To avoid sharing an Okta API key with a large number of people, I built a lambda in AWS that handles the interaction with Okta. The client authenticates with the lambda using OAuth, eliminating the need to share any private information with users. If you don't want to run the lambda and have access to an API key, calls to Okta can still be done directly in the client.
In addition, Okta MFA policies (both application and domain level) are now supported with the following factors:
Okta Verify (both push and OTP)
Google Authenticator
OTP via SMS
OTP via Voice call