Acquiring ArcGIS tokens

When ArcGIS web services are secured using ArcGIS token-based authentication, every request to a resource must be accompanied by a valid token.

Tokens can be acquired using the tokens endpoint (using steps below) or generated programmatically through the ArcGIS REST API. If you're generating a token programmatically, the username and password cannot be passed as query parameters in the URL. They must be passed in the body of a POST request; GET requests are not supported.

Steps:
  1. Open the URL http://gisserver.domain.com:6080/arcgis/tokens in a web browser.
  2. Enter the following information:
    • User name: The name of a user authorized to access the resource.
    • Password: The user's password.
    • Client: This parameter enforces restrictions on how the token may be used.
      • HTTP Referer: When this (default) option is selected, the issued token can only be used in requests referred by the specified URL. This is the URL of the page from which the request is made to the ArcGIS resource. Use this approach when building an application with the ArcGIS API for JavaScript or other REST-based applications, in which individual clients will request maps and data directly from the ArcGIS Server web service.
      • IP Address: When this option is chosen, the issued token can only be used in requests made from the specified IP address.
      • IP address of this request's origin: When this option is chosen, the issued token can only be used in requests made from the IP address used to acquire the token.
      NoteNote:

      If there is a proxy server between the client application\browser and the ArcGIS Server, tokens generated using the IP Address and IP address of this request's origin options must be bound to the IP address of the proxy server. If there are multiple load balancing proxy servers between the client application\browser and the ArcGIS Server, the HTTP Referer option should be used.

    • Expiration: The duration, from the time of issue of the token, for which the token will be valid.
      NoteNote:

      The expiration time specified must be less than or equal to the value configured for the lifespan of long-lived tokens. To see the current token properties in Manager, click Security > Settings, then click the edit icon next to Token Settings.

    • Format: This parameter specifies the format of the response from the server to this token request.
      • HTML: This option displays the token issued by the server in string format. To use the token, copy the string and append it to requests made to secured ArcGIS Server web services.
      • JSON: This option returns the token in JSON format. This option is used when a token is requested through a web application instead of a web browser.
  3. Click Generate Token to get the token.