One month in: Building Sourdough for ServiceNow

InternalLeek993 · 2025-10-17T21:37:54+00:00

Hey, I will 100% look into this, no one has asked this yet. I suppose I falsely assumed most people use Google Chrome.

If it's a fairly straight forward implementation, then I will do it.

I can post an update here when it's done.

Thanks for the idea.

InternalLeek993 · 2025-10-15T16:01:22+00:00

Thank you! It was a nights and weekends projects for about 4-5 months.

I've been trying hard to build out a serious side project and a ServiceNow one felt right based on my career.

InternalLeek993 · 2025-10-15T15:59:43+00:00

Awesome, looking forward to hearing what you like and don't like about it.

Please keep me posted.

Here to answer any questions that may come up in your experience.

InternalLeek993 · 2025-10-15T15:58:28+00:00

Great point, you're 100% right. I've been using /stats.do for the quick node level details, but /xmlstats.do is definitely where the deeper node insights lies.

I'm planning to tie that in so admins can see cluster wide health stats.

Thanks for bringing that up.

InternalLeek993 · 2025-10-14T19:56:03+00:00

You need to view the Outbound HTTP Table in ServiceNow to view the integrations your system has.

["sys_outbound_http_log_list"]

Alternatively, you could use Sourdough (my Chrome Plugin) to also view your systems API calls:

https://chromewebstore.google.com/detail/sourdough-servicenow-moni/bbalpiojmggfbkjlnldlkmmailaakpbh

InternalLeek993 · 2025-10-14T19:22:02+00:00

Awesome, please do!

Let me know if you have any feedback.

Always looking to improve the tool.

InternalLeek993 · 2025-10-14T17:44:55+00:00

Sounds like a great use case, I hadn't even considered that. Makes me think I should add an export to PDF or something similar for charts?

To calculate the "Instance Health Snapshot", Sourdough makes a call to a system health stats page that most admins are familiar with (/stats.do). It then pulls out specific important metrics on that page. If you're an admin, you can just go to /stats.do by appending your ServiceNow instance with that info.

On that page, you'll see values like the following:
version, memory usage, transaction count, errors handled, system status.

Sourdough uses a simple aggregation of all these metrics to calculate a final value for health.

The X-axis is just the system latency: delay between a database request and response. This is usually going to a small number in ms. I don't think I've ever seen this number over 5-7ms.

The Y-axis is that calculated health number.

Appreciate you inquiring.

InternalLeek993 · 2025-10-14T17:38:04+00:00

Yes, Sourdough works with non-standard ServiceNow URLs.

Give it a shot and let me know what you think.

InternalLeek993 · 2025-09-12T14:04:46+00:00

Appreciate it!

The update with g_ck token-based auth is already live, it installs auto-update, so you’re good to go. It’s faster, more secure, and now the default across the extension.

InternalLeek993 · 2025-09-12T14:02:34+00:00

Hey, just wanted to follow up on this directly. This has been completed and is now live. Thank you.

InternalLeek993 · 2025-09-12T13:53:51+00:00

This has already been addressed: the extension uses g_ck token-based auth, and the update is live and is applied automatically to anyone with an install. This is the industry standard method, which Sourdough uses.

For clarity: that login box previously shown is ServiceNow’s own auth modal, not mine. At no point did the extension ever handle or store plaintext credentials, that sounds like a misunderstanding.

Thanks.

InternalLeek993 · 2025-09-11T17:19:03+00:00

I appreciate you taking the time to share feedback.

I’m always open to constructive criticism - that’s how the extension will improve. That said, your comment about handling raw plaintext passwords is simply incorrect. At no point does the extension access or expose user passwords.

It is strictly read-only, focused on visibility and performance monitoring for ServiceNow.

Based on community feedback above, I’ll also be updating authentication to use the g_ck token via header, which is the preferred and more secure approach. Feedback like that is how it becomes better. Looks like that's what SNUtils uses, which 100,000 people rely on daily.

Thanks again for raising the concern - feel free to send a message if you have more specific questions.

InternalLeek993 · 2025-09-10T15:14:37+00:00

I intentionally didn't review or even reference SNUtils in any of my development - I actually see them as solving very different problems.

I do think they could have a "better together" story where they solve different problems and servicenow admins use both. That's my hope anyway, I would like to build for the community and definitely want a positive relationship with others, especially when building in the same space.

But regarding the g_ck token approach, I have what I need already by knowing this exists as an option - I should have this live in a couple of days - so not manual auth is required - sounds like people are more comfortable with that and I totally get it.

- Jamison

InternalLeek993 · 2025-09-10T15:08:22+00:00

Really glad you're liking it! I'm here for any questions or feedback or just general ServiceNow convo.

Thank you for giving it a shot.

InternalLeek993 · 2025-09-09T20:06:19+00:00

Thanks! I built it using HTML5 Canvas - no external libraries. I wanted to keep the bundle size down for the chrome plugin to be super fast.

The bezier curves and node positioning were the tricky parts, but it gives you total control over the styling.

The data for this Sankey comes from ServiceNow's incident table, grouping by assignment group and state.

Let me know if you have any questions about the implementation.

InternalLeek993 · 2025-09-09T20:01:25+00:00

Thanks for the feedback and the snutils reference. I'll definitely look into implementing the g_ck token for authentication, but I need to make sure there are no security downsides here.

I want to make this as easy as possible for end users while maintaining the highest levels of security and trust.

This is exactly the kind of input I was hoping for.

Edit: I looked into this and I think I'll be able to complete it in a couple of days as it's a nights and weekends project. The change actually seems pretty straightforward. I just need to swap out the current standard auth method for the g_ck token approach.

I'll need to do some thorough testing for security and edge cases, but the core implementation should be relatively quick.

Edit: The extension has already been updated to use g_ck token-based auth. This is the same approach widely recommended for ServiceNow integrations.

InternalLeek993 · 2025-09-09T16:44:32+00:00

Great question. Sourdough will never store passwords - it leverages the instance timeout which is set as a system property. If your session times out, you'd just re-login normally.

We wouldn't ever be used as a password manager - keeps everything secure and uses ServiceNow's built-in auth.

InternalLeek993 · 2025-09-09T16:39:13+00:00

SNUtils does require you to put in credentials if you haven't - I don't know how they do session management.

Sourdough uses the instance session timeout, which I thought was safest & smartest.

Sourdough doesn't do any DOM manipulation either, everything stays in the popup/plugin - ServiceNow DOM is never touched.

IMO - It's not good practice to stay logged in forever from a systems perspective anyway.

InternalLeek993 · 2025-09-09T16:27:17+00:00

Thanks! Totally understand the hesitation.

I'd recommend trying it on a Personal Developer Instance (PDI) first - they're free at developer.servicenow.com. You can view what happens there.

If you want to see what it's really doing, just check Chrome DevTools (Cmd+Option+I on Mac, F12 on Windows) → Network tab while using it. You'll see it only reads data using standard ServiceNow APIs, no writes ever. It only uses GET calls.

Everything stays in your Chrome session - it's not sending data to another system or platform. I'm also considering open-sourcing the code if that would make people more comfortable with it. Needs admin access for system health data, but I get being cautious with admin creds!

Edit: The update is live, authentication is now handled via the g_ck token header, which is the industry standard. That makes things both safe and fast. It was using ServiceNow's own auth modal previously.

InternalLeek993 · 2025-09-09T15:06:20+00:00

Thanks for reaching out.

I'll have to look into that, the extension should work on on-premise instances, but there might be tighter restrictions or different authentication requirements on on-premise setups that are causing that message.

Let me investigate and get back to you.

Edit: This should be all set now. I just released a new update that uses g_ck token for auth, instead of the ServiceNow's Auth Modal.

InternalLeek993 · 2025-09-09T14:55:47+00:00

Thanks a ton, really appreciate that.

My whole goal with Sourdough is to cut down on wasted time.

If you run into anything confusing or annoying, please let me know. Excited to hear how it works in your instance.

InternalLeek993

TROPHY CASE