If you are not familiar with OAuth, check out What is an OAuth token.
There is a ServiceNow API that can be used to do a number of different things, such as creating an alert or incident in ServiceNow. The first step in using the ServiceNow API is to generate the oAuth access token (aka bearer token) that will be used when submitting a GET or POST request to ServiceNow. There are a number of different tools that can be used to submit the GET request for the oAuth access token, such as curl, Java, Perl, PowerShell, Python, et cetera.
The following curl command can be used to obtain an OAuth access token and refresh token using the ServiceNow REST API, also known as a Bearer token.
AVOID TROUBLE
If the values being passed in, such as username or password, contain certain special character, the special characters will need to be ASCII hex . For example, the $ character would need to be replaced with %24. The - (dash) character does not need to be replaced by ASCII hex. Refer to https://www.ascii-code.com
curl
--insecure
--request POST
--header "Content-Type: application/x-www-form-urlencoded"
--url "https://example.service-now.com/oauth_token.do"
--data 'username=john.doe&
scope=useraccount&
grant_type=password&
password=your_password&
client_secret=your_secret&
client_id=your_id'
Something like this should be returned. Notice that both the access token and refresh token are returned.
{
"access_token": "wVgJu0-5tODq7s2m86a-X8jgsyASLTpx43dN-5aKGWttJO2OPyRIIlWInASig--XdvOljzNgvqxl-9MZ7nimrQ",
"refresh_token": "Sdmxfafze10ljwQhRPMtplxIeiudw4RD0fA5rrLgPYotA7CpaCeNKU2HwSKPVoai8KA68Onl7-OsT7TtfgNLtg",
"scope": "useraccount",
"token_type": "Bearer",
"expires_in": 31536000
}
And here is now you would get a new access token using the refresh token.
curl
--insecure
--request POST
--header "Content-Type: application/x-www-form-urlencoded"
--url "https://example.service-now.com/oauth_token.do"
--data 'grant_type=refresh_token&
refresh_token=your_refresh_token&
client_id=your_id&
client_secret=your_secret'
When debugging, the -v (verbose) flag can be used.
curl
--insecure
--request POST
--header "Content-Type: application/x-www-form-urlencoded"
--url "https://example.service-now.com/oauth_token.do"
--data 'username=john.doe&
scope=useraccount&
grant_type=password&
password=your_password&
client_secret=your_secret&
client_id=your_id'
-v
Which should return something like this.
> POST /oauth_token.do HTTP/1.1
> User-Agent: curl/7.29.0
> Host: example.service-now.com
> Accept: */*
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 161
>
* upload completely sent off: 161 out of 161 bytes
< HTTP/1.1 200 OK
< Server: snow_adc
< Date: Wed, 05 Jan 2022 05:24:27 GMT
< Content-Type: application/json;charset=utf-8
< Content-Length: 276
< Connection: keep-alive
< Set-Cookie: BIGipServerpool_example=92afc691f5eb0e5306dec5eb83bde1d1; httponly; secure; path=/; SameSite=None
< Set-Cookie: JSESSIONID=C113816C6083A4FF7B5FBDCFDBB85FC4; Path=/; HttpOnly; secure; SameSite=None
< Set-Cookie: glide_user=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly; secure; SameSite=None
< Set-Cookie: glide_user_session=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly; secure; SameSite=None
< Set-Cookie: glide_user_route=glide.90b5485e14763482289746b7aefbb23e; Max-Age=2147483647; Expires=Mon, 23-Jan-2090 08:38:34 GMT; Path=/; HttpOnly; secure; SameSite=None
< X-Is-Logged-In: false
< X-Transaction-ID: 83943d2a1b74
< Cache-Control: no-store
< Pragma: no-cache
< Strict-Transport-Security: max-age=63072000; includeSubDomains
<
* Connection #0 to host example.service-now.com left intact
Did you find this article helpful?
If so, consider buying me a coffee over at 