What is an access token?
An access token is an authorization string that provides access to secure ArcGIS resources such as ArcGIS applications, ArcGIS services, ArcGIS Location Services, and ArcGIS portal services. You can get an access token by implementing a type of authentication. You use an access token to make HTTP requests to authenticated services. The services the token can access and the operations it can perform are determined by the privileges associated with the token.
Below is an example of an API key access token:
AAPT85fOqywZsicJupSmVSCGrjmBjlVZupd64H9kjIjy5FrwIJkpxFMIvd88p32f1vWWpuyzGx7-1nPCMc4XljyuVu-fQSxU4r1Nq17OQo5kjJBVcAw1bKKYM9GYeB98hlK9cwRNzi8H7z3SNb8hCLYvrNwKhXPJo971vH22psnikowztg6ckFD-1zi3TasXKe0e3sSNrmBRunl0SLM7hPgNzuPQkvVES1fDgDL-Thsc2XU.AT2_WilXzfTaTypes of access tokens
There are three types of access tokens that you can create: API keys, user access tokens, and app tokens. The type of access token created depends on the type of authentication you use to create it. The main difference between the tokens is how you create them, the duration they are valid for, the account they are associated with, and who is billed for service usage.
| Type of access token | Description | Created from | Duration | Account | Billing |
|---|---|---|---|---|---|
| API key access token | A static, long-lived API key created with API key credentials. | API key authentication | Valid for up to one year. | Developer's ArcGIS account | Developer's ArcGIS subscription |
| User access token | A unique, short-lived token generated for each user that signs into a custom application with user authentication. | User authentication | Valid for 30 minutes by default, or up to 2 weeks. | User's ArcGIS account | ArcGIS subscription of the user's organization |
| App access token | An access token generated using OAuth credentials with a client token request. | App authentication | Valid for 2 weeks. | Developer's ArcGIS account | Developer's ArcGIS subscription |
How to use an access token
You can use an access token to make HTTP requests to ArcGIS services. To do so, you need to set the token parameter of the request to include the access token. If the token is authenticated successfully, the request is granted access to the service operation or resource.
Steps to use an access token:
-
Get an access token by implementing authentication.
-
Find the ArcGIS service URL you want to access.
-
Set the
tokenparameter. -
Access the ArcGIS service endpoint or operation.
https://<ARCGIS_SERVICE_URL>?token=<YOUR_ACCESS_TOKEN>Access token privileges
Access tokens have privileges associated with them that determine the ArcGIS services, service operations, and content items they can access. Privileges are assigned to access tokens as part of the authentication process.
The privileges of an access token are based on the privileges of the account used to create it. With API key and app authentication, specific privileges from your account can be assigned to access tokens. With user authentication, access tokens inherit all of the privileges of the signed-in user's account.
| Type of access token | Creation method | How privileges are assigned |
|---|---|---|
| API key access token | Created by the developer | Developer assigns specific privileges to API keys using API key credentials in your portal. |
| User access token | Created when a user signs in | User access tokens inherit all privileges of the signed-in user's ArcGIS account. |
| App access token | Created programmatically | Developer assigns specific privileges to app tokens using OAuth credentials in your portal. |
View access token properties
You can view the properties and capabilities of an access token by making a /self request to the portal service. This allows you to get information such as the:
- Privileges of the access token.
- Access token expiration date.
- Organization ID of the organization the access token belongs to.
- Client ID of the associated developer credentials.
- Item ID of the associated developer credentials.
- Owner of the associated developer credentials.
The steps to get an access token's properties are:
- Find the URL to your portal service.
- Define the
/selfrequest. - Set the
tokenandappparameters to your access token.Info Token
URL request
https://<PORTAL_URL>/self?token=<YOUR_ACCESS_TOKEN>&appInfoToken=<YOUR_ACCESS_TOKEN>&f=pjsonRequired parameters
| Name | Description | Examples |
|---|---|---|
f | The format of the data returned. Must be set to view output. | f=json f=pjson |
token | A valid access token (API key or OAuth 2.0). | token= |
app | The access token you want to view information about. Can be valid or expired. | app |
API key access token properties
This example shows a sample response from a /self request for an API key access token that has specific privileges assigned to it. This type of access token is obtained from API key authentication.
{
"appInfo": {
"appId": "<CREDENTIAL_CLIENT_ID>",
"itemId": "<CREDENTIAL_ITEM_ID>",
"appOwner": "<USERNAME_OF_OWNER>",
"orgId": "<ORGANIZATION_ID>",
"appTitle": "<CREDENTIAL_TITLE>",
"privileges": [
"premium:user:basemaps",
"premium:user:elevation",
User access token properties
This example shows a sample response from a /self request for a user access token that impersonates an ArcGIS account. This type of access token is known as a user access token and is primarily obtained from user authentication. It can also be obtained from certain workflows in API key and app authentication.
The /self response for this type of token returns additional properties pertaining to the impersonated account, including:
- The full name associated with the ArcGIS account
- The email associated with the ArcGIS account
- Timestamp of the last account sign-in
- All privileges the account has
- All groups that the account belongs to
{
"username": "<USERNAME>",
"udn": null,
"id": "<USER_ID>",
"fullName": "<USER_FULL_NAME>",
"categories": [],
"emailStatus": "notverified",
"firstName": "<USER_LASTNAME>",
"lastName": "<USER_FIRSTNAME>",
"preferredView": null,
App access token properties
This example shows a sample response from a /self request for an app access token that has specific privileges assigned to it. This type of access token is obtained from app authentication.
{
"appInfo": {
"appId": "<CREDENTIAL_CLIENT_ID>",
"itemId": "<CREDENTIAL_ITEM_ID>",
"appOwner": "<USERNAME_OF_OWNER>",
"orgId": "<ORGANIZATION_ID>",
"appTitle": "<CREDENTIAL_TITLE>",
"privileges": [
"premium:user:basemaps",
"premium:user:elevation",
Code examples
The following code examples show how to use access tokens to make requests to ArcGIS services.
Access the basemap styles service
This example accesses the ArcGIS Outdoor basemap style from the basemap styles service.
curl https://basemapstyles-api.arcgis.com/arcgis/rest/services/styles/v2/styles/arcgis/outdoor? \
-d "token=<YOUR_ACCESS_TOKEN>"Access the geocoding service
This example performs a forward geocode by making a request to the geocoding service.
curl https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates \
-d "f=pjson" \
-d "address=1600 Pennsylvania Ave NW, DC" \
-d "token=<YOUR_ACCESS_TOKEN>"Access a feature service
This example retrieves features from a feature service.
curl https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/LA_County_Parcels/FeatureServer/0/query? \
-d "where=1=1" \
-d "outFields=*" \
-d "f=json" \
-d "token=<YOUR_ACCESS_TOKEN>"Access a portal item
This example accesses a private item hosted in ArcGIS.com and retrieves its properties.
curl https://www.arcgis.com/sharing/rest/content/items/<ITEM_ID> \
-d 'f=pjson' \
-d 'token=<YOUR_ACCESS_TOKEN>'Tutorials
Create an API key
Create and configure API key credentials to get a long-lived API key access token.