ArcGIS for Server Long Tokens

I recently wanted to use a secure ArcGIS for Server map service with a new proof-of-concept (POC) web application. The service was secure, but I want to allow public access to the application without any credentials required by the user. I could take care of this with a username/password in the Esri Resource Proxy; or have the application request a token with a user/pw saved in JavaScript (bad idea), but I was hoping to keep it simple with a “HTTP Referer” token. However, when visiting the token request page (http://domain/arcgis/tokens/) the longest request I could make was for 1 year. Not that I needed a longer token for this POC, but now I was intrigued. How do I create an ArcGIS for Server long token?

I’m sure we all hope our sites will survive longer than one Super Bowl - but can we create a token for more than a year? Since the ArcGIS for Server Long Token request GUI really just helps the user populate and submit a REST request, why not just submit our own in its place with a longer Expiration setting?!

Yes, we need to be careful of HTTP Referer Spoofing and other questionable external attempts to our services, so putting the resulting token directly in a JavaScript file isn’t the most secure method. For more rigorous security you can put this long token in the Esri Resource Proxy configuration file for a great approach to both security and longevity. The proxy can even be configured with it’s own HTTP referer settings, rate limits, and additional authentication options if you so choose.

Check your configuration:

The ArcGIS for Server long token request is straight forward, but there is one catch (there always is): ArcGIS for Server has a maximum lifespan of long-lived tokens (this is a good thing). Even better - this is configurable! To set the maximum length for all long tokens, just log into ArcGIS for Server: Manager > Security > Settings, and you can set the length of time both the short and long tokens.

The long token lifespan is set in number of days, so for this example, we will set the number to 3654 to cover 10 years (to account for leap years and some rounding). Once the setting is updated, we can start making our longer token requests.

Generate the Token:

With the username, password, and HTTP referer site information ready to go, you can now make the token request by opening your web browser and typing a URL:

http://domain/arcgis/tokens/request=gettoken&username=USER&password=PW&clientid=ref.https://www.spatialtimes.com&expiration=5261750

You might notice the expiration date doesn’t look the same as the config setting. While the config setting is in days, the token expiration parameter is in minutes. Once complete, a successful request will return a new token in your browser window. Copy this token to your Proxy configuration or JS file and you are off to the races. Might be a good idea to put a reminder in your 2024 calendar to update the token just in case, hopefully you aren’t already busy that day.