How to programmatically create admin-level API tokens on Jenkins behind Okta SSO?

We manage a fleet of Jenkins instances that are secured with Okta SSO (SAML).
Our goal is to programmatically generate API tokens with administrative privileges for a generic service account to support automation workflows across these controllers.

We currently use Matrix-Based Authorization to manage user and group permissions. We attempted to add a generic service account to the existing IAM/IdP group that has administrative rights, but this did not grant admin access inside Jenkins. Since these Jenkins controllers run in production, we cannot restart or modify the security realm.

Questions:

1. What is the best way to programmatically create admin-level API tokens for a service account when Jenkins is using an external IdP (Okta/SAML) and does not store local users?
2. How can we ensure that a service account reliably receives admin privileges under Matrix-Based Authorization when IdP group membership is not being mapped as expected?
3. Is there a recommended or community-supported pattern for managing service accounts and generating API tokens in Jenkins environments secured by Okta SSO?
4. Can API tokens be created via Groovy/Jenkins CLI without requiring UI login or a restart?

Any guidance, best practices, or examples from others with similar SAML/Okta Jenkins setups would be greatly appreciated.

Thank you!

There are no special admin-level API tokens in Jenkins. API tokens are always bound to a user and the permissions are set via the Auth strategy (Matrix Auth in your case). So you must setup Okta in a way so that the group membership of the service user is seen by Jenkins. Or you directly add the username to matrix auth permissions and grant the user admin permissions.

I would recommend that you setup a test instance where you can freely play around with the security realm to see if any changes there allow you to see the group.