Query on OAuth

Suggy
Giga Sage

I want our ServiceNow to act as an OAuth provider.

This doc link https://docs.servicenow.com/de-DE/bundle/sandiego-platform-security/page/administer/security/task/t_... says

"Access Token: By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days."

What exactly is the meaning of this specific phrase "For third-party tokens, 30 days"?

Tushar
Kilo Sage

Hi there,

As I go through the doc, I believe it says:

When ServiceNow acts as an OAuth provider, access tokens issued to users for accessing resources directly on ServiceNow have a lifespan of 30 minutes. However, when third-party applications request access to resources on ServiceNow using OAuth, the access tokens issued to those applications have a longer lifespan of 30 days.

Please mark this response as correct and/or helpful if it assisted you with your question.

Regards,
Tushar

Hi @Tushar, I did not understand. ServiceNow is acting as an OAuth provider. So whenever there is an incoming request to ServiceNow to access its resources, ServiceNow will issue tokens.

In which scenario is it 30 mins vs 30 days? Can you give a scenario to better understand?

Hi @Suggy

Apologies for the confusion. Let me clarify the scenario:

When ServiceNow acts as an OAuth provider, it means that external applications or clients can request access to specific resources (such as data or APIs) hosted on the ServiceNow instance using the OAuth 2.0 authorization framework.

In this context, there are two types of access tokens that can be issued:

  1. Instance-Issued Tokens: These are access tokens issued by the ServiceNow instance to clients or applications that are registered and authenticated with the instance. These tokens have a default lifespan of 30 minutes.

  2. Third-Party Tokens: These are access tokens issued to external third-party applications that request access to ServiceNow resources. These applications may or may not be registered and authenticated with the ServiceNow instance. Third-party tokens can have a lifespan of 30 days.

Scenario:

  1. Instance-Issued Tokens: Suppose a user logs in to the ServiceNow instance (Resource Owner). An external application (Client) wants to access some specific resources on the instance on behalf of the user. The client application initiates the OAuth flow and requests an access token from the ServiceNow instance. If the user grants permission, the instance issues an access token to the client application. This token will be valid for 30 minutes from the time it was issued. Within this 30-minute window, the client can use the access token to access the authorized resources on the ServiceNow instance without needing to prompt the user for authentication again.

  2. Third-Party Tokens: In this scenario, an external third-party application (not necessarily registered or authenticated with the instance) wants to access ServiceNow resources. The third-party application initiates the OAuth flow and requests an access token from the ServiceNow instance. If the instance grants permission, it can issue a third-party access token to the application. Unlike instance-issued tokens, third-party tokens can have a lifespan of 30 days. This means that the third-party application can use the issued token to access the authorized resources on the ServiceNow instance for a longer period, up to 30 days, without needing to re-authenticate or request a new token frequently.

In summary, the 30-minute lifespan is for access tokens issued to registered clients of the ServiceNow instance, while the 30-day lifespan is for access tokens issued to external third-party applications requesting access to ServiceNow resources. The actual lifespan of tokens can be configured based on your requirements and security policies.

Please, don't forget to mark my answer as correct if it solves your issue or mark it as helpful if it is relevant for you!

Regards,
Tushar

Randheer Singh
ServiceNow Employee

Token expiration for 3rd party tokens will be specified by the token issuer (3rd party provider). The documentation needs an update.
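
Added example, not part of any reply in this thread and not ServiceNow code: a client-side record that takes each token's lifetime from the `expires_in` field of the issuer's RFC 6749 token response instead of hard-coding 30 minutes or 30 days. The token responses are constructed sample data, and `TokenRecord`, `fallback_ttl` and `skew` are hypothetical names chosen for this illustration.

```python
import json
import time

# Constructed RFC 6749 token responses (sample data, not captured from any instance).
INSTANCE_RESPONSE = json.dumps({
    "access_token": "constructed-instance-token", "token_type": "Bearer",
    "expires_in": 1800, "refresh_token": "constructed-refresh-token"})
THIRD_PARTY_RESPONSE = json.dumps({
    "access_token": "constructed-third-party-token", "token_type": "Bearer",
    "expires_in": 3600})
NO_LIFETIME_RESPONSE = json.dumps({
    "access_token": "constructed-token", "token_type": "Bearer"})


class TokenRecord:
    """Access token plus the absolute expiry derived from the issuer's response."""

    def __init__(self, raw_response, issued_at, fallback_ttl=None, skew=60):
        body = json.loads(raw_response)
        if "access_token" not in body:
            raise ValueError("token response has no access_token")
        ttl = body.get("expires_in", fallback_ttl)
        if ttl is None:
            # expires_in is optional in RFC 6749; refuse to guess a lifetime.
            raise ValueError("issuer sent no expires_in and no fallback is configured")
        ttl = int(ttl)
        if ttl <= 0:
            raise ValueError("non-positive expires_in")
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token")
        self.expires_at = issued_at + ttl
        self.skew = skew  # renew slightly early to absorb clock drift and latency

    def needs_renewal(self, now):
        return now >= self.expires_at - self.skew

    def renewal_path(self, now):
        """'use' while valid, 'refresh' if a refresh token exists, else 'reauthorize'."""
        if not self.needs_renewal(now):
            return "use"
        return "refresh" if self.refresh_token else "reauthorize"


if __name__ == "__main__":
    t0 = time.time()
    for name, raw in [("instance", INSTANCE_RESPONSE), ("third-party", THIRD_PARTY_RESPONSE)]:
        rec = TokenRecord(raw, issued_at=t0)
        print(name, "expires in", int(rec.expires_at - t0), "s;",
              "at +31 min:", rec.renewal_path(t0 + 31 * 60))
```
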