---
title: Inbound Traffic Policies
description: The Inbound Traffic Policies service allows you to identify the source of requests to your environment using the service's verify rules. Then, it allows you to define the structure of the request, including the client IP address and any additional headers. After defining the request structure, access to the environment can be controlled, either through a specified traffic rule or a DaVinci flow that introspects the request's metadata. Inbound traffic policies are available only through Cloudflare-based Customer Custom Domains (CCDs).
component: pingone-api
page_id: pingone-api:platform:inbound-traffic
canonical_url: https://developer.pingidentity.com/pingone-api/platform/inbound-traffic.html
section_ids:
  inbound-traffic-policies-api-limits: Inbound traffic policies API limits
  assigning-admin-roles-and-permissions-to-this-service: Assigning admin roles and permissions to this service
  inbound-traffic-policies-data-model: Inbound traffic policies data model
  clientiprule-data-model: clientIpRule data model
  headerrules-data-model: headerRules data model
  trafficrule-data-model: trafficRule data model
  verifyrules-data-model: verifyRule data model
  response-codes: Response codes
---

# Inbound Traffic Policies

The Inbound Traffic Policies service allows you to identify the source of requests to your environment using the service's verify rules. Then, it allows you to define the structure of the request, including the client IP address and any additional headers. After defining the request structure, access to the environment can be controlled, either through a specified traffic rule or a DaVinci flow that introspects the request's metadata. Inbound traffic policies are available only through Cloudflare-based Customer Custom Domains (CCDs).

Note: For information about Cloudflare CCDs and migration from legacy CloudFront CCDs, refer to [Setting up a custom domain](https://docs.pingidentity.com/pingone/settings/p1_set_up_custom_domain.html) in the PingOne admin documentation.

The `/environments/{{envID}}/inboundTrafficPolicies` endpoint provides operations to create, read, update, and delete inbound traffic policy configuration resources within a specified environment. To learn more about inbound traffic controls in PingOne, refer to [Inbound traffic policies](https://docs.pingidentity.com/pingone/settings/p1_inbound_traffic_policies.html) in the PingOne admin documentation.

## Inbound traffic policies API limits

PingOne sets the following limits on policies and rules.

* Ten (10) inbound traffic policies per environment.

* Four (4) `VerifyRule` objects per inbound traffic policy.

* Fifteen (15) `HeaderRule` objects per inbound traffic policy.

* Sixteen (16) KB limit on the `jwks` string per `verifyRule` object.

* Five (5) `sha256Thumbprints` array entries per `verifyRule` object.

* Five (5) `sha256Secrets` array entries per `verifyRule` object.

* Five (5) `cidrRanges` array entries per `verifyRule` object.

## Assigning admin roles and permissions to this service

Admin role assignments determine access to PingOne APIs. When assigning admin roles to this service, refer to [PingOne Permissions by Service](reference/roles-and-permissions-in-pingone/permissions-by-service.html) for the service-specific permissions.

You can also choose to assign admin roles based on particular service resources. Refer to [PingOne Permissions by Resource](reference/roles-and-permissions-in-pingone/permissions-by-resource.html) when assigning admin roles per service resources.

Admin assignments to roles are set by:

* [Automatic assignment for some roles](roles/predefined-roles.html#automatic-role-assignment).

* [Group Role Assignments](group-role-assignments/group-role-assignments.html).

* [User Role Assignments](users/user-role-assignments.html).

Refer to [Roles Management](roles.html) for more information.

### Inbound traffic policies data model

| Property         | Type      | Required? | Mutable?  | Description                                                                                                                                                                                                                                                                     |
| ---------------- | --------- | --------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `clientIpRule`   | Object    | Required  | Mutable   | An object that defines how the client IP address is set. The client IP address is used for rate limiting and available through DaVinci's `global.ip` property. Refer to [clientIpRule data model](#clientiprule-data-model) for details.                                        |
| `createdAt`      | Date      | N/A       | Read-only | The time the resource was created.                                                                                                                                                                                                                                              |
| `enabled`        | Boolean   | Required  | Mutable   | Specifies whether the policy is enabled or disabled. A disabled policy is ignored when matching requests. It does not imply that a matching request is blocked.                                                                                                                 |
| `environment`    | Object    | N/A       | Read-only | The environment object.                                                                                                                                                                                                                                                         |
| `environment.id` | String    | N/A       | Read-only | The environment resource's unique identifier associated with the inbound traffic policy.                                                                                                                                                                                        |
| `headerRules`    | Object\[] | Optional  | Mutable   | An object that defines the custom headers that are available in DaVinci's `global.currentRequest.connection.headers` property. Refer to [headerRules data model](#headerrules-data-model) for details.                                                                          |
| `id`             | String    | N/A       | Read-only | The resource's unique identifier.                                                                                                                                                                                                                                               |
| `name`           | String    | Required  | Mutable   | The inbound traffic policy's name, which must be provided and must be unique within an environment.                                                                                                                                                                             |
| `priority`       | Integer   | Required  | Mutable   | Specifies the order in which the policy is evaluated. A lower priority is evaluated first. Priority values begin at 1. Policies with duplicate priority values are ordered alphabetically by name.                                                                              |
| `trafficRule`    | Object    | Required  | Mutable   | An object that defines how matching requests are processed. Refer to [trafficRule data model](#trafficrule-data-model) for details.                                                                                                                                             |
| `updatedAt`      | Date      | N/A       | Read-only | The time the resource was last updated.                                                                                                                                                                                                                                         |
| `verifyRules`    | Object\[] | Optional  | Mutable   | An array of zero or more `verifyRule` objects that a request using this policy must match. Each `verifyRule` type appears at most once. A policy with no `verifyRule` entries will match all requests. Refer to [verifyRule data model](#verifyrules-data-model) for details. |

### clientIpRule data model

| Property      | Type    | Required?         | Mutable? | Description                                                                                                                                                                                                                                                                                                                                                                                                                   |
| ------------- | ------- | ----------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `type`        | String  | Required          | Mutable  | Specifies the client IP rule type. Options are `SOCKET` if the IP address is from the connection's socket, `HEADER` if the IP address is from the header value, and `HEADER_CSV` if the IP address is from an element of a comma-separated header value. For `HEADER` and `HEADER_CSV`, the request must include the header and the indicated value must be an IPv4 or IPv6 address.                                          |
| `name`        | String  | Required/Optional | Mutable  | The case-insensitive header name. This property is required for `HEADER` and `HEADER_CSV`. For formatting rules, refer to [RFC 9110 HTTP Semantics, 5.6.2. Tokens](https://www.rfc-editor.org/rfc/rfc9110.html#name-tokens). The maximum name size is 8KB, and the platform disallows name values of: `Authorization`, `Cookie`, `X-Ping-Itp-Jwt`, `X-Ping-Itp-Secret`, `X-Ping-Itp-Id`, and any header beginning with `Cf-`. |
| `index`       | Integer | Required/Optional | Mutable  | The 0-based index of the element to take from the comma-separated header value, counting from the first element in the list. This property is required for `HEADER_CSV`.                                                                                                                                                                                                                                                        |
| `cardinality` | Integer | Required/Optional | Mutable  | The expected number of elements in the comma-separated header value. This property is required for `HEADER_CSV`.                                                                                                                                                                                                                                                                                                              |
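The following helper, added here as an illustration and not part of the PingOne API or its SDKs, shows how the three `clientIpRule` types select the client IP from a request. It assumes the checks the table states (header present, value is an IPv4 or IPv6 literal); treating a `HEADER_CSV` element-count mismatch as unresolved is an assumption of the example, since the page states only that `cardinality` is the expected count.

```python
import ipaddress
from typing import Mapping, Optional

# resolve_client_ip is an added helper showing the semantics of the three clientIpRule
# types; it is not part of the PingOne API or its SDKs.

def _as_ip(value: str) -> Optional[str]:
    """Return the normalized address if value is an IPv4 or IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def resolve_client_ip(rule: dict, headers: Mapping[str, str], socket_ip: str) -> Optional[str]:
    """Resolve the client IP for one request according to a clientIpRule.

    Header names are matched case-insensitively. Returns None when the rule cannot be
    satisfied: the header is absent, the selected value is not an IP literal, or (for
    HEADER_CSV) the element count differs from the configured cardinality (assumption:
    the page states only that cardinality is the expected count).
    """
    rule_type = rule["type"]
    if rule_type == "SOCKET":
        return _as_ip(socket_ip)
    if rule_type not in ("HEADER", "HEADER_CSV"):
        raise ValueError(f"unknown clientIpRule type {rule_type!r}")

    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(rule["name"].lower())
    if raw is None:
        return None  # HEADER and HEADER_CSV require the header to be present
    if rule_type == "HEADER":
        return _as_ip(raw)

    index, cardinality = rule["index"], rule["cardinality"]
    if not 0 <= index < cardinality:
        raise ValueError("index must be in [0, cardinality) for HEADER_CSV")
    parts = [p.strip() for p in raw.split(",")]
    if len(parts) != cardinality:
        return None  # a fixed count keeps the selected element at a known position in the chain
    return _as_ip(parts[index])


# Constructed sample: one trusted proxy appends the peer address to X-Forwarded-For, so a
# request arriving through it carries exactly two elements and the client is element 0.
CSV_RULE = {"type": "HEADER_CSV", "name": "X-Forwarded-For", "index": 0, "cardinality": 2}
SAMPLE_HEADERS = {"x-forwarded-for": "203.0.113.7, 198.51.100.2"}
```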

### headerRules data model

| Property   | Type    | Required? | Mutable? | Description                                                                                                                                                                                                                                                                                                                                                                                                                          |
| ---------- | ------- | --------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `name`     | String  | Required  | Mutable  | The case-insensitive header name. This property is required for `HEADER` and `HEADER_CSV`. For formatting rules, refer to [RFC 9110 HTTP Semantics, 5.6.2. Tokens](https://www.rfc-editor.org/rfc/rfc9110.html#name-tokens). The maximum name size is 8KB, and the platform disallows header name values of: `Authorization`, `Cookie`, `X-Ping-Itp-Jwt`, `X-Ping-Itp-Secret`, `X-Ping-Itp-Id`, and any header beginning with `Cf-`. |
| `required` | Boolean | Required  | Mutable  | Specifies whether the request must include the header (set to `true` if required).                                                                                                                                                                                                                                                                                                                                                   |

### trafficRule data model

| Property | Type   | Required? | Mutable? | Description                                                                                  |
| -------- | ------ | --------- | -------- | -------------------------------------------------------------------------------------------- |
| `type`   | String | Required  | Mutable  | Specifies whether matching requests are allowed to proceed. Options are `ALLOW` and `BLOCK`. |

### verifyRule data model

| Property            | Type      | Required?         | Mutable? | Description                                                                                                                                                                                                                                                                                                                                                  |
| ------------------- | --------- | ----------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `cidrRanges`        | String\[] | Required/Optional | Mutable  | An array that specifies the list of IPv4 and/or IPv6 CIDR subnets for verifying connection IP. This property is required for the `IP_ADDRESS` type.                                                                                                                                                                                                          |
| `jwks`              | String    | Required/Optional | Mutable  | A string in JWK Set format [RFC 7517: JSON Web Key (JWK)](https://datatracker.ietf.org/doc/html/rfc7517#section-5) that specifies the public keys for verifying `X-Ping-Itp-Jwt`. This property is required for the `SIGNATURE` type. The JSON for the JWKS string in the embedded `jwks` property must be formatted as one line with double quotes escaped. |
| `sha256Thumbprints` | String\[] | Required/Optional | Mutable  | An array that specifies the list of SHA-256 thumbprints in lowercase hexadecimal for verifying mTLS certificates. This property is required for `MTLS_THUMBPRINT`.                                                                                                                                                                                           |
| `sha256Secrets`     | String\[] | Required/Optional | Mutable  | An array that specifies the list of SHA-256 secret hashes in lowercase hexadecimal for verifying `X-Ping-Itp-Secret`. The request payload must carry the SHA-256 hash of each secret, not the secret itself; each value must be exactly 64 lowercase hexadecimal characters (`0-9a-f`). This property is required for `SECRET`.                                   |
| `type`              | String    | Required          | Mutable  | Specifies the verify rule type. Options are `SIGNATURE` for signed requests, `MTLS_THUMBPRINT` for mTLS, `SECRET` for shared secret, `IP_ADDRESS` for IP address.                                                                                                                                                                                            |
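As an added example (not code from PingOne), the validator below checks a policy's `verifyRules` array against the limits listed under "Inbound traffic policies API limits" and the per-type requirements in this table: at most four rules, each type at most once, the required property for each type, at most five entries per array, valid CIDR subnets, 64-character lowercase hex digests, and a `jwks` string that parses as a JWK Set. It assumes "16 KB" means 16 * 1024 bytes, and `secret_hash` shows how a `sha256Secrets` entry is derived from a shared secret.

```python
import hashlib
import ipaddress
import json
import re

# Limits as listed on this page; "16 KB" for jwks is assumed to mean 16 * 1024 bytes.
MAX_RULES, MAX_ENTRIES, JWKS_MAX_BYTES = 4, 5, 16 * 1024  # rules per policy, entries per array, jwks size
REQUIRED_FIELD = {"SIGNATURE": "jwks", "MTLS_THUMBPRINT": "sha256Thumbprints",
                  "SECRET": "sha256Secrets", "IP_ADDRESS": "cidrRanges"}
HEX64 = re.compile(r"^[0-9a-f]{64}$")  # 64 lowercase hexadecimal characters

def secret_hash(shared_secret: str) -> str:  # sha256Secrets carries digests, never the secret itself
    return hashlib.sha256(shared_secret.encode("utf-8")).hexdigest()

def _jwks_ok(value) -> bool:  # JWK Set (RFC 7517) serialized as one JSON string of at most 16 KB
    try:
        return len(value.encode()) <= JWKS_MAX_BYTES and isinstance(json.loads(value)["keys"], list)
    except (AttributeError, KeyError, TypeError, ValueError):
        return False

def _entry_ok(field: str, value) -> bool:
    if not isinstance(value, str):
        return False
    if field != "cidrRanges":  # thumbprints and secret hashes must be 64 lowercase hex characters
        return bool(HEX64.match(value))
    try:
        ipaddress.ip_network(value)  # must parse as an IPv4 or IPv6 subnet (host bits must be zero)
        return True
    except ValueError:
        return False

def validate_verify_rules(verify_rules: list) -> list:
    """Return the violations found in a policy's verifyRules array; an empty list means it is acceptable."""
    errors, seen = [], set()
    if len(verify_rules) > MAX_RULES:
        errors.append(f"more than {MAX_RULES} verifyRule objects")
    for rule in verify_rules:
        rule_type = rule.get("type")
        if rule_type not in REQUIRED_FIELD:
            errors.append(f"unknown verifyRule type {rule_type!r}")
            continue
        if rule_type in seen:  # each verifyRule type may appear at most once
            errors.append(f"{rule_type} appears more than once")
        seen.add(rule_type)
        field, values = REQUIRED_FIELD[rule_type], rule.get(REQUIRED_FIELD[rule_type])
        if values is None:
            errors.append(f"{rule_type}: {field} is required")
        elif field == "jwks":
            if not _jwks_ok(values):
                errors.append("SIGNATURE: jwks must be a one-line JWK Set string of at most 16 KB")
        elif not isinstance(values, list) or len(values) > MAX_ENTRIES:
            errors.append(f"{rule_type}: {field} must be an array of at most {MAX_ENTRIES} entries")
        else:
            errors.extend(f"{rule_type}: invalid {field} entry {v!r}" for v in values if not _entry_ok(field, v))
    return errors
```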

## Response codes

| Code | Message                                  |
| ---- | ---------------------------------------- |
| 200  | Successful operation.                    |
| 201  | Successfully created.                    |
| 204  | Successfully removed. No content.        |
| 400  | The request could not be completed.      |
| 401  | You do not have access to this resource. |
| 404  | The requested resource was not found.    |
