Authentication and access tokens

To build applications that use ArcGIS resources and services, you must first implement authentication to obtain an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. There are three types of authentication: API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more, user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more, and app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more. ArcGIS REST JS provides authentication managers for each type of authentication which makes it easier to set up authentication once.

API key authentication

If you have ArcGIS Location Platform or ArcGIS Online, you can use API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more to authorize secure service requests without requiring users to sign in. This method requires creating an API key credential and embedding a long-lived access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more directly in your application, granting access to specific services and content based on the API key’s configured privileges.

API keys can be configured to access specific ArcGIS services and functionality, including location services (such as basemaps, geocoding, and routing), hosted data services, and spatial analysis services. However, they do not support operations that require ArcGIS user account permissions, such as portal administration or content management. See user authentication for those scenarios.

API key authentication is well-suited for building public-facing applications that do not require user sign-in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

import { ApiKeyManager, request } from "@esri/arcgis-rest-request";

const accessToken = "YOUR_ACCESS_TOKEN";
const authentication = ApiKeyManager.fromKey(accessToken);

const url = "https://www.arcgis.com/sharing/rest/community/users";

request(url, {
  authentication,
  params: {
    q: "john" // The query string to search the users against
  }
}).then((response) => {
  console.log(JSON.stringify(response, null, 2));
});

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
{
  "total": 10000,
  "start": 1,
  "num": 10,
  "nextStart": 11,
  "results": [
    {
      "username": "JohnDoe",
      "fullName": "John Doe",
      "id": "123",
      "firstName": "John",
      "lastName": "Doe",
      "provider": null,
      "created": 1540585165000,
      "modified": 1761576562000,

User authentication

If you have ArcGIS Online or ArcGIS Enterprise you can build applications that authenticate users with their ArcGIS account.An ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more This process involves creating an OAuth credentialOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more, which is used to generate a unique access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more tied to the user's privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more. With this token, applications can access all services and resources available to the signed-in user, including location services, spatial analysis, hosted data, secure items, and portal operations such as administration. Access is determined by the user's role and permissions.

User authentication is well-suited for building private applications for your organization that require users to sign in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
// Send the user to the authorization screen
app.get("/authorize", function (req, res) {
  ArcGISIdentityManager.authorize(credentials, res);
});

// After authorizing, the user is redirected to /authenticate
app.get("/authenticate", function (req, res) {
  if (credentials) {
    // The user will be redirected with an authorization code we will need to exchange for tokens
    ArcGISIdentityManager.exchangeAuthorizationCode(credentials, req.query.code)
      .then((session) => {
        res.status(200).send(
          "Session successfully acquired. Check your server console to see session details."
        );

        console.log(session);
      })
      .catch((err) => {
        console.error("Error:", err);
        res.status(500).send(err.message);
      });
  } else {
    res.send("Please visit http://localhost:3000/authorize");
  }
});

app.listen(3000, function () {
  console.log("Visit http://localhost:3000/authorize to test the application!");
});

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
ArcGISIdentityManager {
  portal: 'https://www.arcgis.com/sharing/rest',
  _username: 'YOUR_USERNAME',
  clientId: 'YOUR_CLIENT_ID',
  _refreshToken: 'YOUR_REFRESH_TOKEN',
  _refreshTokenExpires: YYYY-MM-DDTHH:MM:SS,
  password: undefined,
  _token: 'YOUR_TOKEN',
  _tokenExpires: YYYY-MM-DDTHH:MM:SS,
  ssl: true,
  provider: 'arcgis',
  tokenDuration: 20160,
  redirectUri: 'http://localhost:3000/authenticate',
  server: undefined,
  referer: undefined,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
    <script type="module">

    /* Use for user authentication */
    const clientId = "YOUR_CLIENT_ID"; // Your client ID from OAuth credentials
    const redirectUri = ""YOUR_REDIRECT_URI""; // The redirect URL registered in your OAuth credentials
    const authentication = await arcgisRest.ArcGISIdentityManager.beginOAuth2({
      clientId,
      redirectUri,
      portal: "https://www.arcgis.com/sharing/rest" // Your portal URL
    });

    </script>

App authentication

If you have ArcGIS Location Platform, ArcGIS Online, or ArcGIS Enterprise you can build applications that authenticate using your app’s OAuth 2.0 credentials instead of a user sign-in. This workflow generates a short-lived access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more based on your app’s client ID and client secretOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. The resulting token is associated with your ArcGIS account and grants access to secure services and items according to your account’s privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more.

App authentication is well-suited for web servers or standalone console scripts. This is to avoid exposing the confidential client_secret value contained within OAuth credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import { ApplicationCredentialsManager } from "@esri/arcgis-rest-request";
import { geocode } from "@esri/arcgis-rest-geocoding";

const appManager = ApplicationCredentialsManager.fromCredentials({
  clientId: "YOUR_CLIENT_ID",
  clientSecret: "YOUR_CLIENT_SECRET"
});

appManager.refreshToken().then((manager) => {
  geocode({
    address: "1600 Pennsylvania Ave",
    postal: 20500,
    countryCode: "USA",
    authentication: manager
  })
});

More resources