As part of our December 2025 release of Now Assist AI Agents, we’re introducing AI agent interoperability over the Google Agent2Agent protocol. Follow the below instructions to set up your ServiceNow AI Agents as secondary agents (acting as A2A server).
Instance Requirements
- Platform version:
- Yokohama Patch 11+ (January 2026)
- Zurich Patch 4+ (December 2025)
- Application version:
- Now Assist AI Agents 6.0.x+ (December 2025 release)
Application Settings
- Turn on external agents (AI Agent Studio > Settings)
- Allow ServiceNow to access External AI agents:
- Set sn_aia.external_agents.enabled: true
- Allow third party to access ServiceNow AI Agents:
- Set sn_aia.internal_agents.enabled_external: true
- Allow ServiceNow to access External AI agents:
Service Account/User Setup
- Create service/user account in User [sys_user] table
- Make sure user is Active: true
- Password needs reset: false
- Locked out: false
- Assign role to run ServiceNow AI Agents
- sn_aia.integration (recommended – basic run time access)
- sn_aia_admin (testing only – full AI Agent write/create access)
- Assign any necessary application roles (e.g., itil)
- Assign any necessary integration roles
- rest_service
- snc_platform_rest_api_access
Select the AI Agent
- Get the sys_id of one of your AI agents to prepare to make the A2A API call
- Go to All > AI Agent Studio > Create and manage
- Select AI agents list.
- Select your AI agent.
- Go the AI agent page to get the Agent Card URL. Alternatively, you can construct the endpoint URI manually. Take note and copy the sys_id of the AI agent from the browser bar. Alternatively, you can navigate to the AI Agents [sn_aia_agent] table and copy the sys_id from the AI agent record row directly:
- As of the Now Assist AI Agents 6.1.x release, the Agent Card URL is displayed directly in the Studio configuration. Note that this is now using the Agent Card V2 endpoint, and not the Agent Card V1 endpoint in the later example screenshot. Both should work as of Q1 2026:
- In addition, ensure that Enable this AI agent for discovery is toggled on for your AI Agent. This sets the associated AI Agent Config [sn_aia_agent_config] record’s External discoverable value to be true.
- Under Select channels and status, ensure that your AI agent is Active.
(For Postman or for testing with no callback) Messaging Channel
- If testing with Postman or curl command and you do not have a functional callback URL, then you must set your Messaging Channel to Synchronous.
- Go to AI Agent Studio > Settings.
- Select External AI agents > Discoverability.
- Set "Allow third party to access ServiceNow AI Agents" to "On".
- Set Communication mode to "Synchronous".
- Alternatively, go to Messaging Channels [sys_cs_channel] list.
- Add Synchronous field to your personalized list columns.
- If necessary, switch to the Now Assist AI Agents application scope.
- Set the value for AI Agent A2A Channel record to be Synchronous is true:
- For asynchronous scenarios (recommended for user experience and performance), set up a callback URL in the External Agent Callback Registry [sn_aia_external_agent_callback_registry] table.
(Informational) AI Agent A2A API
- To view the Scripted REST API for A2A, go to All > System Web Services > Scripted REST APIs
- Select AI Agent A2A API:
- Go the Resources related list. These are the Scripted REST Resources (endpoints) of the A2A Scripted REST API:
- As of the Google A2A 0.3.0 version alignment, the Scripted REST Resource Agent Card - Direct Discovery is marked as Requires authentication = false. Change this to true if you want to require authentication for the Agent Card Direct Discovery.
- Note that our test examples will execute a GET on the Agent Card. If Requires Authentication = false, then it’s not really a valid authentication test. Set Requires Authentication = true to test the authentication.
- Also note that ServiceNow A2A has separate endpoints for Agent Card discovery and Agent Execution. Additionally, as of December 2025, there is a V2 version for each endpoint:
- (GET) Agent Card V1: /api/sn_aia/a2a/id/{agent_id}/well_known/agent_json
- (GET) Agent Card V2: /api/sn_aia/a2a/v2/agent_card/id/{agent_id}
- (POST) Agent Execution V1: /api/sn_aia/a2a/v1/agent/id/{agent_id}
- (POST) Agent Execution V2: /api/sn_aia/a2a/v2/agent/id/{agent_id}
Create Application Registry for OAuth Endpoint
- Go to System OAuth > Application Registry.
- Select New.
- Select Create an OAuth API endpoint for external clients:
- On the new Application Registry form:
- Enter a Name (e.g., A2A OAuth External Agents)
- Client ID field will be automatically populated.
- Upon saving, the Client Secret field will be automatically generated as well.
- Under Auth Scopes mapping, add the a2aauthscope record.
- Save the Application Registry record.
Authentication Profiles OAuth
- Go to System Web Services > API Access Policies > Inbound Authentication Profile
- Create New (or modify existing OAuth in External AIA for A2A policy)
- Select Type is OAuth, and pick the OAuth Entity that you created before:
For OAuth with Authorization (Bearer) Token
- Refer to these resources:
- On the Application Registry record, set the following fields:
- Client Type: Integration as a Service
- Default Grant type: Authorization Code
- Redirect URL: https://<your instance name>.service-now.com/login.do
- Active: true
- In Postman, construct a GET request, like this:
- Method: GET
- URL: https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
- Auth Type: OAuth 2.0
- Add authorization data to: Request Headers
- Token: (empty until you pull a token)
- Header Prefix: Bearer
- Token Name: <enter a name for your token>
- Grant type: Authorization Code
- Callback URL: https://<your instance name>.service-now.com/login.do
- Authorize using browser: false, unchecked
- Auth URL: https://<your instance name>.service-now.com/oauth_auth.do
- Access Token URL: https://<your instance name>.service-now.com/oauth_token.do
- Client ID: <your Client ID value from the Application Registry record in ServiceNow>
- Client Secret: <your Client Secret value from the Application Registry record in ServiceNow>
- Scope: (leave blank, response should select a2aauthscope by default)
- State: <enter some random value, but keep it unique between each request send>
- Client Authentication: Send as Basic Auth header
- Refresh Token URL: (will be populated automatically by other fields)
- In Postman, select the Get New Access Token button
- This will create a new popup modal window
- It will redirect to a ServiceNow login page. Enter the credentials of your username and password that you would like to use for this connection:
- You will receive a prompt asking to deny or allow the request. Choose Allow:
- If successful, you will receive a confirmation message like this:
- Then Postman will display your access and refresh tokens. Select Use Token to continue the request process in Postman:
- The token details will be automatically populated in the Token section of your Postman request:
- In Postman, select Send to send the request:
- Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.
- cURL command alternate:
curl --location 'https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json' \
--header 'Authorization: Bearer <your OAuth token>' \
For OAuth with Client Credentials
- Reference:
- Update (or create if it’s not already there) this system property: glide.oauth.inbound.client.credential.grant_type.enabled
- Value: true
- Use Global scope if unsure
- On the ServiceNow Application Repository form, add the following fields to the form:
- Default Grant Type [default_grant_type]
- OAuth Application User [user]
- On the Application Repository record, set the following:
- Default Grant Type: Client Credentials
- OAuth Application User: <select the user account you want to use>
- Active: true
- Remaining fields can be the same as OAuth for Authorization Code setup
- In Postman, construct the following request, very similar to the previous section for OAuth for Authorization Code.
- Grant type: Client Credentials
- Client Authentication: Send as Basic Auth header
- The remaining steps are the same as OAuth for Authorization Code:
- In Postman, select the Get New Access Token button
- This will create a new popup modal window.
- If the session is currently unauthenticated, it will redirect to a ServiceNow login page.
- Enter the credentials of your username and password that you would like to use for this connection:
- You will receive a prompt asking to deny or allow the request. Choose Allow.
- Then Postman will display your access and refresh tokens. Select Use Token to continue the request process in Postman.
- The token details will be automatically populated in the Token section of your Postman request:
- In Postman, select Send to send the request.
- Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.
For OAuth with Resource Owner Password Credentials
- Very similar setup to above steps in OAuth for Authorization Code and OAuth for Client Credentials
- In ServiceNow Application Registry record, set the following:
- Default Grant type: Resource Owner Password Credentials
- In Postman, add the following to your request:
- Grant type: Password Credentials
- Username: <your user record’s username>
- Password: <your user account’s password>
For Federated Token Authentication
- Refer to this Community article:
API Key for Authentication
- Go to All > System Web Services > API Access Policies > Inbound Authentication Profiles
- Select New
- Select Create API Key authentication profiles
- Name: <enter a name>
- Auth Parameter: x-sn-apikey (for Type = Auth Header)
- Go to All > System Web Services > API Access Policies > REST API Key
- Select New
- Fill in the following fields:
- Name
- Description
- User: <select your user/service account>
- Auth Scope: a2authscope
- Save or update
- Your API key will be generated in the Token field
API Access Policies (for OAuth or API Key)
- Go to System Web Services > API Access Policies > REST API Access Policies
- Select AI Agent A2A API Access Policy
- Under Inbound authentication profiles, add your Authentication Profile from above in the list
Testing API Key for Authentication
- Open Postman
- Create a new GET request:
- Method: GET
- URL: https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
- Under Headers, add:
- x-sn-apikey: <your API key you generated>
- In Postman, select Send to send the request.
- Verify that you get a 200 OK response in the console, with the Agent Card returned for the AI Agent sys_id that you selected.
- cURL command alternate:
curl --location 'https://<your instance name>.service-now.com/api/sn_aia/a2a/id/<your AI agent ID>/well_known/agent_json' \
--header 'x-sn-apikey: <your API key you generated>'
Testing API Key with another ServiceNow Instance
- On the A2A client ServiceNow instance, login as an Admin.
- Go to IntegrationHub > Connections & Credential Aliases.
- Select New.
- Fill in the following fields:
- Name: <enter name of your connection>
- Type: Connection and Credential
- Connection type: HTTP
- Default Retry Policy: Default HTTP Retry Policy
- Configuration Template: (none)
- Save the Connection Alias record.
- In Connections related list, select New.
- Fill in the following fields:
- Name: <enter name of your connection>
- Credential: (empty for now)
- Connection alias: <select parent Connection Alias record>
- Connection URL: https://<your A2A server instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
- Active: true
- Save the Connection record.
- Go to IntegrationHub > Credentials.
- Select New.
- Create a new record, like this:
- In the interceptor, select Secondary Bot Static Token Credential. This gives us the headers that we need to authenticate with a REST API key.
- Fill in the following fields:
- Name: <enter name of your credential>
- Active: true
- Header: x-sn-apikey
- Static Token: <your API key you generated in the other instance>
- Authorization Algorithm: Second Bot Static Token Auth
- Type: sn_va_as_service_static_token
- Credential alias: <none>
- Save the Credential record.
- Fill in the following fields:
- Fill in the following fields:
- On the parent Connection record, select the created Credential in the Credential field.
- Save the Connection record.
- In A2A client ServiceNow instance, go to AI Agent Studio > Create and manage.
- Go to the AI agents sub-list.
- Select the Add dropdown, and pick External.
- Select Agent2Agent (A2A) Protocol in the popup modal.
- Walk through the guided setup and choose your above Connection Alias as your external provider.
- If necessary, repeat the process for Agent Execution Connection Alias.
Testing OAuth 2.0 with another ServiceNow Instance
- Prerequisites:
- Make sure your Application Registry record for OAuth is created on your A2A server ServiceNow instance (see earlier steps).
- On A2A client ServiceNow instance, login as an Admin.
- Go to System OAuth > Application Registry.
- Select Connect to a third party OAuth Provider – Outbound:
- Fill in the following fields:
- Name: <enter name of your Application Registry>
- Client ID: <same Client ID from A2A server ServiceNow’s Application Registry>
- Client Secret: <same Client Secret from A2A server ServiceNow’s Application Registry>
- OAuth API Script: (empty)
- Default Grant type: <matches value from A2A server ServiceNow’s Application Registry>
- Active: true
- Authorization URL: <A2A server ServiceNow instance>.service-now.com/oauth_auth.do
- Token URL: <A2A server ServiceNow instance>.service-now.com/oauth_token.do
- Token Revocation URL: (empty)
- Redirect URL: <this A2A client ServiceNow instance>.service-now.com/oauth_redirect.do
- Save the Application Registry record. The OAuth Entity Profiles section should automatically generate a record.
- On A2A server ServiceNow instance, login as an Admin.
- Go to System OAuth > Application Registry.
- Select your Application Registry you created as a prerequisite.
- Set the Redirect URL to the same as what you had created in the A2A client ServiceNow instance.
- Save the Application Registry record.
- Return to your A2A client ServiceNow instance.
- Go to IntegrationHub > Connections & Credential Aliases.
- Select New.
- Fill in the following fields:
- Name: <enter name of your connection>
- Type: Connection and Credential
- Connection type: HTTP
- Default Retry Policy: Default HTTP Retry Policy
- Configuration Template: (none)
- Fill in the following fields:
- Save the Connection Alias record.
- In Connections related list, select New.
- Fill in the following fields:
- Name: <enter name of your connection>
- Credential: (empty for now)
- Connection alias: <select parent Connection Alias record>
- Connection URL: https://<your A2A server instance name>.service-now.com/api/sn_aia/a2a/id/<your AI Agent ID>/well_known/agent_json
- Active: true
- Fill in the following fields:
- Save the Connection record.
- Go to IntegrationHub > Credentials.
- Select New.
- Create a new record, like this:
- In the interceptor, select OAuth 2.0 Credentials.
- Fill in the following fields:
- Name: <enter name of your Credential>
- Active: true
- OAuth Entity Profile: <select OAuth default_profile generated from Application Registry record>
- Integration Type: System
- Save the OAuth 2.0 Credential record.
- On the parent Connection record, select the created Credential in the Credential field.
- Save the Connection record.
- Return to the Credential record.
- In the Related Links, select the Get OAuth Token button:
- If grant type is Authorization Code, you should receive a popup like this:
- Select the Allow button.
- If necessary, login into the A2A server instance via the popup window.
- On the OAuth 2.0 Credential record, the token should show as available, with an expiration date:
- In A2A client ServiceNow instance, go to AI Agent Studio > Create and manage.
- Go to the AI agents sub-list.
- Select the Add dropdown, and pick External.
- Select Agent2Agent (A2A) Protocol in the popup modal.
- Walk through the guided setup and choose your above Connection Alias as your external provider.
- If necessary, repeat the process for Agent Execution Connection Alias.
Debug and Troubleshooting
- Setting these system properties may help when you review logs:
- com.snc.platform.security.oauth.debug: true
- glide.auth.debug.enabled: true
- Flow Designer reporting (Flow Designer > Flow Administration > Settings)
- A2A Flows:
- External AI Agent Card – A2A Protocol
- External AI Agent Provider – A2A Protocol
- AI Agent A2A Message Responder
- Settings (for sub-production/development only):
- Reporting: Trace
- Logging: Debug
- A2A Flows:
- Tables with meaningful data:
- Execution Plan [sn_aia_execution_plan]
- External Agent Execution History [sn_aia_external_agent_exec_history]
Hi @warren_chan,
I have configured an AI Agent in Instance A. When prompted, the AI Agent collects the required details and successfully creates a case in the target table. In the AI Agent configuration, I have enabled "Allow third party access to this AI Agent".
In Instance B, I added the above created AI Agent as an external agent(secondary agent) using the A2A Protocol by giving the Agent Card URL of above created AI Agent. During the external agent setup, it was able to discover the above created AI Agent and its been activated and I configured API key as the authentication mechanism. Note: In Instance B, in the AI Agent Studio Settings the "Allow third party to access ServiceNow AI Agents" is enabled.
However, when I attempt to test or invoke this external AI Agent from Instance B from testing playground, the execution is being cancelled, and the AI Agent displays this message "Sorry, there was a problem on my side trying to complete this request. Try asking again later."
I have included a screenshot below for your reference, which shows that agent execution was cancelled and with the message displayed by the AI Agent.
I have also included the Instance Specifications below
Instance A
Platform Version : Zurich Patch 4
Application Version : Now Assist AI Agents, Version 6.0.23
Instance B
Platform Version : Yokohama Patch 11
Application Version : Now Assist AI Agents, Version 6.0.23
Could you help me understand why the execution is being cancelled and help me in resolving this issue and also you can let me know whether there are any additional configurations, permissions, or prerequisites to be followed.
Thank you for your support in advance and please keep me notified if any further details required.
Hi @warren_chan,
Thanks for the information. I have defined two separate connection endpoints in the Client Instance - one dedicated to Agent Card Discovery and the other for Agent Execution/Invocation.
Connection & Credential Aliases
For Agent Card Discovery :
- Created a new sys_alias connection, http_connection & credential
- Connection URL : https://{instance A}.service-now.com/api/sn_aia/a2a/id/{Agent ID}/well_known/agent_json
- Created New Credential I have defined the api key header as x-sn-apikey and pasted the static token <the API key that I generated in the Instance A>
I used this Agent Card Discovery Endpoint in the "Discover and Activate" of AI Agent
For Agent Card Invocation:
- Created a new sys_alias connection, http_connection & credential
- Connection URL : https://{instance A}.service-now.com/api/sn_aia/a2a/v1/agent/id/{agent id}
- Created New Credential I have defined the api key header as x-sn-apikey and pasted the static token <the API key that I generated in the Instance A>
I used this Agent Card Invocation Endpoint in the "Define the Specialty" under Add Authentication of AI Agent
I’ve reviewed all configuration steps again to ensure everything is aligned, but I still see the following error during testing: "Sorry, there was a problem on my side trying to complete this request. Try asking again later." and the AI Agent Execution also shows as cancelled.
Could you share, if there are any additional troubleshooting steps, logs, or resources that could help identify what’s triggering the cancellation—and how to make the execution succeed—I’d really appreciate it. I’m happy to review anything that can point me in the right direction.
Thanks again for your support!
