Inbound REST API rate limiting

  • Release version: Australia
  • Updated March 12, 2026
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Inbound REST API rate limiting

    Inbound REST API rate limiting in ServiceNow allows you to control and prevent excessive inbound REST API requests by setting rules that limit the number of requests processed per hour. These limits can be applied globally, by specific users, or by users with specific roles. Rate limit rules are managed within theRate Limit Rules [sysratelimitrules]table.

    Show full answer Show less

    Each node on an instance tracks rate limits per user and commits counts to the database every 30 seconds, which means new rules may take up to 30 seconds to take effect.

    Rate Limiting Priority and Behavior

    • Priority Order: Rules for a single user override rules for users with roles, which override rules for all users.
    • If multiple rules apply to a user with multiple roles, the rule with the lowest allowed request count applies.
    • Example: A user with both importadmin and itil roles will be limited by the rule allowing fewer requests (e.g., 100 requests/hour if itil rule is lower).

    REST API Response Headers for Rate Limiting

    When a request matches a rate limit rule, response headers provide detailed information:

    • X-RateLimit-Limit: Number of requests allowed per hour.
    • X-RateLimit-Reset: UNIX timestamp for when the rate limit resets.
    • X-RateLimit-Rule: sysid of the applied rate limit rule.

    If a request exceeds the rate limit, the response includes a Retry-After header indicating the wait time in seconds before retrying, and returns a 429 Too Many Requests status with an error message.

    Managing Rate Limits

    • Create rate limit rules: Define rules to limit hourly inbound REST API requests based on user, role, or globally.
    • Reset rate limits: Reset counts and violations for a rule to zero to immediately clear restrictions within the current hour.
    • Monitor usage: Track counts and violations to ensure rate limits are appropriate and effective.
    • Investigate violations: Identify which users and rules are exceeding limits to adjust policies or troubleshoot issues.

    To prevent excessive inbound REST API requests, set rules that limit the number of inbound REST API requests processed per hour. You can create rules to limit requests for specific users, users with specific roles, or all users.

    Rate limit rules are created in the Rate Limit Rules [sys_rate_limit_rules] table.

    Note:
    As requests reach an instance, each node maintains a rate limit count per user. Every 30 seconds, the count is committed to the database. As a result, a rate limit rule may not take effect for up to 30 seconds.

    Rate limiting priority

    If an inbound REST API request matches multiple rate limit rules for the same resource, rate limiting priority is enforced as follows:
    • Rules set for Single user override rules for All users and rules for Users with role.
    • Rules set for Users with role override rules for All users.
    In this example, there are four rate limit rules for the REST API resource GET /now/v2/table/incident.
    List of rate limit rules for GET /now/v2/table/incident.
    These rate limit rules are applied in the following order:
    1. Limit incidents by user applies to ITIL User, who can submit up to 200 requests per hour.
    2. Limit incidents by import admin applies to all users with the import_admin role. Each user with the import_admin role can submit up to 500 requests per hour.
    3. Limit incidents by itil applies to all users with the itil role. Each user with the itil role can submit up to 100 requests per hour.
    4. Limit incidents applies to all users. Each user can submit up to 100 requests per hour.

    When ITIL User makes the request GET /now/v2/table/incident, the request matches the criteria for three rules: Limit incidents, Limit incidents by itil, and Limit incidents by user. Only the Limit incidents by user rule is applied because it takes precedence over the other rules. As a result, ITIL User can submit a maximum of 200 requests per hour.

    If a user has two or more roles matching the criteria of multiple rate limiting rules for a REST API resource, the rule allowing the lowest number of requests applies to the user's requests for the resource. For the example rules in the figure above, assume that user Abel Tuter has both the import_admin role and the itil role. When Abel Tuter submits a request, it meets the criteria for both the Limit incidents by admin rule and the Limit incidents by itil rule. Only the Limit incidents by itil rule is applied because it allows the lowest number of requests. As a result, Abel Tuter can submit a maximum of 100 requests per hour.

    REST API response headers

    You can generate inbound REST API requests using the REST API Explorer or an HTTP client, such as Postman API platform. If the request matches a rate limit rule, several HTTP response headers provide information about rate limiting.
    • X-RateLimit-Limit displays the number of requests allowed per hour.
    • X-RateLimit-Reset displays a UNIX timestamp for the next scheduled reset of the rate limit window.
    • X-RateLimit-Rule displays the sys_id of the rate limit rule [sys_rate_limit_rules] that is being enforced.
    If a request is denied because it exceeds the rate limit, the system returns a Retry-After response header in addition to the response headers about rate limiting. The Retry-After response header displays the number of seconds after which you can retry the request to avoid exceeding the rate limit. The following error response is returned:
    {
    "error": {
        "message": "Rate limit exceeded",
        "detail": "Rate limit of 100 requests per hour for Table API exceeded"
    },
    "status": "failure"
}

    The status code of a denied request is 429 Too Many Requests.