Inbound Web Services — Troubleshooting GuideIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Contents Issue — What This Article CoversQuick Symptom TriageThe Inbound Request LifecycleUniversal Diagnostic ChecklistCommon Issue Categories 5.1 Network & Connection Failures5.2 Authentication, Authorization & ACLs5.3 Rate Limits, Semaphores & Throttling5.4 Timeouts, Slow Responses & Server Errors5.5 Empty Bodies & Wrong Record Counts HTTP Status Codes — Quick ReferenceRelated Articles 1. Issue — What This Article Covers Starting point for troubleshooting inbound web service issues — calls coming into a ServiceNow instance via REST, SOAP, GraphQL, or Scripted REST API. Symptoms covered: No response, timeout, or connection failure.401 / 403 auth failures.429 throttling.Slow responses, or transactions cancelled at 5 minutes.Empty bodies, or fewer records returned than expected.500 / 502 / 503 server errors. How to use this article: This is a hub article. It points you to the right deep-dive. Start with the Quick Symptom Triage below. ↑ Back to top 2. Quick Symptom Triage Match your symptom on the left and follow the link on the right. What you are seeingMost likely causeRead thisNo response, connection refused, TLS handshake error, or CORS error in browser consoleNetwork, firewall, certificate, or CORS configurationInbound Web Services — No Response and Connection Failures401 Unauthorized or 403 ForbiddenAuth, API key, token, role, or ACL issueInbound Web Services — Authentication and Authorization FailuresSOAP request returns "Insert Aborted"Business rule, mandatory field, or write ACL blocking the insertInbound Web Services — Authentication and Authorization FailuresGraphQL returns "Could not process ACLs"User lacks access to the field or record referenced by the queryInbound Web Services — Authentication and Authorization Failures403 returned even though the operation succeededKnown ACL response pattern on POSTKB2697679429 Too Many Requests, throttling, or "adding nodes didn't help"Rate limit rule, semaphore saturation, or per-table quotaInbound Web Services — Rate Limits and ThrottlingCalls timing out at exactly 5 minutesPer-table transaction quota (300 s default)Inbound Web Services — Rate Limits and Throttling, Section 7Slow but eventually succeeds, intermittent 500 / 502 / 503Query performance, indexing, or transient platform eventInbound Web Services — Timeouts and Slow ResponsesEmpty response body, or fewer records returned than sysparm_limit requestedACLs filtering rows post-queryInbound Web Services — Empty or Incomplete ResultsTable API response sorted differently than expectedDefault sort behavior on Table APIKB2628639Web service export size or throttling concernsExport sizing limitsKB0547836 ↑ Back to top 3. The Inbound Request Lifecycle Every inbound request passes through five stages. Most failures live in exactly one. Identifying the stage narrows the diagnostic path. Network & Delivery — The request travels from the client to the instance. Failures here mean the request never arrives. Symptoms: no response, TLS error, connection refused, CORS error.Authentication & Authorization — The instance verifies the caller's identity and checks roles and ACLs. Failures here return HTTP 401 or 403.Throttling & Capacity — The instance checks rate limit rules, semaphore availability, and per-table quotas. Failures here return HTTP 429 or cancel the transaction.Execution & Processing — The instance runs the query or operation. Failures here produce slow responses, 500 / 502 / 503 errors, or transaction cancellations.Response & Data Return — The instance assembles the response and applies ACL row filtering. Failures here produce empty bodies or fewer records than requested. ↑ Back to top 4. Universal Diagnostic Checklist Capture these items before opening any deep-dive article. They resolve most cases at first touch. Full HTTP response headers — especially status code and any header starting with X-RateLimit- or Retry-After. Their presence or absence is itself diagnostic.Time of failure to the second, with timezone (UTC strongly preferred).Endpoint and target table (e.g., POST /api/now/table/incident).Client IP and integration user that made the call.Recent change context — platform upgrade, rate limit rule edit, ACL change, or client-side deployment in the last 30 days.A snapshot of https://<instance>.service-now.com/stats.do captured as close to the failure time as possible. Enable debug logging if the request never appears to arrive. If you turn on debugging and do not see your request in the logs, the call is not reaching the instance — go to No Response and Connection Failures. Available debug properties: REST: glide.rest.debugSOAP: glide.processor.debug.SOAPProcessorJSONv2 (Fuji and later): no dedicated debug property; rely on Transaction and All logs. ↑ Back to top 5. Common Issue Categories Short summaries below. The deep-dive articles are where actual diagnosis happens. 5.1 Network & Connection Failures When: request does not reach the instance, TLS handshake errors, connection refused, or CORS errors in the browser console. Common causes: customer-side firewall or proxy block, missing or expired TLS trust chain, DNS or routing failure, missing CORS rule. Next: Inbound Web Services — No Response and Connection Failures. Verify instance IP ranges in KB0538621. 5.2 Authentication, Authorization & ACLs When: 401, 403, SOAP Insert Aborted, or GraphQL ACL error. Two ACL levels apply: Processor-level — gates the endpoint. SOAP requires a SOAP role. REST requires rest_service.Table / record-level — gates which rows the user sees. Empty bodies or short result sets usually mean these. Quick check: if it works as admin but fails as the integration user, it is ACLs — not auth. Next: Inbound Web Services — Authentication and Authorization Failures. 5.3 Rate Limits, Semaphores & Throttling When: HTTP 429, or failures under load. Three layers — confusing them is the most common source of misdiagnosis: Per-instance rate limit rules (sys_rate_limit_rules). Hourly cap per user or role. Does not scale with nodes.Per-node semaphores (API_INT, visible at stats.do). Scales with nodes.Per-table transaction quotas. Cap duration and concurrency on a specific table. Does not scale with nodes. Quick check: 429 with X-RateLimit-* headers = Layer 1. 429 without them = Layer 2. Cancels at exactly 5 minutes = Layer 3. Next: Inbound Web Services — Rate Limits and Throttling. 5.4 Timeouts, Slow Responses & Server Errors When: calls take much longer than expected, time out without a clean 429, or return HTTP 500 / 502 / 503. Common causes: large or unfiltered Table API queries, missing indexes on integration filter fields, transient 5xx during maintenance windows, server exceptions in System Log. Next: Inbound Web Services — Timeouts and Slow Responses. 5.5 Empty Bodies & Wrong Record Counts When: the call succeeds (200 or 201) but the response body is empty, or fewer records are returned than sysparm_limit requested. Common cause: ACLs filter rows after the query runs. The platform applies sysparm_limit first, then drops any rows the user cannot read. Result: fewer rows than requested, with no error. Quick check: re-run as admin. If the row count jumps, the cause is ACL filtering. Next: Inbound Web Services — Empty or Incomplete Results. ↑ Back to top 6. HTTP Status Codes — Quick Reference CodeMeaningWhat to do400Bad RequestMalformed JSON, missing required field, or invalid endpoint. Fix the request body or URL.401UnauthorizedCredentials missing, invalid, or expired. See Section 5.2.403ForbiddenCredentials valid, but user lacks the required role or ACL. See Section 5.2. For the success-but-403 pattern, see KB2697679.429Too Many RequestsThrottled by a rate limit rule, semaphore pool, or table quota. See Section 5.3.499Client Closed RequestClient disconnected before the instance responded. Extend the client timeout or investigate slow processing. See No Response and Connection Failures, Section 4.4.500Internal Server ErrorException in processing. Check System Log for the stack trace. See Section 5.4.502Bad GatewayNode unresponsive or high load, or customer-side proxy or load balancer issue. See Section 5.4.503Service UnavailableUsually transient — instance maintenance window or short-term capacity event. Retry with backoff. If sustained, see Section 5.4. ↑ Back to top 7. Related Articles KB3064934 — Inbound Web Services — No Response and Connection FailuresKB3064952 — Inbound Web Services — Authentication and Authorization FailuresKB3046852 — Inbound Web Services — Rate Limits and ThrottlingKB3047080 — Inbound Web Services — Timeouts and Slow ResponsesKB3047115 — Inbound Web Services — Empty or Incomplete ResultsKB0538621 — How to find IP address and datacenter information for your instanceKB2628639 — Table API response sorting behaviorKB2697679 — POST returns 403 although operation succeededKB0547836 — Web service export sizing and throttling ↑ Back to top Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } . Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } .