HTTP authorization headers

ArcGIS services are secured using ArcGIS token-based authentication. The client software must be able to obtain and use the token.

When building custom ArcGIS client applications that use GET requests to access web services secured using ArcGIS token-based authentication, it is recommended that the token be sent in the X-Esri-Authorization header instead of a query parameter. This prevents intermediaries on the network, such as proxies, gateways or load-balancers from being able to obtain the token.

The general steps to use an authorization header are:

Use a valid username and password to get an access token.
Set the server host domain.
Set the authorization header and bearer:
- X-Esri-Authorization(web-tier)
- Authorization(not web-tier)

Code examples

Web-tiered authentication

This example illustrates how to use HTTP header authentication, using X-Esri-Authorization with the places service.

Use dark colors for code blocksCopy
GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
    Host: places-api.arcgis.com
    X-Esri-Authorization: Bearer <ACCESS_TOKEN>

Non web-tiered authentication

This example illustrates how to use HTTP header authentication, using Authorization with the places service.

Use dark colors for code blocksCopy
GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
    Host: places-api.arcgis.com
    Authorization: Bearer <ACCESS_TOKEN>

Mapping APIs and location services

HTTP authorization headers

Was this page helpful?

Was this page helpful?