OAuth authorization code grant flow

  • Release version: Zurich
  • Updated July 31, 2025

    Authorization code grant flow allows a user to access a resource by authenticating directly with an OAuth server that trusts the resource, in contrast with authenticating with username/password credentials.

This implementation of OAuth authorization code flow allows access to a resource via REST. The client obtains the access token through the authorization URL that the user configures, rather than requiring the user to enter a username/password. The username/password are never exposed to the client that is requesting access to the resource.

    A ServiceNow instance as the authorization server

    The OAuth server is typically a third-party authorization server. You can also specify a ServiceNow instance as the authorization server that issues the tokens for authorization code flow.

    The user who owns the restricted resource must authorize access. The user can also revoke the issued access token at any time to terminate access.

    Authorization code grant flow process

    The Authorization code grant flow process consists of these three steps:

    In step one, the client application or website initiates a REST API call in the form of a GET request to the instance via the user agent. Typically, the REST call is initiated when the end user clicks a button or a link on the client application or website to request an access token. In the client application, the end user also has to specify the authorization URL, token URL, client ID, and client secret. For an explanation of these items, see the field descriptions in this topic: Use a third-party OAuth provider. If the client asks for a grant type, the end user must select Authorization Code.

    Example GET request from the client application to the instance:
    https://myinstance.service-now.com/oauth_auth.do?response_type=code&redirect_uri={the_redirect_url}&client_id={the_client_identifier}
    Note:
    The response_type must be code to use the standard OAuth code grant flow.
    The end user must manually allow access to the restricted resource on the instance. In the ServiceNow implementation, the end user must be logged into the instance. The instance prompts the end user with a UI page that has Allow and Deny buttons.

The client application actually requests the token from the OAuth provider application registry record that you created, also known as the authorization endpoint (see Use a third-party OAuth provider). The authorization endpoint does not send the auth code to the client directly; it sends the code to the Redirect URL that you specify on the authorization endpoint form. This URL is also known as a callback URL. You can obtain this URL from the client application or website.

    Example response from the instance to the client application, providing an authorization code:
http(s)://{callbackURL}?code={the actual auth code}

    Now that the client application has the authorization code, the client uses the code to request the access token. The authorization code proves that the user has consented in step 1.

    Example POST request from the client application to the ServiceNow instance that provides the auth code and requests the access token:
    https://myinstance.service-now.com/oauth_token.do?grant_type=authorization_code&code={the auth code}&redirect_uri={the_same_redirect_url}&client_id={the_same_client_identifier}&client_secret={client_secret_value}

    The endpoint on the instance returns an access token and a refresh token. The refresh token can be used to request additional access tokens.

    You can manage the tokens, including revoking the token, in the instance. See Manage OAuth tokens.

    The client application uses the access token to authenticate to the REST API. After authenticating the client application, the REST API returns the requested data in a JSON payload.

    Example GET request for the JSON payload of data for the Incident [incident] table:
    https://myinstance.service-now.com/api/now/table/incident?access_token={the_token}
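The three steps above and the Incident call, as an added example (not ServiceNow's own code): a minimal Python client against the endpoints shown, with an injectable HTTP transport and a constructed stand-in token endpoint so it runs offline. The state parameter, the form-encoded POST body and the Bearer header are assumptions not shown on this page.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

INSTANCE = "https://myinstance.service-now.com"  # instance name from the page

def build_authorize_url(client_id, redirect_uri, state):
    # Step 1: GET oauth_auth.do; response_type must be "code" for this flow.
    # "state" is the standard OAuth 2.0 CSRF guard, not shown on the page (assumption).
    params = {"response_type": "code", "redirect_uri": redirect_uri,
              "client_id": client_id, "state": state}
    return f"{INSTANCE}/oauth_auth.do?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    # Step 2: the instance redirects the user agent to the Redirect URL with ?code=...
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback did not come from our request")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def exchange_code(http_post, code, client_id, client_secret, redirect_uri):
    # Step 3: POST oauth_token.do with the same redirect_uri and client_id. Parameters
    # go in the form body, not the query string, so code and secret stay out of URL
    # logs (assumption: the instance accepts standard form-encoded bodies).
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
            "client_id": client_id, "client_secret": client_secret}
    tokens = json.loads(http_post(f"{INSTANCE}/oauth_token.do", urlencode(body)))
    return tokens["access_token"], tokens["refresh_token"]

def incident_request(access_token):
    # Call the Incident table with the token in a Bearer header instead of the
    # access_token query parameter shown on the page (assumption: header form accepted).
    return (f"{INSTANCE}/api/now/table/incident",
            {"Authorization": f"Bearer {access_token}", "Accept": "application/json"})

def fake_post(url, form_body):
    # Constructed stand-in for the token endpoint so the flow runs offline.
    fields = parse_qs(form_body)
    assert url.endswith("/oauth_token.do") and fields["grant_type"] == ["authorization_code"]
    return json.dumps({"access_token": "AT-" + fields["code"][0], "refresh_token": "RT-demo"})

def run_flow(redirect_uri="https://client.example/callback"):
    state = secrets.token_urlsafe(16)
    build_authorize_url("my-client", redirect_uri, state)  # the user agent is sent here
    # Pretend the user clicked Allow; the instance redirected with a constructed code.
    code = parse_callback(f"{redirect_uri}?code=demo123&state={state}", state)
    return exchange_code(fake_post, code, "my-client", "my-secret", redirect_uri)
```

Swap fake_post for a real HTTPS POST (for example with urllib.request) to run against an instance; the state check is what rejects a callback the client did not initiate.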
    Note:
    The system also supports OAuth implicit grants, also known as implicit grant code flow.

    Integration support

    Authorization code flow supports the following integrations on the instance:
    • Multi-SSO
    • SAML 2.0 Update 1
    • Multifactor authentication

    The mobile interface is also supported.