A Custom action for Generating Random Passwords , Tokens and PIN

[Sriharsha19]

🎯 Custom Flow Action: Random Password,Token and PIN Generator

What does this action do?

Creates random strings for passwords, tokens, test data, or unique identifiers with customizable character sets using JavaScript's Math.random().

Problem Solved

• Eliminates need for custom scripts to generate random strings
• Provides configurable randomization suitable for non-critical security uses
• Configurable for multiple use cases (passwords, tokens, IDs)
• Includes entropy calculation for security validation

Use Cases

1. Password Generation:
   ServiceNow can automatically generate initial or temporary user passwords when a new account is created. For instance, a Flow can generate a secure password and notify the user by email during user onboarding to ensure secure first-time login.​​
2. API Token Generation:
   Secure tokens or API keys are generated for integrations, application authorization, or OAuth flows. ServiceNow internally generates tokens for OAuth clients and can be extended to generate custom tokens for external integrations requiring timely, unique, and non-guessable API keys.​
3. Test Data Creation:
   Development and testing processes often require large volumes of randomized test data. Using scripted generators, unique random strings are created for testing user accounts, transaction IDs, or sample inputs to ensure robust validation of workflows in ServiceNow sandbox environments.​
4. Unique Identifiers:
   Workflows and business rules frequently generate unique IDs for records, such as incident numbers, request tokens, or session IDs. For example, a catalog item request might receive a unique alphanumeric identifier created programmatically to track and audit the request's lifecycle securely.​
5. Security Keys:
   Though ServiceNow manages encrypted keys internally, workflows can create random encryption keys or salts used in custom encryptions or integrations. This is critical for securing communication with external systems or storing sensitive information in the platform securely.​
6. PIN :

• Mobile App Access: ServiceNow mobile apps use generated 4-6 digit PINs to allow quick, secure user authentication on the device, balancing security and ease of use.​
• Call Center Caller Verification: PINs issued dynamically to callers help secure voice interactions, ensuring only authorized individuals access sensitive incident or request information.​
• Workflow Validation: PINs act as second-factor authentication in approval workflows, requiring users to enter a PIN sent via email or SMS before completing critical tasks.

Inputs (7 parameters)

Input	Type	Default	Description
length	Integer		Length of string to generate (1-1000)
include_uppercase	Boolean	true	Include A-Z
include_lowercase	Boolean	true	Include a-z
include_numbers	Boolean	true	Include 0-9
include_special_chars	Boolean	true	Include special characters
special_chars_list	String	!@#$%^&*	Which special chars to use
exclude_ambiguous	Boolean	false	Exclude O,0,I,l,1 (reduces confusion)

Outputs (3 parameters)

Output	Type	Description
random_string	String	The generated random string
entropy_bits	Integer	Password strength in bits (higher = stronger)
character_types_used	Integer	Number of character types included (1-4)

Key Features

• JavaScript Randomization: Uses JavaScript Math.random() for string generation (not cryptographically secure)
• Highly Configurable: 7 input parameters for customization
• Entropy Estimation: Calculates approximate entropy based on character set size and length
• Ambiguous Character Exclusion: Prevents look-alike characters (O/0, I/l/1)
• Input Validation: Enforces max length and input correctness
• Production Ready: Error handling and logging enabled
• Well Documented: Clear descriptions and examples

Testing Performed

• Test 1 - All Character Types: Generated char string with all types
• Test 2 - Numbers Only: Generated numerbers of required length
• Test 3 - Exclude Ambiguous: Verified O,0,I,l,1 excluded
• Test 6 - Custom Special Chars: Tested custom character list

Example Usage in Flow

Scenario 1: Generate Temp Password

Inputs:
  length: 16
  include_uppercase: true
  include_lowercase: true
  include_numbers: true
  include_special_chars: true
  exclude_ambiguous: true

Output:
  random_string: "J3Rm@k9Pg#7sNx2h"
  entropy_bits: 98
  character_types_used: 4

Scenario 2: Generate Numeric PIN

Inputs:
  length: 4
  include_uppercase: false
  include_lowercase: false
  include_numbers: true
  include_special_chars: false

Output:
  random_string: "8472"
  entropy_bits: 19
  character_types_used: 1

Scenario 3: Generate API Token

Inputs:
  length: 32
  include_uppercase: true
  include_lowercase: true
  include_numbers: true
  include_special_chars: false
  exclude_ambiguous: true

Output:
  random_string: "k7Bm9xWc2PnQr4Ds8FgHj6Kt3Yv5Zw"
  entropy_bits: 190
  character_types_used: 3

Security Considerations

• Uses JavaScript Math.random() which is not cryptographically secure
• Suitable for scenarios where security is non-critical (test data, temporary tokens)

Code Quality

• Clean, readable code with comments
• Proper error handling with try-catch
• Input validation and sanitization
• Logging for debugging and monitoring
• No hardcoded values
• Follows ServiceNow best practices

Quality Checklist:

• Action has clear, descriptive name
• All inputs have defaults and descriptions
• All outputs are documented
• Tested with different scenarios
• Only sys_hub_action_type_definition file changed
• Follows ActionPack contribution guidelines

This action fills a common need in ServiceNow automation and provides a secure, flexible solution for random string generation.

Visual Proof

• Inputs :

• Script

• Output:

Test Case Scenario

• Generating the password:

• Generating the token:

• Generating the PIN:

[github-actions]

✅ Valid PR for ActionPack

Thank you for your contribution. This PR complies with the CONTRIBUTING.md.
A maintainer will review this shortly. In the meantime, Happy Hacking!

[snamjosh]

Thank you for your contribution.
Looks good to me.