OAuth implicit grants

ServiceNow instances support the implicit grant of an access token.

The implicit grant type, also known as implicit grant code flow, allows the access token to be given directly to the client application via the user agent, which is typically the web browser or mobile device. No refresh tokens are granted. The end user must still grant access to the protected resource on the instance, just as with standard authorization code grant flow.

OAuth implicit grant flow process

Just as with the standard authorization code flow process, the client application makes a request to use the restricted resource on the instance and the end user approves it. The request is in the form of a URL sent to the instance. The URL must include the following parameters:
  • client_id=(the necessary client ID). This is mandatory to identify which protected resource the client application wants access to.
  • response_type=token. This is mandatory to request the access token directly (as opposed to asking for an authorization code). The value must be token for implicit grants. In the standard authorization code flow example, the response type is code.
  • redirect_uri=(a URL): The location where the token is sent.

The authorization server sends the access token, rather than an authorization code, to client application via the user agent.

Here is an example GET request to receive the JSON payload of data for the Incident [incident] table:
If the user grants access, the token is included in the redirect (callback) URL: