
Example SRM Script for OAuth Token Authorization

This example script for Scriptable Request Modification (SRM) uses OAuth to authenticate with a target endpoint during an HTTP request. The script is not limited to OAuth and you can configure it to work with other authorization services.

Ensure you have read the SRM Script Requirements.

This script does the following:

  • Creates and sends a request to an access token URL.
  • Parses the response for the returned bearer token.
  • Adds the bearer token as a header on the original request for authentication.
  • Saves the bearer token in the global scope for reuse on subsequent requests to the target URL.
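
const clientId = "your-client-ID";

// Cached in the global scope so that later requests reuse the same token.
var bearerToken = null;

function run() {
    // Request a token only when none is cached yet.
    if (bearerToken === null) {
        let tokenRequest = createTokenRequest();
        bearerToken = fetchToken(tokenRequest);
    }

    // Authenticate the original request with the bearer token.
    updateRequestHeaders(bearerToken);
}

function createTokenRequest() {
    let username = "your-OAuth-username";
    let password = "your-OAuth-password";
    let grantType = "password";

    let tokenRequest = httpClient.createRequest("https://your-api/token");
    tokenRequest.addHeader("content-type", "application/x-www-form-urlencoded");
    // The values are concatenated as-is, so any reserved characters in them
    // (such as & or =) must already be URL-encoded.
    tokenRequest.setBody("grant_type=" + grantType + "&client_id=" + clientId + "&username=" + username + "&password=" + password);

    return tokenRequest;
}

function fetchToken(tokenRequest) {
    let response = tokenRequest.send();
    let message = response.message().asString();
    // The token endpoint returns JSON; the bearer token is in access_token.
    let parsedBearerToken = JSON.parse(message).access_token;

    return parsedBearerToken;
}

function updateRequestHeaders(token) {
    // request is the original HTTP request that this script modifies.
    request.addHeader("authorization", "Bearer " + token);
    request.addHeader("client_id", clientId);
}
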
In this example, the global object named httpClient is available to scripts upon each call to the initial run() function. The following sections describe the functions and properties of this global object.

HttpClient Object Function

This table describes the function and return type for the HttpClient object.

| Function | Return type | Description |
| --- | --- | --- |
| createRequest(url) | ClientRequest | Returns a new instance of the ClientRequest class object that sends the request to the target URL. You specify the target URL as a string for the url parameter. To set properties for the ClientRequest object, use the functions in the ClientRequest Object Functions table. Ensure you set the properties on the specific instance of the ClientRequest object that this function returns. |

ClientRequest Object Functions

This table describes the functions and return type for the ClientRequest object.

| Function | Return type | Description |
| --- | --- | --- |
| addHeader(name, value) | Null | Adds a header to the headers array for this request. Both parameter values are strings. If a header with the specified name already exists, this function adds an additional header with the same name. |
| setUrl(url) | Null | Sets the URL for this ClientRequest as a string. Typically, the URL is already set when the object is instantiated. However, this function can set the URL if the value is null. |
| setBody(body) | Null | Sets the body on this ClientRequest as a string. Ensure that you add the appropriate Content-Type header for the type of body you want to send in the request. Common body types are application/x-www-form-urlencoded and key-value. For example: param1=data1&param2=data2&param3=data3. |
| setMethod(name) | Null | Sets the HTTP method for this ClientRequest as a string. The value is usually a GET or POST, but other common values are PUT, PATCH, and DELETE. |
| setVersion(version) | Null | Sets the HTTP version for this ClientRequest as a string. The default is HTTP/1.1. |
| send() | ModifiableHttpResponse | Returns a ModifiableHttpResponse class object, which is a basic implementation of an HTTP response. To get properties for the ModifiableHttpResponse object, use the functions in the ModifiableHttpResponse Object Functions table. |

ModifiableHttpResponse Object Functions

This table describes the functions and return type for the ModifiableHttpResponse object.

| Function | Return type | Description |
| --- | --- | --- |
| body() | Byte Array | Returns the body message of the response. The body contains a series of bytes encoded in UTF-8, by default, unless the headers specify a different encoding. |
| asString() | String | Returns the response body message as a string. Veracode recommends that you use this function to simplify parsing the response. |
| status() | String | Returns the HTTP response status code as a string. For example, 200 OK or 404 NOT FOUND. |
| headers() | List<Header> | Returns the response headers as an iterable list. |
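
The example script at the top of this page concatenates credentials into the form body unencoded, parses the token response without checking status(), and keeps the first token for every later request. The following added example (not Veracode's code) shows helpers that close those three gaps. The names buildTokenBody, parseTokenResponse, needsRefresh and REFRESH_MARGIN_MS are hypothetical, and it assumes the token endpoint returns the standard OAuth 2.0 expires_in field, which this page does not mention.

```javascript
// Added example: pure helpers with no SRM globals, so they also run under Node.js.
const REFRESH_MARGIN_MS = 30 * 1000; // assumed safety margin before expiry

// URL-encode each form field so characters such as & = + in a password
// cannot split or alter the x-www-form-urlencoded body.
function buildTokenBody(fields) {
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + "=" + encodeURIComponent(fields[k]))
    .join("&");
}

// statusLine: string in the form status() returns, for example "200 OK".
// bodyText: response body as a string. nowMs: current time in milliseconds.
function parseTokenResponse(statusLine, bodyText, nowMs) {
  const code = parseInt(statusLine, 10);
  if (!(code >= 200 && code < 300)) {
    throw new Error("token endpoint returned " + statusLine);
  }
  let parsed;
  try {
    parsed = JSON.parse(bodyText);
  } catch (e) {
    throw new Error("token response is not valid JSON");
  }
  if (parsed === null || typeof parsed.access_token !== "string" || parsed.access_token === "") {
    // Without this check the request would carry "Bearer undefined".
    throw new Error("token response has no access_token");
  }
  // expires_in (seconds) is optional in OAuth 2.0; if absent, no expiry is assumed.
  const ttl = Number(parsed.expires_in);
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? nowMs + ttl * 1000 : null;
  return { token: parsed.access_token, expiresAt: expiresAt };
}

// True when no token is cached or the cached one is at or near expiry.
function needsRefresh(cache, nowMs) {
  if (cache === null) return true;
  return cache.expiresAt !== null && nowMs >= cache.expiresAt - REFRESH_MARGIN_MS;
}

// Constructed sample values, not real credentials or a real endpoint reply.
const sampleBody = buildTokenBody({ grant_type: "password", client_id: "your-client-ID",
  username: "your-OAuth-username", password: "p&ss=w+rd" });
const sampleCache = parseTokenResponse("200 OK", '{"access_token":"abc123","expires_in":3600}', 0);
```

In an SRM script, run() would call needsRefresh in place of the bearerToken === null test and store the object that parseTokenResponse returns.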