PingOne Platform APIs

Inbound Traffic Policies

The PingOne inbound traffic policies API allows you to identify the source of requests to your environment using the service’s verify rules. Then, it allows you to define the structure of the request, including the client IP address and any additional headers. After defining the request structure, access to the environment can be controlled, either through a specified traffic rule or a DaVinci flow that introspects the request’s metadata. Inbound traffic policies are available only through Cloudflare-based Customer Custom Domains (CCDs).

For information about Cloudflare CCDs and migration from legacy CloudFront CCDs, refer to Setting up a custom domain in the PingOne admin documentation.

The /environments/{{envID}}/inboundTrafficPolicies endpoint provides operations to create, read, update, and delete inbound traffic policy configuration resources within a specified environment. To learn more about inbound traffic controls in PingOne, refer to Inbound traffic policies in the PingOne admin documentation.

Inbound traffic policies API limits

PingOne sets the following limits on policies and rules.

  • Ten (10) inbound traffic policies per environment.

  • Four (4) verifyRule objects per inbound traffic policy.

  • Fifteen (15) headerRule objects per inbound traffic policy.

  • Sixteen (16) KB limit on the jwks string per verifyRule object.

  • Five (5) sha256Thumbprints array entries per verifyRule object.

  • Five (5) sha256Secrets array entries per verifyRule object.

  • Five (5) cidrRanges array entries per verifyRule.

Inbound traffic policies data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| clientIpRule | Object | Required | Mutable | An object that defines how the client IP address is set. The client IP address is used for rate limiting and available through DaVinci’s global.ip property. Refer to clientIpRule data model for details. |
| createdAt | Date | N/A | Read-only | The time the resource was created. |
| enabled | Boolean | Required | Mutable | Specifies whether the policy is enabled or disabled. A disabled policy is ignored when matching requests. It does not imply that a matching request is blocked. |
| environment | Object | N/A | Read-only | The environment object. |
| environment.id | String | N/A | Read-only | The environment resource’s unique identifier associated with the inbound traffic policy. |
| headerRules | Object[] | Optional | Mutable | An array of objects that defines the custom headers that are available in DaVinci’s global.currentRequest.connection.headers property. Refer to headerRules data model for details. |
| id | String | N/A | Read-only | The resource’s unique identifier. |
| name | String | Required | Mutable | The inbound traffic policy’s name, which must be provided and must be unique within an environment. |
| priority | Integer | Required | Mutable | Specifies the order in which the policy is evaluated. A lower priority is evaluated first. Priority values begin at 1. Policies with duplicate priority values are ordered alphabetically by name. |
| trafficRule | Object | Required | Mutable | An object that defines how matching requests are processed. Refer to trafficRule data model for details. |
| updatedAt | Date | N/A | Read-only | The time the resource was last updated. |
| verifyRules | Object[] | Optional | Mutable | An array of zero or more verifyRule objects that a request using this policy must match. Each verifyRule type appears at most once. A policy with no verifyRule entries will match all requests. Refer to Verify rules data model for details. |

clientIpRule data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| type | String | Required | Mutable | Specifies the client IP rule type. Options are SOCKET if the IP address is from the connection’s socket, HEADER if the IP address is from the header value, and HEADER_CSV if the IP address is from an element of a comma-separated header value. For HEADER and HEADER_CSV, the request must include the header and the indicated value must be an IPv4 or IPv6 address. |
| name | String | Required/Optional | Mutable | The case-insensitive header name. This property is required for HEADER and HEADER_CSV. For formatting rules, refer to RFC 9110 HTTP Semantics, 5.6.2. Tokens. The maximum name size is 8 KB, and the platform disallows name values of: Authorization, Cookie, X-Ping-Itp-Jwt, X-Ping-Itp-Secret, X-Ping-Itp-Id, and any header beginning with Cf-. |
| index | Integer | Required/Optional | Mutable | A 0-based index into the comma-separated header value, counting from the first element in the list. This property is required for HEADER_CSV. |
| cardinality | Integer | Required/Optional | Mutable | The expected number of elements in the comma-separated header value. This property is required for HEADER_CSV. |
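The clientIpRule semantics above decide which address PingOne rate-limits on and exposes as DaVinci’s global.ip, so it matters that a HEADER_CSV rule only trusts the element at index when the header has exactly cardinality elements. The following Python is an added illustration of those documented semantics, not PingOne’s implementation: it evaluates SOCKET, HEADER and HEADER_CSV rules against a request, enforces the disallowed header names, and shows why cardinality protects the chosen element when a client supplies its own X-Forwarded-For value. The proxy topology, header values and addresses are constructed samples.

```python
import ipaddress

# Header names the platform disallows as a clientIpRule.name (from the data model above),
# plus any header starting with "Cf-".
DISALLOWED_HEADER_NAMES = {
    "authorization", "cookie", "x-ping-itp-jwt", "x-ping-itp-secret", "x-ping-itp-id",
}


def header_name_allowed(name: str) -> bool:
    """True if the header name may be used as a client IP source."""
    lowered = name.lower()
    return lowered not in DISALLOWED_HEADER_NAMES and not lowered.startswith("cf-")


def _parse_ip(value: str) -> str:
    """Return the normalized IPv4/IPv6 address, raising ValueError for anything else."""
    return str(ipaddress.ip_address(value.strip()))


def resolve_client_ip(rule: dict, socket_ip: str, headers: dict) -> str:
    """Evaluate a clientIpRule against one request (illustrative model, not PingOne code).

    rule      -- the clientIpRule object: type, plus name/index/cardinality as the type needs
    socket_ip -- the peer address of the TCP connection
    headers   -- request headers, matched case-insensitively as the data model specifies
    Raises ValueError when the request does not satisfy the rule.
    """
    rule_type = rule["type"]
    if rule_type == "SOCKET":
        return _parse_ip(socket_ip)
    if rule_type not in ("HEADER", "HEADER_CSV"):
        raise ValueError(f"unknown clientIpRule type {rule_type!r}")

    name = rule["name"]
    if not header_name_allowed(name):
        raise ValueError(f"header {name!r} is not permitted as a client IP source")
    lowered = {k.lower(): v for k, v in headers.items()}
    if name.lower() not in lowered:
        raise ValueError(f"required header {name!r} is absent from the request")
    raw = lowered[name.lower()]

    if rule_type == "HEADER":
        return _parse_ip(raw)

    # HEADER_CSV: the element count must equal cardinality before the indexed element is used.
    elements = [e.strip() for e in raw.split(",")]
    if len(elements) != rule["cardinality"]:
        raise ValueError(
            f"{name!r} has {len(elements)} elements, rule expects {rule['cardinality']}"
        )
    return _parse_ip(elements[rule["index"]])


# Constructed scenario: exactly one trusted proxy sits between the client and PingOne and
# appends the connecting address, so a well-formed X-Forwarded-For has two elements and
# the client address is element 0.
XFF_RULE = {"type": "HEADER_CSV", "name": "X-Forwarded-For", "index": 0, "cardinality": 2}


def evaluate_scenarios() -> dict:
    """Run the rule over a normal request and one carrying a client-injected XFF element."""
    results = {}
    normal = {"X-Forwarded-For": "198.51.100.7, 203.0.113.10"}
    results["normal"] = resolve_client_ip(XFF_RULE, "203.0.113.10", normal)
    # The client sent its own X-Forwarded-For and the proxy appended to it, so the header
    # now has three elements. The cardinality check rejects the request rather than
    # reporting the injected "10.0.0.1" as the client IP.
    injected = {"X-Forwarded-For": "10.0.0.1, 198.51.100.7, 203.0.113.10"}
    try:
        results["injected"] = resolve_client_ip(XFF_RULE, "203.0.113.10", injected)
    except ValueError as exc:
        results["injected"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_scenarios().items():
        print(f"{label}: {outcome}")
```

Choosing index and cardinality therefore depends on knowing how many proxies legitimately add to the header in front of the environment; if that number is wrong, well-formed requests fail the rule, which is the safer failure compared with trusting an attacker-controlled element.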

headerRules data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| name | String | Required | Mutable | The case-insensitive header name. This property is required for HEADER and HEADER_CSV. For formatting rules, refer to RFC 9110 HTTP Semantics, 5.6.2. Tokens. The maximum name size is 8 KB, and the platform disallows header name values of: Authorization, Cookie, X-Ping-Itp-Jwt, X-Ping-Itp-Secret, X-Ping-Itp-Id, and any header beginning with Cf-. |
| required | Boolean | Required | Mutable | Specifies whether the request must include the header (set to true if required). |

trafficRule data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| type | String | Required | Mutable | Specifies whether matching requests are allowed to proceed. Options are ALLOW and BLOCK. |

verifyRule data model

| Property | Type | Required? | Mutable? | Description |
|---|---|---|---|---|
| cidrRanges | String[] | Required/Optional | Mutable | An array that specifies the list of IPv4 and/or IPv6 CIDR subnets for verifying the connection IP. This property is required for the IP_ADDRESS type. |
| jwks | String | Required/Optional | Mutable | A string in JWK Set format (RFC 7517: JSON Web Key (JWK)) that specifies the public keys for verifying X-Ping-Itp-Jwt. This property is required for the SIGNATURE type. The JSON for the JWKS string in the embedded jwks property must be formatted as one line with double quotes escaped. |
| sha256Thumbprints | String[] | Required/Optional | Mutable | An array that specifies the list of SHA-256 thumbprints in lowercase hexadecimal for verifying mTLS certificates. This property is required for MTLS_THUMBPRINT. |
| sha256Secrets | String[] | Required/Optional | Mutable | An array that specifies the list of SHA-256 secret hashes in lowercase hexadecimal for verifying X-Ping-Itp-Secret. The request payload requires these values to be SHA-256 hashed. Each value must be a 64-character SHA-256 hash in lowercase hexadecimal (0-9a-f). This property is required for SECRET. |
| type | String | Required | Mutable | Specifies the verify rule type. Options are SIGNATURE for signed requests, MTLS_THUMBPRINT for mTLS, SECRET for shared secret, IP_ADDRESS for IP address. |
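The limits listed under Inbound traffic policies API limits and the constraints in the data models above can all be checked before a policy body is sent to /environments/{{envID}}/inboundTrafficPolicies. The following Python is added here as an example and is not PingOne’s own code or SDK: it validates a constructed policy against the documented limits and per-type requirements, produces a sha256Secrets entry from a shared secret, and serializes a JWK Set into the one-line jwks string the data model calls for. The policy values, the shared secret and the hypothetical X-Partner-Id header are constructed samples.

```python
import hashlib
import ipaddress
import json
import re

# Limits from "Inbound traffic policies API limits".
MAX_VERIFY_RULES = 4
MAX_HEADER_RULES = 15
MAX_JWKS_BYTES = 16 * 1024
MAX_ARRAY_ENTRIES = 5          # sha256Thumbprints, sha256Secrets, cidrRanges

# verifyRule type -> the property that type requires (verifyRule data model).
VERIFY_TYPE_PROPERTY = {
    "SIGNATURE": "jwks",
    "MTLS_THUMBPRINT": "sha256Thumbprints",
    "SECRET": "sha256Secrets",
    "IP_ADDRESS": "cidrRanges",
}
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
DISALLOWED_HEADER_NAMES = {
    "authorization", "cookie", "x-ping-itp-jwt", "x-ping-itp-secret", "x-ping-itp-id",
}


def sha256_secret(secret: str) -> str:
    """Produce a sha256Secrets entry: lowercase hex SHA-256 of the shared secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def jwks_as_string(jwks: dict) -> str:
    """Serialize a JWK Set to the single-line string carried by the jwks property."""
    return json.dumps(jwks, separators=(",", ":"))


def _check_hex_list(values, label, errors):
    if not isinstance(values, list) or len(values) > MAX_ARRAY_ENTRIES:
        errors.append(f"{label} must be an array of at most {MAX_ARRAY_ENTRIES} entries")
        return
    for v in values:
        if not isinstance(v, str) or not HEX_SHA256.match(v):
            errors.append(f"{label} entry {v!r} is not 64 lowercase hex characters")


def validate_policy(policy: dict) -> list:
    """Return documented-constraint violations for one policy body (empty list if clean)."""
    errors = []
    for key in ("name", "enabled", "priority", "clientIpRule", "trafficRule"):
        if key not in policy:
            errors.append(f"missing required property {key}")
    if isinstance(policy.get("priority"), int) and policy["priority"] < 1:
        errors.append("priority values begin at 1")
    if policy.get("trafficRule", {}).get("type") not in ("ALLOW", "BLOCK"):
        errors.append("trafficRule.type must be ALLOW or BLOCK")

    header_rules = policy.get("headerRules", [])
    if len(header_rules) > MAX_HEADER_RULES:
        errors.append(f"at most {MAX_HEADER_RULES} headerRules allowed")
    for rule in header_rules:
        name = str(rule.get("name", "")).lower()
        if name in DISALLOWED_HEADER_NAMES or name.startswith("cf-"):
            errors.append(f"headerRules name {rule.get('name')!r} is disallowed")
        if not isinstance(rule.get("required"), bool):
            errors.append(f"headerRules entry {rule.get('name')!r} needs a boolean required")

    verify_rules = policy.get("verifyRules", [])
    if len(verify_rules) > MAX_VERIFY_RULES:
        errors.append(f"at most {MAX_VERIFY_RULES} verifyRules allowed")
    seen_types = set()
    for rule in verify_rules:
        vtype = rule.get("type")
        if vtype not in VERIFY_TYPE_PROPERTY:
            errors.append(f"unknown verifyRule type {vtype!r}")
            continue
        if vtype in seen_types:                     # each type appears at most once
            errors.append(f"verifyRule type {vtype} appears more than once")
        seen_types.add(vtype)
        prop = VERIFY_TYPE_PROPERTY[vtype]
        if prop not in rule:
            errors.append(f"{vtype} rule requires {prop}")
            continue
        value = rule[prop]
        if vtype == "SIGNATURE":
            if not isinstance(value, str) or len(value.encode("utf-8")) > MAX_JWKS_BYTES:
                errors.append("jwks must be a string of at most 16 KB")
            else:
                try:
                    doc = json.loads(value)
                    if not isinstance(doc, dict) or "keys" not in doc:
                        errors.append("jwks must be a JWK Set with a keys member")
                except ValueError:
                    errors.append("jwks is not valid JSON")
        elif vtype in ("MTLS_THUMBPRINT", "SECRET"):
            _check_hex_list(value, prop, errors)
        else:                                       # IP_ADDRESS: strict CIDR subnets only
            if not isinstance(value, list) or len(value) > MAX_ARRAY_ENTRIES:
                errors.append(f"cidrRanges must be an array of at most {MAX_ARRAY_ENTRIES} entries")
            else:
                for cidr in value:
                    try:
                        ipaddress.ip_network(cidr)
                    except ValueError:
                        errors.append(f"cidrRanges entry {cidr!r} is not a valid CIDR subnet")
    return errors


def example_policy() -> dict:
    """A constructed policy body; the values are samples, not from any real environment."""
    return {
        "name": "partner-gateway",
        "enabled": True,
        "priority": 1,
        "clientIpRule": {"type": "SOCKET"},
        "trafficRule": {"type": "ALLOW"},
        "headerRules": [{"name": "X-Partner-Id", "required": True}],
        "verifyRules": [
            {"type": "IP_ADDRESS", "cidrRanges": ["192.0.2.0/24", "2001:db8::/32"]},
            {"type": "SECRET", "sha256Secrets": [sha256_secret("example-shared-secret")]},
        ],
    }
```

Running validate_policy before the create or update call turns a 400 from the service into a named error list, and keeping the raw shared secret out of the policy body (only its lowercase hex SHA-256 is stored in sha256Secrets) is exactly what the data model requires.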

Response codes

| Code | Message |
|---|---|
| 200 | Successful operation. |
| 201 | Successfully created. |
| 204 | Successfully removed. No content. |
| 400 | The request could not be completed. |
| 401 | You do not have access to this resource. |
| 404 | The requested resource was not found. |