Vonage Protection Suite for Okta Vonage Protection Suite for Okta

Vonage Protection Suite for Okta

Maria Scieranska

What’s New in Version 2.0

Version 2.0 introduces three changes to how the connector is configured and managed.

Named tokens. Tokens can now be assigned a human-readable name at creation. The token name replaces the truncated hash identifier across the Dashboard, Recent OTP Activity, and Recent Auth Events views, making it easier to distinguish tokens in multi-token deployments.

Instance-level configuration. In v1.0, Identity Insights settings, Fraud Defender configuration, and rate limits were encoded per token at the point of generation. In v2.0, these settings have moved to a dedicated Configuration tab and apply uniformly to all tokens on the instance. Adding or rotating a token no longer requires reconfiguring security policies.

Custom OTP Message Templates. Administrators can now configure custom message templates for OTP delivery, with support for per-locale and per-channel (SMS/Voice) overrides. This enables organisations to deliver OTP messages in the end user's local language and apply brand-specific wording. Custom Template Management requires account-level enablement — contact your Vonage Account Manager or Support to activate.

Upgrading from v1.6 to v2.0

v1.6 and v2.0 are not compatible. There is no in-place upgrade path. v2.0 must be deployed as a new VCR instance. The token model, instance-level claims, and state storage keys have changed. Tokens, usage statistics, and OTP activity from your v1.6 instance cannot be migrated and will not carry over. Reconfigure your Okta Telephony Inline Hook and Event Hook with the credentials generated from your new v2.0 instance before decommissioning the v1.6 deployment.

Table of Contents

  1. Introduction
  2. Key Benefits
  3. Prerequisites
  4. Architecture Overview
  5. User Roles
  6. For Admin User — Installation & Configuration Guide
    Step 1: Deploy the Connector on Vonage Cloud Runtime
    Step 2: Configure the Connector (Admin Application)
    Step 3: Configure Okta Server
    Step 4: Verify the Connector’s Connectivity
    Step 5: Test the Integration
    Step 6: Managing and Rotating Your Authentication Token
    Troubleshooting & Log Access
    How to Get Help
  7. For End Users — OTP Delivery Experience

Introduction

The Vonage Protection Suite for Okta is a self-service, no-code connector built on Vonage Cloud Runtime (VCR). It integrates directly into your Okta Identity Engine via Telephony Inline Hooks to deliver One-Time Passwords (OTPs) through SMS and Voice channels, powered by Vonage Verify.
Before any OTP is delivered, the connector can execute optional pre-delivery security checks through Identity Insights — including number validation and carrier lookups— screening destination numbers against mobile operator databases to block fraud before it happens.
During OTP delivery, Vonage Fraud Defender provides an additional layer of protection with SMS pumping detection, geographic permissions, and velocity controls.
This creates a two-layer security model:

  • Layer 1 — Identity Insights (Pre-OTP): Screens the destination number before the OTP is sent. Flags or blocks compromised numbers, saving delivery costs.
  • Layer 2 — Fraud Defender (During OTP): SMS pumping protection, geographic permissions, and velocity controls during delivery. Included free with Verify.

The connector is deployed on Vonage Cloud Runtime and distributed through the Vonage Cloud Runtime (VCR) Marketplace. Enterprises discover, install, configure their Okta tenant, and are live — without any Vonage operational intervention.

Use of the Vonage Protection Suite is subject to the Vonage Terms of Use and Okta Connector Supplemental Terms.

Key Benefits

  • Self-service, no-code setup: Deploy and configure the connector through Vonage Cloud Runtime Marketplace. No developer resources or custom middleware required.
  • OTP delivery via Vonage Verify: Intelligent routing, automatic SMS-to-Voice fallback, and global reach across 200+ countries with automatic sender ID management.
  • Two-layer fraud intelligence: Pre-OTP number screening (Identity Insights) combined with delivery-time fraud protection (Fraud Defender) — a combination no competitor currently offers in their Okta integration.
  • Speed to value: Self-service onboarding enables signup to the first OTP delivery in minutes. Production-ready MFA in days, not months.
  • Token-based security: Secure, rotatable authentication tokens encode security policies for every OTP delivery. 24-hour grace period for seamless rotation.
  • Real-time monitoring: Built-in dashboard with OTP delivery counters, recent activity logs, and authentication event tracking.

Prerequisites

  • An active Okta tenant with Okta Identity Engine (OIE) and phone authenticator enabled.
  • Admin access to the Okta Admin Console (to configure Inline Hooks and Event Hooks).
  • A Vonage API account with an API Key.
  • Access to the Vonage Customer Dashboard and Vonage Cloud Runtime (Advanced Subscription).

Note: The Vonage Cloud Runtime Advanced tier is required for production deployments of this connector to ensure reliable handling of peak authentication volumes. This subscription is activated by your Vonage Customer Success Associate (CSA) as part of the deployment process. No action is required from the customer; your CSA will handle the activation before your connector instance goes live.

Architecture Overview

The connector sits between the Okta Identity Engine and Vonage’s Communication APIs, intercepting Okta’s Telephony Inline Hook to orchestrate OTP delivery. Okta remains the verification authority throughout the flow — it generates the OTP, passes it to the connector, and validates it when the user enters it.

 

a1.png

The data flow works as follows:

  1. Okta generates a one-time password and calls the Vonage connector via the Telephony Inline Hook, passing the OTP and the customer’s phone number.
  2. If Identity Insights is enabled, the connector screens the destination number against mobile operator databases (number validity, carrier lookup). Based on the result, the connector can block, flag-and-deliver, or proceed.
  3. The connector sends the OTP via Vonage Verify, which handles intelligent channel routing (SMS/Voice), automatic fallback, sender ID management, and Fraud Defender protections.
  4. The end user receives the OTP on their phone and enters it in Okta’s interface.
  5. Okta validates the OTP and grants access. The connector returns a success/fail response to Okta.

Two-Layer Fraud Intelligence Model

Layer Product When It Runs What It Does Cost
Layer 1 (Pre-OTP) Identity Insights Before OTP is sent Screens number against carrier databases: validity, carrier. Blocks fraud before delivery. Per-request (optional)
Layer 2 (During OTP) Fraud Defender During OTP delivery SMS pumping protection, geographic permissions, velocity controls, rate limiting. Advanced: Free with Verify. Premium: Paid.

User Roles

This guide is organized by the primary user role involved in deploying and operating the connector:

Role Responsibilities Relevant Sections
Admin / IT Deploys the connector on VCR, configures Identity Insights and token policies, sets up Okta Inline and Event Hooks, manages token rotation and revocation, monitors OTP delivery. Section 6: Installation & Configuration Guide
End User Receives OTPs via SMS or Voice during Okta authentication flows. No configuration required from the end user. Section 7: OTP Delivery Experience

For Admin User — Installation & Configuration Guide

This section walks the administrator through the complete setup process, from deploying the connector on Vonage Cloud Runtime to configuring Okta and verifying the integration. Follow the steps in order.

Step 1: Deploy the Connector on Vonage Cloud Runtime

Deploy a new instance of the Vonage Protection Suite for Okta from the VCR Marketplace.

image (20).png
  • Select Your API Key and Deploy a New Instance

    In the Vonage dashboard, select your API key, then click "Deploy a new instance" for the "Vonage Protection Suite for Okta" application.

    image20.png
     

  • Configuration Type

    Version 1.0 offers one deployment configuration: Standard. Select "Standard" and click "Continue".

    image11.png
     

  • Fill in the Configuration Details
    Region and instance name: Choose the region for your instance and provide a unique, concise name.

    image15.png

    - Vonage Number (optional): If configured, this number is used as the sender ID for SMS. Must be in E.164 digits-only format (international number without the "+" sign). If not configured, the Brand Name below is used instead. For voice calls, this value is ignored — the caller number is randomly selected by Vonage Verify.
    - Brand Name (mandatory): The OTP message body will use this brand name for SMS. For voice calls, this value is ignored.
    - Voice Call Fallback (mandatory): When enabled, the connector automatically retries via voice call if SMS delivery fails.

    image1.png

Select "Continue" to deploy the instance.

Step 2: Configure the Connector (Admin Application)

After deployment, launch the connector’s Admin Application to configure security policies and generate authentication tokens.

2a. Launch the Admin Application

image17.png

Authenticate using your Vonage credentials.

image18.png

2b. Dashboard Tab

The Dashboard tab provides real-time visibility into OTP delivery and authentication activity.

image13.png

Counters

The Counters section displays the following metrics:

  • Total SMS: Total SMS delivery attempts (success + failure).
  • SMS Success: SMS deliveries completed successfully.
  • SMS Blocked: SMS deliveries blocked by Identity Insights or Fraud Defender.
  • Total Voice: Total voice delivery attempts (success + failure).
  • Voice Success: Voice deliveries completed successfully.
  • Voice Blocked: Voice deliveries blocked.

Recent OTP Activity

The last 10 OTP delivery events across all tokens, showing Timestamp, Destination (masked), Channel (SMS/Voice), Status (SUCCESS/FAILED/FLAGGED), Description, Latency, and Token identifier.

  • Timestamp: When the delivery was attempted.
  • Destination: The masked phone number.
  • Channel: SMS or VOICE.
  • Status: SUCCESS, FAILED, or FLAGGED (amber, for flag-and-deliver).
  • Description: Click the eye icon to view the full failure or flag reason.
  • Latency: Time taken to complete the delivery in milliseconds.
  • Token: The truncated token identifier.

Recent Auth Events

The last 10 authentication events received from Okta, showing Timestamp, Token, Event type, Factor, Outcome, User, and Request ID.

  • Timestamp: When the event was published.
  • Token: The truncated token identifier.
  • Event: The Okta event type (e.g. user.authentication.auth_via_mfa).
  • Factor: The authentication factor (e.g. SMS_FACTOR, CONVERSION).
  • Outcome: SUCCESS, FAILURE, or UNKNOWN.
  • User: The Okta actor ID.
  • Request: The authentication request ID.

2c. Tokens Tab

The tokens tab displays all generated tokens with their current status:

image23.png
  • Active: The token is valid and in use.
  • Grace Period: A newer token has replaced this one. Both tokens work simultaneously during a 24-hour transition window.
  • Expired: The token has passed its expiration date.
  • Revoked: The token has been manually revoked and can no longer be used.

Add a Token

Token Name

The name of the token is a way to have a human readable token, which will be displayed across the application instead of a cryptic hash.

Token Expiration

Select the validity period for the generated token. Options: 24 hours, 7 days, 30 days, 90 days, or Never. Shorter expiration periods improve security but require more frequent rotation.

Rotate a Token

Rotating generates a new token with the same name and expiration time as the original. The old token enters a 24-hour grace period during which both tokens are accepted. Use rotation to regularly cycle credentials without downtime.

Revoke a Token

Revoking immediately disables a token. Use this if a token has been compromised or is no longer needed. Revocation is immediate and irreversible.

2d. Configuration Tab

The token authenticates requests between Okta and the Vonage Connector. The configuration is common for every token.

image1.png

Identity Insights Configuration

Identity Insights is a Vonage API that queries mobile operator databases in real-time to assess the risk profile of a phone number. Within the Okta connector, it operates as a pre-OTP screening layer — checks run before the OTP is sent, and the connector takes action based on the results you configure above.

Each enabled check is billed per request. Number Format & Validity is free. Original Carrier Lookup and Current Carrier Lookup are charged per request. Pricing details are available on the Vonage pricing page.

Identity Insights Overview: https://www.vonage.com/communications-apis/identity-insights/features/  https://developer.vonage.com/en/identity-insights/overview

Toggle "Enable Identity Insights" on, then select the checks to apply.

Select Checks

Checks are available per the selected insight level:

  • Number Format & Validity: Validates the phone number format and checks if the number is reachable.
  • Original Carrier Lookup: Identifies the carrier the number was originally assigned to. Flags VoIP and virtual numbers.
  • Current Carrier Lookup: Identifies the carrier currently serving the number. Detects ported numbers.

Geographic and Channel Filters

These filters restrict OTP delivery based on the phone number’s geographic or network attributes.

  • Country Allowlist: Enter ISO 3166-1 alpha-2 country codes (e.g., US, GB, DE). Only numbers associated with these countries will be allowed. Leave empty to allow all countries.

When Number Is Flagged

Choose the action to take when a destination number is flagged during verification checks:

  • Block OTP: The OTP is not delivered. You can see the status in ‘Recent OTP Activity’. 
  • Flag and Deliver: The OTP is delivered but the event is flagged (amber status) in the dashboard for review.
  • Only Log: The check result is logged but no action is taken. The OTP is delivered normally.

Fraud Defender Configuration

Fraud Defender provides delivery-time fraud protection for all OTP traffic sent through the connector. It operates as Layer 2 in the connector's two-layer security model — protecting against SMS pumping, artificially inflated traffic (AIT), and traffic burst attacks during OTP delivery.

Tier Selection

Fraud Defender Advanced is included at no additional cost with Verify and is shown as "Included" in the connector's configuration panel. Fraud Defender Premium is available as a paid upgrade — contact your Account Manager to enable it.

Important: Fraud Defender Advanced is included with your Verify traffic, but advanced protections such as AIT Protection and SMS Burst Protection require separate activation and configuration in the Vonage Dashboard. These protections are not automatically enabled. To set up Fraud Defender for your account, follow the onboarding guide: https://developer.vonage.com/en/fraud-defender/getting-started

What you can configure in the Vonage Dashboard:

Rate Limit

The rate limit setting in the connector limits OTP delivery to a maximum number of requests per phone number within a 10-minute window (default: 5). This protects against repeated OTP requests targeting the same number. 

Token Expiration

Select the validity period for the generated token. Options: 24 hours, 7 days, 30 days, 90 days, or Never. Shorter expiration periods improve security but require more frequent rotation.

2d. Record the Generated Token

After configuring security policies and generating the token, record the following details. These are required for Okta configuration in the next step:

  • Telephony Webhook URL
  • Event Webhook URL
  • Auth Header Name
  • Token Secret
image14.png

Step 3: Configure Okta Server

With the connector deployed and a token generated, configure your Okta tenant to route telephony events through the Vonage connector.

3a. Configure the Telephony Inline Hook

Sign in to your Okta Admin Console. Navigate to Workflow › Inline Hooks. Select the “Add Inline Hook”, then “Telephony”

image10.png

Fill in the hook details:

  • Name: Enter a descriptive name (e.g., "Vonage OTP").
  • URL: Paste the Telephony Webhook URL from the token generation dialog.
  • Authentication field: Paste the Auth Header Name.
  • Authentication secret: Paste the Token Secret.
image9.png

Select "Save".

3b. Configure the Event Hook

Navigate to Workflow › Event Hooks. Select "Create Event Hook".

Fill in the hook details:

  • Name: Enter a descriptive name (e.g., "Vonage Events").
  • URL: Paste the Event Webhook URL from the token generation dialog.
  • Authentication field: Paste the Auth Header Name.
  • Authentication secret: Paste the Token Secret (same token as the telephony hook).

In the REQUESTS section, subscribe to the following event type:

  • Authentication of user via MFA
image19.png

Click "Save & Continue".

Step 4: Verify the Connector’s Connectivity

After configuring both the Inline Hook and Event Hook in Okta, verify that the connection between Okta and the Vonage connector is active.

image21.png

Step 5: Test the Integration

Before going live, verify the integration using Okta’s built-in preview tool.

Prerequisites

Ensure phone authentication is enabled in your Okta org: Security › Authenticators › Phone.

image16.png

Run a Preview Test

Follow these steps to run a preview test:

  • Navigate to Workflow › Inline Hooks.
  • Find the telephony inline hook you created and click Actions › Preview.
  • In "Configure inline hook request", enter a test user’s information: data.userProfile (a user who has phone as a valid authenticator) and requestType (MFA enrollment, MFA verification, Account unlock, or Password reset).
  • Click "Generate request" to build the JSON payload.
  • Click "Edit" to modify the request if needed. Replace the default phone number (9876543210) with a real mobile number in E.164 format (e.g., +447700900000).
  • Click "View response" to trigger the hook. A successful response will show status: "SUCCESSFUL" with the delivery duration.

⚠️ If the connection between Okta and Vonage fails, Okta will not generate an OTP. Check the connector logs and verify the webhook URL and token are correct.

Step 6: Managing and Rotating Your Authentication Token

The authentication token secures communication between your Okta org and the Vonage connector. As a security best practice, you can rotate this token at any time, either from the Vonage Admin Panel or programmatically via the Token Management API. Rotation issues a new token while keeping the previous one valid for a 24-hour grace period, so you can update your Okta configuration with no interruption to OTP delivery.

Rotate a token - via Admin Panel

  1. Log in to the Admin Panel with your admin Vonage account

    image3.png
     
  2. Find the Token List section and identify the token that you would like to rotate

    image4.png
     
  3. Click on the 'Rotate' button to rotate the token

    image12.png
     
  4. Select the 'Confirm' button to rotate the token

    image6.png
     
  5. Your new token will be displayed. Note it down, as it is displayed only once.

    image2.png
     
  6. The new token is now visible on the list. The old token is marked with 'Rotated' status for the 24hr grace period, after which it will be expired.

    image30.png

Rotate a token - via API

OpenAPI specification + Postman Collection

okta-connector-token-management-v2.0.yaml

Vonage-Okta-API-2.0.postman_collection.json

Authentication

All endpoints are protected with HTTP Basic Auth. Include your credentials in every request.

The value is base64 encoded your Vonage API Key and Vonage API Secret joined with ':'

Basic base64(apiKey:apiSecret)

API Key must be the same key that is the owner of the Okta Connector instance

Fetch the Token List

Before rotating a token, you need its UUID. Use the List Tokens endpoint to retrieve all active tokens and their IDs.

GET /admin/tokens

Returns a map of all tokens associated with the instance. Each entry includes the token's ID, status, claims, and usage counters.

Request

GET /admin/tokens

Authorization: Basic <credentials>

Response — 200 OK

{

  "tokens": {

    "94c624db-d933-446c-be4d-bf35c0dbd13a": {

      "id": "94c624db-d933-446c-be4d-bf35c0dbd13a",

      "name": "Production Okta",

      "truncatedToken": "***",

      "expiresIn": "90d",

      "revoked": false,

      "revokedAt": null,

      "rotatedAt": null,

      "gracePeriodEnds": null,

      "createdAt": "2026-06-17T11:09:30.456Z",

      "expirationDate": "2026-09-15T11:09:30.000Z",

      "lastUsed": "2026-06-20T08:15:00.000Z",

      "smsSuccessCount": 0,

      "voiceSuccessCount": 0,

      "smsErrorCount": 0,

      "voiceErrorCount": 0,

      "smsBlockedCount": 0,

      "voiceBlockedCount": 0

    }

  }

}

Response Fields

id string (UUID) Unique identifier for the token — used for rotation, revocation, and other management operations
truncatedToken string Masked representation of the token value (full value is never shown after creation)
claims.expiresIn string Expiration duration the token was created with (e.g. 90d, 24h)
revoked boolean Whether the token has been revoked
createdAt string (ISO 8601) Timestamp when the token was created
expirationDate string (ISO 8601) Absolute date/time when the token expires
smsSuccessCount integer Number of successful SMS OTP deliveries
voiceSuccessCount integer Number of successful voice OTP deliveries
smsErrorCount integer Number of failed SMS OTP attempts
voiceErrorCount integer Number of failed voice OTP attempts
smsBlockedCount integer Number of SMS OTPs blocked (e.g. by fraud rules)
voiceBlockedCount integer Number of voice OTPs blocked

Tip — note down the ID: Copy the id value for the token you wish to rotate. You will need it in the next step. The id is linked to a token, so it will always be used to identify a distinct token, but when a new token is generated, both with generate and rotate endpoint, the new token will receive a new id.

Rotate the Token

Token rotation issues a new token with the same claims and a fresh timestamp, and begins the 24hr grace period for the previous token, after which it is invalidated.

POST /admin/rotate-token

Request

POST /admin/rotate-token

Authorization: Basic <credentials>

Content-Type: application/json

{

  "id": "3152b2c3-00b7-4900-b79c-77cfb2663b21"

}

Request Body

       
id string (UUID) Yes The UUID of the token to rotate. Obtain this from GET /admin/tokens

Response — 200 OK

{

  "newToken": "<token>",

  "newId": "<uuid>",

  "webhookUrl": "https://<instance-url>/...",

  "authHeaderName": "x-okta-auth"

}

Response Fields

newToken string The new signed token
newId string (UUID) UUID identifier for the newly issued token
webhookUrl string Webhook URL to (re-)configure in Okta
authHeaderName string HTTP header name used to pass the token in requests (e.g. x-okta-auth)

Important Notes

Save the new token immediately. The newToken value is only returned once at rotation time and cannot be retrieved again. Store it securely (e.g. in a secrets manager or Okta webhook configuration) before closing this response.

Record the new ID. The newId returned in the response is the identifier you will need for all future management operations on this token — including subsequent rotations and revocation. Note it down alongside the token.

After Rotation — Update Okta

Once you have rotated the token:

  1. Update your Okta Telephony Inline Hook configuration:
    • Go to Inline Hooks and edit the existing hook

      image14.png
    • Set the authentication field to authHeaderName (default: x-okta-auth).
    • Set the authentication secret value to the new newToken.

      image15.png
       
  2. Update your Okta Event Hook
    • Go to Event Hooks and select the existing hook

      image16.png
    • Set the authentication field to authHeaderName (default: x-okta-auth).
    • Set the authentication secret value to the new newToken.
      image17.png

Failure to update Okta will cause OTP delivery to fail once the old token is invalidated (24hr grace period).

Troubleshooting & Log Access

If OTPs are not being delivered or the Inline Hook is not functioning as expected, start with the following checks:

  • Verify credentials: Confirm that the Telephony Webhook URL, Event Webhook URL, Auth Header Name, and Token Secret entered in Okta exactly match the values from the token generation dialog.
  • Check hook status: In the Okta Admin Console, navigate to Workflow › Inline Hooks and verify the hook status is Active and verified.
  • Review the Dashboard: Check the connector’s Dashboard tab for recent OTP activity. Look for FAILED or FLAGGED events and click the description icon for error details.
  • Check Identity Insights flags: If OTPs are being blocked, review whether Identity Insights is flagging the destination number. Consider adjusting the "When number is flagged" action (Block → Flag and Deliver or Only Log) for testing.
  • Phone authenticator: Ensure phone authentication is enabled in Okta: Security › Authenticators › Phone.

End-to-End OTP Lifecycle — Tracing a Single Request

Every OTP delivery follows five stages. Each stage has its own log source. When troubleshooting, work through the stages in order — a failure at any stage prevents subsequent stages from executing.

Stage 1: Okta Sends the OTP Request

Where to look: Okta Admin Console › Reports › System Log

When a user triggers an authentication event (login, MFA enrollment, MFA verification, account unlock, or password reset), Okta generates the OTP and sends a Telephony Inline Hook request to the Vonage connector. The Okta System Log captures the outbound hook call, including the target URL, request status, and any errors if the connector was unreachable.

image12.png

Stage 2: Vonage Connector Receives and Processes the Request

Where to look: Vonage Cloud Runtime › Instances › Your Instance › Logs

The connector instance running on Vonage Cloud Runtime receives the Inline Hook payload from Okta. The VCR instance logs capture the incoming request.

image13.png

Stage 3: OTP Is Delivered to the End User

Where to look: Vonage Customer Dashboard › Message Logs

Vonage Verify routes the OTP through the appropriate channel (SMS or Voice) via the Messages API. The delivery event — including message status, carrier information, and any delivery errors — appears in the Vonage Customer Dashboard message logs.

What to check:

  • Message status: Look for the outbound message record. A "delivered" status confirms the OTP reached the carrier network. A "failed" or "rejected" status indicates a delivery problem.
  • Channel and sender: Verify the correct channel (SMS/Voice) and sender ID were used.
  • Fraud Defender: If the message does not appear at all, Fraud Defender may have blocked the request during delivery (e.g., SMS pumping detection or geographic permissions). In this case, no message is sent and no delivery charge is incurred.
  • Error codes: If delivery failed, note the provider error code. Reference the Vonage error codes documentation for details: developer.vonage.com/en/api-errors/messages
image8.png
image5.png

Stage 4: User Enters OTP → Okta Validates → Event Hook Fires

Where to look: Connector Admin Dashboard › Recent Auth Events

After the end user receives and enters the OTP in Okta’s interface, Okta validates the code. As the customer has configured the Event Hook (as described in Step 3b), Okta sends an asynchronous authentication event to the connector indicating whether the verification succeeded or failed. This event is what enables the connector to know that the OTP was successfully verified and the Verify conversion fee gets charged.

What to check:

  • Event received: In the connector’s Admin Dashboard, navigate to the Recent Auth Events section. Look for the authentication event corresponding to your test.
  • Event type: The event should show "user.authentication.auth_via_mfa" for a successful MFA verification.
  • Factor and outcome: Confirm the factor is correct (e.g., SMS_FACTOR) and the outcome shows SUCCESS. A FAILURE outcome means the user entered an incorrect OTP or the verification timed out.
  • Token: The truncated token identifier should match the token you configured in Okta.
image2.png
image3.png

Stage 5: Verify Conversion Recorded

Where to look: Vonage Customer Dashboard › Verify Logs

Once the connector receives the successful authentication event from Okta (Stage 4), it confirms the conversion with Vonage Verify. This marks the Verify request as successfully converted — meaning the OTP was delivered, received, entered correctly, and validated. The Verify conversion fee is applied at this point.

What to check:

  • Conversion status: In the Vonage Customer Dashboard Verify logs, locate the Verify request (by request ID from Stage 2). Confirm the status shows as "converted" or "successful".
  • Conversion fee: The Verify conversion fee is applied when the request transitions to converted status. This is the primary platform-level revenue event for each successful OTP.
  • Missing conversion: If the Verify log shows the OTP was delivered but never converted, check Stage 4. The most common causes are: the Event Hook is not configured in Okta, the hook failed to fire, or the user did not enter the OTP within the allowed time window.
image4.png

Error Codes & Identity Insights Reference

When an OTP request is blocked, fails, or is flagged, the connector returns a structured error visible in the Dashboard's Recent OTP Activity section. Click the eye icon next to any BLOCKED, FAILED, or FLAGGED entry to view the error detail. Each error contains a Code/Message and, for Identity Insights checks, a Sub-code explaining the specific reason.

Use the tables below to identify the cause and determine the corrective action.

Connector Error Codes

This table covers all error codes returned by the connector. The Response Type indicates how Okta interprets the response: claim_violation tells Okta the delivery was intentionally rejected (Okta may fall back to its native provider if configured), failure indicates the delivery could not be completed, and unexpected_failure indicates an unhandled error.

Code / Message Response Type Trigger Condition
P7391 claim_violation Invalid Okta payload — schema validation failed
S4223 claim_violation Stale event — eventTime is outside the allowed time range
D1485 claim_violation Duplicate eventId — replay attack detected
Velocity limit exceeded for this user claim_violation Fraud Defender velocity rule triggered
Identity Insight flagged: <reasons> claim_violation Identity Insights check failed with flag action set to Block (see sub-codes below)
Verify API delivery failed: <detail> claim_violation Verify API returned a 4xx/5xx error
The destination number is invalid failure Invalid number format passed to Verify
<error.message> unexpected_failure Any other unhandled error (network failure, timeout, etc.)

Identity Insights Sub-Codes

When the error message is "Identity Insight flagged: <reasons>", the reasons field contains one or more of the sub-codes below. Multiple sub-codes may appear separated by commas if several checks flagged the same number.

Sub-Code Meaning
Number is invalid Number failed format or validity check
NI:networkType Current carrier is virtual or unknown
NI:country Number's country is not in the per-insight allowlist
NI:countryOC Original carrier's country is not in the allowlist
NI:countryCC Current carrier's country is not in the allowlist
NI:CB Number's country is not in the flat allowedCountries list
NI:NT Original carrier network type is not in allowedNetworkTypes

Quick Reference: Where to Look at Each Stage

# Stage Log Source What You’re Confirming
1 Okta sends OTP request Okta Admin Console › System Log Hook fired, request reached Vonage
2 Connector processes request VCR › Instance Logs Request received, Identity Insights pass/fail, Verify API called
3 OTP delivered Vonage Dashboard › Message Logs Message sent, delivery status, channel and sender correct
4 User enters OTP, Okta validates Connector Dashboard › Recent Auth Events Auth event received, factor and outcome correct
5 Verify conversion recorded Vonage Dashboard › Verify Logs Request converted, conversion fee applied

How to Get Help

Best way (recommended): Vonage Help Center

https://api.support.vonage.com/hc/en-us/requests/new

Select the form titled "Using Vonage Connector” and then select your connector -> “Using Vonage Protection Suite for Okta" so the ticket is routed directly to the Okta Connector support group.

What to include (for faster resolution):

Your email address Customer contact
Subject Issue summary
Description Detailed issue description
API Key Vonage API Key (account ID only, not secret)
Request / Event ID Inline hook event ID (from Okta System Log – see)
Message ID  For delivery troubleshooting
Sender Type Brand ID / Number
Channel Used SMS / Voice (TTS)
Identity Insights Enabled Yes / No
Attachments Screenshots, logs, etc.

For End Users — OTP Delivery Experience

End users do not need to perform any configuration. Once the administrator has completed the setup in Section 6, the Vonage connector handles OTP delivery transparently. From the end user’s perspective, the authentication flow remains identical to their existing Okta experience:

  • The user initiates an authentication flow in Okta (login, MFA enrollment, MFA verification, account unlock, or password reset).
  • Okta prompts the user to verify via phone. The user selects SMS or Voice.
  • The OTP is delivered to the user’s phone via the Vonage connector (via Vonage Verify).
  • The user enters the OTP in Okta’s interface.
  • Okta validates the OTP and completes the authentication.

The Vonage connector operates entirely behind the scenes. If Voice Call Fallback is enabled, the connector automatically retries via voice call if SMS delivery fails — the user receives the OTP through the fallback channel without any additional action.

Articles in this section