This flow is used in legacy or highly controlled environments where secure alternatives aren't feasible. The client app directly collects and sends user credentials to ServiceNow to obtain an access token, making it suitable only for trusted internal use.
Before you begin
Role required: oauth_admin, mi_admin, admin
About this task
This procedure outlines how a trusted client application obtains an access token by directly handling user credentials and uses it to access ServiceNow APIs.
The user logs in through the app, which sends both its own credentials and the user's to ServiceNow. ServiceNow validates the credentials and issues an access token that the app uses to call APIs.
Figure 1. Resource owner password credential grant workflow
Procedure
The user logs in to the client application.
The client application sends a token request to with the following parameters:
Client ID and client secret.
Username and password of the user.
Example
Method: POST
Endpoint: https://<servicenow_base_url>/oauth_token.do
Headers: Content-Type: application/x-www-form-urlencoded
Table 1. Token Request Parameters
| Parameter | Required | Description |
| --- | --- | --- |
| grant_type | Yes | Specifies the OAuth grant type. |
| client_id | Yes | The unique identifier for your client application. Format: YOUR_CLIENT_ID |
| client_secret | Yes | The client application's secret key. Format: YOUR_CLIENT_SECRET |
| username | Yes | The user's ServiceNow username. |
| password | Yes | The user's ServiceNow password. |
| scope | Optional | Defines the level of access requested. Example: incident_read incident_write |
ServiceNow validates both the client and user credentials, and returns the access token.
The client uses the access token to call ServiceNow APIs.
Example
Method: GET
Endpoint: https://<servicenow_base_url>/api/now/incident
Authorization: Bearer YOUR_ACCESS_TOKEN
ServiceNow validates the access token, and returns the API response.
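The request and response handling described in this procedure, as an added example that is not ServiceNow's own code: it builds the form-encoded token request so that passwords containing characters such as & or + survive encoding, refuses a non-HTTPS endpoint because the body carries the user's password and the client secret, and redacts both before anything is logged. The function names, the host example.service-now.com and the sample values are constructed; grant_type=password, space-delimited scopes and the access_token response field are assumed from RFC 6749, since the page does not state them.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET_FIELDS = {"client_secret", "password"}

# Constructed sample response in the RFC 6749 shape (assumption, not captured output).
SAMPLE_TOKEN_RESPONSE = '{"access_token": "tok123", "token_type": "Bearer", "expires_in": 1800}'


def build_token_request(base_url, client_id, client_secret, username, password, scope=None):
    """Return (url, headers, body) for the POST to /oauth_token.do."""
    parts = urlsplit(base_url)
    # The body carries two secrets in clear form encoding, so plain HTTP is rejected.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("token endpoint must be an https:// URL")
    form = {
        "grant_type": "password",  # RFC 6749 section 4.3 value (assumption for this page)
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }
    if scope:
        form["scope"] = " ".join(scope)  # space-delimited per RFC 6749
    # urlencode percent-encodes &, =, + and spaces so the password is not split or altered.
    body = urlencode(form)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"https://{parts.netloc}/oauth_token.do", headers, body


def redact_body(body):
    """Return the form body with secret fields masked, safe to write to a log."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, "REDACTED" if k in SECRET_FIELDS else v) for k, v in pairs])


def bearer_headers(token_response_text):
    """Build the Authorization header for API calls from the token response JSON."""
    token = json.loads(token_response_text).get("access_token")
    if not token:
        raise ValueError("token response contains no access_token")
    return {"Authorization": f"Bearer {token}"}
```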