498 Invalid Token

HTTP response status code 498 Invalid Token is an unofficial client error specific to ArcGIS by Esri. The server returns this code when the HTTP request includes a token not accepted by the server.

Usage

The 498 Invalid Token status code indicates the client included a required authentication token in the HTTP request, but the server rejected the token. Common causes include expired tokens, revoked tokens, and tokens generated for a different service endpoint. Resolving this error requires resubmitting the request with a freshly generated, valid token.

SEO impact

Search engines like Google do not index a URL with 498 Invalid Token response status. URLs previously indexed with this code are removed from search results.

Example

A client sends a request to an ArcGIS REST API endpoint with an expired token. The server responds with 498 Invalid Token.

Request

GET /arcgis/rest/services/Map/MapServer?f=json&token=expired_abc123 HTTP/1.1
Host: www.example.re

Response

HTTP/1.1 498 Invalid Token
Content-Type: application/json

{
  "error": {
    "code": 498,
    "message": "Invalid token.",
    "details": [
      "Token has expired."
    ]
  }
}

How to fix

Generate a new authentication token from the ArcGIS token endpoint. Expired tokens are the most common cause of this error. The generateToken REST operation issues a fresh token:

POST https://www.example.re/portal/sharing/rest/generateToken
Content-Type: application/x-www-form-urlencoded

username=admin&password=secret&client=referer&referer=https://www.example.re&f=json

The Content-Type header must be application/x-www-form-urlencoded. Missing this header causes token generation to fail silently.

Check token binding settings. Tokens bound to a specific IP address fail when a proxy, load balancer, or NAT changes the apparent client IP between token generation and use. Switch to client=referer binding when proxy infrastructure sits between the client and the server.

Verify the case of the username. Usernames are case-sensitive: the ArcGIS REST API treats Admin and admin as different accounts during token generation.

Check the token expiration timestamp returned in the generateToken response and refresh before expiry. Implement proactive token renewal in client code to avoid mid-request expiration.

Send the token in the X-Esri-Authorization header instead of the token query parameter. Query parameters are logged by intermediate proxies, gateways, and load balancers, exposing the token in plain text:

X-Esri-Authorization: Bearer <token>

Confirm the token has permissions for the requested resource. Tokens generated for one ArcGIS Server endpoint or organization are not valid for a different endpoint. Federated servers require a portal token exchanged through the federation trust relationship.
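
The proactive renewal and header-based token transport described above, sketched as an added example (not Esri's or this page's own code). It assumes the generateToken response carries "token" and "expires" (epoch milliseconds); fetch_token, send, TokenCache and the 60-second margin are hypothetical names and values chosen for illustration.

```python
import time

class TokenCache:
    """Caches a token and renews it shortly before the server-side expiry."""

    def __init__(self, fetch_token, now=time.time, margin_s=60):
        # fetch_token is a hypothetical callable: it POSTs to generateToken and
        # returns the parsed JSON, assumed {"token": str, "expires": epoch ms}.
        self._fetch, self._now, self._margin_s = fetch_token, now, margin_s
        self._token, self._expires_s = None, 0.0

    def token(self):
        # Renew when no token is cached or expiry is within the margin.
        if self._token is None or self._now() >= self._expires_s - self._margin_s:
            body = self._fetch()
            if "token" not in body:
                raise RuntimeError("generateToken returned no token")
            self._token = body["token"]
            self._expires_s = body["expires"] / 1000.0
        return self._token

    def invalidate(self):
        self._token = None

    def headers(self):
        # Header instead of ?token=..., so the value stays out of URL logs.
        return {"X-Esri-Authorization": "Bearer " + self.token()}


def is_invalid_token(status, body):
    # The page's sample response carries 498 in the status line and the JSON body.
    err = body.get("error") if isinstance(body, dict) else None
    return status == 498 or (isinstance(err, dict) and err.get("code") == 498)


def call_with_retry(cache, send):
    # send(headers) -> (status, parsed_json); retry once with a fresh token on 498.
    status, body = send(cache.headers())
    if is_invalid_token(status, body):
        cache.invalidate()
        status, body = send(cache.headers())
    return status, body


if __name__ == "__main__":
    # Constructed demo: fake token endpoint, no network access.
    fake = lambda: {"token": "demo-token", "expires": (time.time() + 600) * 1000}
    cache = TokenCache(fake)
    print(call_with_retry(cache, lambda h: (200, {"currentVersion": 0})))
```

The single retry bounds the loop: a second 498 is returned to the caller, which points to a binding, permission, or endpoint mismatch rather than expiry.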

Takeaway

The 498 Invalid Token status code is an ArcGIS client error sent when the request includes an invalid or expired authentication token.

Last updated: March 6, 2026