Reduce excessive vault API calls during Discovery by configuring the MID Server external credential cache (ext.cred.cache.ttl)Issue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Discovery makes excessive API calls to external credential vaults — for example, Delinea, HashiCorp, Keeper, or other third-party credential resolvers — for every probe and pattern execution per device. This can result in thousands or tens of thousands of vault API calls during a single Discovery run, which can noticeably degrade performance. The MID Server wrapper logs show the same credential being fetched repeatedly within seconds for the same secret ID. Discovery jobs take noticeably longer than expected compared to environments using CyberArk or built-in credential storage. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Environment ServiceNow Discovery with the External Credential Storage plugin (com.snc.discovery.external_credentials) enabledMID Server using a third-party (non-CyberArk) external credential resolver JAR fileAny ServiceNow version where the ext.cred.cache.ttl MID Server property is available Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The MID Server external credential cache is controlled by the property ext.cred.cache.ttl. By default, this property is set to 0 (disabled). When disabled, the MID Server does not cache resolved credentials, and every Discovery probe or pattern execution triggers a full API round-trip to the external vault — even when credential affinity exists for the target IP address. Credential affinity determines which credential to try first for a given IP address. It does not bypass or reduce external vault calls. The external credential cache (ext.cred.cache.ttl) is the only MID Server mechanism that prevents repeated vault calls. For default CyberArk integrations, this is typically not an issue because CyberArk uses a local agent (AIM/CCP) on the MID Server host that provides its own caching layer. Third-party resolvers that make direct network calls to cloud-based vaults — without a local caching agent — are most affected by this default behavior. Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Set the MID Server property ext.cred.cache.ttl to a non-zero value to enable credential caching. Property details PropertyValueProperty nameext.cred.cache.ttlDescriptionExternal credentials cache time-to-liveUnitSecondsDefault0 (disabled)Minimum0Maximum3600 (1 hour)MID Server restart requiredYes — the cache is initialized at startupVisible in MID Server properties UIYes How the cache works The cache key is the credential ID only (not a combination of credential ID, IP address, and credential type). This means a single cached resolution of one credential serves all probes across all target servers using that credential. If the credential ID is null, the cache falls back to using the target IP address as the key. Resolved credentials are encrypted in MID Server process memory using the MID Server's encrypter. Nothing is written to disk. The maximum number of cache entries is 25,000 distinct credentials. The cache is cleared on MID Server restart and can be manually invalidated from the instance using the InvalidateExternalCredentialCache system command. Per-credential TTL override If the external credential resolver JAR file returns a key ttl_seconds in its resolve() response map, the MID Server uses that value (divided by 2) as the cache TTL for that specific credential, overriding the global ext.cred.cache.ttl value. This allows resolver implementations to control cache duration on a per-credential basis. Steps to apply Navigate to MID Server > Properties in your ServiceNow instance. Alternatively, open the config.xml file on the MID Server host directly.Set ext.cred.cache.ttl to the desired value in seconds. A value of 3600 enables the maximum cache duration of one hour. Choose a lower value if your environment requires more frequent credential refresh. Example entry in config.xml: <parameter name="ext.cred.cache.ttl" value="3600"/>Save the change.Restart the MID Server service.After the MID Server restarts and reports as Up, verify the property took effect by reviewing the MID Server agent log. Look for the following message: Initialized external credential cache with 3600 sec ttl. If this message does not appear, verify the property name and value are correctly set, then restart the MID Server again.Run Discovery and confirm cache hits appear in the log: Found existing credential for <credential_id> Considerations for credential rotation The maximum cache TTL is 1 hour (3600 seconds). If credentials rotate on a longer cycle — for example, every 24 hours — the 1-hour maximum is well within the rotation window. If a credential rotates while cached, the stale entry expires naturally at the end of the TTL, and the next probe fetches the updated credential from the vault. The cache can also be manually invalidated from the instance if an immediate refresh is needed.