laptop and a wrench


Generating a token using the OAuth2.0 endpoints with a valid Client ID and Client Secret returns a token, which is not valid to access services, which are owned by the same user who created the registered application. This occurs in a federated Portal for ArcGIS and ArcGIS GIS Server environment with a hosting server configured.

Last Published: March 1, 2016 ArcGIS API for JavaScript
Bug ID Number BUG-000093367
SubmittedJanuary 7, 2016
Last ModifiedFebruary 15, 2023
Applies toArcGIS API for JavaScript
Version found3.14
Operating SystemWindows OS
Operating System Version7.0 64 Bit
StatusWill Not Be Addressed

Additional Information

This is intended behavior, it is a limitation of app logins. Tokens obtained by applications can only read public content and services. Although an App login cannot be used with private content, if the goal is to distribute or sell an app to organizations without ArcGIS Online (no named users), the control access to the content may be controlled by using an login mechanism (Identity) to the app.

Steps to Reproduce

Bug ID: BUG-000093367


  • ArcGIS API for JavaScript

Get help from ArcGIS experts

Contact technical support

Download the Esri Support App

Go to download options

Discover more on this topic