How to generate oauth token with grant type=client_credentials in service now

ChethanB4037292
Tera Contributor

How to generate oauth token with grant type=client_credentials in service now, When I tried with System Oauth-> Application registery -> New -> w/o redirecting url . Still when I make curl post with grant_type=client_credentials and respective client Id ,secret it throws 401 unauthorized error, but when I tried with grant_type=password and username,password along with client id,secret I can able to generate bearer token. I want to generate with grant_type=client credentials.

 

 

Thanks in advance.

7 REPLIES 7

AndersBGS
Tera Patron
Tera Patron

Hi @ChethanB4037292 ,

 

Please read this articles. Based on the information provided I made it work: https://sapphirenow.dev/post/oauth-part-2/ and https://sapphirenow.dev/post/wdc-oauth-part-1/

 

If my answer has helped with your question, please mark my answer as the accepted solution and give a thumbs up.

Best regards
Anders

Rising star 2024
MVP 2025
linkedIn: https://www.linkedin.com/in/andersskovbjerg/

_ukasz Rybicki
Giga Guru

Steps

  1. Install required plugins

    • Ensure these are active: OAuth 2.0 (com.snc.platform.security.oauth), REST API Provider (com.glide.rest), Authentication Scope (com.glide.auth.scope), REST API Auth Scope Plugin (com.glide.rest.auth.scope) (ServiceNow).

  2. Enable Client Credentials grant

    • In System Properties (sys_properties.list), create/update:

      Name: glide.oauth.inbound.client.credential.grant_type.enabled  
      Type: true|false  
      Value: true
    • Default = false; must be true to allow this flow (ServiceNow).

  3. Create OAuth client registry entry

    • Navigate to System OAuth > Application Registry > New

    • Select Create an OAuth API endpoint for external clients, fill Name, Client ID/Secret (redirect URLs optional), and save (ServiceNow).

  4. Add & set OAuth Application User

    • On the registry form: Configure → Form Layout, add OAuth Application User (reference sys_user), save.

    • Populate with an active user having required roles (e.g. admin) (ServiceNow Support).

  5. Request the token

    curl -X POST "https://<instance>.service-now.com/oauth_token.do" \
      -H "Authorization: Basic $(echo -n '<CLIENT_ID>:<CLIENT_SECRET>' | base64)" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials"

    – returns JSON { "access_token":"…","token_type":"Bearer","expires_in":… } (ServiceNow).

Troubleshooting

  • 401 Unauthorized → verify the system property is true and OAuth Application User is set/active (ServiceNow Support).

  • Scopes → optionally include &scope=<scope1> <scope2> in the POST body if you’ve defined API Auth Scopes.

Sources

  1. Up your OAuth2.0 Game in Washington DC with Inbound Client Credentials, ServiceNow Community Blog – plugin & registry setup (1.2 yrs) (ServiceNow)

  2. Create the Client Credentials system property, ServiceNow Docs – how to enable glide.oauth.inbound.client.credential.grant_type.enabled (1.3 yrs) (ServiceNow)

  3. Client Credentials grant type for Inbound OAuth is supported, ServiceNow KB KB1645212 – confirms need for OAuth Application User (11 mos) (ServiceNow Support)

  4. SOLVED: OAuth 2.0 Access Denied, ServiceNow Community – curl example using grant_type=client_credentials (7 mos) (ServiceNow)

ChethanB4037292
Tera Contributor

Hi @AndersBGS , nice it was very helpful thanks!!!

 

One more query I have, how to validate the oauth bearer token recieving from external system in service now, I tried with enable require authentication for scripted rest api but it always says 401 even I pass with valid oauth bearer token (Authorization: Bearer {token}) in header.

ChethanB4037292
Tera Contributor

Hi @_ukasz Rybicki ,

thanks for the help really appreciate that.!!!

 

One more query I have, how to validate the oauth bearer token recieving from external system in service now, I tried with enable require authentication for scripted rest api but it always says 401 even I pass with valid oauth bearer token (Authorization: Bearer {token}) in heade