Need Help Securing a Public Scripted REST API (GET)

daiva
Tera Guru

Hello Community,

I've created a Scripted REST API (GET method) in ServiceNow that generates a payment link. Currently, it’s publicly accessible, but this approach lacks proper security.

When I try to secure it using ACL authentication, I receive an “Invalid Request” or “Forbidden Access” error. My goal is to enable authentication but still allow access to users who are not in the ServiceNow user table (i.e., unauthenticated external users).

Is there a recommended way to securely expose this API to external/non-ServiceNow users while preventing unauthorized access?

Thanks in advance for your guidance!
daiva


Ankur Bawiskar
Tera Patron

@daiva 

Not possible without using a user from the user table.

Every authentication happens via sys_user record only.

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader

Pranesh072
Mega Sage

The requirement is a bit confusing. You want to authenticate the users but also expose it to non-ServiceNow users. Both statements are contradictory.

Can you share the exact use case, and how you are differentiating external users from public users?

I’ve developed a Scripted REST API (GET method) in ServiceNow that serves a payment link and is intended to be accessed by external users (non-authenticated/guest users). To make this publicly accessible, I’ve currently exposed the endpoint without authentication. However, this creates a security concern — and makes the integration non-compliant for Store publishing.

When I try enabling ACL-based authentication or use basic auth, it blocks access for guest users with errors like "Forbidden" or "Invalid Request."

My requirement is:

The API should be secure enough to meet Store submission standards.

It must still be accessible to external guest users (not in the sys_user table).

Ideally, without creating a ServiceNow user for every consumer.

Has anyone implemented a similar setup or can suggest a secure and compliant pattern for exposing REST APIs to guest users?

Thanks in advance!

@daiva 

My thoughts

1) Public, unauthenticated endpoints are generally non-compliant with ServiceNow Store requirements

2) By default, Scripted REST APIs are protected using Access Control Lists (ACLs), which require users to be authenticated (users must exist in the sys_user table)

If my response helped please mark it correct and close the thread so that it benefits future readers.

Regards,
Ankur
Certified Technical Architect  ||  9x ServiceNow MVP  ||  ServiceNow Community Leader