OAuth API request parameters
Summarize
Summary of OAuth API Request Parameters
This guide outlines the OAuth API request parameters necessary for accessing tokens, essential for integrating with ServiceNow. Proper formatting and specific parameters are critical for successful token requests.
Show less
Key Features
- Content-Type Requirement: Use
application/x-www-form-urlencodedfor requests;application/jsonwill lead to an unspecified error. - Grant Types:
password: Requires user credentials (username and password).refreshtoken: Uses an existing refresh token.
- Required Parameters:
clientid: Unique ID for the client application.clientsecret: Secret string for communication authorization.
Key Outcomes
Requests using user credentials yield both an access token and a refresh token, contingent on the user's active status. It is crucial to ensure that user credentials are transmitted securely via TLS encryption. Alternatively, requests using a refresh token will return only a new access token if the refresh token is still valid, enhancing security by minimizing user credential transmission.
Examples provided illustrate how to structure the requests for both methods, ensuring customers can implement this functionality effectively within their ServiceNow environment.
Learn about the OAuth API request parameters that access token requests use.
| Request parameter | Description |
|---|---|
| grant_type | [Required] The type of credentials authorizing the request for an access
token. This parameter must have one of the following values:
|
| client_id | [Required] Auto-generated unique ID of the client application requesting the access token. |
| client_secret | [Required] Shared secret string that the instance and the OAuth application use to authorize communications with one another. |
| username | User account name that authorizes the access token request. This parameter is required for access token requests with a grant_type of password. |
| password | Password for the user account that authorizes the access token request. This parameter is required for access token requests with a grant_type of password. |
| refresh_token | Existing refresh token that authorizes the access token request. This parameter is required for access token requests with a grant_type of refresh_token. |
Requests Using User Credentials
The instance requires clients to provide user login credentials when first authorizing the client or when authorizing the creation of a new refresh token. This type of request always returns two tokens:
- An access token
- A refresh token
The instance verifies that the user is active, not currently locked out, and has an interactive session. If any of these conditions are false, the instance does not produce an access token. Access requests made within the expiration time of the access token always return the current access token.
The following example illustrates requesting an access token with a set of user credentials (Spaces have been added to improve readability).
$ curl -d"grant_type=password&client_id=be3aeb583ace210011c15b24a43e25d8
&client_secret=client_password
&username=admin&password=admin"
https://instancename.service-now.com/oauth_token.doRequests Using a Refresh Token
The instance can use an existing refresh token to create a new access token. This type of request returns only an access token. The instance confirms that the refresh token has not expired before generating a new access token. Access requests made within the refresh token expiration time always return the current refresh token. Transmitting refresh tokens is generally more secure than transmitting user credentials. The following example illustrates requesting an access token with an existing refresh token (Spaces have been added to improve readability).
$ curl -d"grant_type=refresh_token&client_id=be3aeb583ace210011c15b24a43e25d8
&client_secret=client_password
&refresh_token=w599voG89897rGVDmdp12WA681r9E5948c1CJTPi8g4HGc4NWaz62k6k1K0FMxHW40H8yOO3Hoe"
https://instancename.service-now.com/oauth_token.do