Is there a way to interact with the REST API without passing username/password?
‎12-05-2023 10:57 AM
Hi ServiceNow Community,
I am new to ServiceNow, and I am trying to make inbound requests to the ServiceNow Table REST API to retrieve records from a table. I want to know if there is any way to authenticate the request without passing in the username/password?
I am aware that I can use the OAuth2 endpoint to retrieve an access token, but for the very first call to it, I would still need to pass the username and password. I came across this article which makes it seem like basic authentication is required for all inbound API requests, so not sure if it's possible?
Probably unrelated, but I also came across Digest Token Authentication in the documentation, but it seems like that is only for user logins? Can that be used for authenticating my requests?
Thanks.

‎12-05-2023 04:43 PM
There are two types of authentication: Basic and OAuth. In Basic you will have to pass the username and password.
In the case of OAuth, from ServiceNow you can generate a Client ID and Client Secret and use that to generate an access token and refresh token. Every time you make a call to ServiceNow, you need to generate a new access token and then make the call. So you don't actually pass the username and password for OAuth.
Please mark this response as correct or helpful if it assisted you with your question.

‎12-05-2023 08:08 PM
Hi @bkundu ,
Based on the type of integration you are looking into, you can choose the appropriate authentication method for your APIs. Apart from basic authentication and OAuth resource owner password grant, you have four other alternatives.
1. If this is a user-initiated integration, you can use the authorization code grant flow.
2. If this is a system-to-system integration, you can use the JWT bearer grant type.
3. If you have an ID token from a 3rd party OIDC provider, you can also use that for API authentication.
4. We also support certificate-based authentication for APIs.
We also recommend the use of auth scope and API access policies for added security.
Thanks,
Randheer
‎12-05-2023 08:16 PM
Hi @bkundu ,
I trust you are doing great. There are several methods you can consider:
- Authorization Code Grant Flow: This is suitable for user-initiated integrations. It involves a two-step process where the user first authenticates and authorizes the application, which in turn receives an authorization code that can be exchanged for an access token.
- JWT Bearer Grant Type: Ideal for system-to-system integrations, this method uses JSON Web Tokens (JWT) as bearer tokens. It is particularly useful when you want to establish trust between two systems without user intervention.
- Third-Party OIDC Provider Token: If you have an ID token from a third-party OpenID Connect (OIDC) provider, you can use it for API authentication. This method leverages existing identity management systems.
- Certificate-Based Authentication: This method uses digital certificates to authenticate users or systems. It's highly secure as it requires the certificate to be present for authentication.
Was this answer helpful?
Please consider marking it correct or helpful.
Your feedback helps us improve!
Thank you!
Regards,
Amit Gujrathi
‎12-19-2023 03:02 PM
I'd like to follow up on this question as I am in a similar situation.
I'm trying to use the table REST API (specifically GET, PUT and POST) and would like to pass a clientID and clientSecret rather than username and password.
My current function (Python), which works fine, is as follows:

```python
import requests

def get_servicenow_data(url):
    # userName and password are defined elsewhere in the script
    headers = {'Content-Type': 'application/json', 'Accept': 'application/json'}
    response = requests.get(url, auth=(userName, password), headers=headers)
    data = response.json()
    return data
```

https://{instance}.service-now.com/api/now/table/idea/{id}
Could you shed some light on adaptations/an example of switching this up to use clientID and clientSecret instead?
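
An added example, not part of any post in this thread, of the OAuth approach the replies describe: the password is sent once to obtain tokens, and later calls reuse the cached access token and renew it with the refresh token plus client ID and secret. It assumes an OAuth application is registered on the instance and that tokens are issued at the instance's `/oauth_token.do` endpoint; the class and function names are hypothetical.

```python
import json, time, urllib.parse, urllib.request

def http_post_form(url, fields):
    """Default transport: POST form-encoded fields and return the parsed JSON."""
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

class ServiceNowOAuth:
    """Caches the access token and renews it with the refresh token."""

    def __init__(self, instance, client_id, client_secret,
                 post=http_post_form, clock=time.time):
        self.token_url = f"https://{instance}.service-now.com/oauth_token.do"
        self.client = {"client_id": client_id, "client_secret": client_secret}
        self.post, self.clock = post, clock
        self.access = self.refresh = None
        self.expires_at = 0.0

    def _store(self, tok):
        self.access = tok["access_token"]
        # Keep the old refresh token if the response does not rotate it.
        self.refresh = tok.get("refresh_token", self.refresh)
        # Renew 60 s early so a token does not expire mid-request.
        self.expires_at = self.clock() + int(tok["expires_in"]) - 60

    def login(self, username, password):
        """One-time password grant; the password is not stored afterwards."""
        self._store(self.post(self.token_url, {
            **self.client, "grant_type": "password",
            "username": username, "password": password}))

    def headers(self):
        """Bearer headers for Table API calls, refreshing a stale token first."""
        if self.access is None:
            raise RuntimeError("call login() once before making API requests")
        if self.clock() >= self.expires_at:
            self._store(self.post(self.token_url, {
                **self.client, "grant_type": "refresh_token",
                "refresh_token": self.refresh}))
        return {"Accept": "application/json",
                "Authorization": f"Bearer {self.access}"}
```

With this in place, the function above would call `requests.get(url, headers=oauth.headers())` instead of passing `auth=(userName, password)`; the username and password appear only in the single `login()` call.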