Adjusting Token Expiration Times in ArcGIS Enterprise Portal

This guide explains how to increase the validity period for Access Tokens and Refresh Tokens in your ArcGIS Enterprise Portal. Adjusting these values helps prevent frequent sign-in requests for connected client applications.

Note: This configuration must be performed by a Portal Administrator and requires access to the Portal Administrator Directory. This process applies to ArcGIS Enterprise (Portal), not ArcGIS Online.

Access Token vs. Refresh Token Expiration

Two key settings control user sessions:

  1. Access Token Expiration (maxTokenExpirationMinutes ): The lifespan of the short-lived token used for API requests. Default is 120 minutes (2 hours).
  2. Refresh Token Expiration (tokenMaxIdleTime ): The lifespan of the long-lived token that allows silent renewal. Default is 14 days. This controls how long a user can remain signed in without seeing the login prompt.

Step-by-Step: Updating Token Expiration

Use the following steps to modify the security properties of your Portal.

1. Navigate to the Portal Administrator Directory

  1. Open your web browser and navigate to the Portal Administrator Directory.
    • URL Example: https://gis.yourdomain.com/portal/portaladmin
  2. Sign in using a built-in Portal administrator account.

2. Access the Security Settings

  1. Click on the System option in the top right menu.
  2. On the left-hand menu, click Security.
  3. Scroll to the bottom of the page and click the Update operation.

3. Apply the Changes via JSON Payload

You will update the settings by providing a JSON object. You can adjust one or both settings.

A. To Increase the Access Token Lifespan:

This is the short-lived token. Setting it higher means clients will call the renewal endpoint less frequently.

Setting Value Description
maxTokenExpirationMinutes 480 Sets the Access Token lifespan to 8 hours. The default is 120 minutes.

B. To Increase the Refresh Token Lifespan (Session Persistence):

This controls the maximum time a user can stay logged in without needing to re-enter their credentials.

Setting Value Description
tokenMaxIdleTime 28 Sets the maximum session time to 28 days. The default is 14 days.

Combined JSON Payload Example (Recommended for Persistent Sessions):

Copy the following JSON and adjust the values as needed. This example sets the Access Token to 4 hours and the maximum session time (Refresh Token validity) to 28 days.

{
  "maxTokenExpirationMinutes": 240, 
  "tokenMaxIdleTime": 28 
}

4. Execute the Update

  1. Paste the customized JSON payload into the Properties  text box on the Update Security page.
  2. Click the Update button.

5. Restart the Portal Service (Mandatory)

For these security changes to take effect across your entire Portal deployment, the Portal for ArcGIS service must be restarted on the host machine(s).

Summary of the Change

By increasing the tokenMaxIdleTime , you extend the life of the Refresh Token. As long as this Refresh Token is valid, client applications using the Identity Manager will automatically and silently exchange it for a new Access Token when the old one expires, eliminating the need for the user to sign in repeatedly.

Still need help? Contact Us Contact Us