Client REST API authentication request for logged in users - Support and Troubleshooting
KB0565021
22315 Views. Last updated: Jul 24, 2025.

Issue

Beginning with the Geneva release, the Client REST API has a security setting to avoid Cross-Site Request Forgery (CSRF) attacks. CSRF is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

The CSRF security setting is only included in Geneva and later releases.

Symptoms

An authentication dialog is displayed even though the user is already logged in. To reproduce the additional authentication request:

  1. Log in to a Geneva instance as an admin.
  2. Open the following URL on your instance:

    /api/now/table/incident?sysparm_query=active=true^ORDERBYDESCsys_updated_on^caller_id=javascript:gs.getUserID()^ORopened_by=javascript:gs.getUserID()&sysparm_display_value=true&sysparm_fields=number,short_description,description,sys_updated_on,closed_at,incident_state,opened_at,caller_id,state,sys_id,resolved_at&sysparm_limit=1&stamp=1454246237320

    • If you click Cancel in the dialog, the response is:

      <response>
        <error>
          <message>User Not Authenticated</message>
          <detail>Required to provide Auth information</detail>
        </error>
        <status>failure</status>
      </response>

Cause

Client REST APIs have a security setting to avoid CSRF attacks. As an authenticated user, your session is a UI session. Opening a new tab or browser window and navigating directly to the REST endpoint enforces CSRF validation on that user session. The new tab/window does not carry a valid CSRF token, so the request is rejected as unauthenticated (HTTP 401).

Resolution

One solution is to enter the password again when prompted by the REST call. After that, the REST requests no longer ask for a password.

There are three alternative workarounds:

  1. Set glide.security.use_csrf_token to false (not recommended, because it disables the CSRF protection for the whole instance).
  2. Translate the REST call to a GlideAjax call (for more information, see GlideAjax in the product documentation).
  3. Include the header 'X-userToken':window.g_ck in your REST call:
    >>>> --from community-----------------------------------
    >>>> https://community.servicenow.com/message/881147
    >>>> you can get token from window object using window.g_ck and
    >>>> set the header like this 'X-userToken':window.g_ck in your http call.
    >>>>
    >>>>   $scope.getAllActive = function() {
    >>>>     $http({
    >>>>       method: 'GET',
    >>>>       url: $scope.url + "",
    >>>>       headers: {
    >>>>         // session token the UI page exposes; satisfies the CSRF check
    >>>>         'X-UserToken': window.g_ck
    >>>>       }
    >>>>     }).
    >>>>     success(function(data, status) {
    >>>>       $scope.numbers = data.result;
    >>>>     }).
    >>>>     error(function(data, status) {
    >>>>       // e.g. HTTP 401 when the token is missing or stale
    >>>>       $scope.numbers = [{"number": "Error fetching list"}];
    >>>>     });
    >>>>   };

Note: Our development team recommends the third workaround, including the 'X-userToken':window.g_ck header in the REST call.
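The same workaround written against the browser fetch API, as an added example that is not code from the KB or from ServiceNow. It assumes the page is a logged-in UI page where window.g_ck is set; the token value, table parameters and response bodies used for illustration are constructed.

```javascript
// Added example, not code from the KB or from ServiceNow. It builds the same-origin
// Table API request that workaround 3 describes (session token from window.g_ck sent
// as X-UserToken) and interprets the JSON response, including the 401 the KB shows.
// The token value and the sample response bodies are constructed.

function buildTableApiRequest(sessionToken, table, params) {
  // window.g_ck is only populated on a logged-in UI page; without it the
  // request fails CSRF validation exactly like the new-tab case in the KB.
  if (typeof sessionToken !== 'string' || sessionToken.length === 0) {
    throw new Error('no session token: window.g_ck is unset, so the call would get HTTP 401');
  }
  const query = new URLSearchParams(params).toString();
  return {
    url: '/api/now/table/' + encodeURIComponent(table) + (query ? '?' + query : ''),
    options: {
      method: 'GET',
      credentials: 'same-origin',          // send the UI session cookie with the call
      headers: {
        'Accept': 'application/json',
        'X-UserToken': sessionToken,       // the CSRF token the Geneva+ check expects
      },
    },
  };
}

function interpretTableApiResponse(status, body) {
  // ServiceNow REST errors carry {error:{message,detail},status:'failure'}
  if (status === 401) {
    const msg = body && body.error ? body.error.message : 'User Not Authenticated';
    return { ok: false, reason: msg, records: [] };
  }
  if (status < 200 || status >= 300) {
    return { ok: false, reason: 'HTTP ' + status, records: [] };
  }
  return { ok: true, reason: null, records: Array.isArray(body.result) ? body.result : [] };
}

// In a UI page: loadActiveIncidents(window.fetch, window.g_ck)
async function loadActiveIncidents(fetchImpl, sessionToken) {
  const req = buildTableApiRequest(sessionToken, 'incident', {
    sysparm_query: 'active=true^ORDERBYDESCsys_updated_on',
    sysparm_fields: 'number,short_description,state',
    sysparm_limit: '10',
  });
  const res = await fetchImpl(req.url, req.options);
  return interpretTableApiResponse(res.status, await res.json());
}
```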

Related Links

REST API Security