Are tokens OK on public feature services?

Question asked by on Jan 15, 2019

I have a web app that uses OAuth2 to authenticate Esri named users. I have an access token for the user and, if the feature service is "secured" (not shared with public), I append the token to the feature service to load it (e.g. "[feature service url]?token=[token]").


It used to be that if I appended the token to a "public" feature service (share with everyone), then I would get an error and the service wouldn't load. That meant I would have to track which services were "secured" and which were "public" and request the data accordingly.


I noticed on AGOL the other day when I looked at the details page of a "public" feature service that an access token was appended to it. I thought that was interesting, so I started experimenting. It appears that I can now append any Esri access token to a "public" feature service and it will still load as long as the token is valid.


I have 3 questions on this topic:

  1. Is my understanding correct, that you can append an access token to a "public" feature service and it will still load?
  2. If that is correct, when was the change made? Is it documented somewhere?
  3. Will that always work in the future? If so, I am going to simplify my codebase and always append an access token to feature services. If it is uncertain, I might need to leave it all in "just in case".