74
/ 100
1 month ago
glama

ServiceNow MCP Server

Connects Microsoft Copilot Studio to ServiceNow Service Catalog, enabling users to search catalog items, fill Adaptive Card order forms, and place orders from within a Copilot Studio agent.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
Open source with a license and README
Anyone can audit the code, the license is declared, and the publisher documents what it does.
🔐
You'll be asked for 7 credentials: ENTRA_BEARER_TOKEN, ENTRA_CLIENT_SECRET, ENTRA_DCR_REGISTRATION_TOKEN, FUNCTION_KEY, SERVICENOW_CLIENT_SECRET, SERVICENOW_PASSWORD, SERVICENOW_REQUIRE_CALLER_ACCESS_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configCORS_ALLOWED_ORIGINS_(empty)_ Comma-separated browser origins for CORS-enabled endpoints
configENTRA_ALLOWED_AUDIENCES_(empty)_ Comma-separated extra aud values to accept (custom App ID URIs)
configENTRA_ALLOW_ANY_TENANTfalse Accept any Microsoft tenant token
configENTRA_AUDIENCEExpected aud in tokens; defaults to api://<ENTRA_CLIENT_ID>
configENTRA_AUTH_DISABLEDEdit local.settings.json -- is true by default for local use
🔐 secretENTRA_BEARER_TOKENset =<access-token>
configENTRA_CLIENT_IDNote Application (client) ID =
🔐 secretENTRA_CLIENT_SECRET2. Certificates & secrets > New client secret -- copy the value immediately =
configENTRA_DCR_ALLOW_UNAUTHENTICATEDfalse Allow open Dynamic Client Registration when no token is configured
🔐 secretENTRA_DCR_REGISTRATION_TOKEN_(unset)_ Bearer token required on POST /oauth/register
configENTRA_OAUTH_SCOPESapi://<ENTRA_CLIENT_ID>/access_as_user openid profile offline_access Scopes advertised in OIDC discovery
configENTRA_OBO_DOWNSTREAM_SCOPE
configENTRA_OBO_ENABLED
configENTRA_TENANT_IDNote Directory (tenant) ID =
configENTRA_TRUSTED_TENANT_IDS_(empty)_ Accepted remote tenant IDs (multi-tenant scenarios)
🔐 secretFUNCTION_KEY
configITEM_SYS_ID
configLOG_INCLUDE_CALLER_IDENTITYfalse Attach caller oid/upn to every log entry. Off by default to keep PII out of App Insights
configLOG_INCLUDE_ERROR_STACKfalse Include error stack traces in error log entries
configLOG_LEVELinfo Minimum log level emitted to stdout: debug, info, warn, or error
configMCP_ENDPOINT_URLazd env get-values findstr
configORDER_VARIABLES_JSON
configPORT
configREQUESTED_FOR
configSEARCH_QUERY$env: = "laptop"
configSERVICENOW_CLIENT_IDazd env set "<sn-client-id>"
🔐 secretSERVICENOW_CLIENT_SECRETazd env set "<sn-client-secret>"
configSERVICENOW_INSTANCE_URLazd env set "https://<instance>.service-now.com"
configSERVICENOW_OAUTH_CLIENT_AUTH_STYLEauto OAuth client auth style: request_body or basic
configSERVICENOW_OAUTH_GRANT_TYPEauto Override grant type: password or client_credentials
configSERVICENOW_OAUTH_TOKEN_PATH/oauth_token.do ServiceNow token endpoint path
🔐 secretSERVICENOW_PASSWORDazd env set "<integration-user-password>"
configSERVICENOW_REQUESTED_FOR_CALLER_FIELDScallerUpn Entra token claims to use as identity source
configSERVICENOW_REQUESTED_FOR_DIAGNOSTICSfalse Include requested_for diagnostics in tool/API responses
configSERVICENOW_REQUESTED_FOR_DIAGNOSTICS_INCLUDE_PIIfalse Include raw caller identifiers in diagnostics (for short-lived troubleshooting only)
configSERVICENOW_REQUESTED_FOR_FALLBACK_TO_CALLER_VALUEtrue Fall back to UPN if no sys_user match
configSERVICENOW_REQUESTED_FOR_LOOKUP_FIELDSemail,user_name sys_user fields for identity resolution
🔐 secretSERVICENOW_REQUIRE_CALLER_ACCESS_TOKENfalse When true, refuse calls without x-servicenow-access-token (per-user ACL enforcement)
configSERVICENOW_USERNAMEazd env set "<integration-user>"
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 4 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/pavecer-mcp-server-servicenow-0ih15r)](https://m8ven.ai/mcp/pavecer-mcp-server-servicenow-0ih15r)
commit: bab317a358cb6b81a336dcc6b133930f71f57adc
code hash: 4ba18560478b6886ae199464044e5ba78ca03e480e6252d633a433347983d38d
verified: 6/10/2026, 10:15:09 AM
view raw JSON →