API accounts and UI accounts are both sys_user records. The important distinction is what the account needs to do. API automation calls REST endpoints through sn execute, sn validate, sn test, sn get, and related commands. UI automation signs into the browser for sn ui-run and Playwright-backed flows.
API vs UI Accounts
How to set the sys_user identity fields for API automation and browser-based UI automation.
| Use case | sys_user fields to check | Recommended CLI shape |
|---|---|---|
| API automation | `active=true`, `identity_type=machine`. Use `admin` for a PDI or broad development account, or `snc_platform_rest_api_access` plus the roles required by the skills you run. | Register as the main instance entry. `sn instance add` defaults to `--access api`, so it skips the browser-login probe. |
| Browser/UI automation | `active=true`, `identity_type=human`. Use a local password-capable account for browser login; SSO/MFA-only accounts are not suitable for unattended Playwright runs. | Register as a separate `ui` profile with `sn instance add-profile <instance> ui --access ui` so API work can keep using the API account. |
Check the user record
The fields live on sys_user. From an already registered admin-capable instance, inspect the account you plan to use:
sn get sys_user "user_name=cli_automation" --fields user_name,active,identity_type,internal_integration_user --limit 1internal_integration_user is a reporting/classification flag. Use identity_type=machine for API accounts and identity_type=human for UI-login accounts; do not use internal_integration_user as the primary signal for deciding API vs UI behavior.
Register the accounts
For a PDI or quick local development, a single admin user can be enough. For shared or production-like environments, keep the API and UI credentials separate:
sn instance add default --url your-instance.service-now.com \
--user cli_api --default
sn instance add-profile default ui --user ui_automation --access uiThe examples intentionally omit --pass. In an interactive terminal, sn uses the existing hidden password prompt. In automation, pass --pass - and pipe the secret through stdin.