How to restrict inbound REST web service callsIssue You might want to restrict inbound REST calls due to security internal concerns or agreements with third parties.CauseExternal business requirementsResolution Taking into account the need to restrict inbound REST calls, we suggest three options may be considered: 1. Inbound REST API Access Policies: Where you can add IP restrictions only for REST APIs, without impacting interactive user sessions. Find further details in our documentation: REST API access policiesYou may also consider adding API Access Policies specific to the business requirements in the "sys_api_access_policy" table. Please refer to the screenshots attached below which depict the process to create a new API Access Policy on your instance. REST API PATH is populated based on the REST API selected and you have the flexibility to apply this policy to all methods, resources and/or versions.You may choose from OOB Authentication Profiles or create a new one where you can select the "type" according to your requirements. Please refer to this document to learn about the API access policy prioritization logic if there are multiple API access policies configured on your instance: API access policy prioritization In case the REST API Access Policies do not meet your business requirements, there are additional two options to explore. 2. Inbound REST API rules: There is another feature that can be used, Inbound REST API Limitation: To prevent excessive inbound REST API requests, set rules that limit the number of inbound REST API requests processed per hour. You can create rules to limit requests for specific users, users with specific roles, or all users. Find further details in our documentation: Inbound REST API rate limiting.3. IP restriction: ServiceNow has a way to force API calls are only received from designated IP addresses, if you want to only allow IPs belonging to specific 3rd party to be able to make API calls to your ServiceNow instances.This would restrict access based on the client IP address. Evidently, the specific 3rd party could be another ServiceNow instance belonging to another Enterprise. OOB we offer the possibility to do this through the IP restriction: see "KB0550613 - Identifying and Enabling IP address restrictions".