# Update an OAuth 2.0 access token from a service

An [OAuth 2.0](https://auth0.com/intro-to-iam/what-is-oauth-2) access token stored as a [secret](https://docs.appfarm.io/reference/security/secrets) can be updated from a [service](https://docs.appfarm.io/reference/services). This can be used to refresh the token, either on demand from the [API explorer](https://docs.appfarm.io/reference/services/api-explorer), from [another service or app](https://docs.appfarm.io/library/action-nodes/run-service), or using a [schedule](https://docs.appfarm.io/reference/operations/schedules).

Before you create this service:

* You must first create the [secret](https://docs.appfarm.io/reference/security/secrets) where the access token should be stored. The secret must be environment-specific and cannot be locked.
* The [user](https://docs.appfarm.io/reference/security/users) or [service account](https://docs.appfarm.io/reference/security/service-accounts) that runs the service must have a role that has been granted the [permission](https://docs.appfarm.io/reference/security/permissions) **Update Secret from Service** > `SECRET_NAME`.
* You should have the documentation for the external API available, as you will need to construct a web request to fetch the new access token and map the token sent in the response.

To see how to run the service on a set schedule, for example every 24 hours, see Run a service on a schedule.

## 1. Create/choose a service

If you have an existing service that you use for integration with the external API, you can open that service.

If you do not have an existing service, or if you want to create a new service specifically to update the secret, create a new service.

1. Under [Services](https://create.appfarm.io/support/services), click **New Service**.
   1. Enter a name.
   2. Click **Create Service**.

## 2. Create a new endpoint

When called, the endpoint will trigger an action that runs a [Web request](https://docs.appfarm.io/library/action-nodes/web-request) to an external API to refresh the token. The token returned is temporarily stored in a Service variable before the secret is updated.

In the service:

1. Add a new endpoint or use the default endpoint that is created.
   1. Enter a **Name**.
   2. Check **Enable Log** to create a [log](https://docs.appfarm.io/reference/operations/logs) entry every time the endpoint is run.
   3. Verify that `GET` is selected under **Methods**.
2. Go to the **Data** tab.
   1. Click **Service Variables** in the list of data sources.
   2. Click **Add Runtime Property**.
   3. Enter a name. This variable will be used for temporarily storing the token.
3. Go to the **Actions** tab.
   1. Add a new action.
   2. Add an [Update object action node](https://docs.appfarm.io/library/action-nodes/update-object).
      1. For the **Data Source** property, select `Service Variables`.
      2. Under **Values on update**, set the token Service variable to null. This ensures the value is reset every time the service is run.
   3. Add a [Web request action node](https://docs.appfarm.io/library/action-nodes/web-request).
      1. Configure the request to fetch a new access token as per the format required by the external API.
      2. Add a **Result Mapping**.
      3. For the **Data Source** property, select `Service Variables`.
      4. Map the access token key in the response to the token Service variable.
   4. Add an [If action node](https://docs.appfarm.io/library/action-nodes/if).
      1. For the **Condition** property, create a [condition](https://docs.appfarm.io/reference/platform-concepts/conditions) that checks if the token Service variable has a value.
   5. Inside the If action node, add an [Update secret action node](https://docs.appfarm.io/library/action-nodes/update-secret).
      1. For the **Secret** property, select the secret you have created to store the access token.
      2. For the **Value** property, bind it to the Service variable containing the access token.
4. Go to the **Endpoints** tab.
   1. For the **Process Action** property, select the action you just created.

Test the service to ensure the access token is returned and the secret is updated. Remember that the [user](https://docs.appfarm.io/reference/security/users) or [service account](https://docs.appfarm.io/reference/security/service-accounts) that runs the service must have a role that has been granted the [permission](https://docs.appfarm.io/reference/security/permissions) **Update Secret from Service** > `SECRET_NAME`.
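The action built above (reset the variable, request a token, map it, update the secret only if a value arrived) can be sketched in Python to show why the reset and the If guard matter: a failed or malformed token response must never overwrite a working secret. This is an added example, not Appfarm code; the function names, the secret name `EXTERNAL_API_TOKEN` and the sample responses are constructed, and it assumes the external API returns the standard OAuth 2.0 JSON body with an `access_token` key.

```python
import json

def extract_access_token(status, body):
    """Result Mapping: return the token only from a well-formed success response."""
    if status != 200:
        return None
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):          # not JSON, e.g. a proxy error page
        return None
    if not isinstance(payload, dict) or "error" in payload:
        return None
    token = payload.get("access_token")
    return token if isinstance(token, str) and token.strip() else None

def run_endpoint(fetch_token, secrets, secret_name):
    """One run of the action. Returns True only if the secret was updated."""
    variables = {"token": None}              # Update object: reset to null
    try:
        status, body = fetch_token()         # Web request (injected so this runs offline)
    except OSError:                          # network failure
        status, body = 0, ""
    variables["token"] = extract_access_token(status, body)
    if variables["token"] is None:           # If: does the variable have a value?
        return False                         # no: the existing secret is kept
    secrets[secret_name] = variables["token"]  # Update secret
    return True

# Constructed token-endpoint responses as (HTTP status, body).
OK = (200, '{"access_token": "new-token-123", "token_type": "Bearer", "expires_in": 3600}')
ERR = (400, '{"error": "invalid_client"}')
EMPTY = (200, '{"access_token": ""}')
HTML = (200, "<html>gateway timeout</html>")

def demo():
    secrets = {"EXTERNAL_API_TOKEN": "old-token"}   # hypothetical secret name
    results = []
    for resp in (ERR, EMPTY, HTML, OK):
        updated = run_endpoint(lambda r=resp: r, secrets, "EXTERNAL_API_TOKEN")
        results.append((updated, secrets["EXTERNAL_API_TOKEN"]))
    return results

if __name__ == "__main__":
    for updated, value in demo():
        print(updated, value)
```

Without the reset step, a token left in the variable from an earlier run would pass the If check after a failed request and be written back as if it were fresh.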


