Hi everyone,
We're using ArcGIS Enterprise and have uploaded image files to an item using the REST API (/sharing/rest/content/items/{itemId}/resources). These images are referenced from an ArcGIS Site page in standard HTML using <img src="...">.
The behavior we're experiencing is:
When users are logged in through the REST interface (e.g. after visiting the /items/{itemId}/resources URL), the images are displayed correctly in the Site.
When users are only logged into the Site (which is part of the organization), the images do not appear — they show as broken links unless the user also logs in through the REST endpoint.
All content is intended to be restricted to internal organizational users — it is not meant to be public.
What we are trying to achieve:
We want authenticated organization users to access the ArcGIS Site and see these images without having to log in again separately to the REST endpoint. We are not trying to expose the resources to anonymous users, just to avoid double authentication.
We’ve considered using OAuth (IdentityManager with OAuthInfo), but <script> tags are stripped when saving HTML blocks in Sites, so we can't include the logic directly.
Our questions:
Is there a recommended way to embed secured /resources images in Sites so they are visible to signed-in organization members?
Can token handling be done automatically when a user is already signed into the Site?
Are there alternative approaches for referencing item resources in HTML that respect the session of the logged-in user?
We’re looking for a solution that respects organization-only access while improving user experience (no double login).
Thanks in advance for your help!
