External credential vault in RPA Hub

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of External Credential Vault in RPA Hub

    The external credential vault feature in RPA Hub allows retrieval of sensitive credentials such as robot credentials, application credentials, or Time-based One-time Password (TOTP) seeds during automation execution. This integration enhances security by enabling robots to access necessary data without exposing it within the ServiceNow instance.

    Show full answer Show less

    Key Features

    • Credential Retrieval: Robots can retrieve sensitive data via GraphQL API calls to RPA Hub, depending on whether the external credential check box is selected.
    • Integration with External Vaults: Supports integration with various external credential vaults like CyberArk and Azure Key Vault.
    • MID Server Connectivity: Allows routing API calls through a MID Server or direct connections, based on organizational needs.
    • Sensitive Data Protection: Ensures sensitive data is not stored or logged in the ServiceNow instance by configuring relevant settings.

    Key Outcomes

    By utilizing the external credential vault, ServiceNow customers can ensure secure handling of credentials during automation processes. Proper configuration prevents sensitive data from being logged, thereby enhancing security and compliance. Additionally, outbound request logging provides insights into third-party service interactions, aiding in debugging and monitoring efforts.

    With the external credential vault feature, you can retrieve robot credentials, application credentials, or Time-based One-time Password (TOTP) seed.

    External credential vault integration with RPA Hub

    The following diagram shows the integration of an external credential vault with RPA Hub.

    A robot resides in the customers' environment. If the robot requires sensitive data during the automation execution, then the robot makes a GraphQL Application Programming Interface (API) call to the RPA Hub. An example of the sensitive data is user name and password details while logging in to an SAP application.

    Based on the input provided in the External Credential check box, either on a robot credential form, an application credential form, or a TOTP authenticator form:
    • If the input is false (if the check box isn’t selected), the credentials are saved or retrieved from the instance.
    • If the input is true (if the check box is selected in the robot credential form, an application credential form), the credentials are fetched from a configured external credential vault. If the check box is selected in the TOTP authenticator form, the seed is fetched from a configured external credential vault.
    For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.

    Examples of an external credential vault are CyberArk, Azure key Vault, and so on.

    If the External Credential check box isn’t enabled, the API returns the data stored in the Password2 field of the ServiceNow instance and then the robot uses the sensitive data for the automation execution.

    If the External Credential check box is enabled, the credentials are fetched from a configured external credential vault. In this scenario, the API internally triggers a subflow. This subflow makes a REST API call to the external credential vault. You can route this REST API call via MID Server. Or, you can directly establish a connection with the external credential vault. This implementation is dependent on your organizational requirements. The MID Server resides in the customers' environment. For more information about MID Server, see MID Server.

    After the REST API call fetches the credential from the vault, the credentials are sent to the robot.

    Figure 1. Integration of external credential vault with RPA Hub
    Integration of external credential vault with RPA Hub.

    Important information

    You must configure the external credential settings appropriately, so that the data isn’t stored or logged in the ServiceNow instance.

    Verify that the value of the Reporting field is set to Off for the subflow of your external credential vault, for example Demo CyberArk Subflow. This setting verifies that the sensitive data isn’t captured or logged. For more information about configuring this setting, see Activate flow reporting.

    To configure the external credential vault in RPA Hub, see Steps to configure an external credential vault in RPA Hub.

    Outbound request logging enables you to understand what third party services your instance accesses and the volume of outbound requests. Additionally, logging can provide valuable information when debugging outbound integrations. For more information about system logging or outbound logging, see Configure outbound logging and Outbound web service logging properties.