Best practice around storing external API tokens.

philmayfield
Kilo Contributor

I am working on integrating a few endpoints of our API into an incident form so our users can automatically create records on creation, or manually on update. The UI side of things is pretty straightforward; where I'm a little hung up is on making the API calls, specifically the storage of the user's API bearer token. Our API employs the Authorization Request Header Field method, where the header includes something like:

Authorization: Bearer abc123

Where "abc123" is the API token. I can simply add this to the header option of a REST Message and it works, but it seems insecure to have that hanging around in plain text, and redundant if I need multiple endpoints.

Is there a better place to store that info?


Manoj Kumar16
Giga Guru

Tokens are stored under the Manage Tokens module in ServiceNow; when you call the REST API in the script you can simply set the header and the token by doing a query on the Manage Tokens table.

Are you using an Outbound REST call?

Thanks for the quick reply, I'm digging into it now. And yes, I'm making an outbound REST call on creation of an incident.

Tony Chatfield1
Kilo Patron

Hi, as Kumamano indicated you should store your tokens in the oauth_credential table, where they are encrypted.

You can then call and decode the field token_received with a simple script and GlideEncrypter().decrypt().
- I would always create a dedicated Script Include to contain all my integration-specific code.

Thanks for the reply Tony! I think I'm still having a mental block here. In exploring the oauth_credential table, I do see the encrypted token_received column. I was able to get things working, but I had to make a new view for the oauth_credential table so that I could edit the token_received field, and a new column (I called it name) to query against. Does that seem reasonable? I feel a little like I'm jumping through hoops to get the record into the table. Is there a more direct approach?
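The pattern the replies describe (one dedicated integration helper that looks the token up in the credential table by name, decrypts it at call time, and sets the Authorization header on the outbound request instead of hard-coding it in a REST Message), as an added example. This is not code from the thread or from ServiceNow. It is written in the shape of a Script Include, but the platform objects are reached through an assumed adapter (`lookupCredential`, `decrypt`, `send`, names chosen for this example) so the same logic runs offline here against constructed stand-ins; on an instance those three would wrap a GlideRecord query on oauth_credential by the `name` column the poster added, `new GlideEncrypter().decrypt()` on `token_received`, and `sn_ws.RESTMessageV2`. The credential rows, the base64 "encryption" of the stand-in, the endpoint URL and the response body are all constructed for the example.

```javascript
'use strict';

// Added example, not code from the thread or the platform.
// ASSUMED adapter interface over the platform (names are this example's own):
//   platform.lookupCredential(name) -> { token_received: ciphertext } or null
//   platform.decrypt(ciphertext)    -> plaintext token
//   platform.send(method, url, headers) -> { status: number, body: string }
function ApiTokenClient(platform) {
  this.platform = platform;
}

// Reject values that are blank or could smuggle a second header line (CR/LF).
ApiTokenClient.validateToken = function (token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  var t = token.trim();
  if (t.length === 0) throw new Error('credential record has an empty token');
  if (/[\r\n]/.test(t)) throw new Error('token contains line breaks');
  return t;
};

// Resolve "Bearer <token>" for a named credential at call time. Fails closed:
// a missing record is an error, never an unauthenticated request.
ApiTokenClient.prototype.authorizationHeader = function (credentialName) {
  var rec = this.platform.lookupCredential(credentialName);
  if (!rec) throw new Error('no credential record named "' + credentialName + '"');
  var token = ApiTokenClient.validateToken(this.platform.decrypt(rec.token_received));
  return 'Bearer ' + token;
};

// Copy of the headers that is safe to write to a log: the bearer value is masked.
ApiTokenClient.redactHeaders = function (headers) {
  var out = {};
  Object.keys(headers).forEach(function (k) {
    out[k] = k.toLowerCase() === 'authorization' ? 'Bearer ***' : headers[k];
  });
  return out;
};

// Single entry point reused by every endpoint of the integration, so the token
// is looked up in one place and never copied into individual REST Messages.
ApiTokenClient.prototype.call = function (credentialName, method, url, extraHeaders) {
  if (!/^https:\/\//i.test(url)) throw new Error('refusing to send a bearer token to ' + url);
  var headers = { Accept: 'application/json' };
  Object.keys(extraHeaders || {}).forEach(function (k) { headers[k] = extraHeaders[k]; });
  headers.Authorization = this.authorizationHeader(credentialName);
  var res = this.platform.send(method, url, headers);
  return { status: res.status, body: res.body, loggedHeaders: ApiTokenClient.redactHeaders(headers) };
};

// ---- Constructed stand-ins so the example runs offline (not the platform) ----

// Stand-in for oauth_credential rows; "name" is the lookup column from the thread.
// The stored value is merely base64 here so that decrypt() visibly matters;
// on an instance the field is encrypted by the platform, not by this scheme.
var fakeCredentialTable = [
  { name: 'ticketing_api', token_received: 'enc:' + Buffer.from('abc123').toString('base64') },
  { name: 'broken_api', token_received: 'enc:' + Buffer.from('x\r\nX-Evil: 1').toString('base64') }
];

var fakePlatform = {
  lookupCredential: function (name) {
    var rows = fakeCredentialTable.filter(function (r) { return r.name === name; });
    return rows.length ? rows[0] : null;
  },
  decrypt: function (ciphertext) {
    if (ciphertext.indexOf('enc:') !== 0) throw new Error('value is not in the expected form');
    return Buffer.from(ciphertext.slice(4), 'base64').toString('utf8');
  },
  sent: [],
  // Records the request instead of sending it; the response body is constructed.
  send: function (method, url, headers) {
    this.sent.push({ method: method, url: url, headers: headers });
    return { status: 201, body: '{"created":true}' };
  }
};

var client = new ApiTokenClient(fakePlatform);

// Creating a record on the constructed endpoint with the 'ticketing_api' credential.
function demo() {
  return client.call('ticketing_api', 'POST', 'https://api.example.com/records',
    { 'Content-Type': 'application/json' });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Two checks in the block are the ones the thread's approach would otherwise leave to chance: the token is validated for CR/LF before it becomes a header value (a credential field an admin can edit freely is an injection point for extra headers), and anything written to a log goes through `redactHeaders`, since the whole point of keeping the token out of the REST Message is defeated by `gs.log` of the raw headers.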