# ServiceNow Vulnerability Configuration Guide

This guide walks you through configuring ServiceNow Vulnerability Response for use with Synqly's Vulnerabilities Connector.

ServiceNow supports token (API key) authentication or basic authentication with a username and password. Select the appropriate tab in Step 1:

- **API key (recommended):** Token authentication with an inbound REST API key. Requires the Washington DC ServiceNow release or later.
- **Username and password:** Use a dedicated service account when your instance does not support API keys.


After authentication is set up, configure the integration using the values from your chosen path.

## Prerequisites

### Log in and create a service account

1. **Log in to ServiceNow** as an admin.
2. **Create a service account (recommended).** A dedicated account avoids broken integrations if an employee account is deactivated. Go to **All > Organization > Users**, select **New**, set **User ID** (required), select **Internal Integration User**, and complete any other required fields. Open the new user, go to the **Roles** tab, select **Edit...**, and add the `admin` role.

The `admin` role is currently required for the Vulnerabilities connector to function. We plan to document a least-privilege role set in a later revision of this guide.


## Configuration

### API Key (Recommended)

The preferred method is token authentication. For more details, see [this guide from ServiceNow](https://www.servicenow.com/community/developer-advocate-blog/inbound-rest-api-keys/ba-p/2854924).

API keys require the Washington DC ServiceNow release or later. Earlier instances need username and password; use the **Username and Password** tab.

### 1. Verify the API Key plugin

In **All > Admin Center > Application Manager**, search for **HMAC Authentication** and confirm **API Key and HMAC Authentication** (`com.glide.tokenbased_auth`) is activated. Activate it if it is not.

### 2. Elevate role

Open the user menu (face icon), choose **Elevate Role**, and select **security_admin** so you can configure API access.

### 3. Create the Inbound Authentication Profile

Go to **All > System Web Services > API Access Policies > Inbound Authentication Profile**. Click **New**, then **Create API Key authentication profiles**.

Give the profile a **name** that reflects an integration API key. In **Auth Parameter**, add **Auth Header** with the `x-sn-apikey` header. Click **Submit**.

### 4. Create an API Key

Go to **All > System Web Services > API Access Policies > REST API Key**. Click **New**, set a **name** for the key, and set **User** to the service account you created above (that user must have the `admin` role). Click **Save**.

Use the lock icon to view and copy the token. Store it securely.

### 5. Set the API Access Policy

Go to **All > System Web Services > API Access Policies > REST API Access Policies** and click **New** (this may take a moment).

- **Name:** A descriptive name.
- **REST API:** **Table API**.
- **Inbound authentication profiles:** Add the **Inbound Authentication Profile** you created in step 3, then **Submit**.


### 6. Identification and Reconciliation API access policy

The **Identification and Reconciliation API** (IRE) is a separate REST surface from the **Table API**.

Go to **All > System Web Services > API Access Policies > REST API Access Policies** and click **New**.

- **Name:** A descriptive name (for example, **Synqly IRE**).
- **REST API:** **Identification and Reconciliation API** (the path resolves to `now/identifyreconcile`).
- **Application:** **Global** (leaving the Global checkbox unchecked is fine when that matches your other policies).
- Leave **Apply to all methods / resources / versions** selected—IRE is effectively POST-only.
- **Inbound authentication profiles:** Add the **same** profile you added on the **Table API** policy in step 5, then **Submit**.


Confirm the new policy is **Active** with the scopes you expect.

### Configure the integration (API key)

**URL**
The root URL of your ServiceNow instance, for example `https://<tenant>.service-now.com/`.

**Token**
The API key value from step 4.

### Username and Password

For instances that do not support API keys, use basic authentication with the service account you created above.

### 1. Set a password

In **All > Organization > Users**, open the service account and set a password. Save the **User ID** and password securely; you will use them in Synqly.

### Configure the integration (basic auth)

**URL**
The root URL of your ServiceNow instance, for example `https://<tenant>.service-now.com/`.

**Username**
The **User ID** of the service account.

**Password**
The password for that user.
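
Before entering these values in Synqly, you can confirm that the instance accepts them with a one-row Table API read. The following is an added example, not code from Synqly or ServiceNow: it covers both authentication paths, and the function names, the `sys_user` table and the status hints are assumptions made for illustration.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request

API_KEY_HEADER = "x-sn-apikey"  # the Auth Header set on the profile in step 3


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # never replay the credential header against a redirect target


def build_check_request(root_url, token=None, username=None, password=None, table="sys_user"):
    """Build (but do not send) a one-row Table API read for the chosen auth path."""
    parts = urllib.parse.urlsplit(root_url.strip())
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        raise ValueError("root URL must be a plain https:// instance URL")
    if bool(token) == bool(username and password):
        raise ValueError("supply exactly one of: token, or username and password")
    url = (f"https://{parts.netloc}/api/now/table/{urllib.parse.quote(table, safe='')}"
           "?sysparm_limit=1&sysparm_fields=sys_id")
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if token:
        req.add_header(API_KEY_HEADER, token)
    else:
        basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {basic}")
    return req


def explain_status(status):
    # Assumed mapping from HTTP status to the setup step to re-check (not ServiceNow's wording).
    hints = {
        200: "ok: credential accepted and the table is readable",
        401: "not authenticated: re-check the key or password, the auth profile and the access policy",
        403: "authenticated but not authorized: re-check the roles on the service account",
    }
    return hints.get(status, f"unexpected status {status}")


def run_check(req, timeout=15):
    """Send the request and return only the HTTP status, so no secret is printed."""
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Call `explain_status(run_check(build_check_request(url, token=...)))` with the token read from a secret store or environment variable rather than typed on the command line.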