OAuth 2.0 in ServiceNow: All Four Flows Explained

ServiceNow supports all four standard OAuth 2.0 grant types. Which one you use depends on the integration scenario. Here is each flow explained with configuration steps and when to use it.

OAuth 2.0 Provider setup

Before configuring any OAuth flow, navigate to System OAuth > Application Registry and create an OAuth provider record for your external application. This is where client_id and client_secret are generated.

Flow 1: Client Credentials (most common for server-to-server)

Use when: a server or service needs to call ServiceNow APIs without a user context. No user login required. The calling application authenticates as itself.

POST /oauth_token.do
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=[your_client_id]
&client_secret=[your_client_secret]

Response: access_token with expiry. Store and reuse until expiry, then re-request.

Flow 2: Authorization Code (for user-delegated access)

Use when: a third-party application needs to act on behalf of a specific ServiceNow user. Involves a browser redirect for user login.

Step 1: Redirect user to:
GET /oauth_auth.do?response_type=code&client_id=[id]&redirect_uri=[uri]

Step 2: The user logs in and ServiceNow redirects back to the redirect_uri with ?code=[auth_code]

Step 3: Exchange code for token:
POST /oauth_token.do
grant_type=authorization_code&code=[auth_code]&client_id=[id]&client_secret=[secret]&redirect_uri=[uri]

Flow 3: Resource Owner Password Credentials (avoid in new integrations)

Use when: migrating a legacy integration that used username/password. Not recommended for new work — exposes user credentials to the calling app.

POST /oauth_token.do
grant_type=password&username=[user]&password=[pass]&client_id=[id]&client_secret=[secret]

Flow 4: JWT Bearer Token

Use when: calling ServiceNow from a system that already has a JWT (Okta, Azure AD, etc.). ServiceNow validates the JWT signature against a configured public key.

Setup requires configuring a JWT Provider in System OAuth > JWT Providers with the issuer, audience, and signing key.

Token refresh

Access tokens expire (default 30 minutes for ServiceNow). Use the refresh_token returned by the Authorization Code flow to get new access tokens without re-authenticating:

POST /oauth_token.do
grant_type=refresh_token&refresh_token=[token]&client_id=[id]&client_secret=[secret]
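The token handling from Flow 1, Flow 2 and this section in one place, as an added example that is not the article's or ServiceNow's code: it parses the /oauth_token.do response, reuses the token until a safety margin before expiry, refreshes with the refresh_token when one was issued, and refuses to fall back from a user-delegated token to client credentials. The HTTP call is injected as post(url, form) so the logic runs offline; the 60-second margin, the Token/TokenClient names and the exception choices are assumptions of this example, not ServiceNow behaviour.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Token:
    access_token: str
    expires_at: float  # epoch seconds, derived from expires_in at issue time
    refresh_token: Optional[str] = None

    def is_valid(self, now: float, margin: float = 60.0) -> bool:
        # Expire `margin` s early (assumed value) so no call leaves with a token that dies in flight.
        return now + margin < self.expires_at


class TokenClient:
    def __init__(self, instance: str, client_id: str, client_secret: str,
                 post: Callable[[str, dict], dict], clock: Callable[[], float] = time.time):
        # post(url, form) must return the parsed JSON body; inject a requests.post wrapper in production
        self.url = instance.rstrip("/") + "/oauth_token.do"
        self.auth = {"client_id": client_id, "client_secret": client_secret}
        self.post, self.clock = post, clock
        self.token: Optional[Token] = None
        self.grant: Optional[str] = None  # grant_type that issued self.token

    def _request(self, form: dict) -> Token:
        body = self.post(self.url, {**form, **self.auth})
        if "access_token" not in body:  # e.g. {"error": "invalid_client"}
            raise RuntimeError(f"token request failed: {body.get('error', body)}")
        ttl = float(body.get("expires_in", 1800))  # article: 30 min default
        self.token = Token(body["access_token"], self.clock() + ttl, body.get("refresh_token"))
        self.grant = form["grant_type"]
        return self.token

    def client_credentials(self) -> Token:  # Flow 1
        return self._request({"grant_type": "client_credentials"})

    def exchange_code(self, code: str, redirect_uri: str) -> Token:  # Flow 2, step 3
        # redirect_uri must equal the value sent to /oauth_auth.do in step 1
        return self._request({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": redirect_uri})

    def access_token(self) -> str:
        # Reuse the cached token; refresh or re-request only when it is near expiry
        if self.token and self.token.is_valid(self.clock()):
            return self.token.access_token
        if self.token and self.token.refresh_token:
            return self._request({"grant_type": "refresh_token",
                                  "refresh_token": self.token.refresh_token}).access_token
        if self.grant == "client_credentials":
            return self.client_credentials().access_token
        # Never fall back from a user-delegated token to client credentials: that would
        # silently swap the user's identity for the application's.
        raise PermissionError("user token expired without refresh_token; re-run Flow 2")
```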

Outbound OAuth (ServiceNow calling external systems)

For ServiceNow calling out to OAuth-protected APIs, configure an OAuth Profile at System OAuth > OAuth Profiles and reference it via a Connection Alias — then it is available in Flow Designer and REST Messages automatically.

This article is part of the NowSpectrum knowledge library.