External credential vault in RPA Hub

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of External credential vault in RPA Hub

    The external credential vault feature in RPA Hub enables secure retrieval of robot credentials, application credentials, or Time-based One-time Password (TOTP) seeds during automation execution. This allows robots running in customer environments to access sensitive data without storing it directly in the ServiceNow instance.

    Show full answer Show less

    How External Credential Vault Integration Works

    • Robots request sensitive data through GraphQL API calls to RPA Hub when needed, such as login credentials for applications like SAP.
    • The External Credential checkbox on credential forms controls the data source:
      • If unchecked, credentials are stored and retrieved from the ServiceNow instance.
      • If checked, credentials or TOTP seeds are fetched from a configured external credential vault (e.g., CyberArk, Azure Key Vault).
    • When using an external vault, RPA Hub triggers a subflow that calls the vault's REST API either directly or via a MID Server residing in the customer environment, depending on organizational preferences.

    Key Configuration and Security Considerations

    • Ensure the external credential settings are configured so that sensitive data is not stored or logged in the ServiceNow instance.
    • Set the Reporting field to Off for the external credential vault subflow to prevent capturing or logging sensitive data.
    • Outbound request logging can be enabled to monitor third-party service access and assist in debugging integrations.

    Practical Benefits for ServiceNow Customers

    • Enables secure, centralized management of credentials without exposing sensitive data in ServiceNow.
    • Supports integration with popular external vault solutions, enhancing compliance and security.
    • Provides flexible connectivity options (direct or via MID Server) tailored to customer infrastructure and security policies.
    • Helps maintain audit trails and monitor outbound requests while safeguarding sensitive information.

    With the external credential vault feature, you can retrieve robot credentials, application credentials, or Time-based One-time Password (TOTP) seed.

    External credential vault integration with RPA Hub

    The following diagram shows the integration of an external credential vault with RPA Hub.

    A robot resides in the customers' environment. If the robot requires sensitive data during the automation execution, then the robot makes a GraphQL Application Programming Interface (API) call to the RPA Hub. An example of the sensitive data is user name and password details while logging in to an SAP application.

    Based on the input provided in the External Credential check box, either on a robot credential form, an application credential form, or a TOTP authenticator form:
    • If the input is false (if the check box isn’t selected), the credentials are saved or retrieved from the instance.
    • If the input is true (if the check box is selected in the robot credential form, an application credential form), the credentials are fetched from a configured external credential vault. If the check box is selected in the TOTP authenticator form, the seed is fetched from a configured external credential vault.
    For more information about configuring these fields, see Create a robot credential in RPA Hub, Create an application credential in RPA Hub, and Create a TOTP authenticator in RPA Hub.

    Examples of an external credential vault are CyberArk, Azure key Vault, and so on.

    If the External Credential check box isn’t enabled, the API returns the data stored in the Password2 field of the ServiceNow instance and then the robot uses the sensitive data for the automation execution.

    If the External Credential check box is enabled, the credentials are fetched from a configured external credential vault. In this scenario, the API internally triggers a subflow. This subflow makes a REST API call to the external credential vault. You can route this REST API call via MID Server. Or, you can directly establish a connection with the external credential vault. This implementation is dependent on your organizational requirements. The MID Server resides in the customers' environment. For more information about MID Server, see MID Server.

    After the REST API call fetches the credential from the vault, the credentials are sent to the robot.

    Figure 1. Integration of external credential vault with RPA Hub
    Integration of external credential vault with RPA Hub.

    Important information

    You must configure the external credential settings appropriately, so that the data isn’t stored or logged in the ServiceNow instance.

    Verify that the value of the Reporting field is set to Off for the subflow of your external credential vault, for example Demo CyberArk Subflow. This setting verifies that the sensitive data isn’t captured or logged. For more information about configuring this setting, see Activate flow reporting.

    To configure the external credential vault in RPA Hub, see Steps to configure an external credential vault in RPA Hub.

    Outbound request logging enables you to understand what third party services your instance accesses and the volume of outbound requests. Additionally, logging can provide valuable information when debugging outbound integrations. For more information about system logging or outbound logging, see Configure outbound logging and Outbound web service logging properties.