I’ve developed a Scripted REST API (GET method) in ServiceNow that serves a payment link and is intended to be accessed by external users (non-authenticated/guest users). To make this publicly accessible, I’ve currently exposed the endpoint without authentication. However, this creates a security concern — and makes the integration non-compliant for Store publishing.

When I try enabling ACL-based authentication or use basic auth, it blocks access for guest users with errors like "Forbidden" or "Invalid Request."

My requirements are:

The API should be secure enough to meet Store submission standards.

It must still be accessible to external guest users (not in the sys_user table).

Ideally, without creating a ServiceNow user for every consumer.

Has anyone implemented a similar setup or can suggest a secure and compliant pattern for exposing REST APIs to guest users?

Thanks in advance!