ServiceNow provides various REST API endpoints that can be used to interact with an instance. The most well-known endpoint is the Table API, which can be used to create, read, update and delete records, as well as perform other operations.
There are several ways to authenticate inbound REST API requests (requests to your instance from the outside). Here is an overview of the different authentication schemes:
- Basic Authentication: The default authentication scheme for the REST API is Basic Authentication. This requires a username and password to be provided with each request.
- Multi-Factor Authentication: ServiceNow supports Multi-Factor Authentication (MFA) for REST API requests. This requires a username, password and MFA code to be provided with each request.
- Certificate-based or Mutual Authentication: Certificate-based authentication lets you mutually authenticate user logins or inbound API requests using certificates from a trusted Certificate Authority (CA).
Basic Authentication is the default and should work out of the box. However, if you've set up Single Sign-On or Multi-Factor Authentication for logging in on the web platform, those users might not have a password set on their sys_user record, because those schemes don't rely on a password.
Without a password set on the sys_user record, a user won't be able to authenticate against the REST API using Basic Authentication.
This is easily resolved by setting a password on their sys_user record. This does not side-step the SSO/2FA authentication on the web interface, but it does allow these users to authenticate against the REST API using a username and password only.
Multi-Factor Authentication and Certificate-based authentication both require some configuration on the instance. Sometimes getting those configurations implemented requires waiting on various layers of bureaucracy. In those cases (and others), it would be helpful if we could authenticate against the REST API without having to configure anything.
This post is about how we can retrieve two different session tokens which, when used together, allow a logged-in user to authenticate against the ServiceNow REST API.
One major benefit of session-token (or cookie) based authentication is that it allows you to interact with the REST API without having to set up any additional authentication schemes or make any other configuration changes.
Although ServiceNow does mention the possibility of cookie-based authentication against its REST APIs, it is not documented in detail. I'll try to do so in this post.
Click here to read more and visit the blog with Jesse, ServiceNow Solution Architect at BitHawk AG.