https://community.esri.com/t5/arcgis-enterprise-ideas/token-restriction-in-url/idi-p/1297866 <P>We have security concern that generated token can be used by another user on different machine which all normal access on portal resources by capture the token during internal request within the portal, is there way to hide token or to make portal internal request in post</P> Sun, 11 Jun 2023 06:55:10 GMT ahmedbadr2 2023-06-11T06:55:10Z https://community.esri.com/t5/arcgis-enterprise-ideas/token-restriction-in-url/idi-p/1297866 <P>We have security concern that generated token can be used by another user on different machine which all normal access on portal resources by capture the token during internal request within the portal, is there way to hide token or to make portal internal request in post</P> Sun, 11 Jun 2023 06:55:10 GMT https://community.esri.com/t5/arcgis-enterprise-ideas/token-restriction-in-url/idi-p/1297866 ahmedbadr2 2023-06-11T06:55:10Z https://community.esri.com/t5/arcgis-enterprise-ideas/token-restriction-in-url/idc-p/1308561#M3373 <P>If you are referring to the personal token, that is generated when you access ressources while logged in to Portal, enable HTTPS. This should prevent users sniffing on the webtraffic to read out the tokens.<BR />Of course, tokens should in now case be shared and should be treated like passwords.<BR /><A href="https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-https.htm" target="_blank" rel="noopener">Configure HTTPS—Portal for ArcGIS | Documentation for ArcGIS Enterprise</A><BR /><A href="https://enterprise.arcgis.com/en/portal/latest/administer/windows/enforce-strict-https-communication.htm" target="_blank">Enforce strict HTTPS communication—Portal for ArcGIS | Documentation for ArcGIS Enterprise</A><BR /><BR />If you are referring to generated access tokens, you can limit token access to an specific IP Adress + expiration time</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SimonSchtte_ct_0-1689589272434.png" style="width: 400px;"><img src="https://community.esri.com/t5/image/serverpage/image-id/75514i083021FC358A8BA4/image-size/medium?v=v2&amp;px=400" role="button" title="SimonSchtte_ct_0-1689589272434.png" alt="SimonSchtte_ct_0-1689589272434.png" /></span><BR /><A href="https://enterprise.arcgis.com/en/portal/latest/administer/windows/specify-the-default-token-expiration-time.htm#:~:text=ArcGIS%20token%E2%80%94120%20minutes%20OAuth%20access%20token%2C%20when%20created,type%E2%80%9430%20minutes%20OAuth%20refresh%20token%E2%80%942%20weeks%20%2820%2C160%20minutes%29" target="_blank" rel="noopener">Specify the maximum token expiration time—Portal for ArcGIS | Documentation for ArcGIS Enterprise</A></P><P>&nbsp;</P> Mon, 17 Jul 2023 10:25:35 GMT https://community.esri.com/t5/arcgis-enterprise-ideas/token-restriction-in-url/idc-p/1308561#M3373 SimonSchütte_ct 2023-07-17T10:25:35Z