Security and authentication
ArcGIS supports secure access to location services and private content. It ensures that only valid, authorized users and services access protected information. To access secure resources, you need to implement an authentication method so your applications can make authenticated requests to services.
To get started with authentication:
- You need either an ArcGIS Developer account or ArcGIS Online account. Sign up for an ArcGIS Developer account and a developer subscription (for free) if you do not already have one.
- Review the authentication methods and guidelines.
- Sign into the developer dashboard to create credentials.
- Visit the authentication tutorials to start building your app.
An authentication method is the process used to obtain an access token. Your app must present an access token whenever it makes an authenticated request to location services. Access tokens define the scope and permissions available to your application. The authentication method you use to get an access token will vary based on the security and access requirements of your app.
There are three kinds of access tokens:
- API key: a permanent token that grants your application access to ready-to-use services and, with an ArcGIS Developer account, private data (currently in beta).
- ArcGIS identity (formerly named user): grants a short-lived token, generated via OAuth 2.0, giving your application permission to access the content and services authorized to an existing ArcGIS user's account.
- Application credentials: grant a short-lived token, generated via OAuth 2.0, authorizing your application to access ready-to-use services.
To make authenticated requests to services, you need to set the token parameter to an access token.
An API key is a permanent access token that grants your public-facing application access to specific, ready-to-use services, and, with an ArcGIS Developer account, private content, items, and limited client referrers (currently in beta).
Use API keys when you want to:
- Quickly write applications that consume ready-to-use services.
- Provide access to services without requiring users to sign in with an ArcGIS account.
- Use an access token that doesn't expire.
An API key is created for you when you sign up for an ArcGIS Developer account.
Set the API key according to your chosen client API to authenticate with ArcGIS.
An ArcGIS identity, also known as a named user, grants a short-lived access token giving your application permission to access the content and services authorized to your application user's existing ArcGIS Online or ArcGIS Enterprise account. The short-lived token is created using the OAuth 2.0 protocol and authorizes your application to act on the user's behalf without the user's password ever being revealed to your application. The services your application consumes are metered against the authenticated user's ArcGIS subscription and, while the token is valid, your app can access the user's content on their behalf.
Use ArcGIS identity when you want to:
- Ensure users are signed in and authenticated with their own ArcGIS account.
- Meter usage of private and public data, content, or service transactions for the authenticated user.
- Limit how long the access token is valid before it expires and must be refreshed.
The workflow is:
- Register your application in the developer dashboard to receive client credentials.
- Implement an OAuth 2.0 authentication workflow.
- A user authorizes your application and an authorization code is returned.
- The authorization code is exchanged for a short-lived access token.
- The access token is used to access ArcGIS content and services.
Application credentials grant a short-lived access token, generated via OAuth 2.0, authorizing your application to access ready-to-use services such as basemap layers, search, and routing.
Use application credentials when you want to:
- Access ready-to-use services with a secure process and a short-lived token.
- Provide access to services without requiring users to have an ArcGIS account.
The workflow is:
- Register your OAuth 2.0 application in the developer dashboard to receive credentials.
- A user requests a resource on your web server.
- Implement the OAuth 2.0 client credentials workflow to generate an application credential.
- Respond to the user's request with the application credential.
- Use the application credential to authenticate with ArcGIS according to your specific client API.
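The two OAuth 2.0 workflows above (the ArcGIS identity authorization-code exchange and the application credentials client-credentials grant), as an added Python example that is not part of this page or of Esri's own SDKs: it builds the requests, caches the short-lived token, renews it before expiry, and attaches the token parameter to a service request. The ArcGIS Online endpoint URLs and the OAuth 2.0 parameter names are assumptions taken from the standard grants, and `fetch` is a hypothetical HTTP callable you supply, so the block runs offline.

```python
import time
from urllib.parse import urlencode

# Assumed ArcGIS Online endpoints; an ArcGIS Enterprise portal has its own base URL.
PORTAL = "https://www.arcgis.com/sharing/rest"
AUTHORIZE_URL = f"{PORTAL}/oauth2/authorize"
TOKEN_URL = f"{PORTAL}/oauth2/token"


def authorize_url(client_id, redirect_uri):
    """ArcGIS identity, step 1: the URL the user is sent to so they can authorize
    the app. ArcGIS redirects back to redirect_uri with an authorization code."""
    q = {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri}
    return f"{AUTHORIZE_URL}?{urlencode(q)}"


def code_exchange_body(client_id, code, redirect_uri):
    """ArcGIS identity, step 2: POST body exchanging the one-time code for a
    short-lived token (standard OAuth 2.0 parameter names, assumed here)."""
    return {"client_id": client_id, "grant_type": "authorization_code",
            "code": code, "redirect_uri": redirect_uri, "f": "json"}


def client_credentials_body(client_id, client_secret):
    """Application credentials: POST body for the client credentials grant. Only a
    server-side component should hold client_secret; never ship it to a browser."""
    return {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials", "f": "json"}


class TokenHolder:
    """Caches one short-lived token and renews it via `fetch` (a hypothetical callable
    that POSTs a body to TOKEN_URL and returns the parsed JSON) before it expires."""
    def __init__(self, fetch, body, skew=60):
        self._fetch, self._body, self._skew = fetch, body, skew
        self._token, self._expires_at = None, 0.0

    def token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch(self._body)
            # ArcGIS REST can report failure in an "error" object in the JSON body.
            if "error" in resp:
                raise RuntimeError(f"token request failed: {resp['error']}")
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
        return self._token


def authenticated_params(params, token):
    """Attach the token parameter (and f=json) to a location-service request."""
    return {**params, "token": token, "f": "json"}
```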
There are many considerations when selecting the best authentication method for your circumstances. Consider the following:
- The type of account you will be using to create the access token: ArcGIS Developer, ArcGIS Online, or ArcGIS Enterprise.
- Your choice of API.
- The level of security required: short-lived or permanent token.
- Requirement for users to log in and authorize access or to log in silently.
- Where the security access will take place: client-side, web-based app, or server-side.
| Scenario | Recommended authentication method |
|---|---|
| You are building an application that only requires access to ready-to-use services and you do not want users to log in. | API key or Application credentials |
| You are building an application on a server or API back-end that only requires access to ready-to-use services. | API key or Application credentials |
| You are building an application that will read private hosted data on your ArcGIS Developer account. | API key or Application credentials |
| You are building an application that will use private hosted data on your ArcGIS Online account. | ArcGIS identity |
| You are building an application using an open source API or using the ArcGIS REST APIs directly. | API key |
| You are building an application using an ArcGIS API. | API key, Application credentials, or ArcGIS identity |
Use the support tables below to match the capability and the API you are considering.
|API keys||ArcGIS identity||Application credentials|
|Restrict to specific services|
|Restrict to specific referrers|
|Data hosting services||1|
1. ArcGIS Developer subscriptions only
2. ArcGIS Developer subscriptions only, limited
1. Requires use of a server component to access and manage the token and/or user session.
2. Supports using a token obtained from OAuth 2.0 but lacks advanced identity management features.