Proxy Token Manager — Secure ArcGIS Enterprise Services

Proxy Token Manager architecture diagram — secure token gateway between client devices and ArcGIS Enterprise Map, Feature, and Image Services

TL;DR — Proxy Token Manager (PTM) is a reverse proxy and operations console that adds per-customer API tokens, referrer and IP allowlists, real-time audit logging, rate limiting, and auto-generated developer documentation to ArcGIS Enterprise Map, Feature, Image, and Vector Tile Services. It deploys in front of ArcGIS Server and Portal for ArcGIS without changing the underlying GIS stack, and it does so with sub-millisecond proxy overhead that the dashboard proves on every page view.

Public institutions sit on some of the most useful geospatial data in the country — parcel records, infrastructure layers, zoning, environmental coverage, basemap tiles. Sharing that data with partner agencies, contractors, and citizen-facing applications is not the hard part. Sharing it safely — with per-customer authentication, queryable audit trails, enforceable usage policies, and verifiable performance — is the hard part. Proxy Token Manager is the layer that sits between your ArcGIS Enterprise services and everyone who consumes them, and turns that hard part into operational routine.

What Is Proxy Token Manager?

Proxy Token Manager (PTM) is a token-aware reverse proxy and operations console for ArcGIS Enterprise services. It intercepts every HTTP request to your ArcGIS Map Services, Feature Services, Image Services, and Vector Tile Services; validates the request against a per-customer API token, referrer policy, and optional IP allowlist; forwards approved traffic to the upstream ArcGIS Server endpoint; and writes a structured record of the transaction to an auditable PostgreSQL database. The result is a single, unified access control plane in front of ArcGIS services that historically have lived behind ad-hoc URL secrets and good intentions.

PTM does not replace Portal for ArcGIS, ArcGIS Server, or any part of your existing Esri stack. It is a thin governance layer that wraps the services you already publish, and it coexists cleanly with native ArcGIS token authentication, federated identity, and existing reverse proxies.

ArcGIS Enterprise Security Challenges PTM Addresses

Open services are not the same as governed services

Most ArcGIS Enterprise deployments end up with a small population of services exposed for partner agencies, contractors, regional offices, or public-facing web maps. The original sharing decision was deliberate. The downstream sprawl — unknown referrers consuming the service, unrotated API keys, no usage visibility per consumer — was not. PTM gives that sprawl a clear perimeter, with per-customer tokens, per-customer referrer allowlists, and per-customer telemetry.

Audit logging is non-negotiable in the public sector

Regulators, internal information-security teams, and procurement reviews increasingly ask the same question of GIS operators: who accessed which dataset, when, and from where? If the answer requires a forensic NGINX access-log dive, the answer is effectively “we don’t know.” PTM stores per-request audit records — timestamp, source IP, customer identity, requested service path, HTTP status code, response time — in a queryable database with a configurable retention horizon (seven days to ten years).

Customer onboarding is the silent operational tax

Every new partner that integrates with an ArcGIS service generates a back-and-forth thread about service URLs, authentication parameters, framework-specific code samples, and rate-limit expectations. PTM compresses that thread into a single per-customer PDF that the operator generates with one click — already populated with the customer’s API key, their assigned services, and copy-paste integration code for the ArcGIS JavaScript SDK, Leaflet, and OpenLayers.

API token lifecycles drift without tooling

Long-lived API keys are a known security liability. Short-lived keys are an operational headache without dedicated tooling. PTM treats expiry, warning windows, and rotation as first-class workflow steps so the operator stays ahead of the lifecycle instead of chasing it.

ArcGIS Enterprise security perimeter — token-based access control and audit logging visualized as a secure cyan lattice

Capabilities

1. Token-Based Access Control for ArcGIS Services

Every customer in PTM gets a unique API token that the proxy validates on every request to a bound ArcGIS service. Each token carries an explicit expiry policy (one day, one month, one year, or non-expiring), an allowlist of referrer domains the request must originate from, and optionally an IP allowlist for service-to-service deployments. Tokens can be rotated in place without taking the upstream ArcGIS service offline, and expired customers stop receiving traffic the moment their window closes — no manual cleanup required.
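The per-request decision described above, together with the audit record fields listed earlier under audit logging, as an added sketch that is not PTM's own code. The `Customer` record, the `decide` and `token_key` helpers, the `Referer` header as the referrer source, the 401/403 status codes, and all sample tokens, hosts and IPs are assumptions made for illustration.

```python
import hashlib
import ipaddress
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Customer:  # hypothetical policy record, not PTM's schema
    name: str
    expires_at: Optional[datetime]                 # None = non-expiring token
    referrers: set = field(default_factory=set)    # allowed Referer hosts
    networks: list = field(default_factory=list)   # optional CIDR allowlist

def token_key(token: str) -> str:
    # Index customers by digest so the policy table never holds raw tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def decide(customers, token, referer, source_ip, path, now):
    """Return (status, audit_json) for one request; 401/403 are assumed codes."""
    cust = customers.get(token_key(token or ""))
    status = 200
    if cust is None or (cust.expires_at and now >= cust.expires_at):
        status = 401                      # unknown token or expiry window closed
    else:
        # Exact host match: a substring test would accept look-alike hosts.
        host = urlsplit(referer or "").hostname or ""
        ip = ipaddress.ip_address(source_ip)
        if cust.referrers and host not in cust.referrers:
            status = 403
        elif cust.networks and not any(
                ip in ipaddress.ip_network(n) for n in cust.networks):
            status = 403
    # Response time is appended once the upstream call returns (not modelled).
    record = {"timestamp": now.isoformat(), "source_ip": source_ip,
              "customer": cust.name if cust else None,
              "service_path": path, "status": status}
    return status, json.dumps(record, sort_keys=True)

# Constructed sample data: tokens, hosts and documentation-range IPs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
END = datetime(2024, 12, 31, tzinfo=timezone.utc)
CUSTOMERS = {
    token_key("tok-partner-a"): Customer("partner-a", END, {"maps.partner-a.example"}),
    token_key("tok-svc-b"): Customer("svc-b", None, networks=["203.0.113.0/24"]),
    token_key("tok-lapsed"): Customer("lapsed", datetime(2024, 1, 1, tzinfo=timezone.utc)),
}
```

The `Referer` header is supplied by the client, so for service-to-service consumers the IP allowlist is the check that carries weight; the referrer check mainly constrains browser-based map clients.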

2. Real-Time Audit Logging and Operational Metrics

The PTM dashboard surfaces a thirty-day request timeline, current-day request volume, active-customer count, and bound-layer count at a glance. Per-customer drill-downs expose the full request history with filtering by time window, HTTP status, and source IP, plus a top-IPs report so the operator sees exactly which networks are consuming a given service. Every event is also written as structured JSON to the application log stream, ready for ingestion into Loki, Elasticsearch, CloudWatch, or any centralized observability platform.

3. Rate Limiting and Per-Customer Usage Policy

Per-customer rate limits prevent any single integration from consuming a disproportionate share of your ArcGIS Server capacity. Combined with the audit log, rate limits give operators the data they need for capacity planning, billing, and service-level negotiation with downstream consumers.

4. Auto-Generated Customer Onboarding PDFs

For every customer, PTM produces a branded PDF guide containing the assigned API key, expiry timeline, the proxy paths for each bound service, rate-limit details, and copy-paste integration code samples for the three most common map clients in production today: the ArcGIS JavaScript SDK, Leaflet, and OpenLayers. The integration story for a new partner becomes a single PDF and a calendar invite — not a week of email.

5. Lifecycle Automation

PTM ships with the operational details that consume real time in unmanaged setups: configurable expiry-warning thresholds with dashboard banners that flag customers whose tokens lapse within the operator’s chosen window, automatic NGINX configuration regeneration and reload when a layer is bound or unbound, an audit-retention cron that prunes log records past the configured horizon, and a token expirer that revokes access on schedule. The system maintains itself between operator interventions.

Proxy latency comparison — Proxy Token Manager adds negligible overhead to ArcGIS service requests, shown as two parallel cyan data streams flowing at near-identical speed

ArcGIS Proxy Performance: How Much Latency Does PTM Add?

The first question every GIS team asks about a proxy is the right one: what does this cost in latency? PTM answers it on the dashboard, in plain numbers, without asking anyone to take it on faith. The operations view shows the rolling twenty-four-hour average response time of requests that traverse the proxy alongside the equivalent average for direct-to-upstream ArcGIS Server traffic. In well-tuned deployments the gap is measured in fractions of a millisecond — well below the threshold at which any human or downstream system can perceive a difference. The product proves its own performance characteristic every time the operator opens it.

Who Proxy Token Manager Is For

  • Municipal and regional government GIS teams that share infrastructure, parcel, and environmental layers with multiple internal departments and external partners.
  • Enterprise ArcGIS Server and Portal for ArcGIS operators who need a single, auditable boundary in front of a portfolio of services without changing the underlying ArcGIS deployment.
  • Information-security and compliance functions that require provable, queryable evidence of who accessed which dataset and when.
  • API platform and developer-experience teams running geospatial services for multi-tenant consumption who need per-customer policy, per-customer documentation, and per-customer telemetry without building it themselves.
  • Utility, telecom, and transport operators publishing operational GIS data to contractors and field crews who need scoped, time-bound access.

How PTM Compares to Native ArcGIS Token Authentication

Native ArcGIS token authentication is excellent at what it was designed for: authenticating named users and applications inside the Esri identity model. It was not designed to give operators a per-consumer audit trail across a portfolio of public-facing services, to issue and rotate scoped tokens for external partners, to enforce referrer and IP allowlists per consumer, or to generate consumer-specific developer documentation. PTM does not replace native ArcGIS tokens — it complements them with a governance and operations layer optimized for multi-tenant, externally consumed services.

Is Proxy Token Manager an Esri product?

No. PTM is a third-party operations product built by Rodosto Teknoloji that sits in front of any ArcGIS Enterprise deployment. It does not modify ArcGIS Server or Portal for ArcGIS in any way.

Does PTM work with ArcGIS Online or only ArcGIS Enterprise?

PTM is designed for ArcGIS Enterprise (Portal for ArcGIS + ArcGIS Server). The proxy can technically front any HTTP-accessible map service, but the customer-and-layer model and integration points (NGINX configuration generation, log polling) are built around the Enterprise topology.

Which ArcGIS service types does PTM support?

ArcGIS Map Services, Feature Services, Image Services, and Vector Tile Services. Each bound service receives its own per-customer proxy path under the PTM domain.

How much latency does the proxy add?

In well-tuned deployments, sub-millisecond — typically under 0.3 ms of overhead per request. The dashboard displays proxy-vs-direct response times side by side so the operator can verify the figure on their own infrastructure.

How are API tokens delivered to customers?

The operator generates a per-customer onboarding PDF directly from the PTM dashboard. The PDF contains the API token, the assigned service paths, expiry information, rate-limit details, and working integration code samples for the ArcGIS JavaScript SDK, Leaflet, and OpenLayers.

Can PTM enforce IP allowlists in addition to referrer policies?

Yes. Each customer can have a referrer allowlist, an IP allowlist, or both. Both are enforced at the proxy layer before the request reaches the upstream ArcGIS service.

What database does PTM use for audit logs?

PostgreSQL. Audit retention is configurable per organization, from seven days up to ten years, with an automatic retention cron that prunes records past the configured horizon.

Can audit logs be exported to existing observability tools?

Yes. PTM emits structured JSON application logs that can be shipped to Loki, Elasticsearch, CloudWatch, Datadog, or any centralized log aggregator alongside the in-database audit table.