callback is invoked
after the widget has rendered but before any user interaction?

B) `POST /api/v1/users/schema`
C) `POST /api/v1/meta/schemas/user`
D) `POST /api/v1/schemas/user`
**Answer:** A
**Explanation:** The endpoint `POST /api/v1/meta/schemas/user/default` adds
custom attributes to the default user schema.
**Question 141.** Which of the following is a valid reason to use the `resource`
parameter in an OAuth token request?
A) To request a token for a specific API resource when multiple audiences are
defined.
B) To indicate the client's redirect URI.
C) To specify the grant type.
D) To set the token's expiration time.
**Answer:** A
**Explanation:** The `resource` parameter (RFC 8707) tells the Authorization
Server which audience (API) the token should be issued for, so that a token
minted for one API cannot be replayed against another.
**Question 142.** In Okta, which policy determines the maximum session lifetime
for a user's web session?
A) Session Policy
B) Sign-On Policy
**Answer:** A
**Explanation:** Session settings define the idle and absolute (maximum
lifetime) timeouts for a user's Okta session. In the admin console these live in
the rules of the Global Session Policy, which was formerly named the Okta
Sign-On Policy, so do not read option B as unrelated to session length.
**Question 143.** Which claim in an Access Token can be used by a resource
server to enforce scope-based authorization?
A) `scope`

B) `aud`
C) `sub`
D) `iss`
**Answer:** A
**Explanation:** The scope claim lists the permissions granted to the token
holder. In Okta-issued access tokens that claim is named `scp` and is a JSON
array (e.g. `"scp": ["openid", "orders:read"]`); `scope` as a space-separated
string is the RFC 9068 name. A resource server should check for the specific
scope each endpoint needs, after the signature, `iss`, `aud` and `exp` checks.
**Question 144.** Which Okta System Log event type is generated when a user's
MFA factor is enrolled?
A) `mfa.factor.enroll_success`
B) `user.mfa.enroll`
C) `mfa.enrollment.success`
D) `user.factor.enroll_success`
**Answer:** A
**Explanation:** The key records enrollment as `mfa.factor.enroll_success`.
Okta's published event for a factor becoming active is
`user.mfa.factor.activate`, with `user.mfa.factor.deactivate` for removal (Q162).
**Question 145.** Which OAuth 2.0 parameter is used to request that the
Authorization Server return a Refresh Token?
A) `access_type=offline` (Google-specific; not standard in Okta)
B) `prompt=consent`
C) `offline_access` scope
D) `response_type=code refresh_token`
**Answer:** C
**Explanation:** Including the `offline_access` scope signals that a Refresh
Token should be issued. The Refresh Token grant type must also be enabled on
the client for the request to succeed.
**Question 146.** Which Okta API endpoint retrieves the list of factors (MFA
methods) that are available for enrollment for a specific user?
A) `GET /api/v1/users/{id}/factors/catalog`
B) `GET /api/v1/users/{id}/factors`

C) `scope`
D) `iss`
**Answer:** A
**Explanation:** `aud` may contain multiple audience identifiers; the client
checks that its own client ID is present. Per OIDC Core it may reject a token
that lists audiences it does not trust, and should expect an `azp` claim when
more than one audience is present.
**Question 150.** Which Okta System Log event type indicates that a user's
session was terminated via the logout endpoint?
A) `user.session.end`
B) `session.end`
C) `user.logout`
D) `session.terminate`
**Answer:** A
**Explanation:** `user.session.end` records a session termination.
**Question 151.** Which claim in an ID Token is used to convey the user's
birthdate, if the `profile` scope is requested?
A) `birthdate`
B) `date_of_birth`
C) `dob`
D) `birth_date`
**Answer:** A
**Explanation:** `birthdate` is a standard OIDC claim included with the
`profile` scope.
**Question 152.** In Okta, which endpoint is used to retrieve the JWKS for a
specific Custom Authorization Server?
A) `GET /oauth2/{authServerId}/v1/keys`
B) `GET /oauth2/v1/keys`
C) `GET /api/v1/authorizationServers/{id}/keys`

D) `GET /oauth2/{authServerId}/.well-known/jwks.json`
**Answer:** A
**Explanation:** The endpoint `/oauth2/{authServerId}/v1/keys` returns the JWKS
for that server; it is also advertised as `jwks_uri` in that server's
`/.well-known/openid-configuration`. Cache the keys by `kid` and re-fetch when
a token arrives with an unknown `kid`, which is how key rotation is handled.
**Question 153.** Which Okta policy type can enforce a specific password length
and complexity requirements?
A) Password Policy
B) Sign-On Policy
C) MFA Policy
D) Session Policy
**Answer:** A
**Explanation:** Password Policies define length, character class, and other
complexity rules.
**Question 154.** Which claim in an Access Token can be used by a resource
server to determine the token's issuance time?
A) `iat`
B) `exp`
C) `nbf`
D) `auth_time`
**Answer:** A
**Explanation:** `iat` (issued at) records the Unix timestamp when the token
was created; `exp` is when it stops being valid, `nbf` when it starts, and
`auth_time` when the user last authenticated.
**Question 155.** Which Okta API endpoint revokes all tokens associated with a
specific user session?
A) `POST /api/v1/users/{id}/sessions/{sessionId}/revoke`
B) `POST /api/v1/sessions/{sessionId}/revoke`
C) `POST /api/v1/users/{id}/tokens/revoke`

**Answer:** A
**Explanation:** Setting `features.forgotPassword` to `true` displays the link.
**Question 159.** Which claim in an ID Token can be used to indicate the user's
gender?
A) `gender`
B) `sex`
C) `profile_gender`
D) `user_gender`
**Answer:** A
**Explanation:** `gender` is a standard OIDC claim, released with the `profile`
scope.
**Question 160.** Which Okta API endpoint is used to create a new OAuth client
(application) of type "service"?
A) `POST /api/v1/apps` with `signOnMode=SERVICE`
B) `POST /api/v1/apps` with `appType=service`
C) `POST /api/v1/clients`
D) `POST /api/v1/apps` with `applicationType=service`
**Answer:** A
**Explanation:** The key's answer creates the app with `POST /api/v1/apps` and
`signOnMode` set to `SERVICE`. In the Apps API a service app is an OIDC app:
`signOnMode` is `OPENID_CONNECT` and the body sets
`settings.oauthClient.application_type` to `service` with `grant_types` of
`["client_credentials"]`, which is what option D is reaching for. Keep the
resulting client secret (or, better, the private key registered for
`private_key_jwt`) out of source control.
**Question 161.** Which claim in an Access Token identifies the resource server
that the token is intended for?
A) `aud`
B) `azp`
C) `iss`
D) `sub`
**Answer:** A

**Explanation:** `aud` designates the audience (resource server) of the token;
its value is the `audiences` entry of the authorization server that issued it.
**Question 162.** Which Okta System Log event type indicates that a user's MFA
factor was removed?
A) `mfa.factor.delete_success`
B) `user.mfa.factor_removed`
C) `mfa.factor.unenroll_success`
D) `user.factor.delete_success`
**Answer:** C
**Explanation:** The key logs removal as `mfa.factor.unenroll_success`. Okta's
published event type for this is `user.mfa.factor.deactivate` (and
`user.mfa.factor.reset_all` when every factor is cleared). A factor removed by
anyone other than its owner is worth alerting on.
**Question 163.** Which OAuth 2.0 parameter is used to request that the
Authorization Server return an ID Token in the authorization response together
with a code (Hybrid flow)?
A) `response_type=code id_token`
B) `response_type=id_token token`
C) `response_type=code token`
D) `response_type=code id_token token`
**Answer:** D
**Explanation:** The Hybrid flow can request all three (`code id_token token`)
to receive a code, ID Token, and Access Token in the front channel. Option A
(`code id_token`) is also a Hybrid combination; option B is the Implicit flow
because it carries no `code`.
**Question 164.** Which Okta API header should be included to indicate the
request's originating IP when behind a reverse proxy?
A) `X-Forwarded-For`
B) `X-Real-IP`
C) `Forwarded`
D) `Client-IP`
**Answer:** A
**Explanation:** `X-Forwarded-For` is the de facto standard header for carrying
the client IP through proxies (`Forwarded`, RFC 7239, is the standardized but
less common form). Because any client can set the header, it must only be
honored when the request arrives from a proxy you control, and the value must
be read from the right-hand end; Okta likewise only uses it when the proxy's
address is registered as a trusted proxy in the org.
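
The System Log questions (Q115, Q144, Q150, Q162) describe events; this added example, which is not part of the exam or of Okta's tooling, shows detection logic run over constructed records in the shape `GET /api/v1/logs` returns (`eventType`, `actor`, `target[]`, `outcome.result`, `published`). It uses the documented event types `user.lifecycle.deactivate` and `user.mfa.factor.deactivate`; the two rules, their thresholds, and every ID and address are this example's own choices.

```javascript
// Added example, not from the exam or Okta: two detection rules over System Log
// records. Sample data below is constructed; IDs and addresses are placeholders.

const user = (id, email) => ({ id, type: 'User', alternateId: email });
const ADMIN = user('00uadmin', 'helpdesk@example.com');
const ALICE = user('00ualice', 'alice@example.com');
const BOB = user('00ubob', 'bob@example.com');

// Minimal System Log record; real entries carry many more fields.
const ev = (published, eventType, actor, target, result = 'SUCCESS') => ({
  uuid: `${eventType}-${published}`,
  published,
  eventType,
  actor,
  target,
  outcome: { result },
  client: { ipAddress: '203.0.113.10' },
});

// Constructed sample: a help-desk admin removes Alice's authenticator, Bob removes
// his own, then the same admin deactivates three users inside two minutes.
const SAMPLE_EVENTS = [
  ev('2024-05-01T10:00:00.000Z', 'user.mfa.factor.deactivate', ADMIN, [ALICE, { id: 'pfd1', type: 'AuthenticatorEnrollment' }]),
  ev('2024-05-01T10:00:30.000Z', 'user.mfa.factor.deactivate', BOB, [BOB, { id: 'pfd2', type: 'AuthenticatorEnrollment' }]),
  ev('2024-05-01T10:01:00.000Z', 'user.lifecycle.deactivate', ADMIN, [user('00ucarol', 'carol@example.com')]),
  ev('2024-05-01T10:01:40.000Z', 'user.lifecycle.deactivate', ADMIN, [user('00udave', 'dave@example.com')]),
  ev('2024-05-01T10:02:30.000Z', 'user.lifecycle.deactivate', ADMIN, [user('00uerin', 'erin@example.com')]),
  ev('2024-05-01T10:05:00.000Z', 'user.session.end', ALICE, [ALICE]),
  ev('2024-05-01T10:10:00.000Z', 'user.lifecycle.deactivate', ADMIN, [user('00ufrank', 'frank@example.com')], 'FAILURE'),
];

function detect(events, { bulkThreshold = 3, windowSeconds = 300 } = {}) {
  const alerts = [];
  const ordered = [...events].sort((a, b) => Date.parse(a.published) - Date.parse(b.published));
  const deactivations = new Map(); // actor id -> timestamps (s) still inside the window
  const flagged = new Set();       // actors already reported for bulk deactivation

  for (const e of ordered) {
    if (e.outcome?.result !== 'SUCCESS') continue; // failed attempts belong to a different rule
    const targetUser = (e.target || []).find((t) => t.type === 'User');

    // Rule 1: an MFA factor removed by someone other than its owner. Routine for
    // help-desk resets, but also the first step of most account takeovers.
    if (e.eventType === 'user.mfa.factor.deactivate' && targetUser && targetUser.id !== e.actor.id) {
      alerts.push({ rule: 'factor-removed-by-other', actor: e.actor.alternateId, user: targetUser.alternateId, at: e.published });
    }

    // Rule 2: one actor deactivating bulkThreshold or more users within a sliding
    // window of windowSeconds, reported once per actor.
    if (e.eventType === 'user.lifecycle.deactivate') {
      const now = Date.parse(e.published) / 1000;
      const recent = (deactivations.get(e.actor.id) || []).filter((t) => now - t <= windowSeconds);
      recent.push(now);
      deactivations.set(e.actor.id, recent);
      if (recent.length >= bulkThreshold && !flagged.has(e.actor.id)) {
        flagged.add(e.actor.id);
        alerts.push({ rule: 'bulk-deactivation', actor: e.actor.alternateId, count: recent.length, at: e.published });
      }
    }
  }
  return alerts;
}

module.exports = { SAMPLE_EVENTS, detect };
```

Against the sample the detector raises two alerts: the help-desk removal of Alice's factor and the third deactivation by the same admin at 10:02:30. Bob's self-service removal, the session end and the failed deactivation are ignored. The rules key on `actor.id` versus the `User` entry in `target`, which is the distinction the System Log gives you for telling an administrator's action from the user's own.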
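
The caveat behind Q164 in code, as an added example that is not part of the exam: derive the client address from `X-Forwarded-For` without trusting what the client itself wrote. `TRUSTED_PROXIES` is a placeholder for the load balancers an org actually operates.

```javascript
// Added example, not the exam's: X-Forwarded-For handled by walking the chain
// from the right past proxies we control. TRUSTED_PROXIES is a placeholder.
const net = require('net');

const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']); // assumed proxy addresses

// socketAddress: the peer that actually opened the TCP connection to us.
// xff: the raw X-Forwarded-For header value, or undefined if absent.
// Returns the best-evidence client IP, or null if the chain is malformed.
function clientIpFromHeaders(socketAddress, xff, trusted = TRUSTED_PROXIES) {
  // Only a proxy we control may tell us about earlier hops. A direct client can
  // send X-Forwarded-For too; in that case the header is just noise.
  if (!trusted.has(socketAddress)) return socketAddress;

  const hops = String(xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  // Each proxy appends the address it accepted the connection from, so the list
  // is only trustworthy from the right. Walk leftwards past our own proxies and
  // stop at the first address that is not one of them: that peer talked to our
  // outermost proxy, and anything further left is unverified client input.
  for (let i = hops.length - 1; i >= 0; i -= 1) {
    if (trusted.has(hops[i])) continue;
    return net.isIP(hops[i]) ? hops[i] : null;
  }
  return socketAddress; // header empty, or every hop was one of ours
}

module.exports = { TRUSTED_PROXIES, clientIpFromHeaders };
```

The same rule applies to any rate limiter, network-zone check or audit log that keys on client IP: a spoofed leftmost entry is the usual way to bypass an IP allow-list, and the fix is to trust only the hops your own proxies appended.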