Configure an OAuth Client credential grant
Configure the OAuth Client Credentials Grant for secure machine-to-machine authentication that requires no user interaction. The grant authenticates an application with its client credentials and gives it controlled API access with scoped permissions.
Before you begin
Role required: oauth_admin, mi_admin, admin
Procedure
- Navigate to Machine Identity Console > Inbound integrations > New integration > OAuth Client credential grant.
The OAuth Client credential configuration page appears.
- Update the text fields in the Details form with the appropriate information.
Table 1. Details form
- Name: The name of the OAuth entity.
- Provider name: The name of the service provider you want to integrate with, for example Microsoft, Google, Zoom, or SAP.
- Client ID: The unique ID assigned to identify the application.
- Client Secret: The secret key known only to the application and the authorization server. The application uses this key to authenticate and obtain access tokens.
Select the Active check box.
- Update the text fields in the Auth scope (optional) form with the appropriate information.
The authentication scope defines the level of access an application has to a resource. Select the authentication scope for the specific REST APIs you want to access.
Table 2. Auth scope form
- Auth scope: The level of access an application has to a resource. The authentication scope restricts the actions that an access token can perform on APIs or data.
- Limit authorization: The names of the APIs for which you want to restrict authorization.
- Allow access only to APIs in selected scope: Enable this option so that the integration can access only the APIs explicitly listed in the selected scopes.
- Select Create new auth scope to add a new auth scope.
- Update the text fields in the Advanced options (optional) form with the appropriate information.
Table 3. Advanced options form
- Enforce token restriction: Limits the client to accessing only the APIs specified in the REST API Access Policies. If you clear this option, the client can access other REST APIs based on the user's ACL permissions.
- Token Format: Format of the token to generate. Options: JWT, Opaque.
Note: The JWKS URL is available at api/now/oauth/jwks. Rotated (inactive) keys are removed from the JWKS response after 105 days by default.
- Access token lifespan: Duration (in seconds) for which the OAuth access token remains valid before it expires. Note: The default value is 1800 seconds.
- Select Save.
A new OAuth Client credential grant is created.
- Go to All > Inbound integrations > Application Registries to view the newly created client credential grant.
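As an added example that is not code from the ServiceNow documentation or product, the following Python client exercises a grant configured as above from the application side: it sends the client credentials in a Basic header, caches the access token for the lifespan the server reports (falling back to the 1800-second default named above) and renews it shortly before expiry, refuses a response in which the server narrowed the requested scope, and for the JWT token format looks up the signing key by kid from the api/now/oauth/jwks endpoint, refetching once when a rotated key appears. The token endpoint path /oauth_token.do, the client credentials, the scope names and the FakeAuthServer are assumptions or constructed stand-ins; verifying the RS256 signature with the returned JWK is left to a JOSE library.

```python
"""Client side of the OAuth client credentials grant (RFC 6749, section 4.4):
request building, token caching keyed to the access-token lifespan, and a JWKS
cache that refetches on an unknown key id. The HTTP transport is injected, so
the module runs offline against the constructed FakeAuthServer below."""
import base64
import json
import time
from urllib.parse import parse_qsl, urlencode

TOKEN_PATH = "/oauth_token.do"      # assumed token endpoint; confirm for your instance
JWKS_PATH = "/api/now/oauth/jwks"   # JWKS location named on the page
DEFAULT_LIFESPAN = 1800             # the page's default access token lifespan (seconds)
REFRESH_SKEW = 60                   # renew this long before expiry to avoid races


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_request(client_id, client_secret, scopes):
    """Return (path, headers, body). The secret travels only in the Basic header,
    never in the URL, where it would land in proxy and server logs."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return TOKEN_PATH, headers, body


class TokenCache:
    """Reuses an access token until shortly before it expires, then renews it."""

    def __init__(self, transport, client_id, client_secret, scopes, clock=time.time):
        self._transport, self._clock = transport, clock
        self._args = (client_id, client_secret, list(scopes))
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token and now < self._expires_at - REFRESH_SKEW:
            return self._token
        path, headers, body = token_request(*self._args)
        resp = self._transport("POST", path, headers, body)
        if "access_token" not in resp:
            raise RuntimeError("token request failed: " + resp.get("error", "unknown"))
        # RFC 6749: a 'scope' in the response means the server changed the grant.
        if "scope" in resp and not set(self._args[2]) <= set(resp["scope"].split()):
            raise PermissionError("server narrowed the requested scope")
        self._token = resp["access_token"]
        self._expires_at = now + int(resp.get("expires_in", DEFAULT_LIFESPAN))
        return self._token


def jwt_kid(token):
    """Read 'kid' from a JWT access token's header to pick the verification key.
    Nothing in the token is trusted until its signature has been checked."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned token rejected")
    return header.get("kid")


class JwksCache:
    """Caches the JWKS and refetches once when a kid is missing (key rotation)."""

    def __init__(self, transport):
        self._transport, self._keys = transport, {}

    def key_for(self, kid):
        if kid not in self._keys:
            doc = self._transport("GET", JWKS_PATH, {}, None)
            self._keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        return self._keys.get(kid)   # None: key unknown or already retired


class FakeAuthServer:
    """Constructed stand-in for the authorization server (not real ServiceNow)."""

    def __init__(self, client_id, client_secret):
        self._basic = "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.kids = ["key-2024"]          # currently published signing keys, newest first
        self.scope_override = None        # set to simulate the server narrowing the scope
        self.token_calls = self.jwks_calls = 0

    def __call__(self, method, path, headers, body):
        if path == TOKEN_PATH:
            self.token_calls += 1
            if headers.get("Authorization") != self._basic:
                return {"error": "invalid_client"}
            form = dict(parse_qsl(body))
            scope = self.scope_override or form.get("scope", "")
            header = _b64url(json.dumps({"alg": "RS256", "kid": self.kids[0]}).encode())
            payload = _b64url(json.dumps({"jti": str(self.token_calls), "scope": scope}).encode())
            return {"access_token": f"{header}.{payload}.fake-signature",
                    "token_type": "Bearer", "expires_in": DEFAULT_LIFESPAN, "scope": scope}
        if path == JWKS_PATH:
            self.jwks_calls += 1   # constructed entries carry no RSA modulus; a real JWKS does
            return {"keys": [{"kid": k, "kty": "RSA", "use": "sig", "alg": "RS256"} for k in self.kids]}
        raise ValueError("unexpected path " + path)


if __name__ == "__main__":
    server = FakeAuthServer("client-123", "secret-xyz")   # constructed credentials
    token = TokenCache(server, "client-123", "secret-xyz", ["useraccount"]).get()
    print("kid:", jwt_kid(token), "jwk:", JwksCache(server).key_for(jwt_kid(token)))
```

Swapping FakeAuthServer for a function that performs the real HTTPS request keeps the rest unchanged; keep REFRESH_SKEW well below the configured Access token lifespan, and treat a None from key_for after a refetch as a token signed with a key the server has retired.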