Skip to content

HTTP authorization headers

The Authorization header of HTTP requests can be used to provide credentials that authenticate a client with a server. You can use authorization headers to authenticate requests to ArcGIS services with an access token. Using an authorization header prevents intermediaries on the network, such as proxies, gateways or load-balancers from being able to access the token. This offers additional security benefits compared to sending the access token as a query parameter.

To use an authorization request header with ArcGIS services, you can use either the Authorization or X-Esri-Authorization HTTP request header.

  • Authorization header: This is the standard HTTP header for passing authentication credentials, such as Bearer tokens for OAuth 2.0. ArcGIS services that use non-web-tier authentication (not using Windows Integrated, PKI, etc.) typically accept tokens in this header. It is widely supported and recommended for most API authentication scenarios.

  • X-Esri-Authorization header: This is a custom header defined by Esri, primarily used for ArcGIS services that require web-tier authentication. Using this header can help avoid conflicts with other authentication systems that may already use the standard Authorization header, and is often required for compatibility with certain ArcGIS server configurations or versions (notably, web-tier security setups).

How to use an authorization header

The general steps to use an authorization header are:

  1. Implement an authentication type to obtain an access token.
  2. Set the server host domain.
  3. Set the authorization header and bearer using the access token.
  4. Send the request.

Example request

Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/styles/v2/styles/arcgis/navigation/ HTTP/1.1
Host: basemapstyles-api.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Code examples

Location services

This example demonstrates how to use authorization headers to access the ArcGIS Geocoding service.

To learn more about location services go to the Mapping and location services guide.

Request
HTTPHTTPcURLPython
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates
?f=pjson
&singleLine=1600 Pennsylvania Ave NW, DC HTTP/1.1
Authorization: Bearer {YOUR_ACCESS_TOKEN}
Response
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
{
  "spatialReference": {
    "wkid": 4326,
    "latestWkid": 4326
  },
  "candidates": [
    {
      "address": "1600 Pennsylvania Ave NW, Washington, District of Columbia, 20500",
      "location": {
        "x": -77.036546998209,
Expand

Portal and data services

Portal service

This example demonstrates how to use authorization headers to access an item from a portal service

To learn more about portal services go to the Portal and data services guide > Portal service.

Request
HTTPHTTPcURLPython
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /sharing/rest/content/items/5a5147abe878444cbac68dea9f2f64e7/
?f=json HTTP/1.1
Host: www.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}
Response
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
{
  "id": "5a5147abe878444cbac68dea9f2f64e7",
  "owner": "esri_devlabs",
  "orgId": "GVgbJbqm8hXASVYi",
  "created": 1569537110000,
  "modified": 1569537111000,
  "guid": null,
  "name": null,
  "title": "Seven Natural Wonders of the World Map",
  "type": "Web Map",
Expand

Feature service

This example demonstrates how to use authorization headers to query for features from a hosted feature layer.

To learn more about feature services go to the Portal and data services guide> Feature services.

Request
HTTPHTTPcURLPython
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /GVgbJbqm8hXASVYi/arcgis/rest/services/LA_County_Parcels/FeatureServer/0/query
?where=UseType='Residential'
&resultRecordCount=1
&f=json
&outFields=APN,UseType,TaxRateCity,Roll_LandValue HTTP/1.1
Host: services3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}
Response
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
{
  "objectIdFieldName": "OBJECTID",
  "uniqueIdField": { "name": "OBJECTID", "isSystemMaintained": true },
  "globalIdFieldName": "",
  "geometryProperties": {
    "shapeAreaFieldName": "Shape__Area",
    "shapeLengthFieldName": "Shape__Length",
    "units": "esriMeters"
  },
  "geometryType": "esriGeometryPolygon",
Expand

Analysis services

This example demonstrate how to use authorization headers to access the spatial analysis service.

To learn more about analysis services go to the Spatial analysis developer guide.

Use a job request to generate buffer geometries from a layer of points.

Request
HTTPHTTPcURL
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/submitJob
?f=json
&inputLayer={"url":"https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/DeriveHighSchools/FeatureServer/0"}
&distances=[1000]
&outputName={"serviceProperties": {"name":"Results of create buffers"}} HTTP/1.1
Host: analysis3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}
Response
Use dark colors for code blocksCopy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

{
  "jobId": "j06acd3e062b34987bd3feb394146e327",
  "jobStatus": "esriJobSubmitted",
  "results": {},
  "inputs": {},
  "messages": []
}
Expand

Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.