the first and easiest option for displaying ArcGIS Online content in a Leaflet application that is not shared publicly is to embed credentials directly in your javascript and fetch a token automatically. this is an EXTREMELY bad idea because you are exposing sensitive credentials in the code that is downloaded to each and every browser that ever opens your website.
L.esri.post('https://www.arcgis.com/sharing/rest/generateToken', {
username: 'johndoe',
password: 'password123',
f: 'json',
expiration: 60,
client: 'referer',
referer: window.location.origin
}, callback);complete sample: http://esri.github.io/esri-leaflet/examples/arcgis-server-auth.html
a second, more difficult, and more production appropriate option is to utilize a server side proxy to hide the username and password in code that is NOT accessible to your end users so that the proxy can broker requests to secure resources and append a token on its own.
L.esri.featureLayer({
url: './proxy.ashx?http://services.arcgis.com/uasgdsgd/arcgis/rest/services/SelectivelyShared/FeatureServer/0'
}).addTo(map);Open Source proxies in ASP.NET, PHP and Java that we host on GitHub
https://github.com/Esri/resource-proxy/
Some conceptual information from the ArcGIS API for JavaScript 3.x documentation
https://developers.arcgis.com/javascript/3/jshelp/ags_proxy.html
no matter what you do, you'll need to make sure you are honoring your license agreement and making sure the private content is only accessed by the number of ArcGIS Online named users you're paying for.
