Request an app-specific token, passing in the token for the current app.

This call returns a token after performing the same checks made by validateAppAccess. It returns an app-specific token of the signed-in user only if the user has access to the app and the encrypted platform cookie is valid.

A scenario where an app would use this is if it is iframed into another platform app and receives credentials via postMessage. Those credentials contain a token that is specific to the host app, so the embedded app would use exchangeToken to get one that is specific to itself.
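The embedded-app scenario above, sketched as an added TypeScript example (not code from the ArcGIS REST JS project). The `exchange` parameter stands in for `exchangeToken` with the signature documented on this page; the message shape, the origin allowlist and the helper names are assumptions made for illustration.

```typescript
// Same shape as the exchangeToken signature documented on this page.
type ExchangeToken = (token: string, clientId: string, portal: string) => Promise<string>;

// Minimal stand-in for the browser MessageEvent (only the fields used here).
interface HostMessage {
  origin: string;
  data: unknown;
}

// Constructed allowlist of host-app origins allowed to hand us credentials.
const TRUSTED_HOST_ORIGINS: string[] = ["https://host.example.com"];

// Returns the host-app token carried by a message, or null when the sender is
// not an allowlisted origin or the payload holds no non-empty string token.
// Assumed (hypothetical) payload shape: { credential: { token: string } }.
function extractHostToken(
  msg: HostMessage,
  trusted: string[] = TRUSTED_HOST_ORIGINS
): string | null {
  // Exact origin comparison: prefix or suffix matching would accept look-alikes.
  if (trusted.indexOf(msg.origin) === -1) return null;
  const data = msg.data as { credential?: { token?: unknown } } | null;
  const token = data && typeof data === "object" ? data.credential?.token : undefined;
  return typeof token === "string" && token.length > 0 ? token : null;
}

// Exchanges the host-specific token for one scoped to this app's clientId.
// The host token is never returned, so it cannot end up on this app's requests.
async function tokenForEmbeddedApp(
  msg: HostMessage,
  exchange: ExchangeToken,
  clientId: string,
  portal: string
): Promise<string> {
  const hostToken = extractHostToken(msg);
  if (hostToken === null) {
    throw new Error("rejected credential message from " + msg.origin);
  }
  // The service repeats the validateAppAccess checks; a failure rejects here.
  return exchange(hostToken, clientId, portal);
}
```

In the embedded app, `msg` would be the `message` event received from the host window and `exchange` the `exchangeToken` function documented here.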

Note: This is only usable by Esri applications hosted on *, * or within an ArcGIS Enterprise installation. Custom applications cannot use this.

  • exchangeToken(token: string, clientId: string, portal: string) : Promise<string>


| Parameter | Type | Default | Notes |
| --- | --- | --- | --- |
| token (Required) | string | | |
| clientId (Required) | string | | |
| portal (Optional) | string | "" | |



Function defined in packages/arcgis-rest-auth/src/app-tokens.ts:25