Does the Client Secret expire if created and configured for an Inbound integration in Application Registry?

Anil9866
Tera Expert

Hello folks...

I configured an inbound integration about 4 months ago.
Configuration: 

Integration type - Inbound

Created an Application Registry of type Client Credentials grant type.
Now I'm concerned about when this client secret will expire. Usually, for other integrations in my application, they rotate every 90 days. It has been over 3 months, and it is still retrieving a valid token to connect to the API and get the response.
Note: I didn't configure any custom expiry duration.

May I know, in general, what the expiry period (days/months) of a client secret configured in the above scenario would be?
Thanks in advance
#ClientSecret #ClientSecretExpiry #Client Credentials Grant Type

3 ACCEPTED SOLUTIONS

aruncr0122
Mega Guru

Hi @Anil9866 ,

 

In ServiceNow Application Registry, the client secret does not expire automatically and remains valid until manually regenerated or revoked. Access tokens and refresh tokens do have expiry, but there is no default time-based expiry for the client secret itself. Any 90-day rotation is usually an organizational security policy, not enforced OOB by ServiceNow.

 


Rushi Savarkar
Mega Sage

Hello @Anil9866 

Access Token: This is the short-lived string used to call the API. These typically expire in 30 to 60 minutes. Your integration handles this by using the Client Secret to "ask" for a new token automatically.

 

Client Secret: This is essentially the password for your application. Unlike tokens, secrets do not usually expire unless a specific Expiration Date was set during the initial configuration.

 

If you didn't configure a custom duration, the "default" depends entirely on the platform you are using.

 

  • ServiceNow: Never expires by default (unless a specific expiration date is selected during configuration).

  • Azure AD (Entra ID): Usually forced to a specific window, typically 6 months, 1 year, or 2 years.

  • Salesforce: Never expires (managed via the Consumer Secret within the Connected App).

  • AWS IAM: Never expires, though rotation is highly recommended and often enforced via internal IAM policies.

 

 

If my response helped you, please accept the solution and mark it as helpful.
Thank You!


Ankur Bawiskar
Tera Patron

@Anil9866 

Client ID and client secret never expire; the token expires based on what the 3rd party has configured in their API.

💡 If my response helped, please mark it as correct and close the thread 🔒— this helps future readers find the solution faster! 🙏

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


7 REPLIES

Got it. Thank you @aruncr0122  for your response. 

Got it, thank you @Rushi Savarkar  for your detailed explanation.
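
The distinction the answers above draw between the expiring access token and the non-expiring client secret, as an added example that is not part of the original thread or ServiceNow's own code. The class and function names, the offline `FakeTokenEndpoint`, the 1800-second token lifetime and all credential values are constructed assumptions; the 90-day limit is the rotation policy mentioned in the question.

```python
import time
from datetime import timedelta

class ClientCredentialsSession:
    """Caches the short-lived access token; the client secret is only used to mint new ones."""
    def __init__(self, client_id, client_secret, request_token, clock=time.monotonic, skew=30):
        self._id, self._secret = client_id, client_secret
        self._request_token = request_token  # callable(form) -> dict; in production an HTTPS POST
        self._clock, self._skew = clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        now = self._clock()
        # Renew slightly before expiry so a request never carries a stale token.
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._request_token({
                "grant_type": "client_credentials",
                "client_id": self._id,
                "client_secret": self._secret,
            })
            self._token = resp["access_token"]
            self._expires_at = now + int(resp["expires_in"])
        return self._token

def secret_overdue(created_on, today, max_age_days=90):
    """The platform does not expire the secret, so its age has to be checked against policy."""
    return (today - created_on) > timedelta(days=max_age_days)

class FakeTokenEndpoint:
    """Constructed stand-in for the token endpoint so the example runs offline."""
    def __init__(self, valid_secret, lifetime=1800):
        self.valid_secret, self.lifetime, self.calls = valid_secret, lifetime, 0

    def __call__(self, form):
        if form["client_secret"] != self.valid_secret:
            raise PermissionError("invalid_client")
        self.calls += 1
        return {"access_token": f"tok-{self.calls}", "expires_in": self.lifetime}

def demo():
    now = [0.0]  # fake clock, in seconds
    endpoint = FakeTokenEndpoint("constructed-secret")
    s = ClientCredentialsSession("constructed-id", "constructed-secret", endpoint,
                                 clock=lambda: now[0])
    first = s.access_token()
    now[0] = 600.0
    same = s.access_token()      # token still valid: no call to the endpoint
    now[0] = 1800.0
    renewed = s.access_token()   # token expired: same secret mints a new one
    return first, same, renewed, endpoint.calls
```

The same secret keeps minting tokens for as long as it stays registered, which is why the age check has to live in an inventory or scheduled job outside the integration itself.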