Is it possible to validate OAuth 2.0 token in Custom Inbound API

Nisar3
Giga Guru

We have a custom inbound API and under it a resource (sys_ws_operation). When the consumer hits this resource, is there a way to validate if the token received in the header is valid (i.e. the same that ServiceNow gave to the client)?

 

(function process( /*RESTAPIRequest*/ request, /*RESTAPIResponse*/ response) {

// check token here and verify if it's valid
   
})(request, response);
1 ACCEPTED SOLUTION

Ankur Bawiskar
Tera Patron

@Nisar3 

Are you using OAuth 2.0 here?

I think you have created a scripted REST API and want to check whether the endpoint was hit with OAuth details or not.

If yes, then check this link:

Inbound Rest endpoint restricted to OAUTH Authentication 

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader


6 REPLIES

That makes sense, but I'm confused as to how ServiceNow would know that my custom API will need to validate for OAuth. I mean, where is the link defined between the API and authentication? Like, whenever someone hits the API, how does ServiceNow know that it should check for an OAuth token?

@Nisar3 

When somebody hits your endpoint and you have given OAuth details to them, i.e. client ID and client secret, we usually give basic auth details as well.

Now, coming to your question of how ServiceNow knows whether the incoming API request has to be enforced using OAuth or Basic: we cannot enforce the use of OAuth. The link I shared will help you enforce that they use an OAuth token and not just basic auth.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader
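
The restriction discussed in this thread (accept an OAuth bearer token, refuse Basic auth), as an added example that is not code from the thread, the linked post, or ServiceNow. It assumes the resource has authentication required, so the platform has already validated the credentials and the script only has to check which scheme was presented; `classifyAuthorization` and `requireBearer` are hypothetical names, and only `request.getHeader`, `response.setStatus`, `response.setHeader` and `response.setBody` are platform calls.

```javascript
// Added example: decide whether an inbound request presented a bearer token.
// Assumption: the platform has already authenticated the caller; this guard
// only rejects requests that authenticated with something other than Bearer.

// b64token grammar for bearer credentials (RFC 6750, section 2.1).
var B64TOKEN = /^[A-Za-z0-9\-._~+\/]+=*$/;

// Classify an Authorization header value. Scheme names are compared
// case-insensitively, as HTTP auth schemes are case-insensitive (RFC 7235).
function classifyAuthorization(headerValue) {
    if (typeof headerValue !== 'string' || headerValue.trim() === '') {
        return { scheme: 'none', ok: false, reason: 'missing Authorization header' };
    }
    var parts = headerValue.trim().split(/\s+/);
    var scheme = parts[0].toLowerCase();
    if (scheme !== 'bearer') {
        return { scheme: scheme, ok: false, reason: 'scheme is not Bearer' };
    }
    // Exactly one token must follow the scheme, and it must be well-formed.
    if (parts.length !== 2 || !B64TOKEN.test(parts[1])) {
        return { scheme: scheme, ok: false, reason: 'malformed bearer token' };
    }
    return { scheme: scheme, ok: true, reason: '' };
}

// Guard for the top of the resource script. Returns true when the request
// may proceed; otherwise writes a 401 response and returns false.
// The token value itself is never logged or echoed back.
function requireBearer(request, response) {
    var verdict = classifyAuthorization(request.getHeader('Authorization'));
    if (verdict.ok) {
        return true;
    }
    response.setStatus(401);
    response.setHeader('WWW-Authenticate', 'Bearer');
    response.setBody({ error: 'invalid_request', detail: verdict.reason });
    return false;
}

// Usage inside the resource script's process(request, response) function:
//   if (!requireBearer(request, response)) { return; }
```

This checks the scheme and token syntax only; whether the token is one the instance issued and is still unexpired is left to the platform's own OAuth validation.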