Restrict external trigger URL created from jira spoke from being accessed by unauthorized Jira instancesIssue In ServiceNow, we create a Callback URL using admin account which contains the token in the URL itself. We just copy that Callback URL and paste it in Jira webhook. There is no token refresh or OAuth or API authentication.If anyone outside of the org has the Callback URL as its available on the jira console which all the users with admin access in the Jira instance will be able to access. They can use it outside of the org by triggering the call from their personal jira instance. These calls will still be received into the instance and will be processed. Ref to the product doc below Set up triggers for the Jira spoke ReleaseAllCauseThis is expected behaviour as the webhook URL contains the authentication parameters embedded in the URL itself. Its the responsibility of the Jira admins to make sure the URL is safe in the Jira console and only authorized users can access it.ResolutionThis is as per design and in order to restrict these API hits from an unauthorized Jira instance you can add an AND condition to all the below decision policies and specify the Jira instance URL https://<instance name>.service-now.com/sys_decision_question_list.do?sysparm_query=decision_table%3Ddf29d6b987b23300c1e95773e8cb0b5f&sysparm_view=jira_webhooks By adding so, the sub-flow will only be executed if the request is received from the specified Jira instance URL.