> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neoagent.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating the OAuth Application

> Set up a ServiceNow OAuth Application Registry entry so Neo Agent can connect to your instance

Neo Agent connects to ServiceNow using the OAuth 2.0 **Authorization Code grant**. Each customer registers a dedicated OAuth Application Registry entry in their own ServiceNow instance — Neo never has access to your credentials directly.

This page walks through creating that OAuth application in ServiceNow.

## How Neo Agent Permissions Work

Neo Agent uses **two layers of access control** to keep your ServiceNow data safe:

1. **ServiceNow OAuth Application** (what you configure here) — sets the *maximum* API access available, controlled by the role of the user the agent authenticates as.
2. **Neo Agent Dashboard** — where you choose exactly what Neo can do. You configure **permission groups** that control which areas Neo can read, write, or ignore — and whether actions require technician approval first.

Think of it like onboarding a new team member: you give them an account so they *can* access the areas they need, then their manager decides which tasks they actually work on. The ServiceNow OAuth app is the ceiling — Neo Agent's dashboard settings are the actual controls.

<Tip>
  Granting API permissions here does not mean Neo Agent will use them all. It simply ensures Neo *can* operate when you enable a capability in the dashboard. You stay in control of what Neo actually does.
</Tip>

## Creating the OAuth Application

<Steps>
  <Step title="Find Application Registry">
    In ServiceNow, use the navigation search (top-left) to find **System OAuth → Application Registry** and open it.

    <Frame caption="Search for 'system oauth' and click Application Registry in the results">
      <img src="https://mintcdn.com/neoagent/enpQfQhg_kNStBLx/images/servicenow/sn-find-application-registry.png?fit=max&auto=format&n=enpQfQhg_kNStBLx&q=85&s=b6b3e73510f145d4231f670f760c0fac" alt="Searching for System OAuth → Application Registry" width="3404" height="1734" data-path="images/servicenow/sn-find-application-registry.png" />
    </Frame>
  </Step>

  <Step title="Create a new OAuth integration">
    You'll land on the Application Registries list. Click **New** (top-right) to create a new OAuth app.

    <Frame caption="The Application Registry list — click New (top-right) to begin">
      <img src="https://mintcdn.com/neoagent/enpQfQhg_kNStBLx/images/servicenow/sn-new-application-registry.png?fit=max&auto=format&n=enpQfQhg_kNStBLx&q=85&s=fd1ddb96b65b65441e8e61bc4368b736" alt="Application Registry list page" width="3416" height="816" data-path="images/servicenow/sn-new-application-registry.png" />
    </Frame>

    ServiceNow asks **What kind of OAuth application?** Choose **New Inbound Integration Experience** (the first option).

    <Frame caption="Pick 'New Inbound Integration Experience' — entries marked [Deprecated UI] still work but are flagged for removal in a future SN release">
      <img src="https://mintcdn.com/neoagent/enpQfQhg_kNStBLx/images/servicenow/sn-application-registry-new-integration-type.png?fit=max&auto=format&n=enpQfQhg_kNStBLx&q=85&s=a97719d0991a9e0345b0dbeffc4ce8f0" alt="OAuth application kind selector" width="1368" height="622" data-path="images/servicenow/sn-application-registry-new-integration-type.png" />
    </Frame>

    The new Inbound Integrations page opens. Click **New integration** to continue.

    <Frame caption="The Inbound Integrations page — click 'New integration' (top-right)">
      <img src="https://mintcdn.com/neoagent/enpQfQhg_kNStBLx/images/servicenow/sn-application-registry-new.png?fit=max&auto=format&n=enpQfQhg_kNStBLx&q=85&s=f614f3db2837c09bdc5d585b1afd4bc1" alt="Inbound Integrations list page" width="3420" height="886" data-path="images/servicenow/sn-application-registry-new.png" />
    </Frame>
  </Step>

  <Step title="Pick the OAuth grant type">
    ServiceNow asks you to **Select your application connection type**. Choose **OAuth - Authorization code grant** (the first option).

    <Frame caption="Pick 'OAuth - Authorization code grant' — Neo uses this so every action is attributed to a specific user in your audit trail">
      <img src="https://mintcdn.com/neoagent/enpQfQhg_kNStBLx/images/servicenow/sn-select-application-type.png?fit=max&auto=format&n=enpQfQhg_kNStBLx&q=85&s=07404300c4c04d9f8ebd7a0b890f35bb" alt="OAuth application connection type selector" width="1616" height="1504" data-path="images/servicenow/sn-select-application-type.png" />
    </Frame>

    <Info>
      Neo uses the **Authorization Code grant** deliberately so every action Neo takes (notes, state changes, time entries) is attributed to the OAuth user in your ServiceNow audit logs. Other grant types either lose user attribution (Client credentials, JWT) or require Neo to know the user's password directly (Resource owner password) — none are appropriate.
    </Info>
  </Step>

  <Step title="Configure application details">
    Fill in the basic information for the new OAuth application:

    <Frame caption="The New record form — Name, Provider, Redirect URLs, and the auto-generated Client ID and Client Secret">
      <img src="https://mintcdn.com/neoagent/GQlcZoUOtCEqkVy5/images/servicenow/sn-new-app-record.png?fit=max&auto=format&n=GQlcZoUOtCEqkVy5&q=85&s=2f0ccb5924043371c29680294ffc493a" alt="OAuth application form filled in" width="2980" height="1374" data-path="images/servicenow/sn-new-app-record.png" />
    </Frame>

    Configure the following fields:

    <ParamField path="Name" type="string" required>
      A descriptive name like `Neo Agent` or `Neo Agent Integration`. This appears in your ServiceNow audit logs whenever Neo authenticates.
    </ParamField>

    <ParamField path="Redirect URL" type="string" required>
      Set this to exactly:

      ```
      https://dashboard.neoagent.io/oauth/servicenow/callback
      ```

      This is where ServiceNow sends the authorization code back to Neo after consent. The URL must match exactly — extra trailing slashes or query parameters will fail.
    </ParamField>

    <ParamField path="Refresh Token Lifespan" type="integer">
      The default of `8,640,000` seconds (100 days) is recommended. Shorter lifespans force more frequent reconnects.
    </ParamField>

    <ParamField path="Access Token Lifespan" type="integer">
      The default of `1800` seconds (30 minutes) is fine. Neo refreshes access tokens automatically using the refresh token.
    </ParamField>

    Leave **Active** checked. Save the record — ServiceNow will auto-generate a **Client ID** and **Client Secret**.

    <Warning>
      Copy the **Client Secret** as soon as it's generated. ServiceNow displays it in plain text on the form, but if you navigate away and the field gets re-encrypted in some configurations, you may need to regenerate it.
    </Warning>
  </Step>

  <Step title="Create the Neo service account user">
    ServiceNow's Authorization Code grant runs **as a specific user** — and that user choice is permanent for the lifetime of the integration. Every note, comment, state change, time entry, and ticket assignment Neo creates is attributed to that user in your audit trail. The `assigned_to` field on tickets Neo claims also points at that user.

    **Strongly recommended: create a dedicated `Neo Agent` service-account user before connecting.** Don't reuse a personal admin account or a shared "integration" user that already handles other systems — Neo's actions will be indistinguishable from theirs.

    Create the user with:

    * A clear `user_name` like `neo.agent` and display name like `Neo Agent (Service Account)` so audit-log readers immediately recognize automated activity
    * The `itil` role (so it can read and update task-family records, be assigned tickets, and post customer-visible comments)
    * Table API read/write on the parent `task` table and every subclass your agents will work with — `incident`, `sc_request`, `sc_req_item`, `sc_task`, `change_request`, `problem`
    * Table API read/write on `sys_journal_field` (notes), `task_time_worked` (time entries), `sys_user` and `sys_user_group` (assignment lookups), and any custom `u_*` columns your agents need to set
    * **The `email_api_send` role** if you plan to use Neo's "Email (sent via PSA)" notification mode. This is what lets Neo POST to `/api/now/v1/email` — the same path the SN UI Email tab uses. Skip this role if you only need note-based notifications; Neo will surface a clear inbox alert if it's missing and you try to send.
    * Active = true. Don't enable email notifications on this user — Neo doesn't need them and they create noise
    * A password you can sign in with (you'll log into ServiceNow as this user during the connect step)

    <Warning>
      **The user you sign in as during OAuth consent — not the user who set up this OAuth app — is who Neo operates as.** OAuth Application Registry doesn't bind to a specific user; the binding happens at consent time. If a different person is signed in when they click "Allow", *their* account becomes Neo's identity. See the [connect step](/integrations/psa/servicenow/connecting-to-neo) for how to make sure the right user is signed in.
    </Warning>

    <Tip>
      **Why this matters:**

      * **Audit trail clarity**: a single `Neo Agent` author makes it trivial to filter automated actions from human technician work
      * **Separation of duties**: the service account can be locked down to exactly what Neo needs, separate from human admin permissions
      * **Resilience to staff changes**: an admin leaving the org doesn't break the integration if Neo wasn't acting as them
      * **Compliance**: shows up cleanly in security reviews — "automated agent, scoped permissions" instead of "an unspecified admin account doing 10× normal work"
    </Tip>
  </Step>

  <Step title="Save your credentials">
    After saving, the form shows the application's authentication credentials (visible in the screenshot above) — **Client ID** and **Client Secret**. Make note of:

    * **Client ID** — a unique identifier (string of letters and numbers)
    * **Client Secret** — the password-equivalent (treat it like a password, don't share)
    * **Your instance URL** — for example `https://acme.service-now.com` (no trailing slash, no path)

    You'll enter all three into the Neo Agent dashboard in the next step.

    <Check>
      Before continuing, confirm:

      * The OAuth application is **Active**
      * The Redirect URL is exactly `https://dashboard.neoagent.io/oauth/servicenow/callback`
      * You've saved the Client ID and Client Secret somewhere secure
      * You've created a dedicated **Neo Agent service account** user (not a personal admin account) with the `itil` role and Table API read/write on the task family
      * You know the password for the service account user — you'll need to sign into ServiceNow as that user on the next page
    </Check>
  </Step>
</Steps>

## What's Next?

Once you've created the OAuth application, you're ready to [connect ServiceNow to Neo Agent](/integrations/psa/servicenow/connecting-to-neo) using:

* The Client ID from your OAuth application
* The Client Secret from your OAuth application
* Your ServiceNow instance URL
* A login **for the Neo service account user you just created** — *not* a personal admin account