When ArcGIS web services are secured using ArcGIS token-based authentication, the client software must be able to obtain and use the token. Esri client applications, such as ArcGIS Desktop, automatically handle the process of acquiring tokens from the token service and presenting tokens to the secured ArcGIS web service.
When building custom ArcGIS client applications that use GET requests to access web services secured using ArcGIS token-based authentication, it is recommended that the token be sent in the X-Esri-Authorization header instead of a query parameter. This prevents intermediaries on the network, such as proxies, gateways, or load balancers, from being able to obtain the token. The example HTTP GET request below sends the token in the X-Esri-Authorization header:
GET https://arcgis.mydomain.com/arcgis/rest/services/SampleWorldCities/MapServer?f=pjson HTTP/1.1
Host: arcgis.mydomain.com
X-Esri-Authorization: Bearer xMTuPSYpAbj85TVfbZcVU7td8bMBlDKuSVkM3FAx7zO1MYD0zDam1VR3Cm-ZbFo-
If ArcGIS Server uses ArcGIS Server authentication and not web-tier authentication (IWA, HTTP BASIC, PKI, and so on), the standard HTTP Authorization header may be used instead of the X-Esri-Authorization header:
GET https://arcgis.mydomain.com/arcgis/rest/services/SampleWorldCities/MapServer?f=pjson HTTP/1.1
Host: arcgis.mydomain.com
Authorization: Bearer xMTuPSYpAbj85TVfbZcVU7td8bMBlDKuSVkM3FAx7zO1MYD0zDam1VR3Cm-ZbFo-
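The following client-side helper is an added example, not code from Esri or from the original page. It builds a GET request that carries the token in a header as recommended above and removes any token left in the query string. The function names and the `webTierAuth` option are hypothetical.

```javascript
// Added example: function names and the `webTierAuth` option are hypothetical.
// Builds a GET request that carries an ArcGIS token in a header, never in the URL.
function buildSecuredGet(serviceUrl, token, { webTierAuth = true } = {}) {
  if (typeof token !== "string" || token.length === 0) {
    throw new TypeError("token must be a non-empty string");
  }
  // Reject CR/LF so a malformed token value cannot split the header.
  if (/[\r\n]/.test(token)) {
    throw new TypeError("token contains illegal characters");
  }
  const url = new URL(serviceUrl);
  // Refuse to send the token over an unencrypted connection.
  if (url.protocol !== "https:") {
    throw new Error("refusing to send a token over " + url.protocol);
  }
  // Drop any token already present as a query parameter so it is not
  // transmitted (or logged) as part of the URL.
  url.searchParams.delete("token");

  // The standard Authorization header is an option only when ArcGIS Server
  // authentication is used without web-tier authentication (IWA, HTTP BASIC,
  // PKI). X-Esri-Authorization is the default here.
  const headerName = webTierAuth ? "X-Esri-Authorization" : "Authorization";
  return { url: url.toString(), headers: { [headerName]: `Bearer ${token}` } };
}

// Sends the request with the platform fetch() and returns the parsed JSON body.
async function getSecured(serviceUrl, token, options) {
  const req = buildSecuredGet(serviceUrl, token, options);
  const res = await fetch(req.url, { method: "GET", headers: req.headers });
  if (!res.ok) {
    throw new Error(`request failed with HTTP ${res.status}`);
  }
  return res.json();
}
```

Pass `{ webTierAuth: false }` only when the server is known to use ArcGIS Server authentication without web-tier authentication.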
The behavior of ArcGIS clients when connecting to an ArcGIS web service secured using token-based authentication is described below.
- ArcGIS Desktop (ArcMap, ArcGIS Pro): The user provides a valid user name and password on the connection dialog box. If no user name or password is specified, or if the login is incorrect, the software prompts the user to enter correct credentials.
- JavaScript applications (ArcGIS API for JavaScript and other REST-based applications): The client must be capable of providing a token to access the service that requires a token. In most cases, it will not be appropriate to embed the user name and password for the service into the client-side JavaScript. Instead, a long-lived token can be obtained from the token server, and this token can be included in the client-side page. The token is then included in the request for the service. For details on acquiring the token, see Acquiring ArcGIS tokens. For information on requesting a resource with a token, see the appropriate API help.
- SOAP-based applications: Applications that use a SOAP toolkit to access the WSDL of the GIS web service need to acquire and use tokens explicitly. See the ArcGIS Server Developer Help for information and examples.
- ArcGIS Web Applications (Java or Microsoft .NET): The web application uses the credentials previously entered into the ArcGIS Web Applications Manager or in the developer environment.