Introduction to security and authentication

ArcGIS supports secure access to location services and private content. It ensures that only valid, authorized users and services access protected information. To build applications that access secure resources, you need to implement an authentication method. This section covers how to use API keys, ArcGIS Identity, and application credentials to make authenticated requests to services and secure resources.

Authentication methods

An authentication method is the process used to obtain an access token. Your app must present an access token whenever it makes an authenticated request to location services. Access tokens define the scope and permissions available to your application. The authentication method you use to get an access token will vary based on the security and access requirements of your app.

There are three kinds of access tokens:

  • API key: a permanent token that grants your application access to ready-to-use services and, with an ArcGIS Developer account, private data (currently in beta).
  • ArcGIS identity (formerly named user): grants a short-lived token, generated via OAuth 2.0, giving your application permission to access the content and services authorized to an existing ArcGIS user's account.
  • Application credentials: grant a short-lived token, generated via OAuth 2.0, authorizing your application to access ready-to-use services.

To make authenticated requests to services, you need to set the token parameter to an access token.

https://<LOCATION_SERVICE_URL>?token=<ACCESS_TOKEN>
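
An added example, not part of the original ArcGIS page: the Python below sets the token parameter on a service URL and redacts it before the URL is written to a log, because a token carried in the query string is recorded wherever the full URL is (web server and proxy logs, browser history). The function names, the example.com service URL and the token value are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters whose values must never reach a log line.
SENSITIVE_PARAMS = {"token"}


def with_token(service_url: str, access_token: str) -> str:
    """Return service_url with token=<access_token>, replacing any stale token."""
    parts = urlsplit(service_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "token"]
    query.append(("token", access_token))
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_for_log(url: str) -> str:
    """Return url with sensitive query values replaced, safe to log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values; not a real service or token.
    url = with_token("https://example.com/arcgis/rest/services/Sample/query?f=json",
                     "CONSTRUCTED_TOKEN")
    print(redact_for_log(url))
```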

API keys

An API key is a permanent access token that grants your public-facing application access to specific, ready-to-use services, and, with an ArcGIS Developer account, private content, items, and limited client referrers (currently in beta).

Use API keys when you want to:

  • Quickly write applications that consume ready-to-use services.
  • Provide access to services without requiring users to sign in with an ArcGIS account.
  • Use an access token that doesn't expire.

API key overview

  1. Configure an API key in the developer dashboard.

    An API key is created for you when you sign up for an ArcGIS Developer account.

  2. Set the API key according to your chosen client API to authenticate with ArcGIS.

Learn more about API keys

ArcGIS identity

An ArcGIS identity, also known as named user, grants a short-lived access token giving your application permission to access the content and services authorized to your application user's existing ArcGIS Online or ArcGIS Enterprise account. The short-lived token is created using the OAuth 2.0 protocol and authorizes your application to act on the user's behalf without revealing their password to your application. The services your application consumes are metered to the authenticated user's ArcGIS subscription and, during the authenticated period, your app can access the user's content on their behalf.

Use ArcGIS identity when you want to:

  • Ensure users are signed in and authenticated with their own ArcGIS account.
  • Meter usage of private and public data, content, or service transactions for the authenticated user.
  • Limit how long the access token is valid before it expires and requires refreshing.

ArcGIS identity overview

  1. Register your application in the developer dashboard to receive client credentials.
  2. Implement an OAuth 2.0 authentication workflow.
  3. A user authorizes your application and an authorization code is returned.
  4. The authorization code is exchanged for a short-lived access token.
  5. The access token is used to access ArcGIS content and services.

Learn more about ArcGIS identity

Application credentials

Application credentials grant a short-lived access token, generated via OAuth 2.0, authorizing your application to access ready-to-use services such as basemap layers, search, and routing.

Use application credentials when you want to:

  • Access ready-to-use services with a secure process and a short-lived token.
  • Provide access to services without requiring users to have an ArcGIS account.

Application credentials overview

  1. Register your OAuth 2.0 application in the developer dashboard to receive credentials.
  2. A user requests a resource on your web server.
  3. Implement the OAuth 2.0 client credentials workflow to generate an application credential.
  4. Respond to the user's request with the application credential.
  5. Use the application credential to authenticate with ArcGIS according to your specific client API.

Learn more about Application credentials
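
An added example, not part of the original ArcGIS page, for the server component in steps 2 to 4: it runs the client credentials workflow, caches the short-lived token until shortly before expiry, and returns only the token and its remaining lifetime so the client secret never leaves the server. The ArcGIS Online token endpoint, the request and response field names, and the class and function names are assumptions not stated on this page.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: ArcGIS Online token endpoint (ArcGIS Enterprise uses its own portal URL).
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"


def post_form(url, fields):
    """POST form fields and decode the JSON reply (secret travels in the body, not the URL)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=data), timeout=10) as resp:
        return json.load(resp)


class AppTokenCache:
    """Server-side holder of the client secret; hands out short-lived tokens only."""

    def __init__(self, client_id, client_secret, transport=post_form,
                 clock=time.time, skew=60):
        self._fields = {"client_id": client_id, "client_secret": client_secret,
                        "grant_type": "client_credentials"}
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        """Return {'token', 'expires_in'}; refresh when within `skew` seconds of expiry."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            body = self._transport(TOKEN_URL, self._fields)
            if "error" in body or "access_token" not in body:
                # Do not echo the response or request: either may contain credentials.
                raise RuntimeError("token request failed")
            self._token = body["access_token"]
            self._expires_at = now + int(body.get("expires_in", 0))
        return {"token": self._token, "expires_in": int(self._expires_at - now)}
```

In a web handler, load the client ID and secret from server-side configuration and send the result of `get()` as the response to the user's request.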

Choosing an authentication method

Several considerations go into selecting the best authentication method for your circumstances. Consider the following:

  1. The type of account you will be using to create the access token: ArcGIS Developer, ArcGIS Online, or ArcGIS Enterprise.
  2. Your choice of API.
  3. The level of security required: short-lived or permanent token.
  4. Whether users are required to log in and authorize access or to log in silently.
  5. Where the security access will take place: client-side, web-based app, or server-side.

Scenario | Solution
You are building an application that only requires access to ready-to-use services and you do not want users to log in. | API key or Application credentials
You are building an application on a server or API back-end that only requires access to ready-to-use services. | API key or Application credentials
You are building an application that will read private hosted data on your ArcGIS Developer account. | API key or Application credentials
You are building an application that will use private hosted data on your ArcGIS Online account. | ArcGIS identity
You are building an application using an open source API or using the ArcGIS REST APIs directly. | API key
You are building an application using an ArcGIS API. | API key, Application credentials, or ArcGIS identity

Use the support tables below to match the capability and the API you are considering.

Capability comparison

API keys | ArcGIS identity | Application credentials
Permanent tokens
Short-lived tokens
Serverless authentication
Server-based authentication
Restrict to specific services
Restrict to specific referrers
Ready-to-use services
Data hosting services (1)
Content management (2)
Full support | Partial support | No support
  • 1. ArcGIS Developer subscriptions only
  • 2. ArcGIS Developer subscriptions only, limited

API support

Full support | Partial support | No support
  • 1. Requires use of a server component to access and manage token and/or user session.
  • 2. Supports using a token obtained from OAuth 2.0 but lacks advanced identity management features.
