Guest user access for Web Embeddables
Summary of Guest user access for Web Embeddables
This feature enables ServiceNow customers to allow unauthenticated users (guest users) to access specific Web Embeddables components on third-party websites without requiring login. Currently, guest access supports the Knowledge article component and Catalog item component, displaying content only if it is explicitly made public.
Key Features
- Guest user support: Allows visitors to view public knowledge articles and catalog items embedded on your website without authentication.
- Security controls: Administrators can mitigate bot access by enforcing CAPTCHA and by requiring that guest embeddable sessions be created only on trusted third-party websites, using JWT token verification.
- Plugin activation: Enable the sn_guest_component plugin to activate guest user support for Web Embeddables.
- Global code integration: Updated global code must be embedded in your website’s HTML to handle guest session creation, authentication upgrades upon login, and session teardown on logout.
- Authentication configuration: To manage seamless login and logout between your website and embedded components, configure ACLs using OpenID Connect (OIDC).
- Session verification control: Set the system property glide.embedded.session.trust.verification.enabled to require JWT token validation for guest sessions. By default, this is enabled to ensure sessions originate from trusted sources.
Key Outcomes
- Enhanced user experience: Visitors can immediately access public knowledge and catalog content embedded on your website without friction, improving engagement.
- Secure guest access: Ensures guest sessions are validated through JWT tokens, reducing unauthorized or bot access.
- Seamless session management: Supports session upgrade from guest to authenticated users and vice versa, maintaining coherent user state across embedded components and your site.
- Administrative control: Admins can specify which content is public and manage guest session behaviors and security via system properties and ACL configurations.
Enable unauthenticated users to access Web Embeddables components on your third-party website without logging in.
Guest user support overview
- Knowledge article component
- Catalog item component
Guest user support activation
Activate the Web Components for Guest (sn_guest_component) plugin to enable guest user support on your website. For more information on how to activate the plugin, see Activate Web Embeddables. After you activate the plugin, copy the global code for your module. In your website's HTML file, paste the global code where the module is embedded. The updated global code enables guest sessions and handles authentication for visitors.
Enable the component ACLs
You must configure auto-login and logout using OpenID Connect (OIDC) authentication to enable single and simultaneous login and logout in your website and embedded components. For more information, see Configure ACL for guest access.
Guest user system properties
| Property | Description | Behavior |
|---|---|---|
| glide.embedded.session.trust.verification.enabled | Enable verification to confirm that the guest embeddable session is created on a trusted third-party website. The verification happens through a JWT token. | When set to true, the system checks for a JWT token before creating an embedded guest session. When set to false, the system bypasses token validation and creates a guest embedded session without verification. By default, the property is set to true. JWT token should be passed using the value for the key: |
Global code implementation
- On page load: Uncomment await startGuestSession(). This establishes an anonymous session so guest components (for example, a public-facing virtual agent or knowledge widget) render immediately without requiring the user to sign in.
- After you log in: Uncomment await login(). This upgrades the session to an authenticated one, causing authenticated components to load for that user. Guest components are replaced or supplemented by the logged-in experience depending on your configuration.
- On logout: Uncomment await logout() to tear down the authenticated session and return to the guest state if needed.
guestTokenCallback is required in init() for guest sessions to work. This callback must return a valid guest JWT token for your instance. Without it, startGuestSession() fails validation.

To display content in the guest components, make knowledge articles and catalog items public.
Guest users can access the Web Embeddables components designated as public on your website without logging in.
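
The trust verification and guestTokenCallback described above rely on a guest JWT issued by your website. The following added example (not ServiceNow's code) shows, in Node.js, how a site backend could mint a short-lived guest token and which checks a verifier applies before trusting it. The HS256 algorithm, the claim names (sub, origin), the secret, and the function names are assumptions for illustration; use the algorithm, key, and claims your instance is configured for, and have guestTokenCallback fetch the token from your backend rather than sign it in the browser.

```javascript
// Added example: server-side minting and checking of a short-lived guest JWT.
// Assumptions (not from the ServiceNow docs): HS256, the claim names, the secret.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const sign = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Mint a guest token on the backend; the signing secret never ships to the browser.
function mintGuestToken(secret, origin, nowSec, ttlSec = 300) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({
    sub: 'guest',           // hypothetical subject for anonymous visitors
    origin,                 // hypothetical claim: the site embedding the component
    iat: nowSec,
    exp: nowSec + ttlSec,   // short lifetime limits reuse of a copied token
  }));
  const sig = sign(`${header}.${payload}`, secret).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Checks applied before a guest token is trusted.
function verifyGuestToken(token, secret, trustedOrigins, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!head || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm; the token must not be allowed to choose it.
  if (head.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = sign(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad-signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec)
    return { ok: false, reason: 'expired' };
  if (!trustedOrigins.includes(claims.origin))
    return { ok: false, reason: 'untrusted-origin' };
  return { ok: true, claims };
}
```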