PrabhuShan
ServiceNow Employee

When ServiceNow acts as an OAuth client for outbound integrations to third-party applications, understanding how refresh token expiration works is essential for maintaining seamless connectivity. One area that often causes confusion is the difference between fixed expiration and rolling expiration patterns—and how ServiceNow handles each. 

Let's break it down.

OAuth Standards Context

The OAuth 2.0 specification (RFC 6749) does not mandate a specific refresh token expiration behavior. Providers may implement fixed expiration, rolling expiration, or no expiration at all. Rolling refresh tokens (where validity extends on each use) are a common pattern, but the behavior is not standardized.

OAuth 2.1 and RFC 9700 (Security Best Current Practice) recommend refresh token rotation, where a new refresh token is issued on each use. When this occurs, the client should store and use the new token. However, whether the expiration date also extends is still provider-specific.

This flexibility means OAuth providers implement varying approaches:

  • Fixed expiration – Token expires X days after issuance, regardless of usage
  • Rolling expiration – Token validity extends each time the refresh token is used (e.g., +30 days on each token refresh)
  • No expiration – Token remains valid until explicitly revoked

Neither approach is "right" or "wrong"—they're design choices based on each provider's security model.


How ServiceNow Handles Refresh Token Expiration

For outbound OAuth integrations, ServiceNow stores the refresh token expiration as a timestamp calculated at initial authorization. This value is based on the "Refresh Token Lifespan" configured in the Application Registry (oauth_entity table).

When a token refresh occurs, ServiceNow uses the existing refresh token to obtain a new access token. However, by default, ServiceNow does not update the stored refresh token expiration date. This behavior works well for providers using fixed expiration.

But what about providers that use rolling expiration? Consider a provider like DocuSign with "extended scope" enabled—each time you use the refresh token, DocuSign extends its validity by another 30 days. To fully leverage this pattern, ServiceNow needs to know it should also extend its stored expiration date on each token refresh.

The Control: "Extend Refresh Token Expiry"

Starting from the Yokohama release, ServiceNow provides a field called "Extend Refresh Token Expiry" in the OAuth Application Registry. This gives administrators explicit control over how ServiceNow handles refresh token expiration for outbound integrations.

Setting behavior:

  • Enabled – Each time ServiceNow uses the refresh token, it extends the stored expiration date in oauth_credential by the configured Refresh Token Lifespan. Supports rolling expiration providers like DocuSign.
  • Disabled – Refresh token expiration remains fixed from the original authorization date. The token expires on the originally calculated date regardless of usage. Suitable for providers with fixed expiration.
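As an added illustration (not ServiceNow's own code), the script below models the expiry bookkeeping described above: the expiration timestamp ServiceNow computes once at authorization, how it moves (or does not move) on each refresh depending on the setting, and how that compares with what a fixed or rolling provider actually enforces. It assumes "extend" means the stored expiry becomes the day of use plus the lifespan, as in the DocuSign description; the scenarios and day numbers are constructed.

```javascript
// Added example, not ServiceNow code: models how the refresh-token expiry that
// ServiceNow stores at authorization evolves under "Extend Refresh Token Expiry",
// next to the expiry the provider actually enforces. Time is in days since the
// initial authorization (day 0). Assumption: "extend" = dayOfUse + lifespan.

// Expiry the provider enforces for the three patterns described above.
function providerExpiry(policy, lifespanDays, lastUseDay) {
  switch (policy) {
    case 'fixed':   return lifespanDays;               // issuance + lifespan
    case 'rolling': return lastUseDay + lifespanDays;  // last use + lifespan
    case 'none':    return Infinity;                   // valid until revoked
    default: throw new Error('unknown policy: ' + policy);
  }
}

// Replay refresh attempts on the given days. Outcomes per attempt:
//   'refreshed'          both sides agree the token is still valid
//   'stale-local'        ServiceNow thinks it expired; provider would accept it
//   'provider-rejected'  ServiceNow thinks it is valid; provider has expired it
//   'expired'            both sides agree it is gone (re-authorization needed)
function simulate({ providerPolicy, lifespanDays, extendEnabled, refreshDays }) {
  let storedExpiry = lifespanDays;  // timestamp computed once at authorization
  let providerExp = providerExpiry(providerPolicy, lifespanDays, 0);
  const events = [];
  for (const day of refreshDays) {
    const localValid = day < storedExpiry;
    const providerValid = day < providerExp;
    let outcome = 'expired';
    if (localValid && providerValid) {
      outcome = 'refreshed';
      providerExp = providerExpiry(providerPolicy, lifespanDays, day);
      if (extendEnabled) storedExpiry = day + lifespanDays;  // the Yokohama option
    } else if (localValid) {
      outcome = 'provider-rejected';
    } else if (providerValid) {
      outcome = 'stale-local';
    }
    events.push({ day, storedExpiry, providerExpiry: providerExp, outcome });
  }
  return events;
}
const outcomes = (opts) => simulate(opts).map((e) => e.outcome);

// Constructed scenarios: the same three refresh attempts against each pairing.
const scenarios = {
  rollingNoExtend:   { providerPolicy: 'rolling', lifespanDays: 30, extendEnabled: false, refreshDays: [20, 40, 60] },
  rollingWithExtend: { providerPolicy: 'rolling', lifespanDays: 30, extendEnabled: true,  refreshDays: [20, 40, 60] },
  fixedWithExtend:   { providerPolicy: 'fixed',   lifespanDays: 30, extendEnabled: true,  refreshDays: [20, 40, 60] },
};
for (const [name, opts] of Object.entries(scenarios)) console.log(name, outcomes(opts));
```

The mismatched pairings are the ones to watch for: a rolling provider with the option disabled makes ServiceNow give up on a token the provider would still accept, while a fixed provider with the option enabled makes ServiceNow keep trying a token the provider has already expired.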

Why This Control Was Introduced

  1. Provider Diversity – OAuth providers implement varying refresh token lifecycle patterns. Some use fixed expiration, others use rolling expiration, and some issue new tokens on each refresh.
  2. Customer Flexibility – Administrators need control over this behavior based on their specific provider's requirements. A one-size-fits-all approach would break integrations with one pattern or the other.
  3. Backward Compatibility – Existing integrations relying on fixed expiration behavior should not be disrupted, hence the opt-in checkbox approach.

How to Enable It

The field isn't displayed on the form by default. Here's how to add it:

  1. Navigate to System OAuth > Application Registry
  2. Open your OAuth provider configuration
  3. If you don't see the "Extend Refresh Token Expiry" field:
    • Right-click on the form header
    • Click Configure > Form Builder
    • Search for "Extend Refresh Token Expiry" in the left sidebar
    • Drag and drop it onto the form
    • Save
  4. Enable the checkbox
  5. Save the configuration
  6. Re-authorize the OAuth connection to apply the new behavior

Important Distinction: Token Rotation vs. Expiration Extension

These are separate concepts that sometimes get conflated:

  • Token Rotation – Provider issues a new refresh token on each use (old one is invalidated)
  • Expiration Extension – Provider extends the existing token's validity on each use

Some providers do one, some do both, some do neither. The "Extend Refresh Token Expiry" field specifically addresses the expiration extension pattern.

Summary

Understanding your OAuth provider's refresh token behavior is key to a smooth outbound integration. ServiceNow's "Extend Refresh Token Expiry" field gives you the control to match ServiceNow's behavior with your provider's expectations—whether that's fixed or rolling expiration.

When in doubt, check your provider's OAuth documentation for details on their refresh token lifecycle.