Application credentials

Application credentials are short-lived access tokens that define the scope and permissions for accessing ready-to-use services in ArcGIS Platform. Application credentials use OAuth 2.0 client_id and client_secret parameters and the client_credentials grant type to secure client login.

How application credentials work

ArcGIS identity overview

  1. Register your OAuth 2.0 application in the developer dashboard to receive credentials.

  2. Create a server-side component to store your application credentials.

  3. User requests a resource on your web server.

  4. Get an access token (application credentials).

  5. Use the application credentials to authenticate with ArcGIS Platform according to your specific client API and the service with which you are working.

Create a server-side component

Any unauthorized software that accesses your application's credentials could potentially also access billable services on the ArcGIS Platform that are charged to your application. To prevent this kind of breach, your app needs to have a server-side component to keep app credentials secure.

A server-side component calls the OAuth 2.0 token endpoint with the client_id and client_secret using the client_credentials OAuth 2.0 grant_type. The response will contain the application credentials in the access_token property. The server-side component then uses these application credentials to make requests to the ArcGIS Platform or to the client.

  1. Make an OAuth 2.0 REST API POST request to the portal's token endpoint using the request parameters:

        
      https://www.arcgis.com/sharing/rest/oauth2/token
        client_id=APPID&
        client_secret=APPSECRET&
        grant_type=client_credentials
  2. The successful JSON response object returns an access_token granting your application permission to work with shared resources. Use this access_token to create the server-side component.

Get an access token

  1. POST to the token endpoint using the correct parameters.
  2. The JSON response will contain an access_token.
  3. All subsequent ArcGIS REST API request headers must include this access_token as authorization whenever a token parameter is required.

Token endpoint

https://www.arcgis.com/sharing/rest/oauth2/token/

A token can only be generated using the HTTPS REST API POST method.

Request parameters

| Parameter | Required | Format | Description |
| --- | --- | --- | --- |
| client_id | | string | The registered app's client_id. |
| client_secret | | string | The registered app's client_secret. |
| grant_type | | client_credentials | You must include this OAuth 2.0 grant type. |
| expiration | | number | Number of minutes until token expires: default = 120 minutes; maximum = 20160 minutes (2 weeks). |

Response object

    
{
    "access_token": "J-S0KLOl5_8U***lMyB9g..",
    "expires_in": 86400
}

Examples

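import requests  # pip install requests

TOKEN_URL = 'https://www.arcgis.com/sharing/rest/oauth2/token'

def get_token():
    # Run this on the server only: client_secret must never reach a browser or mobile client.
    params = {
        'client_id': "YOUR_APPLICATION_CLIENT_ID",
        'client_secret': "YOUR_APPLICATION_CLIENT_SECRET",
        'grant_type': "client_credentials"
    }
    # The token endpoint accepts POST only; send the secret in the form body, not the URL.
    response = requests.post(TOKEN_URL, data=params, timeout=10)
    response.raise_for_status()
    return response.json()["access_token"]

token = get_token()
print(token)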

Using the token

Now that you have received the OAuth 2.0 token, it must be included in every request header to authorize the request.

The following are examples of an OAuth 2.0 token authorizing GeoEnrichment service demographic data queries.

import requests  # pip install requests

params = {
    'f': 'json',
    'token': 'J-S0KLO***MyB9g..',
    'studyAreas': '[{"geometry":{"x":-117.1956,"y":34.0572}}]'
}
# Use HTTPS and the POST body so the token is not exposed in transit or in URL logs.
url = 'https://geoenrich.arcgis.com/arcgis/rest/services/World/GeoenrichmentServer/Geoenrichment/enrich'
data = requests.post(url, data=params)
print(data.json())

Token errors

If a request fails, you will receive a failure message. The error description provides more detail; the most common causes are expired or invalid tokens. To resolve token issues, generate a new token and resubmit the request.

         
{
  "error":{
    "code":400,
    "error":"invalid_request",
    "error_description":"code expired",
    "message":"code expired",
    "details":[]
  }
}
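
One way to build the server-side component described above, as an added example that is not code from this page or from ArcGIS: it sends the client_secret in the POST body, caches the access_token until shortly before expires_in elapses, and raises on an error object so the caller can fetch a new token. The names AppTokenCache, TokenError, requests_post, from_environment and the two environment variables are hypothetical, and it assumes the token endpoint reports failures in the same "error" object shape shown under Token errors.

```python
import os
import time

TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"

class TokenError(Exception):
    """The token endpoint answered with an "error" object."""

class AppTokenCache:
    """Server-side holder for application credentials (hypothetical helper)."""

    def __init__(self, client_id, client_secret, post, expiration=60,
                 skew=60, clock=time.time):
        self._form = {"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "client_credentials",
                      "expiration": expiration}  # minutes; page maximum is 20160
        self._post, self._skew, self._clock = post, skew, clock
        self._token, self._expires_at = None, 0.0

    def _fetch(self):
        body = self._post(TOKEN_URL, self._form)
        if "error" in body:  # assumed: same error shape as under "Token errors"
            err = body["error"]
            # Report only the server's code and description, never the request form.
            raise TokenError(f'{err.get("code")}: {err.get("error_description")}')
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def get(self):
        """Return the cached token, refreshing `skew` seconds before expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            self._fetch()
        return self._token

    def invalidate(self):
        """Call after an expired/invalid token error so get() fetches a new one."""
        self._token = None

def requests_post(url, form):
    """Real transport: the secret travels in the HTTPS POST body, not the URL."""
    import requests  # pip install requests
    resp = requests.post(url, data=form, timeout=10)
    resp.raise_for_status()
    return resp.json()

def from_environment(post=requests_post):
    # Assumed variable names; the secret stays out of source code and clients.
    return AppTokenCache(os.environ["ARCGIS_CLIENT_ID"],
                         os.environ["ARCGIS_CLIENT_SECRET"], post)
```

Passing a short expiration keeps a leaked token useful for less time; the cache makes the extra refreshes cheap.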

Billing information

When you use application credentials, your application's users have access to any resources to which you have access, and consume your credits for premium content. See premium payment / billing credits information.
