HTTP authorization headers

ArcGIS services are secured using ArcGIS token-based authentication. The client software must be able to obtain and use the token.

When building custom ArcGIS client applications that use GET requests to access web services secured using ArcGIS token-based authentication, it is recommended that the token be sent in the X-Esri-Authorization header instead of a query parameter. This prevents intermediaries on the network, such as proxies, gateways, or load balancers, from being able to obtain the token.

The general steps to use an authorization header are:

  1. Use a valid username and password to get an access token.
  2. Set the server host domain.
  3. Set the authorization header and bearer:
    • X-Esri-Authorization (web-tier)
    • Authorization (not web-tier)

Code examples

Web-tiered authentication

This example illustrates how to use HTTP header authentication, using X-Esri-Authorization with the places service.

GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
    Host: places-api.arcgis.com
    X-Esri-Authorization: Bearer <ACCESS_TOKEN>

Non web-tiered authentication

This example illustrates how to use HTTP header authentication, using Authorization with the places service.

GET https://places-api.arcgis.com/arcgis/rest/services/places-service/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002 HTTP/1.1
    Host: places-api.arcgis.com
    Authorization: Bearer <ACCESS_TOKEN>
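
The same header choice in client code, as an added example that is not Esri's own code: the hypothetical helper `build_places_request` builds the GET request with the Python standard library, picks the header by tier, and removes any token left in the URL. The `token` query parameter name, the `web_tier` flag and the sample token value are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Header names are the two given on this page.
WEB_TIER_HEADER = "X-Esri-Authorization"
DEFAULT_HEADER = "Authorization"


def build_places_request(url, access_token, web_tier):
    """Build (not send) a GET request that carries the token only in a header."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to attach a bearer token to a non-HTTPS URL")
    if not access_token or "\r" in access_token or "\n" in access_token:
        raise ValueError("access token is empty or contains CR/LF")

    # Assumption: legacy callers may have appended the token as a `token`
    # query parameter; drop it so it never reaches URL-based logs.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "token"]
    clean_url = urlunsplit(parts._replace(query=urlencode(query)))

    request = Request(clean_url, method="GET")
    header = WEB_TIER_HEADER if web_tier else DEFAULT_HEADER
    request.add_header(header, f"Bearer {access_token}")
    return request


def auth_headers(request):
    """Return the request's headers with lower-cased names for comparison."""
    return {name.lower(): value for name, value in request.header_items()}


if __name__ == "__main__":
    # Constructed sample: the page's places query with a token left in the URL.
    sample = ("https://places-api.arcgis.com/arcgis/rest/services/places-service"
              "/v1/places/near-point?x=-3.1883&y=55.9533&categoryids=13002"
              "&token=CONSTRUCTED_TOKEN")
    req = build_places_request(sample, "CONSTRUCTED_TOKEN", web_tier=True)
    print(req.get_method(), req.full_url)
    print(sorted(auth_headers(req)))  # header names only, never the token
```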
