https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333185#M3937 <P><FONT color="#000000">Hello Community,</FONT><BR /><BR /></P><P><FONT color="#000000">I've created a Scripted REST API (GET method) in ServiceNow that generates a payment link. Currently, it’s publicly accessible, but this approach lacks proper security.</FONT></P><P><FONT color="#000000">When I try to secure it using ACL authentication, I receive an “Invalid Request” or “Forbidden Access” error. My goal is to <STRONG>enable authentication</STRONG> but still <STRONG>allow access to users who are not in the ServiceNow user table</STRONG> (i.e., unauthenticated external users).</FONT></P><P><FONT color="#000000">Is there a recommended way to securely expose this API to external/non-ServiceNow users while preventing unauthorized access?</FONT><BR /><BR /></P><P><FONT color="#000000">Thanks in advance for your guidance!</FONT><BR /><FONT color="#000000">daiva</FONT></P> Thu, 24 Jul 2025 09:39:26 GMT daiva 2025-07-24T09:39:26Z https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333185#M3937 <P><FONT color="#000000">Hello Community,</FONT><BR /><BR /></P><P><FONT color="#000000">I've created a Scripted REST API (GET method) in ServiceNow that generates a payment link. Currently, it’s publicly accessible, but this approach lacks proper security.</FONT></P><P><FONT color="#000000">When I try to secure it using ACL authentication, I receive an “Invalid Request” or “Forbidden Access” error. My goal is to <STRONG>enable authentication</STRONG> but still <STRONG>allow access to users who are not in the ServiceNow user table</STRONG> (i.e., unauthenticated external users).</FONT></P><P><FONT color="#000000">Is there a recommended way to securely expose this API to external/non-ServiceNow users while preventing unauthorized access?</FONT><BR /><BR /></P><P><FONT color="#000000">Thanks in advance for your guidance!</FONT><BR /><FONT color="#000000">daiva</FONT></P> Thu, 24 Jul 2025 09:39:26 GMT https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333185#M3937 daiva 2025-07-24T09:39:26Z https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333197#M3938 <P><a href="https://www.servicenow.com/community/user/viewprofilepage/user-id/704709">@daiva</a>&nbsp;</P> <P>not possible without using user from user table</P> <P>Every authentication happens via sys_user record only.</P> <P>If my response helped please mark it correct and close the thread so that it benefits future readers.</P> Thu, 24 Jul 2025 09:56:16 GMT https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333197#M3938 Ankur Bawiskar 2025-07-24T09:56:16Z https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333262#M3939 <P>Requirement is bit confusing. You want to authenticate the users but also expose it to non-ServiceNow users. Both statements are contradictory.&nbsp;</P> <P>&nbsp;</P> <P>If you can tell the exact use case that how you differentiating external user from public users?</P> Thu, 24 Jul 2025 10:55:17 GMT https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333262#M3939 Pranesh072 2025-07-24T10:55:17Z https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333366#M3940 <P>I’ve developed a Scripted REST API (GET method) in ServiceNow that serves a payment link and is intended to be accessed by external users (non-authenticated/guest users). To make this publicly accessible, I’ve currently exposed the endpoint without authentication. However, this creates a security concern — and makes the integration non-compliant for Store publishing.</P><P>When I try enabling ACL-based authentication or use basic auth, it blocks access for guest users with errors like "Forbidden" or "Invalid Request."</P><P>My requirement is:</P><P>The API should be secure enough to meet Store submission standards.</P><P>It must still be accessible to external guest users (not in the sys_user table).</P><P>Ideally, without creating a ServiceNow user for every consumer.</P><P>Has anyone implemented a similar setup or can suggest a secure and compliant pattern for exposing REST APIs to guest users?</P><P>Thanks in advance!</P> Thu, 24 Jul 2025 12:06:12 GMT https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333366#M3940 daiva 2025-07-24T12:06:12Z https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333428#M3943 <P><a href="https://www.servicenow.com/community/user/viewprofilepage/user-id/704709">@daiva</a>&nbsp;</P> <P>My thoughts</P> <P>1)&nbsp;<SPAN>Public, unauthenticated endpoints are generally non-compliant with ServiceNow Store requirements</SPAN></P> <P><SPAN>2)&nbsp;By default, Scripted REST APIs are protected using Access Control Lists (ACLs), which require users to be authenticated (users must exist in the sys_user table)</SPAN></P> <P>If my response helped please mark it correct and close the thread so that it benefits future readers.</P> Thu, 24 Jul 2025 12:49:20 GMT https://www.servicenow.com/community/community-central-forum/need-help-securing-a-public-scripted-rest-api-get/m-p/3333428#M3943 Ankur Bawiskar 2025-07-24T12:49:20Z