ServiceNow MCP Server
Enables authenticated interaction with ServiceNow via its REST API using per-user OAuth 2.0 tokens. It provides tools for managing incidents, tasks, knowledge articles, and service catalog requests while maintaining user-specific permissions.
README
ServiceNow MCP Server
Secure, enterprise-ready MCP server for ServiceNow where every action runs as the authenticated user.
No shared service accounts. No ACL bypass. Full audit-trail fidelity.
β‘ Why This Exists
Instead of funneling every request through a shared service account, this server executes actions as the actual human user.
Because it uses per-user OAuth tokens, ServiceNow still enforces:
- each userβs ACLs and roles,
- their approval authority,
- and native user-level audit logging.
Result: safer automation, cleaner compliance, fewer permission hacks.
π₯ Core Capabilities
- Per-user OAuth 2.0 Authorization Code flow + refresh
- AES-256-GCM encrypted token storage in Redis
- Streamable HTTP MCP transport with per-session lifecycle
- Tool-level identity protections for sensitive operations
- Optional reconnect tokens for session persistence across server restarts
- Per-user rate limiting via Redis token bucket
- Input validation + normalized error responses
- CI-enforced build + test + coverage gate
π§ Architecture
flowchart LR
Client[MCP Client] --> MCP[ServiceNow MCP Server\nExpress + MCP SDK]
MCP --> Redis[(Redis\nEncrypted tokens + sessions)]
MCP --> SN[(ServiceNow REST APIs)]
MCP --> OAuth[OAuth 2.0\nPer-user delegation]
SN --> ACL[ACL + Role Enforcement]
SN --> Audit[Native Audit Trail]
Key modules:
src/index.tsβ startup/shutdown wiringsrc/server.tsβ HTTP app + MCP routes/session lifecyclesrc/auth/*β OAuth callback, encryption, token store, token refresh, reconnect tokenssrc/tools/*β tool implementations by domainsrc/middleware/*β rate limiting, error normalizationsrc/servicenow/*β API client + query helpers
π Quick Start
Prerequisites
- Node.js 22+
- Redis
- ServiceNow instance with OAuth app configured
Local Setup
npm install
cp .env.example .env
npm run generate-key
# paste generated key into TOKEN_ENCRYPTION_KEY in .env
npm run dev
Health check:
curl -s http://localhost:8080/health
Docker
docker compose up -d --build
One-shot Linux VM setup is available via setup.sh.
π ServiceNow Setup
- Go to System OAuth > Application Registry
- Create OAuth API endpoint for external clients
- Set redirect URI (example):
https://<host>:8080/oauth/callback - Copy client ID/secret into
.env
Required Role
Users should have snc_platform_rest_api_access for REST API access. Record-level ACLs still apply.
π§° Tools (18)
Incidents
search_incidentsget_incidentcreate_incidentupdate_incidentadd_work_note
Users and Groups
lookup_userlookup_groupget_my_profile
Knowledge
search_knowledgeget_article
Tasks and Approvals
get_my_tasksget_my_approvalsapprove_or_reject
Update Sets
change_update_setcreate_update_set
Service Catalog
search_catalog_itemsget_catalog_itemsubmit_catalog_request
π Security Guarantees
Server-side protections include:
create_incident: caller identity is server-controlledupdate_incident: protected audit/system fields are strippedsubmit_catalog_request: requester identity is server-controlledapprove_or_reject: approval ownership is verified
Also enforced:
sys_idand enum validation- payload sanitization
- normalized error responses
π Reconnect Tokens
After a server restart, in-memory MCP sessions are lost. Normally this requires re-doing the full OAuth flow. Reconnect tokens let clients skip re-auth by auto-mapping a new session to existing Redis-stored OAuth credentials.
How It Works
- Complete OAuth as normal
- Generate a reconnect token:
curl -X POST https://host:8080/oauth/reconnect-token \ -H "Content-Type: application/json" \ -d '{"user_sys_id": "..."}' - Update your MCP client URL to include the token:
{ "url": "https://host:8080/mcp?token=<hex>" } - On server restart, the client reconnects and is automatically authenticated
Token Management
- Tokens default to 100-day TTL (configurable via
RECONNECT_TOKEN_TTL), refreshed on each successful use - Revoke a specific token:
DELETE /oauth/reconnect-tokenwith{"user_sys_id": "...", "reconnect_token": "..."} - Revoke all tokens for a user:
DELETE /oauth/reconnect-tokenwith{"user_sys_id": "...", "revoke_all": true} - If a token is invalid or expired, the session silently falls through to normal (unauthenticated) behavior
βοΈ Configuration
| Variable | Required | Description |
|---|---|---|
SERVICENOW_INSTANCE_URL |
Yes | ServiceNow base URL |
SERVICENOW_CLIENT_ID |
Yes | OAuth client ID |
SERVICENOW_CLIENT_SECRET |
Yes | OAuth client secret |
OAUTH_REDIRECT_URI |
Yes | OAuth callback URL |
TOKEN_ENCRYPTION_KEY |
Yes | Base64 32-byte AES key |
REDIS_URL |
No | Redis URL (default redis://localhost:6379) |
MCP_PORT |
No | Server port (default 8080) |
RATE_LIMIT_PER_USER |
No | Requests/minute/user (default 60) |
RECONNECT_TOKEN_TTL |
No | Reconnect token TTL in seconds (default 8640000 / 100 days) |
β Testing and Quality
npm run build
npm test
npm run test:coverage
- Coverage thresholds are configured in
vitest.config.ts - CI runs build + tests + coverage gate on PRs and
main
π§― Troubleshooting
1) OAuth callback fails (TOKEN_EXCHANGE_FAILED)
Symptoms
/oauth/callbackreturns 500- logs show token exchange failure or
invalid_grant
Checks
OAUTH_REDIRECT_URIexactly matches the ServiceNow OAuth app redirect URI- client ID and secret are correct
- system clock is sane
Fix
- correct redirect/client credentials and restart server
- re-run auth flow from
/oauth/authorize
2) Auth works, but API calls return 403
Symptoms
- tool calls fail with insufficient permissions
Checks
- user has
snc_platform_rest_api_access - user has the needed table/record ACL permissions
Fix
- grant missing role or ACL permissions in ServiceNow
3) Redis connectivity issues
Symptoms
/healthreturns unhealthy- startup logs show Redis connection errors
Checks
- Redis is running and reachable
REDIS_URLis correct
Fix
- start Redis
- correct
REDIS_URL, then restart app
4) CI fails on coverage threshold
Symptoms
- GitHub Actions fails during
npm run test:coverage
Checks
- inspect uncovered lines in coverage output
- ensure changed logic has matching tests
Fix
- add targeted tests
- re-run locally with
npm run test:coverage
5) Reconnect token not working after restart
Symptoms
- Client connects with
?token=...but session is unauthenticated
Checks
- Token may be expired (default 100-day TTL)
- User's OAuth credentials may have been revoked or expired in Redis
- Token may have been explicitly revoked
Fix
- Generate a new reconnect token via
POST /oauth/reconnect-token - Re-authenticate via
/oauth/authorizeif OAuth credentials are gone
6) Tool says AUTH_REQUIRED after prior login
Symptoms
- tool requests re-auth unexpectedly
Checks
- refresh token may be expired/revoked
- session mapping may be missing/expired
Fix
- re-authenticate via
/oauth/authorize - confirm Redis persistence and restart behavior
Debug Command Cheat Sheet
# install + run
npm install
npm run dev
# quality gates
npm run build
npm test
npm run test:coverage
# health check
curl -s http://localhost:8080/health
# local redis quick check (when redis-cli is available)
redis-cli -u "$REDIS_URL" ping
# docker compose stack quick status
docker compose ps
docker compose logs -f
π€ Agent Instruction Files
AGENTS.mdCLAUDE.md.github/copilot-instructions.md
Alignment workflow validates expected consistency.
π Endpoints
| Path | Method | Purpose |
|---|---|---|
/health |
GET | Health status |
/oauth/authorize |
GET | Start OAuth flow |
/oauth/callback |
GET | OAuth callback/token exchange |
/oauth/reconnect-token |
POST | Generate a reconnect token |
/oauth/reconnect-token |
DELETE | Revoke reconnect token(s) |
/mcp |
POST | MCP initialize + tool calls |
/mcp?token=<hex> |
POST | MCP initialize with reconnect token |
/mcp |
GET | MCP notifications stream |
/mcp |
DELETE | Close MCP session |
Client Config Example (Claude Desktop)
{
"mcpServers": {
"servicenow": {
"type": "streamablehttp",
"url": "https://your-host:8080/mcp"
}
}
}
With a reconnect token for session persistence across restarts:
{
"mcpServers": {
"servicenow": {
"type": "streamablehttp",
"url": "https://your-host:8080/mcp?token=<your-reconnect-token>"
}
}
}
Built for secure, user-scoped AI operations in ServiceNow.
Recommended Servers
playwright-mcp
A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.
Magic Component Platform (MCP)
An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.
Audiense Insights MCP Server
Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.
VeyraX MCP
Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.
graphlit-mcp-server
The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.
Kagi MCP Server
An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.
E2B
Using MCP to run code via e2b.
Neon Database
MCP server for interacting with Neon Management API and databases
Exa Search
A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.
Qdrant Server
This repository is an example of how to create a MCP server for Qdrant, a vector search engine.