ServiceNow REST API access policy consideration when using multiple auth types for API connections

When creating an API Access policy in ServiceNow, it’s critical to consider what inbound authentication profiles you will need to add.

Your API Access policy dictates what authentication methods are allowed to access ServiceNow’s API. If you have only SquaredUp making API calls to your ServiceNow instance, the minimum requirement in this scenario would be to have OAuth as an allowed method within your authentication profile.

But if you have multiple applications making API calls, you need to consider which authentication method each one uses and create an individual authentication profile for each method. For example, one application might use Basic and another OAuth; in this scenario you need 2 authentication profiles, one for Basic and the other for OAuth.

If you only add an authentication profile for OAuth to your API Access policy, the application using Basic will fail to connect and receive a “401 - user is not authorised” message, because the Basic authentication method is not on the allowed list.

Luckily, creating these profiles in ServiceNow is fairly straightforward. All you need to do is browse to “Inbound Authentication Profile > Click New > Create standard http authentication profiles > Specify this profile to use Basic Auth”. Then add the auth profile to your REST API access policy.

To help visualise the above, I am providing the individual steps taken within ServiceNow with screenshots below.

  1. Inbound Authentication Profile:

  2. Click New

  3. Click Create standard http authentication profiles

  4. Set the profile to use type Basic Auth; below is an example of how it should look. You can set the type to OAuth, Token, etc. instead if needed.

Once the profile is created, browse to your API Access policy and add the new authentication profile to it.
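To confirm the policy after the profiles are attached, the following added example (not part of the original post and not ServiceNow tooling) sends one request per integration with that integration's auth method and lists the ones rejected with 401. It assumes the policy covers the Table API; the instance URL, the integration names, and the credentials are placeholders you supply.

```python
"""Probe a ServiceNow REST endpoint once per integration and list the 401s."""
import base64
import urllib.error
import urllib.request

# Assumption: the API Access policy under test covers the Table API.
# Change this path if your policy is scoped to a different REST API.
PROBE_PATH = "/api/now/table/sys_user?sysparm_limit=1"


def auth_header(method, secret):
    """Build the Authorization header value for 'basic' or 'oauth'."""
    if method == "basic":
        user, password = secret
        encoded = base64.b64encode(f"{user}:{password}".encode()).decode()
        return f"Basic {encoded}"
    if method == "oauth":
        return f"Bearer {secret}"  # secret is an access token obtained beforehand
    raise ValueError(f"unsupported auth method: {method}")


def probe(instance_url, method, secret, opener=urllib.request.urlopen):
    """Send one GET and return the HTTP status code."""
    request = urllib.request.Request(
        instance_url.rstrip("/") + PROBE_PATH,
        headers={"Authorization": auth_header(method, secret),
                 "Accept": "application/json"},
    )
    try:
        with opener(request, timeout=15) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 here covers both a missing profile and bad credentials


def audit(instance_url, integrations, opener=urllib.request.urlopen):
    """integrations: {name: (method, secret)} -> sorted names that received 401."""
    return sorted(
        name for name, (method, secret) in integrations.items()
        if probe(instance_url, method, secret, opener) == 401
    )
```

Run `audit()` with known-good credentials for each integration, so that a 401 points to a missing authentication profile rather than a wrong password.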
