OAuth API request parameters
Summarize
Summary of OAuth API Request Parameters
The OAuth API allows ServiceNow customers to request access tokens using specific parameters. It is essential to use the content typeapplication/x-www-form-urlencodedto avoid errors.
Show less
Key Features
- Grant Types: There are two primary methods to obtain an access token:
- Password: Requires user credentials (username and password).
- Refresh Token: Uses an existing refresh token to obtain a new access token.
- Required Parameters:
- granttype: Identifies the type of authorization.
- clientid: Unique identifier for the client application.
- clientsecret: Shared secret for communication authorization.
- User Credentials: Must be provided for password grant type requests, ensuring the user is active and not locked out.
- Security: TLS encryption is used to protect user credentials during transmission.
Key Outcomes
When requesting an access token with user credentials, the response includes both an access token and a refresh token. For requests using a refresh token, only a new access token is returned, assuming the refresh token is valid. This process enhances security by reducing the need to transmit user credentials frequently.
Learn about the OAuth API request parameters that access token requests use.
| Request parameter | Description |
|---|---|
| grant_type | [Required] The type of credentials authorizing the request for an access
token. This parameter must have one of the following values:
|
| client_id | [Required] Auto-generated unique ID of the client application requesting the access token. |
| client_secret | [Required] Shared secret string that the instance and the OAuth application use to authorize communications with one another. |
| username | User account name that authorizes the access token request. This parameter is required for access token requests with a grant_type of password. |
| password | Password for the user account that authorizes the access token request. This parameter is required for access token requests with a grant_type of password. |
| refresh_token | Existing refresh token that authorizes the access token request. This parameter is required for access token requests with a grant_type of refresh_token. |
Requests Using User Credentials
The instance requires clients to provide user login credentials when first authorizing the client or when authorizing the creation of a new refresh token. This type of request always returns two tokens:
- An access token
- A refresh token
The instance verifies that the user is active, not currently locked out, and has an interactive session. If any of these conditions are false, the instance does not produce an access token. Access requests made within the expiration time of the access token always return the current access token.
The following example illustrates requesting an access token with a set of user credentials (Spaces have been added to improve readability).
$ curl -d"grant_type=password&client_id=be3aeb583ace210011c15b24a43e25d8
&client_secret=client_password
&username=admin&password=admin"
https://instancename.service-now.com/oauth_token.doRequests Using a Refresh Token
The instance can use an existing refresh token to create a new access token. This type of request returns only an access token. The instance confirms that the refresh token has not expired before generating a new access token. Access requests made within the refresh token expiration time always return the current refresh token. Transmitting refresh tokens is generally more secure than transmitting user credentials. The following example illustrates requesting an access token with an existing refresh token (Spaces have been added to improve readability).
$ curl -d"grant_type=refresh_token&client_id=be3aeb583ace210011c15b24a43e25d8
&client_secret=client_password
&refresh_token=w599voG89897rGVDmdp12WA681r9E5948c1CJTPi8g4HGc4NWaz62k6k1K0FMxHW40H8yOO3Hoe"
https://instancename.service-now.com/oauth_token.do