HTTP authorization headers

The Authorization header of HTTP requests can be used to provide credentials that authenticate a client with a server. You can use authorization headers to authenticate requests to ArcGIS services with an access token. Using an authorization header prevents intermediaries on the network, such as proxies, gateways or load-balancers, from being able to access the token. This offers additional security benefits compared to sending the access token as a query parameter.

To use an authorization request header with ArcGIS services, you can use either the Authorization or X-Esri-Authorization HTTP request header.

  • Authorization header: This is the standard HTTP header for passing authentication credentials, such as Bearer tokens for OAuth 2.0. ArcGIS services that use non-web-tier authentication (not using Windows Integrated, PKI, etc.) typically accept tokens in this header. It is widely supported and recommended for most API authentication scenarios.

  • X-Esri-Authorization header: This is a custom header defined by Esri, primarily used for ArcGIS services that require web-tier authentication. Using this header can help avoid conflicts with other authentication systems that may already use the standard Authorization header, and is often required for compatibility with certain ArcGIS server configurations or versions (notably, web-tier security setups).

How to use an authorization header

The general steps to use an authorization header are:

  1. Implement an authentication type to obtain an access token.
  2. Set the server host domain.
  3. Set the authorization header and bearer using the access token.
  4. Send the request.

Example request

GET /arcgis/rest/services/styles/v2/styles/arcgis/navigation/ HTTP/1.1
Host: basemapstyles-api.arcgis.com
Authorization: Bearer {YOUR_ACCESS_TOKEN}
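
The steps above as an added Python example (not Esri's code): it builds the geocoding request used on this page with the token in the Authorization header and, for comparison, the query-parameter form, where the token becomes part of the URL that access logs and browser history typically record. The token value is a constructed placeholder, and `token` as the query parameter name is an assumption, since the page does not name it.

```python
import urllib.parse
import urllib.request

# Geocoding endpoint and parameters taken from the request shown on this page.
GEOCODE_URL = ("https://geocode-api.arcgis.com/arcgis/rest/services/"
               "World/GeocodeServer/findAddressCandidates")
PARAMS = {"f": "pjson", "singleLine": "1600 Pennsylvania Ave NW, DC"}


def build_header_request(url, params, token):
    """Return a GET request that carries the token only in the Authorization header."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing to attach a bearer token to a non-HTTPS URL")
    if "token" in params:
        raise ValueError("token must not be passed as a query parameter")
    if not token or any(ch in token for ch in "\r\n "):
        raise ValueError("token is empty or contains whitespace/CR/LF")
    request = urllib.request.Request(
        url + "?" + urllib.parse.urlencode(params), method="GET")
    # Unredirected headers are not copied onto the follow-up request if the
    # server answers with a redirect, so the token stays with the original host.
    request.add_unredirected_header("Authorization", "Bearer " + token)
    return request


def build_query_token_url(url, params, token):
    """Query-parameter form, for comparison: the token is part of the URL."""
    # "token" as the parameter name is an assumption, not taken from the page.
    return url + "?" + urllib.parse.urlencode({**params, "token": token})


if __name__ == "__main__":
    token = "CONSTRUCTED-TOKEN-0000"  # constructed placeholder, not a real token
    req = build_header_request(GEOCODE_URL, PARAMS, token)
    print("URL (what access logs record):", req.full_url)
    print("Authorization header present:", req.has_header("Authorization"))
    print("Query-parameter form:", build_query_token_url(GEOCODE_URL, PARAMS, token))
    # To send the request: urllib.request.urlopen(req, timeout=10)
```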

Code examples

Location services

This example demonstrates how to use authorization headers to access the ArcGIS Geocoding service.

To learn more about location services, go to the Mapping and location services guide.

Request
GET https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates
?f=pjson
&singleLine=1600 Pennsylvania Ave NW, DC HTTP/1.1
Authorization: Bearer {YOUR_ACCESS_TOKEN}
Response
{
  "spatialReference": {
    "wkid": 4326,
    "latestWkid": 4326
  },
  "candidates": [
    {
      "address": "1600 Pennsylvania Ave NW, Washington, District of Columbia, 20500",
      "location": {
        "x": -77.036546998209,