How we built a fully-functional Box integration using ServiceNow's native REST capabilities – no additional licensing required
The Great Integration Hub Paradox
ServiceNow's marketing is brilliant in its simplicity. "It just works." or "We have a spoke for that." And when they're demoing to executives, they love showing a pre-built Flow Designer action as part of a spoke.
But, what happens when your customer doesn't pay for that spoke?
Integration Hub's licensing model is confusing. ServiceNow breaks spokes into multiple tiers – Starter, Professional and Enterprise – each requiring separate entitlements. Want to integrate with Box? That's a Professional spoke. Need SAP S/4HANA? Enterprise tier. Oracle HCM? Also Enterprise. The list goes on and on, and we're constanly referencing the latest version of the "pricing-and-packaging-app-engine" document.
Just a sampling of the Professional tier spokes.
Enterprise spokes add even more cost – and more confusion about what's included.
For organizations that only need one or two integrations, paying for an entire spoke tier feels like buying a whole pizza when you just want a slice. And for ServiceNow partners like us, we need to be able to deliver value regardless of what licensing our clients have.
The Old Fashioned Way Still Works
The good news is that you can still build integrations the "old fashioned way." REST Messages, OAuth configurations, and Script Includes aren't going anywhere. They're not deprecated. They're not legacy. They're fully-supported, and – critically – they don't require additional licensing.
We've done this before with SAP, Greenhouse, UKG, and even ESPN's Fantasy Football. Every time, we read the API documentation, set up the authentication, and build exactly what our clients need. No spokes required.
When a client came to us needing to integrate with Box for their employee onboarding process, we didn't hesitate.
Building the Box Integration
Step 1: Creating an OAuth Application in Box
The first step was heading to the Box Developer Console and creating a Custom App with OAuth 2.0 authentication. Box's documentation is excellent here – you specify your redirect URI (pointing to your ServiceNow instance), select the scopes you need, and Box generates your client credentials.
Per the Box documentation, the key scopes we needed were:
root_readwrite- for folder and file operationssign_requests.readwrite- for Box Sign templates
Step 2: Configuring OAuth in ServiceNow
ServiceNow's OAuth framework is under-appreciated. We created an OAuth Entity in ServiceNow with the client ID and secret from Box, configured the token and authorization URLs, and ServiceNow handles the rest – including token refreshes.
This is the magic that spokes obscure: ServiceNow already has robust OAuth2 support built into core platform functionality. The spoke is just a wrapper around capabilities you already have access to.
Step 3: Creating the REST Message
We created a single REST Message called "Box" with OAuth2 authentication pointing to our OAuth profile. Then, for each Box API endpoint we need, we added an HTTP Method:
- Get Folder -
GET https://api.box.com/2.0/folders/${folder_id} - Create Folder -
POST https://api.box.com/2.0/folders - Copy Folder -
POST https://api.box.com/2.0/folders/${folder_id}/copy - Get Sign Templates -
GET https://api.box.com/2.0/sign_templates - Create Sign Request -
POST https://api.box.com/2.0/sign_requests
Each method has its parameters defined, and the authentication is inherited from the parent. Want to add a new endpoint later? It's easy, and you can insert & stay on the ones you already have.
Step 4: The Script Include
The real power comes from wrapping everything in a Script Include. Here's the structure we usually use: