HTTP authorization headers | Documentation

The Authorization header of HTTP requests can be used to provide credentials that authenticate a client with a server. You can use authorization headers to authenticate requests to ArcGIS services with an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. Using an authorization header prevents intermediaries on the network, such as proxies, gateways or load-balancers from being able to access the token. This offers additional security benefits compared to sending the access token as a query parameter.

To use an authorization request header with ArcGIS services, you can use either the Authorization or X-Esri-Authorization HTTP request header.

Authorization header: This is the standard HTTP header for passing authentication credentials, such as Bearer tokens for OAuth 2.0. ArcGIS services that use non-web-tier authentication (not using Windows Integrated, PKI, etc.) typically accept tokens in this header. It is widely supported and recommended for most API authentication scenarios.
X-Esri-Authorization header: This is a custom header defined by Esri, primarily used for ArcGIS services that require web-tier authentication. Using this header can help avoid conflicts with other authentication systems that may already use the standard Authorization header, and is often required for compatibility with certain ArcGIS server configurations or versions (notably, web-tier security setups).

How to use an authorization header

The general steps to use an authorization header are:

Implement an authentication type to obtain an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more.
Set the server host domain.
Set the authorization header and bearer using the access token.
Send the request.

Example request

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/styles/v2/styles/arcgis/navigation/ HTTP/1.1
Host: basemapstyles-api.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Code examples

Location services

This example demonstrates how to use authorization headers to access the ArcGIS Geocoding serviceA geocoding service is a service that can search for addresses, place addresses, businesses, reverse geocode coordinates to addresses, provide suggestions for places, and perform bulk geocoding. It is hosted by Esri as the ArcGIS Geocoding service and can also be hosted in ArcGIS Enterprise.Learn more.

To learn more about location services go to the Mapping and location services guide.

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates
?f=pjson
&singleLine=1600 Pennsylvania Ave NW, DC HTTP/1.1
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "spatialReference": {
    "wkid": 4326,
    "latestWkid": 4326
  },
  "candidates": [
    {
      "address": "1600 Pennsylvania Ave NW, Washington, District of Columbia, 20500",
      "location": {
        "x": -77.036546998209,
Expand

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates
?f=pjson
&singleLine=1600 Pennsylvania Ave NW, DC HTTP/1.1
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "results": [
    {
      "placeId": "cc8b3eb4e906e8d3e1fbf0d9413e2b74",
      "location": {
        "x": 24.939995,
        "y": 60.169311
      },
      "categories": [
        {
Expand

Portal and data services

Portal service

This example demonstrates how to use authorization headers to access an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more from a portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more

To learn more about portal services go to the Portal and data services guide > Portal service.

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /sharing/rest/content/items/5a5147abe878444cbac68dea9f2f64e7/
?f=json HTTP/1.1
Host: www.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "id": "5a5147abe878444cbac68dea9f2f64e7",
  "owner": "esri_devlabs",
  "orgId": "GVgbJbqm8hXASVYi",
  "created": 1569537110000,
  "modified": 1569537111000,
  "guid": null,
  "name": null,
  "title": "Seven Natural Wonders of the World Map",
  "type": "Web Map",
Expand

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /GVgbJbqm8hXASVYi/arcgis/rest/services/LA_County_Parcels/FeatureServer/0/query
?where=UseType='Residential'
&resultRecordCount=1
&f=json
&outFields=APN,UseType,TaxRateCity,Roll_LandValue HTTP/1.1
Host: services3.arcgis.com
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "objectIdFieldName": "OBJECTID",
  "uniqueIdField": { "name": "OBJECTID", "isSystemMaintained": true },
  "globalIdFieldName": "",
  "geometryProperties": {
    "shapeAreaFieldName": "Shape__Area",
    "shapeLengthFieldName": "Shape__Length",
    "units": "esriMeters"
  },
  "geometryType": "esriGeometryPolygon",
Expand

Feature service

This example demonstrates how to use authorization headers to query for features from a hosted feature layerA feature layer (server-side) is a spatially-enabled table in a feature service. All features in a feature layer share the same geometry type and set of fields.Learn more.

To learn more about feature services go to the Portal and data services guide> Feature services.

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /GVgbJbqm8hXASVYi/arcgis/rest/services/LA_County_Parcels/FeatureServer/0/query
?where=UseType='Residential'
&resultRecordCount=1
&f=json
&outFields=APN,UseType,TaxRateCity,Roll_LandValue HTTP/1.1
Host: services3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "objectIdFieldName": "OBJECTID",
  "uniqueIdField": { "name": "OBJECTID", "isSystemMaintained": true },
  "globalIdFieldName": "",
  "geometryProperties": {
    "shapeAreaFieldName": "Shape__Area",
    "shapeLengthFieldName": "Shape__Length",
    "units": "esriMeters"
  },
  "geometryType": "esriGeometryPolygon",
Expand

Access featuresA feature is a single record, also known as a row, that represents a real-world entity. It typically contains a geometry (point, multipoint, polyline, or polygon) and attributes but it can also contain just attributes.Learn more from a hosted feature layerA feature layer (server-side) is a spatially-enabled table in a feature service. All features in a feature layer share the same geometry type and set of fields.Learn more using a SQL attribute query.

Request

HTTP

cURL

Python

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /GVgbJbqm8hXASVYi/arcgis/rest/services/LA_County_Parcels/FeatureServer/0/query
?where=UseType='Residential'
&resultRecordCount=1
&f=json
&outFields=APN,UseType,TaxRateCity,Roll_LandValue HTTP/1.1
Host: services3.arcgis.com
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy
{
  "objectIdFieldName": "OBJECTID",
  "uniqueIdField": { "name": "OBJECTID", "isSystemMaintained": true },
  "globalIdFieldName": "",
  "geometryProperties": {
    "shapeAreaFieldName": "Shape__Area",
    "shapeLengthFieldName": "Shape__Length",
    "units": "esriMeters"
  },
  "geometryType": "esriGeometryPolygon",
Expand

To learn more about Portal and data services go to then Portal and data services guide.

Analysis services

This example demonstrate how to use authorization headers to access the spatial analysis serviceA spatial analysis service, also known as a feature analysis service, is a service used to perform spatial analysis operations on feature data such as finding, comparing, summarizing, analyzing patterns, and calculating geometries.Learn more.

To learn more about analysis services go to the Spatial analysis developer guide.

Use a job requestA job request is an HTTPS request to a service that starts a server-side operation (or job) with a long duration.Learn more to generate buffer geometries from a layer of points.

Request

HTTP

cURL

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/submitJob
?f=json
&inputLayer={"url":"https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/DeriveHighSchools/FeatureServer/0"}
&distances=[1000]
&outputName={"serviceProperties": {"name":"Results of create buffers"}} HTTP/1.1
Host: analysis3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Use dark colors for code blocksCopy

{
  "jobId": "j06acd3e062b34987bd3feb394146e327",
  "jobStatus": "esriJobSubmitted",
  "results": {},
  "inputs": {},
  "messages": []
}
Expand

Request

HTTP

cURL

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/jobs/j06acd3e062b34987bd3feb394146e327
?f=json HTTP/1.1
Host: analysis3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Expand
Use dark colors for code blocksCopy
{
    "jobId": "j06acd3e062b34987bd3feb394146e327",
    "jobStatus": "esriJobSucceeded",
    "results": {
        "bufferLayer": {
            "paramUrl": "results/bufferLayer"
        }
    },
    "inputs": {},
    "messages": [
        {
            "type": "esriJobMessageTypeWarning",
            "description": "{\"cost\": 0.018}"
        }
    ]
}
Expand

Request

HTTP

cURL

Use dark colors for code blocks

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/jobs/j06acd3e062b34987bd3feb394146e327/results/bufferLayer
?f=json HTTP/1.1
Host: analysis3.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}

Run in Postman

Response

Expand
Use dark colors for code blocksCopy
{
    "paramName": "bufferLayer",
    "dataType": "GPString",
    "value": {
        "url": "https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/Results of create buffers/FeatureServer/0",
        "itemId": "cc227084effa4882a3e5799958284571"
    }
}

Use a job requestA job request is an HTTPS request to a service that starts a server-side operation (or job) with a long duration.Learn more to generate buffer geometries from a layer of points.

Request

HTTP

cURL

Use dark colors for code blocksCopy
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/submitJob
?f=json
&inputLayer={"url":"https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/DeriveHighSchools/FeatureServer/0"}
&distances=[1000]
&outputName={"serviceProperties": {"name":"Results of create buffers"}} HTTP/1.1
Host: analysis3.arcgis.com
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Response

Use dark colors for code blocksCopy

{
  "jobId": "j06acd3e062b34987bd3feb394146e327",
  "jobStatus": "esriJobSubmitted",
  "results": {},
  "inputs": {},
  "messages": []
}
Expand

Request

HTTP

cURL

Use dark colors for code blocksCopy
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/jobs/j06acd3e062b34987bd3feb394146e327
?f=json HTTP/1.1
Host: analysis3.arcgis.com
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Response

Expand
Use dark colors for code blocksCopy
{
    "jobId": "j06acd3e062b34987bd3feb394146e327",
    "jobStatus": "esriJobSucceeded",
    "results": {
        "bufferLayer": {
            "paramUrl": "results/bufferLayer"
        }
    },
    "inputs": {},
    "messages": [
        {
            "type": "esriJobMessageTypeWarning",
            "description": "{\"cost\": 0.018}"
        }
    ]
}
Expand

Request

HTTP

cURL

Use dark colors for code blocksCopy
GET /arcgis/rest/services/tasks/GPServer/CreateBuffers/jobs/j06acd3e062b34987bd3feb394146e327/results/bufferLayer
?f=json HTTP/1.1
Host: analysis3.arcgis.com
X-Esri-Authorization: Bearer {YOUR_ACCESS_TOKEN}

Response

Expand
Use dark colors for code blocksCopy
{
    "paramName": "bufferLayer",
    "dataType": "GPString",
    "value": {
        "url": "https://services3.arcgis.com/GVgbJbqm8hXASVYi/arcgis/rest/services/Results of create buffers/FeatureServer/0",
        "itemId": "cc227084effa4882a3e5799958284571"
    }
}

To learn more about analysis services go to then Spatial analysis services guide.