Connection and Credential Aliases in ServiceNow: The Right Way to Store Integration Credentials

Hardcoding credentials in ServiceNow scripts is a security risk and a maintenance burden. When a password rotates, you have to find and update every script that contains it. Connection and Credential Aliases solve both problems — store credentials once in an encrypted record, reference them by name everywhere else.

What are Credential Aliases?

A Credential Alias is a named, encrypted credential record that scripts and Flow Designer steps reference by name rather than containing the actual credentials. When credentials change — password rotation, token refresh, new API key — you update the Alias record once. Every script, flow, and REST message using that alias automatically uses the new credentials without any code changes.

Credential records are stored in the sys_auth_credential table with the credentials encrypted at rest using ServiceNow's key management infrastructure.

Credential types

  • Basic Authentication — username and password, used for HTTP Basic Auth
  • API Key — single token or key sent as a header or query parameter
  • OAuth 2.0 — OAuth Client ID, Client Secret, and token management — see the OAuth 2.0 guide
  • Certificate-based (mTLS) — client certificate for mutual TLS authentication
  • SSH Key — SSH private key for MID Server-based connections
  • Windows Credentials — domain credentials for WMI/PowerShell via MID Server

Creating a Credential Alias

  1. Navigate to Connections & Credentials > Credentials
  2. Click New and select the credential type
  3. Fill in the name, credential values (username, password, token etc.)
  4. The credentials are encrypted on save — no one can read them back in plaintext
  5. The alias name is what you reference in scripts and Flow Designer

Connection Aliases

A Connection Alias combines a base URL with a Credential Alias. This means your scripts do not hardcode endpoint URLs either — they reference the Connection Alias and both the host URL and the credentials come from the secure record. When the integration endpoint changes, you update the Connection Alias once.

  1. Navigate to Connections & Credentials > Connections
  2. Create a new Connection record
  3. Set the Connection URL (base URL for the integration)
  4. Link to a Credential Alias
  5. Name the connection — this name is referenced in scripts

Using Credential Aliases in scripts (RESTMessageV2)

// Reference a named REST Message that uses a Connection Alias
var rm = new sn_ws.RESTMessageV2('Jira Integration', 'Create Issue');
// Credentials and base URL come from the Connection Alias configured
// on the named REST Message record — not hardcoded here
rm.setStringParameterNoEscape('summary', current.getValue('short_description'));
rm.setStringParameterNoEscape('project', 'OPS');
var response = rm.execute();

Using in Flow Designer

When adding a REST action step in Flow Designer, the Connection field accepts a Connection Alias name. Flow Designer injects the credentials automatically — no scripting, no hardcoded values. This is the recommended approach for all integrations built in Flow Designer.

// In Flow Designer REST action step:
// Connection: [Select your Connection Alias]
// HTTP Method: POST
// Path: /rest/api/2/issue
// Body: JSON payload using data pills
// Credentials are injected automatically from the Connection Alias

Rotating credentials — the key benefit

When an external service rotates its API key or you need to update a password:

  1. Navigate to the Credential Alias record
  2. Update the credential value
  3. Save

That is it. Every flow, REST message, and script using that alias immediately uses the new credential on their next execution. No code changes, no hunting through Business Rules, no deployment required.

Never hardcode credentials

// WRONG — credentials in code
var rm = new sn_ws.RESTMessageV2();
rm.setRequestHeader('Authorization', 'Bearer sk-abc123hardcoded');

// RIGHT — credential alias
var rm = new sn_ws.RESTMessageV2('My API', 'Get Data');
// Credentials come from the Connection Alias on the named REST Message

Related guides:

Credential types and when to use each

ServiceNow supports several credential types in the Credential record. Basic Auth stores a username and password — appropriate for development and simple internal APIs. API Key stores a single token passed as a header — common for SaaS APIs that use bearer token authentication without OAuth. OAuth 2.0 stores client ID and secret and handles token exchange and refresh automatically — use for any production integration that supports OAuth. Mutual TLS stores a client certificate — used for highly secure integrations where certificate-based authentication is required. Match the credential type to what the external system actually requires; do not use a more complex credential type than necessary.

Multi-instance credential management

In multi-instance environments (development, test, production), each instance typically needs its own credentials for external systems — development connects to staging APIs, production connects to production APIs. Use the same Connection Alias name across instances but configure different Credential records on each instance. The integration scripts reference the alias name, not the credential directly — so promoting a Update Set that contains the Connection Alias configuration does not overwrite the instance-specific credential. This is the correct pattern for managing environment-specific credentials without manual script changes during deployment.

Related: RESTMessageV2 · OAuth 2.0 · IntegrationHub spokes · MID Server

The Three Layers: Connection, Credential, and Alias

Understanding how these three components relate to each other prevents the configuration confusion that most people encounter when setting up integrations for the first time. A Credential record stores the actual secret — a username and password, an API key, or an OAuth token. A Connection record stores the non-secret connectivity details — the base URL, timeout settings, and any default headers. A Connection and Credential Alias ties these together under a named identifier that your integration scripts reference. The alias is what you put in your RESTMessageV2 or IntegrationHub spoke configuration — it abstracts the underlying credentials so that the same script works across dev, test, and production instances simply by swapping the alias target, without any code change.

Credential Types and When to Use Each

ServiceNow supports several credential types: Basic Auth (username + password), API Key (a single token sent as a header), OAuth 2.0 (with token refresh), Certificate-based, and SSH. Basic Auth and API Key are the simplest to configure and cover the majority of REST integrations. OAuth 2.0 is required when the target system uses token-based authentication with expiry — ServiceNow handles the token refresh cycle automatically once the OAuth profile is configured. Certificate-based credentials are used for mutual TLS integrations where the target server requires a client certificate, common in banking and healthcare integrations. SSH credentials are specific to Discovery and scripted SSH connections to Linux hosts via the MID Server.

Cross-Environment Credential Management

The alias pattern solves a significant operational problem in multi-environment ServiceNow setups. In a typical dev → test → production pipeline, each environment connects to different endpoints: development might connect to a sandbox Salesforce org, test to a Salesforce staging environment, and production to the live Salesforce instance. With aliases, the alias name (e.g., salesforce_crm) stays constant in your integration code across all environments. Only the underlying Credential and Connection records differ per environment — and those are preserved through clone preservers so they are not overwritten when production is cloned to lower environments. This separation eliminates an entire class of post-clone credential reconfiguration work.

Governance and Rotation

Centralising credentials in the Credentials module creates a governance foundation that scattered, hardcoded credentials cannot provide. You can audit every place a given credential is used by looking at what Connections reference it, and rotate the credential in one place knowing all integrations using that alias will automatically pick up the new value. For organisations subject to SOC 2 or PCI-DSS requirements, this auditability is essential — you need to demonstrate that credentials are not embedded in scripts and that rotation is systematic rather than manual. The Update Sets process for credential records requires care: credential records should generally be managed through preservers and environment-specific configuration rather than transported in Update Sets, which would overwrite target environment credentials with source environment values.

Troubleshooting Alias Resolution Failures

When an integration fails with a credentials error, the diagnostic path starts with verifying alias configuration. Check that the alias name in the integration script matches the alias record name exactly (case-sensitive). Verify that the Credential attached to the alias has not expired — OAuth tokens have expiry dates, and API keys are sometimes rotated by external systems without ServiceNow being updated. Check that the Connection record's base URL is correct for the current environment. For integrations using the MID Server, verify that the MID Server has network access to the target endpoint — a valid credential against an unreachable URL produces timeout errors that can look like authentication failures in logs. The debugging guide covers log analysis patterns for integration failures.

Alias Naming Conventions

Consistent alias naming across your instance makes integration code readable and maintenance straightforward. A good convention uses a format like system_environment_purpose: salesforce_prod_crm, slack_prod_notifications, workday_prod_hr. This naming makes it immediately clear which external system the alias connects to, which environment it targets, and what it is used for. When an alias name follows a consistent pattern, the integration code itself serves as documentation — a developer reading getConnection('salesforce_prod_crm') understands the target without needing to look up the alias record. Document all aliases in a central registry (a custom table or a SharePoint document) that includes the external system owner and the credential rotation schedule, enabling proactive credential management rather than reactive updates when credentials expire.

OAuth Token Lifecycle Management

OAuth 2.0 credentials in ServiceNow automatically refresh access tokens when they expire, but this requires the stored refresh token to be valid. Refresh tokens have longer expiry windows than access tokens (often 30-90 days) and can be invalidated by the target system's security policies (password resets, security policy changes, manual token revocation). When an integration fails with an authentication error after working correctly for weeks or months, an expired or invalidated refresh token is a common cause. The fix is to re-authenticate the OAuth profile by triggering the authorization flow again from the OAuth Provider record. For critical integrations, configure a monitoring alert that detects repeated 401 errors from a specific target system and notifies the integration owner — catching token invalidation within minutes of occurrence rather than discovering it through user-reported integration failures.

The complete integrations reference

The NowSpectrum Integrations Guide covers REST, OAuth 2.0, IntegrationHub, MID Server, credential management, and 50 interview Q&As.

Get the Integrations Guide →
← Back to all posts