The Authentication Web Service validates access to ArcWeb Services. The first time a client accesses an ArcWeb Service, it must call the Authentication Web Service with a user name and password over a Secure Hypertext Transfer Protocol (HTTPS) Secure Sockets Layer (SSL) connection. These security measures minimize the risk that an unauthorized user can access an ArcWeb Service by stealing valid login information. If the user and password are valid, the Authentication Web Service returns a token. The token is a binary encoded string that the client application uses to call ArcWeb Services.
For additional information on security in ArcWeb Services, see Understanding ArcWeb Services: An Overview for Developers (PDF).
There are three basic steps for using the Authentication Web Service to access an ArcWeb Service.
Step 1: Call the Authentication Web Service with a getToken request.
Note: You must have permission on your ESRI Global Account to access ArcWeb Services.
If the login information is correct, the Authentication Web Service sends back a token string.
Step 2: Call the ArcWeb Service with an argument that passes in the token.
If the ArcWeb Service recognizes the token, it sends back the requested response. If the token expires during a session, it sends back the response, "Token Expires".
Step 3: Call the Authentication Web Service with a new getToken request if the current token has expired.
https://arcweb.esri.com/services/v2/Authentication.wsdl