REST Outbound Interview Questions

1. What is an Outbound REST Integration in ServiceNow?

It refers to ServiceNow acting as a REST client, sending requests (GET,

POST, PUT, DELETE) to external systems/APIs. It’s commonly used for:

• Creating tickets in third-party systems

• Fetching data from external databases or services
• Synchronizing records across platforms

2. How do you make an outbound REST call in ServiceNow?

• Use RESTMessageV2() class in a script

• Create a REST Message record in System Web Services >
Outbound > REST Message
• Example:

var r = new sn_ws.RESTMessageV2('REST Pro le', ‘POST');

r.setStringParameterNoEscape('param', 'value');
var response = r.execute();

3. Where do you con gure authentication for an outbound REST API?

• In the REST Message record under the Authentication section

• Types:

◦ Basic Auth
◦ OAuth 2.0
◦ Mutual TLS
◦ No Auth (rare)
◦
4. How can you send JSON in the body of an outbound REST API call?

Use:
var r = new sn_ws.RESTMessageV2(...);
r.setRequestHeader("Content-Type", "application/json");
r.setRequestBody(JSON.stringify({
short_description: "Example",
priority: "1"
}));
fi
fi
5. How do you handle response and errors from an outbound REST
call?

Use try-catch:
try {
var response = r.execute();
var body = response.getBody();
var httpStatus = response.getStatusCode();
} catch (ex) {
gs.error("Integration failed: " + ex.message);
}

6. How can you pass dynamic values in an outbound REST message?

• Use variables in the REST Message (e.g., https://api.site.com/user/

${userId})
• Call setStringParameterNoEscape('userId', '123') in the script to
populate dynamically.

7. What is the use of REST Message Function in ServiceNow?

Functions (GET, POST, etc.) de ne:

• Endpoint
• HTTP Method
• Request format (headers/body)
• Authentication settings

Each function is a variation of how you communicate with an API

endpoint.

8. What are common issues faced in outbound integrations and how do

you troubleshoot?

• Authentication failures – Check credentials/token/endpoint

• SSL/TLS errors – Certi cate issues
• Wrong HTTP method – Ensure correct verb is used
• Timeouts – Set appropriate timeout, test connectivity
• Use the REST API logs: System Logs > Outbound HTTP Requests
fi
fi
 9. How can you test a REST Message without writing a script?

• Use the “Test” button on the REST Message Function

• Fill in parameters and click “Test” to view request/response details

10. Can you make REST calls from a background script or business
rule?

Yes, but it depends:

• In Business Rule (after insert/update) – yes, but use

r.executeAsync() to avoid UI delay
• In Scheduled Jobs / Script Includes / Flows – recommended for
better performance and reusability

11. Di erence between execute() and executeAsync()?

Function Description
execute() Synchronous – waits for response
executeAsync( Asynchronous – returns immediately, handles callback
) separately

12. How do you integrate ServiceNow with an OAuth 2.0 protected

API?

• Create an OAuth pro le in System OAuth > Application Registry

• Choose Authorization Code Grant or Client Credentials
• Use this pro le in your REST Message’s Authentication type

13. How can you handle pagination in outbound REST API calls?

• Loop until all pages are fetched:

var nextUrl;
do {
var r = new sn_ws.RESTMessageV2(...);
if (nextUrl) r.setEndpoint(nextUrl);
var response = r.execute();
var body = JSON.parse(response.getBody());
nextUrl = body.next_page_url;
} while (nextUrl);
ff
fi
fi
14. How can you log outbound REST calls for auditing?

• Use gs.info() or custom logging table.

• Enable “Log requests and responses” in REST Message
• Use sys_http_log table to view logs Question on Scripted REST API

————————————————————————————————

INBOUND REST API INTEGRATION – INTERVIEW QUESTIONS

1. What is an Inbound REST API Integration in ServiceNow?

An Inbound REST API allows external systems to send HTTP requests

to ServiceNow to perform CRUD operations (Create, Read, Update,
Delete). This is commonly used for integrating third-party tools with
ServiceNow (e.g., sending incidents from a monitoring tool).

2. How do you expose a table as a REST endpoint in ServiceNow?

By using the Table API (Out-of-the-box REST API), you can expose any
table by:

• Ensuring web service access is enabled for the table.

• Using the URL format:
https://<instance>.service-now.com/api/now/table/<table_name>
• Authenticated users with appropriate roles (like rest_api_explorer,
web_service_admin, or custom roles) can access it.

3. How can you secure inbound REST APIs in ServiceNow?

• Authentication: Basic Auth, OAuth 2.0, Mutual TLS

• Roles and ACLs: Control access to records and elds
• IP Restrictions: Limit access to certain IPs (optional)
• Rate Limiting: Avoid abuse by setting API rate limits

4. How can you test an inbound REST API?

• Use Postman, cURL, or ServiceNow REST API Explorer

• Example using Postman:
◦ URL: https://instance.service-now.com/api/now/table/incident
fi
 ◦ Method: POST
◦ Header: Authorization: Basic <base64_credentials>
◦ Body: JSON payload to create/update data

5. How do you handle errors in inbound REST APIs?

ServiceNow returns:

• 200 OK – Success
• 201 Created – New record created
• 400 Bad Request – Invalid input
• 401 Unauthorized – Authentication issue
• 403 Forbidden – ACL denied
• 404 Not Found – Wrong URL or record not found
Always log errors in a custom log or use IntegrationHub > Error
Handling.

6. How can you handle rate limiting in ServiceNow REST APIs?

• ServiceNow doesn’t have built-in rate limiting per user, but you can:

◦ Use API usage tracking via sys_ws_usage.

◦ Write a custom Scripted REST API to count requests per
source over time.
◦ Use external API Gateway (e.g., Apigee) to rate-limit tra c.

7. How do you authenticate inbound REST API requests in

ServiceNow?

• Basic Authentication (username/password)

• OAuth 2.0 (preferred for external apps)
• Mutual TLS (X.509 certi cate-based)
• Token-based access for custom solutions

8. What happens if you send a malformed JSON payload to the Table

API?

• You’ll receive a 400 Bad Request error.

• No record will be created.
fi
ffi
 • Use Postman’s Pre-request Script to validate JSON or handle errors
gracefully.

9. How can you restrict access to speci c records in an API call?

• Through ACLs: Apply row-level and eld-level security.

• Use addQuery() or addEncodedQuery() in a Scripted REST API to
restrict based on user role or data.

10. How can you return only selected elds in a REST API response?

Answer:

• Use sysparm_ elds=name,short_description,priority

• This works in both Table API and Scripted API using
GlideRecord.setLimit() and getValue()

————————————————————————————————

SCRIPTED REST API – INTERVIEW QUESTIONS

1. What is a Scripted REST API in ServiceNow?

A Scripted REST API lets developers de ne custom endpoints using

JavaScript (Glide scripting). Useful when:

• Default Table API is not enough

• Complex processing, validations, or transformation logic is required
before storing data

2. How do you create a Scripted REST API?

1. Navigate to: System Web Services > Scripted REST APIs

2. Create a new API with a name and namespace
3. Under that API, de ne Resources (GET, POST, PUT, DELETE)
4. Write your logic in the Script eld using request, response, and gs

3. What objects are available in a Scripted REST Resource?

• request: Provides info about the incoming request (headers, query

params, body)
fi
fi
fi
fi
fi
fi
fi
 • response: Use to set status code or headers
• response.setBody(): Used to return response payload
• current: GlideRecord object if tied to a table
• input: Parsed request body (for POST/PUT)

Sample: Scripted REST POST Resource to create an incident

(function process(request, response) {

var body = request.body.data;
var inc = new GlideRecord('incident');
inc.initialize();
inc.short_description = body.short_description;
inc.caller_id = body.caller_id;
inc.insert();
response.setStatus(201);
response.setBody({ result: 'Incident Created', sys_id: inc.sys_id });
})(request, response);

4. How do you secure a Scripted REST API?

• De ne requires authentication
• Use basic auth or OAuth 2.0
• Assign roles at the API level or within the script
• Use gs.hasRole() or gs.hasRoleExactly() to do role-based logic
inside the script

5. How do you implement pagination in a Scripted REST API response?

• Accept sysparm_o set and sysparm_limit as query params.

• Apply them on GlideRecord:

gr.setLimit(parseInt(request.queryParams.limit || 10));
gr.setO set(parseInt(request.queryParams.o set || 0));

• Return pagination metadata in the response.

6. Can you call another REST API from within a Scripted REST API?

Yes. Use sn_ws.RESTMessageV2() to call external APIs.

Example:
fi
ff
ff
ff
var r = new sn_ws.RESTMessageV2('REST Pro le Name',
'methodName');
r.setStringParameterNoEscape('param_name', 'value');
var response = r.execute();

7. How do you ensure only speci c roles can use a Scripted REST API?

• At the Scripted API level, assign a role.

• In the script

if (!gs.hasRole('api_user')) {
response.setStatus(403);
response.setBody({ error: 'Forbidden' });
return;
}

8. Can you return custom headers in Scripted REST API responses?

Yes.
response.setHeader("X-Custom-Header", "value");
Useful for passing meta info or pagination tokens.

9. How do you validate incoming payloads in Scripted REST APIs?

• Check request.body.data
• Validate all required elds manually
• Example:
if (!input.short_description) {
response.setStatus(400);
response.setBody({ error: 'short_description is required' });
return;
}

10. How to handle exceptions in Scripted REST API cleanly?

Wrap logic in a try-catch block:

try {
// logic
} catch (ex) {
gs.error(ex.message);
response.setStatus(500);
fi
fi
fi
 response.setBody({ error: ex.message });
}

12. Di erence between Scripted REST API and Script Include + REST?

Scripted REST Script Include (REST-

Feature
API enabled)
REST-specific design Yes No
Custom endpoint URLs Yes No
Use in processors/UI Limited Broad
Flexible response
Yes Not as customizable
format

13.What is the default access control type for Scripted REST API
access control?

REST Endpoint is access control type for Scripted REST API access
control

14.What is the default access control for scripted REST APIs?

A default Access Control, Scripted REST External Default, is applied

to all new Scripted REST APIs.

15. Default access control of scripted rest api denies access for whom?

The default Access Control (Scripted REST External Default) denies

access to the Scripted REST API to any user with
the snc_external role.

16. Which section de nes the supported request and response format
in scripted REST API?

The Content Negotiation section de nes the supported request and

response formats.

17.what are the default supported request and response format?

The default for the request and response is to allow:

• application/json
ff
fi
fi
 • application/xml
• text/xml

18.How you can change the default request and response format?

To change the list of supported formats, click the Override default

supported request formats option or the Override default supported
response formats option.

19. How we can direct user to the documentation of API

Use the Documentation section to direct users to the Scripted REST

API documentation

20.What is request header?

A REST request header contains parameters (metadata) that de ne the

HTTP(S) interaction.
Example: Authorization, Accept, Content-Type

21.What is query parameters?

Query parameters control what information developers using the API

can pass in the API request URL.

22.How we can make a query parameter mandatory?

We can set the query parameter mandatory by setting it is required

=‘true’

23. What are scripted REST API resources?

A REST API is a collection of REST resources. REST resources are

unique data representations that have at least one URI.

An HTTP method de nes each resource:

• GET : Retrieve or fetch data from server
• POST : Creates a new resource on server ex:incident
• PUT : Replace a resource completely
• PATCH : Update a part of the resource
• DELETE : delete a resource
fi
fi
24.If the scripted REST API response format is di erent from resource
response format which will be followed.

Resources can override settings inherited from the Scripted REST API.

25.How we can create and populate properties on the response object?

A resource script is a server-side JavaScript that creates and populates

properties on the response object. The response object is returned to
the application that invoked the resource.

26. What are the di erent properties of the request object?

The properties of the request object are:

• body : The body object provides access to the request body.

• pathParams : The pathParams object allows script access to path
parameters passed in the request URL. The available path
parameters are determined by the Scripted REST Service
resources.
• queryParams:The queryParams object allows script access to the
query parameters from the web service request.
• queryString:The queryString string contains the entire query
added to the endpoint URI.
• uri : The uri string contains the request URI, excluding domain
information.
• url : The url string contains the entire request URL.
• headers:The headers object contains all headers property value
pairs from the request.
• getHeader():The getHeader method returns a string containing the
value of a speci c header from the web service request.
• getSupportedResponseContentTypes() :
The getSupportedResponseContentTypes() method returns an
array of string values where each string is a content type, such
as application/json.

27. The error codes are initiated from which namespace?

The error object must be instantiated from the sn_ws_err namespace.

28. What are prede ned error objects?

fi
ff
fi
ff
 Status Error Object Description
Code

400 BadRequestError Error in the request,

such as incorrect syntax

404 NotFoundError Requested resource is

not available

406 NotAcceptableError The Accept header

value is not allowed

409 ConflictError There is a conflict in the

request

415 UnsupportedMediaTypeError The requested media

type is not supported

29. Create a custom error object?

(function run(request, response) {

var myError = new sn_ws_err.ServiceError();
myError.setStatus(442);
myError.setMessage('Invalid value in path parameter');
myError.setDetail('We recognized the path parameter you sent,
but the value you requested does not exist in the database.');
return myError;
})(request,response);

30. How we can enable and disable versioning in scripted REST API?

To enable scripted REST API click on related list enable versioning

once it is enabled we can not disable the versioning.

31. What is WEB API dashboard in performance analytics or REST &

SOAP API analytics in Platform Analytics
The Usage by WEB API dashboard displays analytic data on a per API
basis. Developers can view:
• API Usage by Resource (Last 30 Days)
• API Usage by Method (Daily)
• REST API Usage by Version (Daily)
• API Usage (Monthly)

31. What role is required to access the REST API Explorer

The REST API Explorer is available to users with

the rest_api_explorer role or the admin role

————————————————————————————————

Scenarios

Scenario 1: External Tool Sending Alerts to ServiceNow

Question: A monitoring tool (like Zabbix, SolarWinds, or Datadog) sends

alerts to ServiceNow. You need to create incidents automatically. How
will you handle this in ServiceNow?

Answer Outline:

• Use Inbound REST API (either Table API or Scripted API).

• For simple mapping, use Table API (incident table).
• For custom logic (like severity mapping, deduplication), use
Scripted REST API.
• Authenticate via Basic Auth or OAuth.
• Validate payload, transform if needed, create incident.
• Send appropriate HTTP status and response back.

Scenario 2: Payload Requires Complex Validation

Question: Your inbound request contains a nested JSON object with

multiple sub-objects. You need to validate required elds and only then
create a record. How will you do this?

Answer Outline:
fi
 • Use Scripted REST API for full control.
• Use request.body.data to parse nested JSON.
• Validate required elds manually (e.g., if (!data.user || !
data.alert.description)).
• Handle error response with response.setStatus(400) and custom
error message.
• Only insert record if data is complete.

Scenario 3: Two Systems Talking – You Only Need Some Fields

Question: An external system sends a huge payload, but you only need
to store 3 elds. How will you design your integration?

Answer Outline:

• Use Scripted REST API to extract only needed elds.

• Optionally discard the rest of the data.
• This avoids unnecessary storage, improves performance, and
maintains control.
• Might store incoming payload as a log (for troubleshooting/audit).

Scenario 4: Create Multiple Related Records in One Call

Question: You get a request to create a parent record (e.g., Change

Request) and multiple child tasks (e.g., Change Tasks). How do you
handle this?

Answer Outline:

• Use Scripted REST API.

• Parse parent object → insert parent GlideRecord → get sys_id
• Loop through children → insert child records → reference parent
sys_id
• Return all sys_ids in response for traceability

Scenario 5: Secure a Scripted REST API from Unauthorized Access

Question: You exposed a Scripted REST API to a trusted vendor. How

do you make sure only they can access it?
fi
fi
fi
Answer Outline:

• Use OAuth 2.0 for stronger security (better than basic auth).
• Issue a client ID and secret to the vendor.
• Restrict access by assigning roles to the API.
• In script, use:
if (!gs.hasRole('api_vendor')) {
response.setStatus(403);
response.setBody({error: 'Access Denied'});
return;
}

Scenario 6: Handle Duplicate Record Requests

Question: An external app is sending duplicate requests. You want to

prevent the same record from being created twice. How will you
implement idempotency?

Answer Outline:

• Ask external system to send a unique reference ID in payload.

• Check existing records using that reference before inserting:
var gr = new GlideRecord('incident');
gr.addQuery('external_ref_id', data.ref_id);
gr.query();
if (!gr.hasNext()) {
// insert
}

Scenario 7: Logging and Troubleshooting API Failures

Question: How do you handle logging when an API call fails due to a
bad request or unexpected error?

Answer Outline:

• Use gs.error() or a custom logging table.

• Store raw request data, timestamp, and error message.
 • Return meaningful response to client with response.setStatus() and
response.setBody()
• Optionally send alert/email on repeated failures.

Scenario 8: Performance Concerns with Scripted REST API

Question: Your Scripted REST API is becoming slow with high volume.
How will you optimize it?

Answer Outline:

• Use e cient GlideRecord queries (indexed elds, addActiveQuery()

etc.)
• Limit returned elds (use setLimit() and setDisplayValue(false))
• Avoid nested loops
• Consider asynchronous processing (like scheduling background
script)
• Implement pagination for large GET responses

Scripted REST API – Scenario-Based Questions

Scenario 9: Validate and Transform Data Before Insertion

Use request.body.data to validate required fields and transform
input before inserting into the database.
Scenario 10: Custom Response Based on Business Logic
After processing input, return a custom status and message using
response.setBody().
Scenario 13: Secure API for a Specific Role Only

Check gs.hasRole('desired_role') in script. If not authorized, set

status to 403 and return error.
Scenario 14: Handle Multiple Methods in One API

Create different resources (GET, POST, PUT) under one Scripted

REST API and write different logic for each.
ffi
fi
fi
Scenario 15: Logging All API Access Attempts
Log request time, user, and payload in a custom log table inside
the process function.
Outbound REST API – Scenario-Based Questions

Scenario 1: Sending an Incident to an External System

Create a Business Rule (After Insert) on the incident table. Use

RESTMessageV2().executeAsync() to send the incident data
securely and efficiently.
Scenario 2: Integration with an OAuth-Protected API

Register an OAuth application using Client Credentials. Configure

the REST Message to use the OAuth profile and send data using
RESTMessageV2.
Scenario 3: Retry on Failure

Use a Script Include with retry logic.

Attempt the REST call up to 3 times with delay using gs.sleep().
Log failure after maximum retries.
Scenario 4: Handle Response Mapping

Parse the JSON response from the external API and extract only
the required fields to use or store.
Scenario 5: Need to Call External API with Dynamic URL

Configure endpoint with variables like ${userId}.

Use setStringParameterNoEscape() to pass dynamic values.
Scenario 6: Scheduled Data Sync

Use Scheduled Script Execution to call external API daily. Parse

and update ServiceNow records accordingly.

Scenario 7: Conditional Data Push Based on Field Change

Trigger a Business Rule on field change (e.g., assignment group).

Use REST call conditionally when the field changes.
Scenario 8: Handling API Pagination

Loop through paginated results using a 'next' key or offset

parameter. Use setEndpoint() inside a loop.
Scenario 9: External System Requires Header with Token

Set custom headers like X-API-KEY using setRequestHeader() in

RESTMessageV2.
Scenario 10: Logging & Monitoring API Failures

Log failures using gs.error() or a custom table. Enable request/

response logging in REST Message. Create a dashboard or alert
system.