Hello,
We have a GIS website that we recently updated to use the Javascript API 4.17 and moved it to a new server along with updated feature services on a new ArcGIS server. The site is public-facing, open to all, and utilizes a good number of feature/image services we host on our internal ArcGIS servers (10.7) via a web adapter. After closing down the old web site, our IT department reported there was still substantial traffic to our old feature services. Apparently, several outside entities have been consuming our imagery services for their own use as they had been publicly exposed.
We want to make the data and imagery available to the public via our website but we are not a hosting service for other entities. It is especially frustrating as IT has reported these other entities are accounting for more than 30 times our own network traffic to the image services.
Can feature and image services hosted on a standalone ArcGIS server deployment be secured but yet still available to an open, public-facing website that is mostly client-side javascript? We do not want users to have to log in to view the site. Looking through the Developers documentation (Access secure resources), it appears this can be accomplished using ArcGIS Tokens but I cannot find a comprehensive example for the Javascript API 4.17.
I also want to make sure this is not a violation of any ESRI policy.