Request a token for a specific application using the esri_aopc encrypted cookie

When a client app boots up, it will know its clientId and the redirectUri for use in the normal /oauth/authorize pop-out OAuth flow.

If the app sees an esri_aopc cookie (only set if the app is hosted on *), it can call the /oauth2/platformSelf endpoint, passing in the clientId and redirectUri in headers, and it will receive back an app-specific token, assuming the user has access to the app.

Since there are scenarios where an app can boot using credentials/token from localStorage but those credentials are not for the same user as the esri_aopc cookie, it is recommended that an app check the returned username against any existing identity it may have loaded.

Note: This is only usable by Esri applications hosted on *, * or within an ArcGIS Enterprise installation. Custom applications cannot use this.
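
One way to implement the username check recommended above, as an added example that is not part of the original page or the library. The response fields (username, token, expires_in) are the ones documented here; the function names, the stored-identity shape and the policy that the cookie's identity wins on a mismatch are assumptions.

```javascript
// Added example, not library code. The response fields (username, token,
// expires_in) are the ones documented on this page; the stored-identity shape
// and the "cookie identity wins on mismatch" policy are assumptions.
function sessionFromPlatformSelf(response, now) {
  const ok = response &&
    typeof response.username === 'string' && response.username !== '' &&
    typeof response.token === 'string' && response.token !== '' &&
    Number.isFinite(response.expires_in) && response.expires_in > 0;
  if (!ok) return null; // malformed response: never build a session from it
  return {
    username: response.username,
    token: response.token,
    tokenExpires: new Date(now + response.expires_in * 1000),
  };
}

// stored: { username, token, tokenExpires: Date } restored from localStorage, or null.
function reconcileIdentity(stored, response, now = Date.now()) {
  const fromCookie = sessionFromPlatformSelf(response, now);
  const storedValid = Boolean(stored && stored.username && stored.token &&
    stored.tokenExpires instanceof Date && stored.tokenExpires.getTime() > now);

  if (!fromCookie) {
    // Cookie exchange gave nothing usable: keep a still-valid stored identity.
    return storedValid
      ? { action: 'keep-stored', session: stored, discardStored: false }
      : { action: 'sign-in', session: null, discardStored: Boolean(stored) };
  }
  if (storedValid && stored.username !== fromCookie.username) {
    // Two different users: drop the stale credentials so requests are not
    // sent as one user while the UI shows another.
    return { action: 'mismatch', session: fromCookie, discardStored: true };
  }
  return {
    action: storedValid ? 'match' : 'use-cookie',
    session: fromCookie,
    discardStored: Boolean(stored) && !storedValid,
  };
}

// Constructed sample data (not real tokens).
const NOW = Date.UTC(2024, 0, 1);
const storedAlice = { username: 'alice', token: 'stored-token', tokenExpires: new Date(NOW + 3600e3) };
const cookieBob = { username: 'bob', token: 'app-token', expires_in: 1800 };
console.log(reconcileIdentity(storedAlice, cookieBob, NOW).action); // mismatch
```

When discardStored is true, the caller should remove the stored credentials from localStorage before persisting the returned session.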

// convert the encrypted platform cookie into a UserSession
import { platformSelf, UserSession } from '@esri/arcgis-rest-auth';

const portal = '';
const clientId = 'YOURAPPCLIENTID';

// exchange the esri_aopc cookie for an app-specific token;
// sessionPromise resolves to the constructed UserSession
const sessionPromise = platformSelf(clientId, 'https://your-app-redirect-uri', portal)
  .then((response) => {
    // expires_in is in seconds from now; convert it to an absolute timestamp
    const currentTimestamp = new Date().getTime();
    const tokenExpiresTimestamp = currentTimestamp + (response.expires_in * 1000);
    // Construct the session and return it
    return new UserSession({
      username: response.username,
      token: response.token,
      tokenExpires: new Date(tokenExpiresTimestamp),
      ssl: true
    });
  });


Parameter               Type     Default   Notes
clientId (Required)     string
redirectUri (Required)  string
portal (Optional)       string   ""


Property     Type     Notes
expires_in   number   Token expiration, in seconds-from-now
token        string   Token the consuming application can use. It is tied to the clientId used in the platformSelf call
username     string   Username of the user the encrypted cookie was issued for

Function defined in packages/arcgis-rest-auth/src/app-tokens.ts:110