
warren_chan
ServiceNow Employee

As part of our December 2025 release of Now Assist AI Agents, we’re introducing AI agent interoperability over the Google Agent2Agent (A2A) protocol. Follow the instructions below to set up your ServiceNow AI Agents as secondary agents (acting as the A2A server).

 

Instance Requirements

  • Platform version:
    • Yokohama Patch 11+ (January 2026)
    • Zurich Patch 4+ (December 2025)
  • Application version:
    • Now Assist AI Agents 6.0.x+ (December 2025 release)

Application Settings

  • Turn on external agents (AI Agent Studio > Settings)
    • Allow ServiceNow to access External AI agents:
      • Set sn_aia.external_agents.enabled: true
    • Allow third party to access ServiceNow AI Agents:
      • Set sn_aia.internal_agents.enabled_external: true

warren_chan_0-1765307343327.png

Service Account/User Setup

  • Create service/user account in User [sys_user] table
    • Make sure user is Active: true
    • Password needs reset: false
    • Locked out: false
  • Assign role to run ServiceNow AI Agents
    • sn_aia.integration (recommended – basic run time access)
    • sn_aia_admin (testing only – full AI Agent write/create access)
  • Assign any necessary application roles (e.g., itil)
  • Assign any necessary integration roles
    • rest_service
    • snc_platform_rest_api_access

Select the AI Agent

  • Get the sys_id of one of your AI agents to prepare to make the A2A API call
    • Go to All > AI Agent Studio > Create and manage
    • Select AI agents list.
    • Select your AI agent.
  • Take note and copy the sys_id of the AI agent from the browser bar. Alternatively, you can navigate to the AI Agents [sn_aia_agent] table and copy the sys_id from the AI agent record row directly:

warren_chan_1-1765307410902.png

 

  • In addition, ensure that Enable this AI agent for discovery is toggled on for your AI Agent. This sets the associated AI Agent Config [sn_aia_agent_config] record’s External discoverable value to be true.
  • Under Select channels and status, ensure that your AI agent is Active.

warren_chan_2-1765307436233.png

 

(For Postman or for testing with no callback) Messaging Channel

  • If testing with Postman or curl command and you do not have a functional callback URL, then you must set your Messaging Channel to Synchronous.
  • Go to Messaging Channels [sys_cs_channel] list.
  • Add Synchronous field to your personalized list columns.
  • If necessary, switch to the Now Assist AI Agents application scope.
  • On the AI Agent A2A Channel record, set Synchronous to true:

warren_chan_3-1765307529831.png

  • For asynchronous scenarios (recommended for user experience and performance), set up a callback URL in the External Agent Push Notification [sn_aia_ea_push_notification_url] table.

(Informational) AI Agent A2A API

  • To view the Scripted REST API for A2A, go to All > System Web Services > Scripted REST APIs
  • Select AI Agent A2A API:

warren_chan_4-1765307565431.png

  • Go to the Resources related list. These are the Scripted REST Resources (endpoints) of the A2A Scripted REST API:

warren_chan_5-1765307589364.png

  • As of the Google A2A 0.3.0 version alignment, the Scripted REST Resource Agent Card - Direct Discovery is marked as Requires authentication = false. Change this to true if you want to require authentication for the Agent Card Direct Discovery.
  • Note that our test examples execute a GET on the Agent Card. If Requires authentication = false, the request succeeds without credentials, so it is not a valid authentication test. Set Requires authentication = true before you test authentication.
  • Also note that ServiceNow A2A has separate endpoints for Agent Card discovery and Agent Execution. Additionally, as of December 2025, there is a V2 version for each endpoint:
    • (GET) Agent Card V1: /api/sn_aia/a2a/id/{agent_id}/well_known/agent_json
    • (GET) Agent Card V2: /api/sn_aia/a2a/v2/agent_card/id/{agent_id}
    • (POST) Agent Execution V1: /api/sn_aia/a2a/v1/agent/id/{agent_id}
    • (POST) Agent Execution V2: /api/sn_aia/a2a/v2/agent/id/{agent_id}
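
One way to confirm the Requires authentication setting described above from outside the instance, as an added example (not ServiceNow's code): it requests both Agent Card endpoints with no credentials and, optionally, with an API key in the x-sn-apikey header, then reports which ones answer anonymously. The function names and the SN_* environment variable names are assumptions made for this example.

```python
import re
import urllib.error
import urllib.request

# Agent Card endpoint templates exactly as listed on this page.
AGENT_CARD_PATHS = {
    "Agent Card V1": "/api/sn_aia/a2a/id/{agent_id}/well_known/agent_json",
    "Agent Card V2": "/api/sn_aia/a2a/v2/agent_card/id/{agent_id}",
}


def http_status(url, headers=None, timeout=10):
    """GET the URL and return the status code instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers or {}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_agent_card_auth(base_url, agent_id, api_key=None, get_status=http_status):
    """Probe each Agent Card endpoint without and (optionally) with an API key."""
    # A sys_id is 32 hex characters; rejecting anything else keeps the path fixed.
    if not re.fullmatch(r"[0-9a-f]{32}", agent_id):
        raise ValueError("agent_id must be a 32-character hex sys_id")
    findings = []
    for name, template in AGENT_CARD_PATHS.items():
        url = base_url.rstrip("/") + template.format(agent_id=agent_id)
        anon = get_status(url)
        authed = get_status(url, {"x-sn-apikey": api_key}) if api_key else None
        if anon == 200:
            verdict = "OPEN: card returned without credentials"
        elif anon in (401, 403) and authed == 200:
            verdict = "PROTECTED: anonymous rejected, API key accepted"
        elif anon in (401, 403):
            verdict = "PROTECTED: anonymous rejected, API key not accepted or not tested"
        else:
            verdict = "UNEXPECTED: check the instance URL and agent sys_id"
        findings.append({"endpoint": name, "url": url, "anonymous": anon,
                         "with_key": authed, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Hypothetical environment variable names; set them for your own instance.
    import os
    for row in audit_agent_card_auth(os.environ["SN_INSTANCE_URL"],
                                     os.environ["SN_AGENT_SYS_ID"],
                                     os.environ.get("SN_API_KEY")):
        print(row["endpoint"], row["anonymous"], row["with_key"], row["verdict"])
```

An OPEN verdict means the Agent Card is readable by anyone who knows the agent sys_id, which is the default described above for the Direct Discovery resource.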

Create Application Registry for OAuth Endpoint

  • Go to System OAuth > Application Registry.
  • Select New.
  • Select Create an OAuth API endpoint for external clients:

warren_chan_6-1765307627149.png

  • On the new Application Registry form:
    • Enter a Name (e.g., A2A OAuth External Agents)
    • Client ID field will be automatically populated.
    • Upon saving, the Client Secret field will be automatically generated as well.
  • Under Auth Scopes mapping, add the a2aauthscope record.

warren_chan_7-1765307652599.png

  • Save the Application Registry record.

Authentication Profiles OAuth

  • Go to System Web Services > API Access Policies > Inbound Authentication Profile
  • Create New (or modify existing OAuth in External AIA for A2A policy)
  • Select Type is OAuth, and pick the OAuth Entity that you created before:

warren_chan_8-1765307682158.png

For OAuth with Authorization (Bearer) Token

  • On the Application Registry record, set the following fields:
    • Client Type: Integration as a Service
    • Default Grant type: Authorization Code
    • Redirect URL: https://<your instance name>.service-now.com/login.do
    • Active: true

warren_chan_9-1765307720306.png

 

  • In Postman, construct a GET request, like this:
    • Method: GET
    • URL: https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
    • Auth Type: OAuth 2.0
    • Add authorization data to: Request Headers
    • Token: (empty until you pull a token)
    • Header Prefix: Bearer
    • Token Name: <enter a name for your token>
    • Grant type: Authorization Code
    • Callback URL: https://<your instance name>.service-now.com/login.do
    • Authorize using browser: false, unchecked
    • Auth URL: https://<your instance name>.service-now.com/oauth_auth.do
    • Access Token URL: https://<your instance name>.service-now.com/oauth_token.do
    • Client ID: <your Client ID value from the Application Registry record in ServiceNow>
    • Client Secret: <your Client Secret value from the Application Registry record in ServiceNow>
    • Scope: (leave blank, response should select a2aauthscope by default)
    • State: <enter some random value, but keep it unique between each request send>
    • Client Authentication: Send as Basic Auth header
    • Refresh Token URL: (will be populated automatically by other fields)

warren_chan_10-1765307747786.png

warren_chan_11-1765307777325.png

warren_chan_12-1765307796524.png

warren_chan_13-1765307818078.png

 

  • In Postman, select the Get New Access Token button
  • This will create a new popup modal window

warren_chan_14-1765307843007.png

  • It will redirect to a ServiceNow login page. Enter the username and password of the account that you would like to use for this connection:

warren_chan_15-1765307861673.png

 

  • You will receive a prompt asking to deny or allow the request. Choose Allow:

warren_chan_16-1765307890436.png

 

  • If successful, you will receive a confirmation message like this:

warren_chan_17-1765307911707.png

  • Then Postman will display your access and refresh tokens. Select Use Token to continue the request process in Postman:

warren_chan_18-1765307930771.png

 

  • The token details will be automatically populated in the Token section of your Postman request:

warren_chan_19-1765307953106.png

  • In Postman, select Send to send the request:

warren_chan_20-1765307974875.png

 

  • Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.

warren_chan_21-1765308000645.png

 

  • cURL command alternate:
curl --location 'https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json' \
--header 'Authorization: Bearer <your OAuth token>'

 

For OAuth with Client Credentials

warren_chan_0-1765309012801.png

 

  • On the ServiceNow Application Registry form, add the following fields to the form:
    • Default Grant Type [default_grant_type]
    • OAuth Application User [user]
  • On the Application Registry record, set the following:
    • Default Grant Type: Client Credentials
    • OAuth Application User: <select the user account you want to use>
    • Active: true
    • Remaining fields can be the same as OAuth for Authorization Code setup

warren_chan_1-1765309039496.png

 

  • In Postman, construct the following request, very similar to the previous section for OAuth for Authorization Code.
    • Grant type: Client Credentials
    • Client Authentication: Send as Basic Auth header

warren_chan_2-1765309060713.png

 

  • The remaining steps are the same as OAuth for Authorization Code:
    • In Postman, select the Get New Access Token button
    • This will create a new popup modal window.
    • If the session is currently unauthenticated, it will redirect to a ServiceNow login page.
    • Enter the username and password of the account that you would like to use for this connection.
    • You will receive a prompt asking to deny or allow the request. Choose Allow.
    • Then Postman will display your access and refresh tokens. Select Use Token to continue the request process in Postman.
    • The token details will be automatically populated in the Token section of your Postman request:

warren_chan_3-1765309086436.png

 

  • In Postman, select Send to send the request.
  • Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.
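
The Client Credentials exchange that Postman performs above, written out as an added example (not ServiceNow's code): it builds the token request with the client ID and secret in a Basic Auth header, and checks that the returned token is a Bearer token carrying the a2aauthscope scope before it is used. The instance URL, client values and sample response bodies are constructed for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

EXPECTED_SCOPE = "a2aauthscope"  # Auth Scope mapped on the Application Registry record


def build_token_request(instance_url, client_id, client_secret):
    """Client Credentials grant with client authentication sent as a Basic header."""
    if not instance_url.startswith("https://"):
        raise ValueError("refusing to send client credentials over non-HTTPS")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        instance_url.rstrip("/") + "/oauth_token.do",
        data=body,
        headers={
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def check_token_response(raw_json):
    """Return (access_token, problems) for a token endpoint response body."""
    doc = json.loads(raw_json)
    problems = []
    token = doc.get("access_token")
    if not token:
        problems.append("no access_token in response")
    if str(doc.get("token_type", "")).lower() != "bearer":
        problems.append("token_type is not Bearer")
    scopes = str(doc.get("scope", "")).split()
    if EXPECTED_SCOPE not in scopes:
        problems.append(f"scope {scopes} does not include {EXPECTED_SCOPE}")
    return token, problems


def request_token(instance_url, client_id, client_secret):
    """Fetch and validate a token from a live instance (needs network access)."""
    req = build_token_request(instance_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_token_response(resp.read().decode())


# Constructed sample response bodies, not captured from a real instance.
SAMPLE_SCOPED = ('{"access_token": "EXAMPLE-TOKEN", "scope": "a2aauthscope", '
                 '"token_type": "Bearer", "expires_in": 1799}')
SAMPLE_WRONG_SCOPE = ('{"access_token": "EXAMPLE-TOKEN", "scope": "useraccount", '
                      '"token_type": "Bearer", "expires_in": 1799}')
```

Read the client secret from a secret store or environment variable when calling request_token, rather than placing it in source.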

For OAuth with Resource Owner Password Credentials

  • Very similar setup to above steps in OAuth for Authorization Code and OAuth for Client Credentials
  • In ServiceNow Application Registry record, set the following:
    • Default Grant type: Resource Owner Password Credentials
  • In Postman, add the following to your request:
    • Grant type: Password Credentials
    • Username: <your user record’s username>
    • Password: <your user account’s password>

warren_chan_4-1765309115712.png

 

For Federated Token Authentication

API Key for Authentication

  • Go to All > System Web Services > API Access Policies > Inbound Authentication Profiles
  • Select New
  • Select Create API Key authentication profiles
    • Name: <enter a name>
    • Auth Parameter: x-sn-apikey (for Type = Auth Header)

warren_chan_5-1765309163646.png

 

warren_chan_6-1765309185865.png

 

  • Go to All > System Web Services > API Access Policies > REST API Key
  • Select New
  • Fill in the following fields:
    • Name
    • Description
    • User: <select your user/service account>
    • Auth Scope: a2aauthscope
  • Save or update
  • Your API key will be generated in the Token field

warren_chan_7-1765309216675.png

 

API Access Policies (for OAuth or API Key)

  • Go to System Web Services > API Access Policies > REST API Access Policies
  • Select AI Agent A2A API Access Policy
  • Under Inbound authentication profiles, add your Authentication Profile from above in the list

warren_chan_8-1765309235638.png

 

Testing API Key for Authentication

  • Open Postman
  • Create a new GET request:
    • Method: GET
    • URL: https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
    • Under Headers, add:
      • x-sn-apikey: <your API key you generated>
    • In Postman, select Send to send the request.
    • Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.

warren_chan_9-1765309261252.png

 

  • cURL command alternate:
curl --location 'https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI agent ID>/well_known/agent_json' \
--header 'x-sn-apikey: <your API key you generated>'

 

Testing API Key with another ServiceNow Instance

  • On the A2A client ServiceNow instance, log in as an Admin.
  • Go to IntegrationHub > Connections & Credential Aliases.
  • Select New.
    • Fill in the following fields:
      • Name: <enter name of your connection>
      • Type: Connection and Credential
      • Connection type: HTTP
      • Default Retry Policy: Default HTTP Retry Policy
      • Configuration Template: (none)
    • Save the Connection Alias record.
    • In Connections related list, select New.
      • Fill in the following fields:
        • Name: <enter name of your connection>
        • Credential: (empty for now)
        • Connection alias: <select parent Connection Alias record>
        • Connection URL: https://<your A2A server instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
        • Active: true
      • Save the Connection record.
      • Go to IntegrationHub > Credentials.
      • Select New.
      • Create a new record, like this:
        • In the interceptor, select Secondary Bot Static Token Credential. This gives us the headers that we need to authenticate with a REST API key.
        • Fill in the following fields:
          • Name: <enter name of your credential>
          • Active: true
          • Header: x-sn-apikey
          • Static Token: <your API key you generated in the other instance>
          • Authorization Algorithm: Second Bot Static Token Auth
          • Type: sn_va_as_service_static_token
          • Credential alias: <none>
        • Save the Credential record.

warren_chan_10-1765309311294.png

 

  • On the parent Connection record, select the created Credential in the Credential field.
  • Save the Connection record.
  • In A2A client ServiceNow instance, go to AI Agent Studio > Create and manage.
  • Go to the AI agents sub-list.
  • Select the Add dropdown, and pick External.
  • Select Agent2Agent (A2A) Protocol in the popup modal.
  • Walk through the guided setup and choose your above Connection Alias as your external provider.
  • If necessary, repeat the process for Agent Execution Connection Alias.

Testing OAuth 2.0 with another ServiceNow Instance

  • Prerequisites:
    • Make sure your Application Registry record for OAuth is created on your A2A server ServiceNow instance (see earlier steps).
  • On the A2A client ServiceNow instance, log in as an Admin.
  • Go to System OAuth > Application Registry.
    • Select Connect to a third party OAuth Provider – Outbound:

warren_chan_11-1765309345143.png

 

  • Fill in the following fields:
    • Name: <enter name of your Application Registry>
    • Client ID: <same Client ID from A2A server ServiceNow’s Application Registry>
    • Client Secret: <same Client Secret from A2A server ServiceNow’s Application Registry>
    • OAuth API Script: (empty)
    • Default Grant type: <matches value from A2A server ServiceNow’s Application Registry>
    • Active: true
    • Authorization URL: <A2A server ServiceNow instance>.service-now.com/oauth_auth.do
    • Token URL: <A2A server ServiceNow instance>.service-now.com/oauth_token.do
    • Token Revocation URL: (empty)
    • Redirect URL: <this A2A client ServiceNow instance>.service-now.com/oauth_redirect.do
  • Save the Application Registry record. The OAuth Entity Profiles section should automatically generate a record.

warren_chan_12-1765309375167.png

 

  • On the A2A server ServiceNow instance, log in as an Admin.
  • Go to System OAuth > Application Registry.
  • Select your Application Registry you created as a prerequisite.
    • Set the Redirect URL to the same as what you had created in the A2A client ServiceNow instance.
    • Save the Application Registry record.

warren_chan_13-1765309404579.png

 

  • Return to your A2A client ServiceNow instance.
  • Go to IntegrationHub > Connections & Credential Aliases.
  • Select New.
    • Fill in the following fields:
      • Name: <enter name of your connection>
      • Type: Connection and Credential
      • Connection type: HTTP
      • Default Retry Policy: Default HTTP Retry Policy
      • Configuration Template: (none)
  • Save the Connection Alias record.
  • In Connections related list, select New.
    • Fill in the following fields:
      • Name: <enter name of your connection>
      • Credential: (empty for now)
      • Connection alias: <select parent Connection Alias record>
      • Connection URL: https://<your A2A server instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
      • Active: true
  • Save the Connection record.
  • Go to IntegrationHub > Credentials.
  • Select New.
  • Create a new record, like this:
    • In the interceptor, select OAuth 2.0 Credentials.
    • Fill in the following fields:
      • Name: <enter name of your Credential>
      • Active: true
      • OAuth Entity Profile: <select OAuth default_profile generated from Application Registry record>
      • Integration Type: System
    • Save the OAuth 2.0 Credential record.
  • On the parent Connection record, select the created Credential in the Credential field.
  • Save the Connection record.
  • Return to the Credential record.
  • In the Related Links, select the Get OAuth Token button:

warren_chan_14-1765309539666.png

 

  • If grant type is Authorization Code, you should receive a popup like this:

warren_chan_15-1765309563965.png

 

  • Select the Allow button.
  • If necessary, log in to the A2A server instance via the popup window.
  • On the OAuth 2.0 Credential record, the token should show as available, with an expiration date:

warren_chan_16-1765309583979.png

 

  • In A2A client ServiceNow instance, go to AI Agent Studio > Create and manage.
  • Go to the AI agents sub-list.
  • Select the Add dropdown, and pick External.
  • Select Agent2Agent (A2A) Protocol in the popup modal.
  • Walk through the guided setup and choose your above Connection Alias as your external provider.
  • If necessary, repeat the process for Agent Execution Connection Alias.

Debug and Troubleshooting

  • Setting these system properties may help when you review logs:
    • com.snc.platform.security.oauth.debug: true
    • glide.auth.debug.enabled: true
  • Flow Designer reporting (Flow Designer > Flow Administration > Settings)
    • A2A Flows:
      • External AI Agent Card – A2A Protocol
      • External AI Agent Provider – A2A Protocol
      • AI Agent A2A Message Responder
    • Settings (for sub-production/development only):
      • Reporting: Trace
      • Logging: Debug
    • Tables with meaningful data:
      • Execution Plan [sn_aia_execution_plan]
      • External Agent Execution History [sn_aia_external_agent_exec_history]

 

 

 

 

 

 

Version history
Last update:
Tuesday