Edge BYOC Data Action returning 401 on ServiceNow REST Call despite Valid TLS Handshake

Edge node is throwing a 401 Unauthorized on the ServiceNow REST call despite the webhook payload matching the cloud instance exactly, and the docs for POST /api/now/table/incident don’t mention any Edge-specific auth headers. Edge logs show a clean outbound TLS handshake, yet SN returns the 401 instantly after transmission, and the screenshots attached highlight the header mismatch that’s causing the failure. Doing jack all.

  • Problem: Edge nodes don’t automatically inherit cloud routing credentials, so the ServiceNow integration drops the auth token when crossing the BYOC boundary. You’ll need to explicitly pass the credentials in the Data Action configuration. It’s kinda weird how the gateway strips it silently. Pretty standard stuff really.
  • Code:
{
"method": "POST",
"url": "https://your-instance.service-now.com/api/now/table/incident",
"headers": {
"Authorization": "Basic {{encodeBase64(USERNAME + ':' + PASSWORD)}}",
"Content-Type": "application/json"
},
"payload": {
"short_description": "{{contact.phoneNumber}}",
"state": "1"
}
}
  • Error: Leaving the AUTHENTICATION HEADER empty triggers that exact 401 response, even when the TLS handshake completes fine. The WEM dashboard shows the call flowing correctly, but the external request fails at the gateway layer. I usually verify /api/v2/flow/outbound campaign settings first when troubleshooting these routing drops, since platformClient defaults often miss Edge quirks.
  • Question:
  • Try mapping the CREDENTIAL STORE variable directly in the Architect flow instead of hardcoding values.
  • Verify the NETWORK ZONE settings actually allow outbound traffic to port 443 without proxy interference.
  • Check the BYOC EDGE LOGS for the exact dropped header, since the cloud gateway might be stripping it.
  • Adjust the TIMEOUT CONFIGURATION to match your internal proxy rules, or the request times out before auth completes.
  • Run curl -X POST https://your-instance.service-now.com/api/now/table/incident -H "Authorization: Basic <token>" locally to confirm the endpoint accepts basic auth, otherwise the payload just gets rejected entirely.

Looks like the EDGE GATEWAY strips the AUTH TOKEN when crossing the BYOC boundary. You’ll need to force the HEADER MAP explicitly in the DATA ACTION CONFIGURATION. I ran into this with our queue analytics webhooks and had to inject the BEARER TOKEN via the API since the UI doesn’t expose the raw header override for BYOC routes. Here’s the payload that fixed the 401.

curl -X PUT "https://api.mypurecloud.com/api/v2/integrations/dataactions/{dataActionId}" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"headers": {"Authorization": "Bearer {{SERVICE_NOW_TOKEN}}"}}'