topic Can't validate federated 'server-token' against Portal for ArcGIS self end point in ArcGIS Enterprise Questions

Can't validate federated 'server-token' against Portal for ArcGIS self end point

NicolasGIS — Tue, 10 Feb 2026 15:15:10 GMT

Hello,

I am trying to validate a token on the Portal for ArcGIS (11.5) Inspection end point (self) but I am noticing that when the token has been generated using "generateToken" endpoint to get a 'server-token' in exchange of a 'portal-token', then it does not work:

{"error": {
"code": 498,
"message": "Invalid token.",
"details": ["Error validating token: Server request cannot be verified for account: 0123456789ABCDEF ,Request url: https://myportal.company.com/geoportal/sharing/rest/portals/self Server Id : jT5yBX8d125abcKp , Serverkey recieved 'false'"]
}}

Is it expected ? Or does it look like a bug ?

Thanks,

Self documentation: https://developers.arcgis.com/rest/users-groups-and-items/portal-self/

GenerateToken: https://developers.arcgis.com/rest/users-groups-and-items/generate-token/

Re: Can't validate federated 'server-token' against Portal for ArcGIS self end point

GlenterpriseUK — Fri, 10 Apr 2026 13:24:51 GMT

Hi @NicolasGIS,

What you are seeing is expected behaviour because a server token is only meant to be used with ArcGIS Server not Portal. If you try to use a server token into different Portal endpoints you will get the error message that you received.

Regards,

Glen

Re: Can't validate federated 'server-token' against Portal for ArcGIS self end point

NicolasGIS — Mon, 13 Apr 2026 10:04:57 GMT

Hi @GlenterpriseUK ,

Thanks for your reply.

OK, noted. As it was generated by Portal for ArcGIS for ArcGIS for Server, I would have expected that it could at least be introspected by Portal for ArcGIS.

My main problem is then how can I introspect this token ? I didn't find any other REST end point for doing so in the documentation.

Thanks,

Best regards,

Nicolas

Re: Can't validate federated 'server-token' against Portal for ArcGIS self end point

GlenterpriseUK — Mon, 13 Apr 2026 10:50:41 GMT

Hi @NicolasGIS,

Generate the token for your user in ArcGIS Portal Directory using the https://yourserver.domain.com/portal/sharing/rest/generateToken

When you generate the token, use the following for the WebAppURL https://yourserver.domain.com/server/rest/

Once you have the token generated for your desired user, using a Service URL append the token:

https://yourserver.domain.com/server/rest/services/example/MapServer/0/qyery?where=1%3D1&token=APPENDTOKENVALUE

Let me know how it goes.

Regards,

Glen

Re: Can't validate federated 'server-token' against Portal for ArcGIS self end point

NicolasGIS — Mon, 13 Apr 2026 12:54:30 GMT

Hi @GlenterpriseUK ,

Thanks for your reply.

I know how to use a token. I am looking for a way to inspect it server side.

In the meantime, I found the undocumented end point "/rest/self":

https://myagsserver.company.com/arcgis/rest/self?token=foo&f=json

that does what I want but I don't like using anything not official:

https://developers.arcgis.com/rest/services-reference/enterprise/get-started-with-the-services-directory/

Thanks

Re: Can't validate federated 'server-token' against Portal for ArcGIS self end point

JoshuaBixby — Mon, 13 Apr 2026 13:21:58 GMT

If you haven't already, it might be worth reading through Solved: how to generate correct token for a federated Ente... - Esri Community. Esri's various APIs handle authentication workflows correctly, and handling them with hand-rolled code commonly trips people up.

I can't say I fully understand your authentication workflow. It seems like you are using what is commonly called the two-step exchange, i.e., authentication first happens on Portal to generate a Portal token, and then that Portal token is used to create an ArcGIS Server token using the generateToken endpoint with the token and serverUrl parameters. Portal validates your Portal token, then creates a new ArcGIS Server token encrypted with the federated server's shared key. The resulting token is meant to be used with that specific federated ArcGIS Server and can be validated locally by that server. Portal cannot validate it because it was encrypted with the server's shared key, not the Portal's. If you need to validate a token against the Portal's portals/self endpoint, use the Portal token directly — before the exchange step.