Inbound REST API rate limiting

Zurich API Reference

Release

zurich

ft:locale

en-US

ft:publication_title

Zurich API Reference

ft:clusterId

crapiref

bundleId

crapiref

workflow

Creator

Inbound REST API rate limiting

Release version: Zurich

Updated July 31, 2025

3 minutes to read

Summarize

Summarized using AI

Summary of Inbound REST API rate limiting

Inbound REST API rate limiting in ServiceNow allows you to control the volume of inbound REST API requests processed per hour. You can create rules to restrict requests based on specific users, user roles, or all users. These rules help prevent excessive API usage and protect your instance from overload.

Show full answer Show less

Rate limit rules are stored in the Rate Limit Rules [sysratelimitrules] table. Each node tracks request counts per user and commits them to the database every 30 seconds, so new rules may take up to 30 seconds to become effective.

Rate limiting priority and application

When multiple rate limit rules apply to a REST API request, priority is given as follows:

Rules for a Single user override rules for Users with role and All users.
Rules for Users with role override rules for All users.

If a user matches multiple role-based rules, the rule with the lowest allowed request count takes precedence.

For example, a user with both importadmin and itil roles will be limited by the rule allowing fewer requests per hour.

REST API response headers for rate limiting

When a request matches a rate limit rule, the response includes headers that provide rate limit details:

X-RateLimit-Limit: Number of allowed requests per hour.
X-RateLimit-Reset: UNIX timestamp for when the rate limit window resets.
X-RateLimit-Rule: sysid of the enforced rate limit rule.

If a request exceeds the limit, the response status is 429 Too Many Requests, and a Retry-After header indicates how many seconds to wait before retrying. The error message clarifies that the rate limit has been exceeded.

Managing inbound REST API rate limits

Create rules: Define rate limit rules to control inbound REST API usage per hour by user or role.
Reset limits: You can reset a rate limit rule to clear current counts and violations for the hour, helping to manage or test limits.
Monitor usage: Track counts and violations to assess if rate limits are appropriate and effective.
Investigate violations: Analyze which users and rules are exceeding limits to adjust policies or address abuse.

To prevent excessive inbound REST API requests, set rules that limit the number of inbound REST API requests processed per hour. You can create rules to limit requests for specific users, users with specific roles, or all users.

Rate limit rules are created in the Rate Limit Rules [sys_rate_limit_rules] table.

Note:

As requests reach an instance, each node maintains a rate limit count per user. Every 30 seconds, the count is committed to the database. As a result, a rate limit rule may not take effect for up to 30 seconds.

Rate limiting priority

If an inbound REST API request matches multiple rate limit rules for the same resource, rate limiting priority is enforced as follows:

Rules set for Single user override rules for All users and rules for Users with role.
Rules set for Users with role override rules for All users.

In this example, there are four rate limit rules for the REST API resource GET /now/v2/table/incident.

List of rate limit rules for GET /now/v2/table/incident.

These rate limit rules are applied in the following order:

Limit incidents by user applies to ITIL User, who can submit up to 200 requests per hour.
Limit incidents by import admin applies to all users with the import_admin role. Each user with the import_admin role can submit up to 500 requests per hour.
Limit incidents by itil applies to all users with the itil role. Each user with the itil role can submit up to 100 requests per hour.
Limit incidents applies to all users. Each user can submit up to 100 requests per hour.

When ITIL User makes the request GET /now/v2/table/incident, the request matches the criteria for three rules: Limit incidents, Limit incidents by itil, and Limit incidents by user. Only the Limit incidents by user rule is applied because it takes precedence over the other rules. As a result, ITIL User can submit a maximum of 200 requests per hour.

If a user has two or more roles matching the criteria of multiple rate limiting rules for a REST API resource, the rule allowing the lowest number of requests applies to the user's requests for the resource. For the example rules in the figure above, assume that user Abel Tuter has both the import_admin role and the itil role. When Abel Tuter submits a request, it meets the criteria for both the Limit incidents by admin rule and the Limit incidents by itil rule. Only the Limit incidents by itil rule is applied because it allows the lowest number of requests. As a result, Abel Tuter can submit a maximum of 100 requests per hour.

REST API response headers

You can generate inbound REST API requests using the REST API Explorer or an HTTP client, such as Postman API platform. If the request matches a rate limit rule, several HTTP response headers provide information about rate limiting.

X-RateLimit-Limit displays the number of requests allowed per hour.
X-RateLimit-Reset displays a UNIX timestamp for the next scheduled reset of the rate limit window.
X-RateLimit-Rule displays the sys_id of the rate limit rule [sys_rate_limit_rules] that is being enforced.

If a request is denied because it exceeds the rate limit, the system returns a Retry-After response header in addition to the response headers about rate limiting. The Retry-After response header displays the number of seconds after which you can retry the request to avoid exceeding the rate limit. The following error response is returned:

{
    "error": {
        "message": "Rate limit exceeded",
        "detail": "Rate limit of 100 requests per hour for Table API exceeded"
    },
    "status": "failure"
}

The status code of a denied request is 429 Too Many Requests.