--- title: Create Inbound Traffic Policy description: The POST /environments/{{envID}}/inboundTrafficPolicies endpoint creates a new inbound traffic policy configuration in the specified environment. The request body includes the set of inbound traffic policy rules that configure access to the PingOne endpoint called by the matching request. You can define up to 10 inbound traffic policy configurations on the environment. component: pingone-api page_id: pingone-api:platform:inbound-traffic/create-inbound-traffic-policy canonical_url: https://developer.pingidentity.com/pingone-api/platform/inbound-traffic/create-inbound-traffic-policy.html section_ids: prerequisites: Prerequisites headers: Headers body: Body example-request: Example Request example-response: Example Response --- # Create Inbound Traffic Policy ## ```none POST {{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies ``` The `POST /environments/{{envID}}/inboundTrafficPolicies` endpoint creates a new inbound traffic policy configuration in the specified environment. The request body includes the set of inbound traffic policy rules that configure access to the PingOne endpoint called by the matching request. You can define up to 10 inbound traffic policy configurations on the environment. ### Prerequisites * Refer to [Inbound Traffic Policies](../inbound-traffic.html) for for full property descriptions for the verify, client IP, header, and traffic rules. * Refer to [Inbound Traffic Policies API Limits](../inbound-traffic.html#inbound-traffic-policies-api-limits) for maximum number of allowed policies and rules per environment. > **Collapse: Request Model** > > | Property | Type | Required? | > | ---------------- | --------- | --------- | > | `clientIpRule` | Object | Required | > | `enabled` | Boolean | Required | > | `environment` | Object | N/A | > | `environment.id` | String | N/A | > | `headerRules` | Object\[] | Required | > | `id` | String | N/A | > | `name` | String | Required | > | `priority` | Integer | Required | > | `trafficRule` | Object | Required | > | `verifyRules` | Object\[] | Required | > > Refer to the [Inbound traffic policies data model](../inbound-traffic.html#inbound-traffic-policies-data-model) for full property descriptions. ### Headers Authorization      Bearer {{accessToken}} Content-Type      application/json ### Body raw ( application/json ) ```json { "name":"Shared Secret", "trafficRule":{ "type":"ALLOW" }, "verifyRules":[ { "type":"SECRET", "sha256Secrets":[ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule":{ "type":"HEADER", "name":"secret" }, "headerRules":[], "priority":3, "enabled":true } ``` ## ### Example Request * cURL * C# * Go * HTTP * Java * jQuery * NodeJS * Python * PHP * Ruby * Swift ```shell curl --location --globoff '{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies' \ --header 'Content-Type: application/json' \ --header 'Authorization: Bearer {{accessToken}}' \ --data '{ "name":"Shared Secret", "trafficRule":{ "type":"ALLOW" }, "verifyRules":[ { "type":"SECRET", "sha256Secrets":[ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule":{ "type":"HEADER", "name":"secret" }, "headerRules":[], "priority":3, "enabled":true }' ``` ```csharp var options = new RestClientOptions("{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies") { MaxTimeout = -1, }; var client = new RestClient(options); var request = new RestRequest("", Method.Post); request.AddHeader("Content-Type", "application/json"); request.AddHeader("Authorization", "Bearer {{accessToken}}"); var body = @"{" + "\n" + @" ""name"":""Shared Secret""," + "\n" + @" ""trafficRule"":{" + "\n" + @" ""type"":""ALLOW""" + "\n" + @" }," + "\n" + @" ""verifyRules"":[" + "\n" + @" {" + "\n" + @" ""type"":""SECRET""," + "\n" + @" ""sha256Secrets"":[" + "\n" + @" ""9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf""" + "\n" + @" ]" + "\n" + @" }" + "\n" + @" ]," + "\n" + @" ""clientIpRule"":{" + "\n" + @" ""type"":""HEADER""," + "\n" + @" ""name"":""secret""" + "\n" + @" }," + "\n" + @" ""headerRules"":[]," + "\n" + @" ""priority"":3," + "\n" + @" ""enabled"":true" + "\n" + @"}" + "\n" + @""; request.AddStringBody(body, DataFormat.Json); RestResponse response = await client.ExecuteAsync(request); Console.WriteLine(response.Content); ``` ```golang package main import ( "fmt" "strings" "net/http" "io" ) func main() { url := "{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies" method := "POST" payload := strings.NewReader(`{ "name":"Shared Secret", "trafficRule":{ "type":"ALLOW" }, "verifyRules":[ { "type":"SECRET", "sha256Secrets":[ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule":{ "type":"HEADER", "name":"secret" }, "headerRules":[], "priority":3, "enabled":true }`) client := &http.Client { } req, err := http.NewRequest(method, url, payload) if err != nil { fmt.Println(err) return } req.Header.Add("Content-Type", "application/json") req.Header.Add("Authorization", "Bearer {{accessToken}}") res, err := client.Do(req) if err != nil { fmt.Println(err) return } defer res.Body.Close() body, err := io.ReadAll(res.Body) if err != nil { fmt.Println(err) return } fmt.Println(string(body)) } ``` ```http POST /v1/environments/{{envID}}/inboundTrafficPolicies HTTP/1.1 Host: {{apiPath}} Content-Type: application/json Authorization: Bearer {{accessToken}} { "name":"Shared Secret", "trafficRule":{ "type":"ALLOW" }, "verifyRules":[ { "type":"SECRET", "sha256Secrets":[ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule":{ "type":"HEADER", "name":"secret" }, "headerRules":[], "priority":3, "enabled":true } ``` ```java OkHttpClient client = new OkHttpClient().newBuilder() .build(); MediaType mediaType = MediaType.parse("application/json"); RequestBody body = RequestBody.create(mediaType, "{\n \"name\":\"Shared Secret\",\n \"trafficRule\":{\n \"type\":\"ALLOW\"\n },\n \"verifyRules\":[\n {\n \"type\":\"SECRET\",\n \"sha256Secrets\":[\n \"9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf\"\n ]\n }\n ],\n \"clientIpRule\":{\n \"type\":\"HEADER\",\n \"name\":\"secret\"\n },\n \"headerRules\":[],\n \"priority\":3,\n \"enabled\":true\n}\n"); Request request = new Request.Builder() .url("{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies") .method("POST", body) .addHeader("Content-Type", "application/json") .addHeader("Authorization", "Bearer {{accessToken}}") .build(); Response response = client.newCall(request).execute(); ``` ```javascript var settings = { "url": "{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies", "method": "POST", "timeout": 0, "headers": { "Content-Type": "application/json", "Authorization": "Bearer {{accessToken}}" }, "data": JSON.stringify({ "name": "Shared Secret", "trafficRule": { "type": "ALLOW" }, "verifyRules": [ { "type": "SECRET", "sha256Secrets": [ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule": { "type": "HEADER", "name": "secret" }, "headerRules": [], "priority": 3, "enabled": true }), }; $.ajax(settings).done(function (response) { console.log(response); }); ``` ```javascript var request = require('request'); var options = { 'method': 'POST', 'url': '{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies', 'headers': { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' }, body: JSON.stringify({ "name": "Shared Secret", "trafficRule": { "type": "ALLOW" }, "verifyRules": [ { "type": "SECRET", "sha256Secrets": [ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule": { "type": "HEADER", "name": "secret" }, "headerRules": [], "priority": 3, "enabled": true }) }; request(options, function (error, response) { if (error) throw new Error(error); console.log(response.body); }); ``` ```python import requests import json url = "{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies" payload = json.dumps({ "name": "Shared Secret", "trafficRule": { "type": "ALLOW" }, "verifyRules": [ { "type": "SECRET", "sha256Secrets": [ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule": { "type": "HEADER", "name": "secret" }, "headerRules": [], "priority": 3, "enabled": True }) headers = { 'Content-Type': 'application/json', 'Authorization': 'Bearer {{accessToken}}' } response = requests.request("POST", url, headers=headers, data=payload) print(response.text) ``` ```php setUrl('{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies'); $request->setMethod(HTTP_Request2::METHOD_POST); $request->setConfig(array( 'follow_redirects' => TRUE )); $request->setHeader(array( 'Content-Type' => 'application/json', 'Authorization' => 'Bearer {{accessToken}}' )); $request->setBody('{\n "name":"Shared Secret",\n "trafficRule":{\n "type":"ALLOW"\n },\n "verifyRules":[\n {\n "type":"SECRET",\n "sha256Secrets":[\n "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf"\n ]\n }\n ],\n "clientIpRule":{\n "type":"HEADER",\n "name":"secret"\n },\n "headerRules":[],\n "priority":3,\n "enabled":true\n}'); try { $response = $request->send(); if ($response->getStatus() == 200) { echo $response->getBody(); } else { echo 'Unexpected HTTP status: ' . $response->getStatus() . ' ' . $response->getReasonPhrase(); } } catch(HTTP_Request2_Exception $e) { echo 'Error: ' . $e->getMessage(); } ``` ```ruby require "uri" require "json" require "net/http" url = URI("{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies") http = Net::HTTP.new(url.host, url.port); request = Net::HTTP::Post.new(url) request["Content-Type"] = "application/json" request["Authorization"] = "Bearer {{accessToken}}" request.body = JSON.dump({ "name": "Shared Secret", "trafficRule": { "type": "ALLOW" }, "verifyRules": [ { "type": "SECRET", "sha256Secrets": [ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule": { "type": "HEADER", "name": "secret" }, "headerRules": [], "priority": 3, "enabled": true }) response = http.request(request) puts response.read_body ``` ```swift let parameters = "{\n \"name\":\"Shared Secret\",\n \"trafficRule\":{\n \"type\":\"ALLOW\"\n },\n \"verifyRules\":[\n {\n \"type\":\"SECRET\",\n \"sha256Secrets\":[\n \"9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf\"\n ]\n }\n ],\n \"clientIpRule\":{\n \"type\":\"HEADER\",\n \"name\":\"secret\"\n },\n \"headerRules\":[],\n \"priority\":3,\n \"enabled\":true\n}" let postData = parameters.data(using: .utf8) var request = URLRequest(url: URL(string: "{{apiPath}}/v1/environments/{{envID}}/inboundTrafficPolicies")!,timeoutInterval: Double.infinity) request.addValue("application/json", forHTTPHeaderField: "Content-Type") request.addValue("Bearer {{accessToken}}", forHTTPHeaderField: "Authorization") request.httpMethod = "POST" request.httpBody = postData let task = URLSession.shared.dataTask(with: request) { data, response, error in guard let data = data else { print(String(describing: error)) return } print(String(data: data, encoding: .utf8)!) } task.resume() ``` ### Example Response 201 Created ```json { "id" : "37398c2b-a54d-4b1e-9a01-950c5cdd44cf", "environment" : { "id" : "abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6" }, "name" : "Shared Secret", "enabled" : true, "priority" : 3, "verifyRules" : [ { "type" : "SECRET", "sha256Secrets" : [ "9e33f87fbe1a805f2e1f1d85b208bed4aa6b0de23117377310162ffa686573cf" ] } ], "clientIpRule" : { "type" : "HEADER", "name" : "secret" }, "trafficRule" : { "type" : "ALLOW" }, "createdAt" : "2025-11-18T20:26:59.915Z", "updatedAt" : "2025-11-18T20:26:59.915Z", "_links" : { "self" : { "href" : "https://api.test-one-pingone.com/v1/environments/abfba8f6-49eb-49f5-a5d9-80ad5c98f9f6/inboundTrafficPolicies/37398c2b-a54d-4b1e-9a01-950c5cdd44cf" } } } ```