Limit usage of secure services

To share secure ArcGIS Server web service items with a wide audience—for example, as part of a public web app—store the credentials with the item so the public is not required to sign in to access the app. This creates an ArcGIS item proxy, which forwards user requests with an appended token.

You may also want to limit usage to control how many times and by whom the service is accessed. You can specify the rate limit, and to further restrict usage, designate the specific referrer URLs or IPs that can access the service, for example, the URL of your organization. For example, if you have public kiosks in your lobby that run a web app that contains a secure service, you can designate the URL of your organization and the IP addresses of those kiosks so that they are the only machines allowed to access it.


Designating specific referrers ensures that the specified URLs or IP addresses can connect to the service, but it does not prevent someone from intercepting the proxy call to the secure service and changing it.

Once you add your secure service as an item and store credentials, but before you share it, follow these steps to limit use of the item:

  1. Open the item page for the secure service or app.
  2. Click the Settings tab and scroll down to the Limit Usage section. Click Limit Usage.
  3. Check the Enable rate limiting check box and set the limits: a maximum number of requests allowed for a specific period of time or the referrer URLs and IPs that can access your service.

    For example, you can specify the URL to your organization, such as

    You can also limit the rate and the referrer.

    Your referrer URLs and IPs can be fully qualified URLs (, wildcards to include all subdomains (https://*, or the IP address ( You must specify ports and add https.


    Due to recent changes in the default security policy in web browsers, you can no longer restrict secure services to specific URLs. Restrictions can be applied for URL host names only, for example,

  4. Click OK.

Now you can share the item with those intended to have access to it: your organization, everyone (public), or specific groups to which you belong.