Configure an OAuth Client credential grant
Configure the OAuth Client Credentials Grant for secure machine-to-machine authentication without user interaction. It authenticates applications using client credentials and grants-controlled API access with scoped permissions.
Before you begin
Role required: oauth_admin, mi_admin, admin
Procedure
- Navigate to Machine Identity Console > Inbound integrations > New integration > OAuth - Client credential grant.
-
Update the text fields in the Details form with the appropriate information.
Table 1. Details form Field Description Name The name of the OAuth entity. Provider name Enter the name of the service provider you want to integrate with. Example: Microsoft, Google, Zoom, SAP, etc. Note:Provider name is a mandatory field.Client ID The unique ID assigned to identify the application. Client Secret The secret key that only the application and the authorization server can identify. The application uses this key to authenticate and obtain access tokens. Comments Add any notes about this configuration. Active Select to use for authentication and authorization requests; when unselected, the record is saved but remains inactive and will not process any requests. -
Perform the following steps to add auth scope to the configuration:
- Select Create auth scope if you want to define a new scope.
- Select a scope from the Auth scope drop-down.
- Enter API names in Limit authorization to the following APIs to narrow access.
- Use + Add another row to assign additional scopes to your configuration.
-
Select Allow access only to APIs in selected scope in the Scope validation settings to restricts access to listed scopes only.
Note:You can choose not to select Set Allow access only to APIs in selected scope for broader access permitted by user controls and API policies.
- Optional:
Update the text fields in the Advanced options (optional) form with the appropriate information.
Table 2. Advanced options form Field Description Enforce token restriction The Enforce token restriction option limits the client to accessing only the APIs specified in the REST API Access Policies. If you unselect it, the client can access other REST APIs based on the user ACL permissions. Token Format Format of token to generate. Options: - JWT
- Opaque
Note:- The jwks url is available in the location:
api/now/oauth/jwks. - The rotated (inactive keys) from jwks response is removed after 105 days default.
Access token lifespan Duration (in seconds) for which the OAuth access token remains valid before it expires. Note:The default value is 1800 seconds. -
Select Save.
A new OAuth Client credential grant is created.