Is it possible to restrict an OAuth token to be used for only 1 REST API?

subhadeep1618
Tera Guru

Hello Everyone,

What I have done in ServiceNow?

  1. developed my own scripted REST API, e.g., /api/12345/incident_webhook
  2. created an application in OAuth application registry, e.g., OAuth_App_1
  3. created a new REST API Auth Scope for the above REST API (given in 1st point)
  4. added this Auth scope to "OAuth_App_1" 

Testing in Postman:

  1. generated a token using OAuth_App_1's client secret, client id and credentials of an ITIL user
  2. called the REST API (/api/12345/incident_webhook) using this bearer token
  3. everything is working fine, getting a 200 response code, getting the desired results
  4. next, I called a Table API (OOTB defined) (e.g. /api/now/table/incident) using the same bearer token
  5. and here also I got a 200 response code and the desired results

My requirement is as follows:

In the 5th step above, I want a 'failure' response code.

That is, I don't want any other API (scripted or OOTB) to be consumable through the same OAuth/bearer token.

Is it possible to impose such a restriction?

Any help or guidance would be much appreciated.


Please mark this post as a solution and also as helpful, if this resolves your issue or query.

Thanks,
Subhadeep Ghosh.

Ankur Bawiskar
Tera Patron

@subhadeep1618 

I don't think you can block/restrict using the same token for the OOTB Table API since either the 3rd party can use Basic Auth or the OAuth token.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Sateesh Kumar D
ServiceNow Employee

Hi Subhadeep,

OAuth tokens are governed by time duration, not usage count. To get closer to your intended behaviour, you may consider the following options:

1) Adjust the Refresh Token Lifespan:

Set a shorter Refresh Token Lifespan in your Application Registry. This forces more frequent token refresh, reducing the likelihood of the same token being reused across multiple integrations.

2) Force Token Renewal via Script:

If you must enforce a new token for each transaction, you can include logic at the end of your REST Message script to trigger the UI Action "Get OAuth Token", which will retrieve a fresh token.

Note:

If your use case involves creating a webhook, you may find the following article helpful:

https://www.servicenow.com/community/developer-forum/working-with-webhooks/m-p/3179425

Pranesh072
Mega Sage

Once you have the access token you can access all the system resources unless you manually restrict them using ACLs (refer to ACL type = REST_Endpoint in your instance).

The other option is to create a separate role for your endpoint and service account, so even if the same token is used for the Table API it will not return any data due to the missing itil role.
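As an added illustration (not code from this thread or from ServiceNow), the model below shows why the behaviour in the original post happens and how the role-based option in the reply above closes it: a bearer token carries the privileges of the user it was issued to, so what a call may do is decided by that user's roles and the instance's ACLs, not by which Application Registry entry minted the token. Everything here is constructed: the role name x_webhook_caller, the service account, the token values, and the assumption that reading incident through the Table API needs the itil role. The model returns 403 where a real instance might instead return an empty result set.

```javascript
// Constructed ACL table: which roles each endpoint requires. On a real instance this
// lives in sys_security_acl (including the REST_Endpoint type mentioned above); the
// incident rule assumes the common default that reading incident needs 'itil'.
const ENDPOINT_ACLS = [
  { pattern: /^\/api\/12345\/incident_webhook$/, anyRole: ['x_webhook_caller'] },
  { pattern: /^\/api\/now\/table\/incident(\/|$)/, anyRole: ['itil'] },
];

// Constructed principals: the ITIL user the poster tested with, and a dedicated
// service account that holds only the (hypothetical) webhook role.
const USERS = {
  'itil.user':            { roles: ['itil', 'x_webhook_caller'] },
  'svc.incident_webhook': { roles: ['x_webhook_caller'] },
};

// Constructed token store. A token is bound to a subject; the registry entry that
// issued it is recorded but, as on the platform, does not narrow what it may call.
const TOKENS = {
  'tok-itil': { subject: 'itil.user',            client: 'OAuth_App_1', expires: 2000 },
  'tok-svc':  { subject: 'svc.incident_webhook', client: 'OAuth_App_1', expires: 2000 },
};

// Authorization decision for one request: token validity, then the endpoint's ACL
// evaluated against the subject's roles. Returns an HTTP-style status and a reason.
function authorize(bearer, path, now) {
  const token = TOKENS[bearer];
  if (!token || token.expires <= now) {
    return { status: 401, reason: 'invalid or expired token' };
  }
  const acl = ENDPOINT_ACLS.find((a) => a.pattern.test(path));
  if (!acl) {
    return { status: 404, reason: 'no such endpoint' };
  }
  const roles = USERS[token.subject].roles;
  const allowed = acl.anyRole.some((r) => roles.includes(r));
  if (!allowed) {
    return { status: 403, reason: `subject ${token.subject} lacks ${acl.anyRole.join('/')}` };
  }
  return { status: 200, subject: token.subject };
}

// Reproduces the poster's observation (ITIL user: both calls succeed) and the
// least-privilege outcome (service account: webhook succeeds, Table API is denied).
function demo() {
  const now = 1000;
  return {
    itilWebhook: authorize('tok-itil', '/api/12345/incident_webhook', now).status,
    itilTable:   authorize('tok-itil', '/api/now/table/incident', now).status,
    svcWebhook:  authorize('tok-svc',  '/api/12345/incident_webhook', now).status,
    svcTable:    authorize('tok-svc',  '/api/now/table/incident', now).status,
    expired:     authorize('tok-svc',  '/api/12345/incident_webhook', 5000).status,
  };
}

console.log(demo());
```

Inside an actual scripted REST resource the equivalent of the role test is a `gs.hasRole('x_webhook_caller')` check that sets a 403 on the response when it fails; the model keeps the session and policy as plain objects so it runs outside the instance. The practical point is the one the reply makes: issue the token to a principal that holds only the role your endpoint needs, and the same token is useless against endpoints whose ACLs require more.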

subhadeep1618
Tera Guru

None of these are helpful, it seems like ServiceNow is not yet equipped for this 1-to-1 OAuth Entity to REST API restriction. Let's hope they improve the Auth Scope in the upcoming versions.


Please mark this post as a solution and also as helpful, if this resolves your issue or query.

Thanks,
Subhadeep Ghosh.