A token is used to authenticate members of your ArcGIS Enterprise organization. When a user attempts to access the organization, they provide their username and password. ArcGIS Enterprise verifies the supplied credentials, generates a token, and issues a token to the member.

A token is a string of encrypted information that contains the user's name, the token expiration time, and other proprietary information. When a token is issued to the member, they can access the portal until the token expires. When it expires, the member must provide their username and password again.

There are three types of tokens used within the portal:

• ArcGIS token—A token generated through the sharing/rest/generateToken endpoint.
• OAuth access token—A token generated through the OAuth2 authentication workflow.
• OAuth refresh token—A token used to generate new OAuth access tokens when they expire.

The maximum expiration time that members of your organization can specify when generating a token depends on the token type. If a user specifies an expiration time that is greater than the maximum, the token will be generated with an expiration matching the maximum value for that token type.

The following values are the maximum expiration times accepted by the portal, and are your organization's maximum values by default:

• ArcGIS token—14 days (20,160 minutes)
• OAuth access token, when created with the Implicit or Client Credentials grant types—14 days (20,160 minutes)
• OAuth access token, when created with the Authorization Code grant type—30 minutes
• OAuth refresh token—90 days (129,600 minutes)

If an expiration time isn't specified when generating a token, a default value is used that varies for each type of token:

• ArcGIS token—120 minutes
• OAuth access token, when created with the Implicit or Client Credentials grant types—120 minutes
• OAuth access token, when created with the Authorization Code grant type—30 minutes
• OAuth refresh token—2 weeks (20,160 minutes)

As an administrator, you can decrease these values by setting the maxTokenExpirationMinutes property in the ArcGIS Portal Administrator Directory to a new value. The default value of -1 represents the maximum and default expiration time for each token type.

If the value you set is less than the maximum value but greater than the default value, only the maximum value will be impacted, and the default value will stay the same. If the value is less than both the maximum and default values, both values will be affected, and the maximum and default values will match what is defined in maxTokenExpirationMinutes.

For example, if you set maxTokenExpirationMinutes to 17280 (12 days), the maximum expiration time for the ArcGIS token, OAuth access token when created with the Implicit or Client Credentials grant types, and OAuth refresh token will be 12 days. The OAuth access token when created with the Authorization Code grant type will remain 30 minutes. For the default expiration time used when none is specified, only the OAuth refresh token will update to 12 days.

It is important to consider the security implications behind a token. A token with a longer expiration time is less secure. For example, a token intercepted by a malicious user can be used until the token expires. Conversely, a shorter expiration time is more secure but less convenient, as members may need to enter their username and password more frequently.

Feedback on this topic?