This article provides some additional information on how to manage Oauth token stored in ServiceNow.
The tokens are stored in 'oauth_credential' table . The tokens can be found under System oAuth -> Manage Tokens
Some of the important columns in this table.
Token - Value of the token issued by ServiceNow instance .
Type - Determines if the token is 'Access Token' or 'Refresh Token'
Expires - Data/Time when the Access or Refresh Token expire .
Token Received - Value of the token issued by a 3rd party OAuth Provider . This value is in encrypted format .
Token Expiration and Validity:
Access Token :
By default, an instance issues access tokens with a 30-minute lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 30 days.
By default, an instance issues refresh tokens with a 100-day lifespan in the scenario where the instance is the OAuth provider. For third-party tokens, 365 days.
For tokens issued by ServiceNow the lifespan can be changed in the Application Registry (oauth_entity) entry by changing the values in :'Access Token Lifespan' and 'Refresh Token Lifespan' . The value is in seconds.
For 3rd party tokens once the token is received the expiration may be changed by changing the value in 'Expires' column in the Manage Tokens (oauth_credential) section.
Everytime a new call is made to get a new access token (not by using grant_type=refresh_token) , the expiration of the current refresh token is also refreshed to a new time .
ServiceNow refresh tokens does have an expiration date but can set to a very large number (thousands of years) which essentially can make Refresh token not to expire .
Using this refresh token a new access token can be obtained (without the need to send username/password) using the grant_type=refresh_token
Access to an existing valid token can also be revoked using the steps below:
Click the Name to open the token.
Click Revoke Access to prevent access to the restricted resource.
oAuth tokens which are issued by the instance and which are received from 3rd party OAuth provider are stored in