REST API security

By default, the REST API uses basic authentication or OAuth to enforce access controls to web resources.

Access control lists (ACLs) defined for tables are enforced to restrict access to data.

The user ID that is used for authentication is subject to access control in the same way as an interactive user. Each request requires the proper authentication information. Ensure that each request includes an Authorization header with the credentials you want to use. There is no support for inbound mutual authentication.

To allow access to tables without any authentication and authorization, add the table name to the Public Pages [sys_public] table with a status of Active. ACLs defined on the table are still enforced even when the table is listed as public; deactivating those ACLs is the customer's responsibility.

REST supports cookies for binding to the existing session.

ServiceNow-defined ACLs are defined for the following REST APIs:

  • Table API
  • Aggregate API
  • Import Set API
  • Attachment API

The ACLs have the same name as the service. For example, the ACL defined for the REST Table API is named Table API.

Note: The names of these ACLs should never be changed or modified.

These ACLs are deactivated by default, but can be activated on a per-API basis. If the REST API ACL is activated for a platform REST API, a user must have the snc_platform_rest_api_access role to make a request to that REST API.

Note: The snc_platform_rest_api_access role replaces the deprecated rest_service role.
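As an added example (not code from the ServiceNow documentation), the following Python helper verifies that the controls described above behave as expected for a given table: it builds the basic-auth Authorization header, requests the table through the Table API once without and once with credentials, and turns the two status codes into a finding (public exposure via sys_public, authentication enforced, or an ACL denial that may point at a missing snc_platform_rest_api_access role). The instance URL is a placeholder, and the /api/now/table path and sysparm_limit parameter are assumed here rather than taken from this page.

```python
import base64
import urllib.error
import urllib.request
from typing import Optional

# Placeholder instance URL (assumption); replace with your own instance.
INSTANCE = "https://your-instance.example.com"


def basic_auth_header(user: str, password: str) -> str:
    """Return the Authorization header value for basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def fetch_status(table: str, auth_header: Optional[str] = None) -> int:
    """GET one record from the table and return only the HTTP status code.

    Assumes the Table API path /api/now/table/<table>; the body is discarded
    because only the access decision matters for this check.
    """
    url = f"{INSTANCE}/api/now/table/{table}?sysparm_limit=1"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(table: str, status_unauth: int, status_auth: int) -> str:
    """Interpret the unauthenticated and authenticated status codes as a finding."""
    if status_unauth == 200:
        return f"{table}: readable WITHOUT credentials (public entry active, no ACL blocking)"
    if status_unauth not in (401, 403):
        return f"{table}: unexpected unauthenticated status {status_unauth}"
    if status_auth == 200:
        return f"{table}: authentication required; authenticated user permitted"
    if status_auth == 403:
        return f"{table}: authentication required; authenticated user denied by ACL"
    if status_auth == 401:
        return f"{table}: credentials rejected"
    return f"{table}: unexpected authenticated status {status_auth}"


def audit(tables, user: str, password: str):
    """Run both probes for every table and return one finding per table."""
    hdr = basic_auth_header(user, password)
    return [assess(t, fetch_status(t), fetch_status(t, hdr)) for t in tables]
```

A 403 on the authenticated probe means the table or REST API ACLs denied the user; if the Table API ACL is active, confirm the account holds snc_platform_rest_api_access before looking at table-level ACLs.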