Allow CORS Origins for OAuth Endpoints
Use a system property to configure to specify which domains are allowed to make cross-origin requests.
ServiceNow can function as an OAuth authorization server, a resource server, or both simultaneously. When browser-based applications must access ServiceNow's OAuth endpoints, such as the authorization server metadata, protected resource metadata, or token endpoint, the browser's same-origin policy blocks these cross-origin requests by default. Configure the Access-Control-Allow-Origin header for these endpoints to specify which domains are allowed to make cross-origin requests.
When integrating third-party solutions with ServiceNow OAuth functionality, ensure that the glide.oauth.cors.allowed.origin system property exists in the System Properties [sys_properties] table, and holds the external domain(s) required for Cross Origin Resource Sharing (CORS) functionality.
More information
| Attribute | Description |
|---|---|
| Configuration name | glide.oauth.cors.allowed.origin |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | String |
| Recommended value | Varies based on use case. This property can one of these values:
Dica: There's no dynamic list for allow-listing multiple hostnames. Use an asterisk(*) to access the OAuth endpoints from multiple domains. |
| Default value | empty string |
| Fallback value | empty string |
| Category | Configuration |
| Security risk |
|
| Functional impact | This property can be used to connect MCP clients to the instance when the client exists entirely in the browser, and does not make token or discovery calls via a backend call to the ServiceNow platform. |
| Dependencies and prerequisites | None |