I have a web app that uses OAuth2 to authenticate Esri named users. I have an access token for the user and, if the feature service is "secured" (not shared with public), I append the token to the feature service to load it (e.g. "[feature service url]?token=[token]") .
It used to be that if I appended the token to a "public" feature service (share with everyone), then I would get an error and the service wouldn't load. That meant I would have to track which services were "secured" and which were "public" and request the data accordingly.
I noticed on AGOL the other day when I looked at the details page of a "public" feature service that an access token was appended to it. I thought that was interesting, so I started experimenting. It appears that I can now append an any Esri access token to a "public" feature service and it will still load as long as the token is valid.
I have 3 questions on this topic:
- Is my understanding correct, that you can append an access token to a "public" feature service and it will still load?
- If that is correct, when was the change made? Is it documented somewhere?
- Will that always work in the future? If so, I am going to simplify my codebase and always append an access token to feature services. If it is uncertain, I might need to leave it all in "just in case".