This guide explains how to use the ServiceNow REST API with OAuth 2.0 and PHP to access and manage data in the latest Yokohama release.
What Is OAuth 2.0 and How Does It Work with the ServiceNow REST API?
OAuth 2.0 is a method that enables external applications to securely communicate with your ServiceNow instance without requiring your username and password.
Let’s say you have an app (like Postman, a website, or another ServiceNow instance) that needs to read or write data in your ServiceNow system.
With OAuth 2.0, the app requests a special key (called an access token) to prove it’s authorized to access certain data.
To get this access token and then the ServiceNow data, follow the steps below:
Step 1: Create an OAuth Application in ServiceNow
In this step, we set up an OAuth Application for external systems to use.
- Log in to your ServiceNow instance.
- In the Navigator, search for ‘System OAuth’.
- Go to Application Registry and click New to create a new Application.

- Choose Create an OAuth API endpoint for external clients.

- Fill in the Basic Information fields.
- Add a Redirect URL.
- Make sure to add an Auth Scope.

The ServiceNow REST API supports several OAuth 2.0 authentication flows for authenticating your application with ServiceNow.
We’ll use the Authorization code grant flow.
It uses a client secret as an extra authorization parameter to prevent spoofing servers.
It is also the preferred flow for any server/cloud application.
Step 2: Authorize using OAuth 2.0
Redirect the user to the ServiceNow authorization endpoint:
https://<instance>.service-now.com/oauth_auth.do
With the following parameters:
| Parameter | Description |
| --- | --- |
| response_type | Must be code for this authentication flow. |
| client_id | The Consumer Key from the connected app definition. |
| redirect_uri | The Callback URL from the OAuth app definition. |
| state | Used to maintain state between the request and callback. |
The final authorization URL will be as follows:
https://<instance>.service-now.com/oauth_auth.do?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&state=wk_state
This will redirect the user to the ServiceNow login window. After logging in, the app asks the user to ‘Allow access’ based on the selected OAuth scopes.
After successful authorization, the browser redirects to the callback URL (redirect_uri) with a code parameter. This code is then used to request the access token.
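A fixed state value such as wk_state in the URL above does not tie the callback to the browser session that started the flow. The following added example (not part of the original post) generates a random state per authorization request and rejects any callback whose state does not match; the function names and the sn_oauth_state session key are assumptions, and the constants are placeholders named after the ones used in this post's snippets.

```php
<?php
// Added example: per-session OAuth "state" for the authorization request.
// buildAuthorizationUrl(), readAuthorizationCode() and the 'sn_oauth_state'
// session key are hypothetical names; the constants are placeholders.
define('SN_INSTANCE', 'your-instance');
define('CLIENT_ID', 'your-client-id');
define('REDIRECT_URI', 'https://app.example.com/callback.php');

function buildAuthorizationUrl(array &$session): string
{
    // 32 random bytes, hex-encoded, kept server-side for the callback check.
    $session['sn_oauth_state'] = bin2hex(random_bytes(32));

    return 'https://' . SN_INSTANCE . '.service-now.com/oauth_auth.do?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => CLIENT_ID,
        'redirect_uri'  => REDIRECT_URI,
        'state'         => $session['sn_oauth_state'],
    ]);
}

function readAuthorizationCode(array $query, array &$session): string
{
    $expected = $session['sn_oauth_state'] ?? '';
    unset($session['sn_oauth_state']);   // one-time use: a replayed callback fails

    $received = $query['state'] ?? '';
    if ($expected === '' || !is_string($received) || !hash_equals($expected, $received)) {
        throw new RuntimeException('OAuth state mismatch: callback rejected');
    }
    if (!isset($query['code']) || !is_string($query['code']) || $query['code'] === '') {
        throw new RuntimeException('No authorization code in callback');
    }
    return $query['code'];
}

// In the real flow, pass $_SESSION (after session_start()) and $_GET.
// Constructed demonstration with an array standing in for $_SESSION:
$session = [];
parse_str(parse_url(buildAuthorizationUrl($session), PHP_URL_QUERY), $sent);
echo readAuthorizationCode(['state' => $sent['state'], 'code' => 'abc123'], $session), "\n";
try {
    buildAuthorizationUrl($session);   // a new request, with a new state
    readAuthorizationCode(['state' => 'wk_state', 'code' => 'abc123'], $session);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```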


Step 3: Get Access Token
Create a POST request to the endpoint:
https://<instance>.service-now.com/oauth_token.do
With the following parameters:
| Parameter | Description |
| --- | --- |
| grant_type | The value must be authorization_code for this flow. |
| client_id | The Client ID from the OAuth app definition. |
| client_secret | The Client Secret from the OAuth app definition. Required for the Authorization code grant flow. |
| redirect_uri | The Callback URL from the OAuth app definition. |
| code | The authorization code that the consumer must use to obtain the access and refresh tokens. |
Below is a PHP cURL example for the token request:

```php
/**
 * Code for retrieving ServiceNow access token via cURL.
 *
 * @category  ServiceNow
 * @author    Webkul Software Pvt Ltd <[email protected]>
 * @copyright 2025 webkul.com. All Rights Reserved.
 * @license   GNU General Public License version 2 or later; see LICENSE.txt
 * @link      http://webkul.uvdesk.com
 */

// POST body ($code is the authorization code received on the callback in Step 2)
$postFields = http_build_query([
    'grant_type'    => 'authorization_code',
    'client_id'     => CLIENT_ID,
    'client_secret' => CLIENT_SECRET,
    'redirect_uri'  => REDIRECT_URI,
    'code'          => $code,
]);

// Initialize cURL
$ch = curl_init('https://'.SN_INSTANCE.'.service-now.com/oauth_token.do');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postFields);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Content-Type: application/x-www-form-urlencoded'
]);

// $response holds the JSON token response; $http_code and $error describe failures
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error     = curl_error($ch);
curl_close($ch);
```
The response contains several parameters, of which we use the following:
| Parameter | Description |
| --- | --- |
| access_token | The access token acts as a session ID that the application uses for making requests. This token should be protected as though it were user credentials. |
| token_type | Value is Bearer for all responses that include an access token. |
| refresh_token | A token that can be used in the future to obtain new access tokens. |
| expires_in | Validity of the access_token. |
| scope | The permissions (scopes) that were granted. Helps you understand what the token allows access to. |
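One way to consume these fields, as an added example that is not part of the original post: it validates the token response, records when the access token expires, and uses refresh_token to obtain a new one. The function names are hypothetical and the constants are placeholders; it assumes expires_in is a number of seconds and that the refresh request is the standard OAuth 2.0 grant_type=refresh_token POST to the same oauth_token.do endpoint.

```php
<?php
// Added example: helper names are hypothetical; constants are placeholders.
define('SN_INSTANCE', 'your-instance');
define('CLIENT_ID', 'your-client-id');
define('CLIENT_SECRET', 'your-client-secret');

// Validate a token response body and attach an absolute expiry time.
function parseTokenResponse(string $body, int $httpCode, int $now): array
{
    $data = json_decode($body, true);
    if ($httpCode !== 200 || !is_array($data) || empty($data['access_token'])) {
        // Report only the error code, never the raw body (it may hold tokens).
        $reason = is_array($data) && isset($data['error']) ? $data['error'] : 'unexpected response';
        throw new RuntimeException("Token request failed (HTTP $httpCode): $reason");
    }
    if (strcasecmp($data['token_type'] ?? '', 'Bearer') !== 0) {
        throw new RuntimeException('Unsupported token_type');
    }
    // Refresh 60 seconds early to absorb clock skew and request latency.
    $data['expires_at'] = $now + max(0, (int) ($data['expires_in'] ?? 0) - 60);
    return $data;
}

// Exchange the stored refresh_token for a new access token.
function refreshAccessToken(string $refreshToken): array
{
    $ch = curl_init('https://' . SN_INSTANCE . '.service-now.com/oauth_token.do');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'grant_type'    => 'refresh_token',
            'client_id'     => CLIENT_ID,
            'client_secret' => CLIENT_SECRET,
            'refresh_token' => $refreshToken,
        ]),
    ]);
    $body = curl_exec($ch);
    $httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false) {
        throw new RuntimeException('Token endpoint unreachable');
    }
    return parseTokenResponse($body, $httpCode, time());
}

// Constructed sample response; the token values are placeholders.
$sample = '{"access_token":"AT-EXAMPLE","refresh_token":"RT-EXAMPLE",'
        . '"scope":"useraccount","token_type":"Bearer","expires_in":1799}';
$token = parseTokenResponse($sample, 200, 1000);
echo $token['expires_at'], "\n";
```

Call refreshAccessToken() when time() reaches expires_at, and store both tokens server-side with the same care as the client secret.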
Step 4: Get Account Data via ServiceNow Rest API
Now we will use the response from step 3 to access data from ServiceNow.
Below is a PHP cURL example to get Account Data:

```php
/**
 * Code to retrieve ServiceNow Account Data via cURL.
 *
 * @category  ServiceNow
 * @author    Webkul Software Pvt Ltd <[email protected]>
 * @copyright 2025 webkul.com. All Rights Reserved.
 * @license   GNU General Public License version 2 or later; see LICENSE.txt
 * @link      http://webkul.uvdesk.com
 */

$url = 'https://'.SN_INSTANCE.'.service-now.com/api/now/account';

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    "Authorization: Bearer $accessToken", // ACCESS TOKEN FROM PREVIOUS STEP
    "Accept: application/json"
]);

// $res holds the JSON response body
$res = curl_exec($ch);
curl_close($ch);
```
To read more about different parameters, endpoints, and usability of the API, you may refer to the ServiceNow docs.
This blog gives a quick overview of setting up a basic REST connection with ServiceNow using minimal setup and simple concepts.
Hope it helps. For more info, check Reference Link 1 & Reference Link 2