Title: Automating OAuth Token Refresh for Scripted REST API (Inbound) – Without External Client Hand

DiveshTyagi
Giga Guru

Hi everyone,

I’m working on an OAuth-based integration where ServiceNow is acting as the inbound system (Scripted REST API provider), and an external client (e.g., Postman or another system) consumes the API.

Current flow:

  • ServiceNow provides client_id and client_secret
  • External client generates access_token and refresh_token using /oauth_token.do
  • Client uses access_token to call the Scripted REST API

Requirement:
The client wants to avoid handling token refresh on their side. Instead, they are asking if ServiceNow can automatically manage or refresh tokens before expiry, so that inbound API calls continue to work without requiring the client to explicitly refresh tokens.

What I explored:

  • Scheduled Jobs in ServiceNow to refresh tokens
  • Using RESTMessageV2 to call /oauth_token.do
  • Storing tokens in system properties/custom tables
  • GlideOAuthClient approach

Challenge:
As per standard OAuth design, token generation and refresh are typically client responsibilities, not the resource server (ServiceNow inbound API). So this requirement seems to go against the usual pattern.


Questions:

  1. Is there any supported or recommended way in ServiceNow to auto-refresh OAuth tokens for inbound integrations?
  2. Has anyone implemented a workaround where ServiceNow manages token lifecycle on behalf of the client?
  3. Would using OAuth Entity Profiles / GlideOAuthClient help in this scenario, or is that only meant for outbound integrations?
  4. If not feasible, what would be the best alternative design to meet this requirement?

Any guidance, design suggestions, or real-world implementations would be really helpful.

2 REPLIES

Ankur Bawiskar
Tera Patron

@DiveshTyagi 

My thoughts

-> automatic token refresh is not something ServiceNow normally does on behalf of that external client

-> you can handle the token generation using some OOTB API but that's for outbound

-> the external consumer owns the access token and refresh token generation

Regards,
Ankur
Certified Technical Architect  ||  10x ServiceNow MVP  ||  ServiceNow Community Leader

Tanushree Maiti
Kilo Patron

Hi @DiveshTyagi

Use the offline_access scope in your OAuth 2.0 (oauth_entity) profile. It is a specialized permission that enables an application to request an access token and obtain a refresh token without requiring the user to be actively authenticated, enabling access to resources even when the user is not present or "offline".

Regards
Tanushree Maiti
ServiceNow Technical Architect
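
The replies above place token refresh on the consuming client. As an added example (not code from the thread or from ServiceNow), here is a small client-side wrapper that refreshes against `/oauth_token.do` shortly before expiry, so the calling code never handles refresh explicitly. The `TokenManager` class, the injectable `transport` and `clock` parameters, and the 60-second skew are assumptions made for illustration; the response field names follow the standard OAuth 2.0 token response.

```python
import json
import time
import urllib.parse
import urllib.request


def post_form(url, fields):
    """Default transport: POST form-encoded fields and return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
        return json.load(resp)


class TokenManager:
    """Hypothetical client-side helper: refreshes the access token before it expires."""

    def __init__(self, instance_url, client_id, client_secret, refresh_token,
                 transport=post_form, clock=time.time, skew=60):
        self.token_url = instance_url.rstrip("/") + "/oauth_token.do"
        self.client_id = client_id
        self.client_secret = client_secret      # keep in a secret store, never in logs
        self.refresh_token = refresh_token
        self.transport = transport
        self.clock = clock
        self.skew = skew                        # refresh this many seconds early
        self.access_token = None
        self.expires_at = 0.0

    def _refresh(self):
        body = self.transport(self.token_url, {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        })
        if "access_token" not in body:
            # Refresh token expired or revoked: the client must re-authorize.
            raise RuntimeError("refresh failed: %s" % body.get("error", "unknown"))
        self.access_token = body["access_token"]
        # Keep the replacement refresh token if the server issued one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        self.expires_at = self.clock() + int(body.get("expires_in", 0))

    def auth_header(self):
        """Return the Authorization header, refreshing first when the token is near expiry."""
        if self.access_token is None or self.clock() >= self.expires_at - self.skew:
            self._refresh()
        return {"Authorization": "Bearer " + self.access_token}
```

The client attaches `auth_header()` to every Scripted REST API call; a `RuntimeError` signals that a fresh authorization is needed rather than a retry.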