I have an ArcGIS Developer account, so I can access a private feature layer in my account by adding it to the scopes on my API Key page.
But my client has an ArcGIS Online Account, and the documentation states "API keys cannot be used with ArcGIS Online accounts to access private hosted layer (items) and data services.", so if I understand correctly, that method will not work for them. (And I wouldn't want to use this method in production anyway, since the API Key would provide indefinite access to read the private layer)
I first attempted to solve this by getting an authentication token using my Client ID and Client Secret (server side), then passing this to my web application and assigning it to esriConfig.token (right below esriConfig.apiKey), but after removing the scope from the API Key settings, I am no longer able to load the private layer. Console message: "You do not have permissions to access this resource or perform this operation."
I know that the token has sufficient privileges because I can put the feature layer URL in a web browser and add "?token=[the token]" and it grants me access.
My questions:
1) How do I load a private feature layer using a token? Or is there a better way to load a private feature layer in an ArcGIS Online account (when the user of the web application is not an ArcGIS user)?
2) How can I limit the privileges of the token so it is read only and only for that one feature layer?
