My experience with Scripted Rest APIs and some good practices

Mohit Kaushik · ‎11-29-2023

I am sure most of you guys might be aware of it already, however, I would like to share my experience while working on Scripted REST APIs. Scripted REST APIs are a powerful way to create custom endpoints for your ServiceNow applications, and to expose data and functionality to external systems. They are also easy to create and maintain.
Before we proceed further, it is important to understand when to choose scripted REST APIs. We need to know if we are not recreating something which is already available, we need to make sure that we are not complicating a simpler solution.

When to choose or go with Scripted REST APIs

There can be many reasons to it for e.g., security: where you don’t want an external system to have full access to your table, flexibility for the payload, fancy authentications, more restrictions, scripting to communicate between tables or reusable methods over different API resources, etc. In my case there were two strong reasons to not choose table APIs:

My organization does not want the table APIs to be directly available due to security reasons as it is hard to track who and how many times the table APIs have been accessed and it can even spoil your ServiceNow data if accessed wrongly.
The requirements were to get custom payload which could not be possible with table APIs.

Now that we are clear when to choose scripted REST APIs, lets deep dive into the good practices for it.

Authentication: Avoid basic authentication and go for OAuth wherever possible. OAuth is more secure and advanced to authenticate. In this article I will not be explaining what OAuth is, but below links can help you understand about it and how to set it up for your APIs. https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/administer/security/concept/c...

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0778194
Once you are done with setting up OAuth profile, make sure you enforce it, so that nobody can get access your APIs with the help of basic authentication. In order to achieve this, you need to setup REST API access policies.
Authorization: Now that you have been authenticated, next step should be authorization, this can be achieved with the help of ACLs. You need to perform two major changes:
- Remove the default ACL (Scripted REST External Default) selected in your scripted API resources and create a new ACL of type REST_Endpoint and add it to your resource. The default ACL contains snc_internal role which exposes your API to all the users in your organization.
- Use GlideRecordSecure in place of GlideRecord to enforce the table level ACLs to your APIs. This will validate if the user is having access to read/write/create/delete on your table or not.

Follow REST API conventions: Use the appropriate conventions for specific usage. GET should only be used to query data/read data and not for any other purpose. POST must create records, PUT and PATCH to modify existing records, DELETE to delete records.
Versioning: Once we have secured our APIs we can move on to the next and very important part which is called versioning. This is one of the best features as it helps in creating multiple different versions of same API resource (as per the modifications in the requirements) without breaking the existing integration. We can have multiple active versions of our API, and all can be accessed just by appending version in the API resource URL. To utilize it more properly we should configure the API without a default version which will force the API consumers to specify a version in their request and get the appropriate response.
Informative HTTP status code and error messages: Return the appropriate HTTP status code to help the consumers understand the success or failure of the request. In case of failure, return appropriate error message/information along with your error code which allows the client to understand the problem without having to refer the API documentation.
Documentation: This is one of the most important parts of your development. A good documentation is equivalent to the best development. Once an API is published, API documentation makes sure another party (both internally and externally) knows what it can be used for and how it should be used.
Consider an example, you purchased Wireless headphones /Airdopes (wireless earbuds) and it came without a manual, how much difficult it will be for you to understand its functionalities like: how many times to tap on the earbud to go forward or backward in your music library, how to pick a call, how to access AI assistant and many more. Just like this, documentation helps you understand how and what to access in this API.
Test cases: Create your test cases to verify if you are getting the desired result. You should get the correct response status code, you should get appropriate message/information, you should get the payload in the desired format, you should receive correct error code etc. You can use postman, ATFs or any other REST client application that supports automated testing.

Note: To increase the security or restriction a bit more you can use authentication scopes. In below mentioned video series you can read about it more.

Below are some useful links which can help you understand and learn Scripted REST APIs in ServiceNow.

YouTube series on Scripted REST APIs
Scripted REST APIs in ServiceNow

Hit the helpful button if you liked it or found it helpful. Bookmark it for further updates!

Regards,

Mohit Kaushik

Developer and Community MVP 2023

SUBHAM_SHAW_SN · ‎12-07-2023

Lovely article. This could be a game changer for a person appearing for an interview. 🙂

Venkanna G · ‎04-16-2024

super, informative

Viji Rohan · ‎05-30-2024

Hello,

Thanks, for sharing the knowledge.

I have a question on using the same scripted rest api for two different tables by creating separate resources. I have a requirement to ingest vulnerability data into ServiceNow from an external source. The data could be for VRM or AVR (Application vulnerability). The tables for VRM & AVR are different. Instead of creating two scripted REST endpoints, is it a good practice to use the same scripted REST as the external system is the same. I had always created a separate scripted REST API in the past like Incident, change etc., Need some inputs please if there are any drawbacks of using the same scripted REST for two different purposes. The benefits expected out of this is specific to my organization wherein we have an intermediate platform within the intranet (a kind of proxy api or jump box) to route the requests to ServiceNow. Every REST API endpoint needs to be onboarded to this platform which is expensive in time, effort and ongoing maintenance. Instead of two endpoints being onboarded, we are looking to have one endpoint which can combine two requirements. The consuming application is the same in this case to so that there is no issue in the authentication being shared.

Vishal_1 · ‎10-25-2024

I want to understand how ACL's are evaluated between table API and Scripted rest API. In my understanding if we are using table API then table level acl will be evaluated but that is not in the case of scripted rest API.

Mohit Kaushik · ‎11-07-2024

@Vishal_1
There are two ways to evaluate ACLs:

1. Use GlideRecordSecure in place of GlideRecord this will automatically adhere the table level ACLs

2. Create custom ACL of type REST_Endpoint and incorporate your table ACLs through roles or conditions.

Mohit Kaushik · ‎11-07-2024

@Viji Rohan,
Sorry for late response, as per your requirements, you can use same API with different resources to handle your requirements. There are no drawbacks unless until you have specific validations and securities in place, so that only authorized people can access the correct resource. It is even more useful and easy to maintain within single API endpoint.