ArcGIS services are secured using ArcGIS token-based authentication. The client software must be able to obtain and use the token.
When building custom ArcGIS client applications that use GET requests to access web services secured using ArcGIS token-based authentication, it is recommended that the token be sent in the X-Esri-Authorization header instead of a query parameter. This prevents intermediaries on the network, such as proxies, gateways or load-balancers, from being able to obtain the token.
The general steps to use an authorization header are:
- Use a valid username and password to get an access token.
- Set the server host domain.
- Set the authorization header and bearer:
  - X-Esri-Authorization (web-tier)
  - Authorization (not web-tier)
Code examples
Web-tiered authentication
This example illustrates how to use HTTP header authentication, using X-Esri-Authorization with the places service.
GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
Host: places-api.arcgis.com
X-Esri-Authorization: Bearer <YOUR_ACCESS_TOKEN>
Non web-tiered authentication
This example illustrates how to use HTTP header authentication, using Authorization with the places service.
GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
Host: places-api.arcgis.com
Authorization: Bearer <YOUR_ACCESS_TOKEN>
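The following Python helper is an added example, not code from Esri or from the original page. It builds the URL and headers for either request above so that the token travels only in the header. The function name `prepare_request`, the `allowed_host` parameter, the HTTPS check and the removal of a leftover `token` query parameter are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WEB_TIER_HEADER = "X-Esri-Authorization"  # header the page names for web-tier
DEFAULT_HEADER = "Authorization"          # header the page names otherwise


def prepare_request(url, token, allowed_host, web_tier=False):
    """Return (url, headers) with the token carried only in a header.

    allowed_host, the HTTPS check and the stripping of a 'token' query
    parameter are assumptions of this example, not rules from the page.
    """
    if not token or "\r" in token or "\n" in token:
        raise ValueError("token is empty or contains line breaks")
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send a token over a non-HTTPS URL")
    if parts.hostname != allowed_host.lower():
        raise ValueError(f"host {parts.hostname!r} is not {allowed_host!r}")
    # Drop any token left in the query string so it never appears in the URL.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "token"]
    clean_url = urlunsplit(parts._replace(query=urlencode(query)))
    header = WEB_TIER_HEADER if web_tier else DEFAULT_HEADER
    return clean_url, {header: f"Bearer {token}"}


if __name__ == "__main__":
    # Constructed input: the page's places request with a placeholder token
    # mistakenly appended as a query parameter.
    url, headers = prepare_request(
        "https://places-api.arcgis.com/arcgis/rest/services/places-service"
        "/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002"
        "&token=PLACEHOLDER_TOKEN",
        "PLACEHOLDER_TOKEN", "places-api.arcgis.com", web_tier=True)
    print(url)
    print(headers)
```

The returned URL and header dictionary can be passed to any HTTP client; the helper itself sends nothing.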