Set up OAuth provider with JWT Bearer grant type

  • Release version: Zurich
  • Updated July 31, 2025

JSON Web Tokens (JWTs) let you configure server-to-server API interactions between ServiceNow and external API providers without any user intervention. This support lets Integration Hub or other automated tasks use JWTs to configure API and service integrations with different providers.

    Before you begin

    Role required: admin

    About this task

    The following tasks show how ServiceNow can be set up to use JWTs for OAuth 2.0 client authentication and authorization grants. ServiceNow is the OAuth client, and you can configure an OAuth provider, such as Box or Docusign.

    Procedure

    1. Upload Java Key Store certificate
      Attach a JKS certificate to your instance to enable JWT client authentication.
    2. Configure a JWT signing key
      Create a JWT signing key to assign to your Java KeyStore (JKS) certificate.
    3. Create a JWT provider with a JWT signing key
      Add a JWT provider to your ServiceNow instance.
    4. Connect to a third-party OAuth provider
      Create a third-party OAuth provider with JWT Bearer as the default grant type in the ServiceNow Application Registry.
    5. Specify an OAuth profile
      Open the OAuth entity profile of the OAuth provider and assign a JWT provider.

    Upload Java Key Store certificate

    You can attach a Java KeyStore (JKS) certificate to your instance to enable JWT client authentication.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > Multi-Provider SSO > x509 Certificate.
    2. Fill in the form as needed.
      Option | Description
      --- | ---
      Name | A unique name for your certificate.
      Notify on expiration | Designate whom to notify when the certificate expires.
      Warn in days to expire | Send an email notification to your certificate manager before your certificate expires.
      Active | Enables the certificate for use in token requests.
      Type | The type of certificate you are uploading.
      Expires in days | The number of days until the certificate expires.
      Key store password | The password associated with the certificate.
      Short description |
    3. Click Submit.

    Configure a JWT signing key

    Create a JSON Web Token (JWT) signing key to assign to your Java KeyStore (JKS) certificate.

    Before you begin

    Role required: admin
    Note:
    If you want to add X.509 Certificate SHA-1 Thumbprint int (x5t) to the header as part of the JWT Key, you must configure the form and add the X.509 Certificate SHA-1 Thumbprint int (x5t) field.

    Procedure

    1. Navigate to All > System OAuth > JWT Keys.
    2. Fill in the form as needed.
      Option | Description
      --- | ---
      Name | A unique name for your JWT Key signing configuration.
      Signing Keystore | The keystore designated when signing the JWT.
      Key ID | The Key ID (kid) helps identify which key is used when multiple keys are used to sign tokens. Note: If you configure this field, the Key ID claim is included in the JWT. If you do not configure this field, your JWT will not have a Key ID claim.
      Signing Algorithm | The algorithm to use to sign with the JWT key. RSA 256 is the only algorithm available.
      Signing Key Password | The password associated with the signing key.
      Active | Designate that the JWT key alias is actively referenced from a JWT provider.
    3. Click Submit.
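
    As an added example (not ServiceNow code and not part of the original page), this Node.js code shows where the Key ID and Signing Algorithm settings end up in the JWT header and how a receiver can check them against what was configured. The `cfg` object, the function names, the claim values and the key pair are assumptions constructed for illustration.

```javascript
// Added example, not ServiceNow code. `cfg.keyId` is a hypothetical stand-in
// for the "Key ID" field on the JWT Keys form; all sample values are constructed.
const crypto = require('crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Build a compact JWT (RFC 7515) signed with RS256 (RSASSA-PKCS1-v1_5 + SHA-256).
function signJwt(privateKey, cfg, claims) {
  const header = { alg: 'RS256', typ: 'JWT' };
  if (cfg.keyId) header.kid = cfg.keyId; // kid appears only when a Key ID is configured
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${b64url(sig)}`;
}

// Return a list of problems; an empty list means the token matches the configuration.
function checkJwt(jwt, publicKey, cfg) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return ['not a three-part compact JWT'];
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch (e) {
    return ['header is not valid JSON'];
  }
  if (header === null || typeof header !== 'object') return ['header is not a JSON object'];
  const problems = [];
  // The algorithm is pinned here; the header's alg value never selects the verifier.
  if (header.alg !== 'RS256') problems.push(`unexpected alg: ${header.alg}`);
  if (cfg.keyId && header.kid !== cfg.keyId) problems.push('kid does not match Key ID');
  if (!cfg.keyId && 'kid' in header) problems.push('kid present but no Key ID configured');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
    publicKey, Buffer.from(parts[2], 'base64url'));
  if (!ok) problems.push('signature does not verify with the certificate public key');
  return problems;
}

// Constructed sample data: a throwaway key pair and made-up claims.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const cfg = { keyId: 'example-kid-1' };
const now = Math.floor(Date.now() / 1000);
const token = signJwt(privateKey, cfg, { iss: 'example-client', iat: now, exp: now + 60 });
console.log(checkJwt(token, publicKey, cfg));
```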

    Create a JWT provider with a JWT signing key

    Add a JSON Web Token (JWT) provider to your ServiceNow instance.

    Before you begin

    Role required: admin

    Procedure

    1. Navigate to All > System OAuth > JWT Provider.
    2. Fill in the form and click Submit.
      Option | Description
      --- | ---
      Name | A unique name for your JWT provider configuration.
      Expiry Interval (sec) | The lifespan of the tokens, in seconds, generated by the JWT provider.
      Signing Configuration | The ServiceNow JWT signing key configuration to apply.