OAuth 2.0

OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage user credentials for web, desktop, and mobile applications.

Users, clients, or servers are authorized for system access using encrypted tokens, and receive access tokens in response from the authorizing server. These tokens act as "keys", granting access to secured data for a fixed time period.

How does ArcGIS use OAuth 2.0?

ArcGIS uses OAuth 2.0 to safely expose access tokens to third-party applications.

ArcGIS stores private user identities and content; third-party applications access those resources through the secure OAuth 2.0 user authorization protocol.

ArcGIS APIs contain a built-in IdentityManager or AuthenticationManager class that can be used to obtain an access token and simplify your process when implementing OAuth 2.0. See ArcGIS identity for more information about these classes.

Use OAuth 2.0 to get temporary access tokens that authorize your app with ArcGIS in one of two ways:

  • ArcGIS identity: applications use an existing ArcGIS end user's account to access secure content and services on their behalf; transactions are metered to the user's account.
  • Application credentials: applications use the registered application's credentials to access ready-to-use services on ArcGIS; transactions are metered to the owner of the registered application.

Get credentials

You must first register your application and obtain a client_id and client_secret. Use the method prescribed by the product with which you are building your app to authorize your users and obtain an OAuth 2.0 access_token. You should also set up a redirect URI at this time.

OAuth 2.0 grant types

ArcGIS uses the following OAuth 2.0 grant types:

  • implicit for browser-based, desktop, and mobile applications using ArcGIS identity.
  • authorization_code for server and mobile applications using ArcGIS identity.
  • client_credentials for application credentials.

OAuth 2.0 endpoints

OAuth 2.0 workflows use the following endpoints:

  • Token: https://www.arcgis.com/sharing/rest/oauth2/token/
  • Authorization: https://www.arcgis.com/sharing/rest/oauth2/authorize

Implementing OAuth 2.0

Serverless web apps

Web apps with ArcGIS identity workflow

  1. Open the authorization page in a pop-up or new tab.
  2. User authorizes your application.
  3. The pop-up or tab is redirected to the configured redirect URI on your website with an appended access token.
  4. Your website passes the access token to the original page that began the OAuth 2.0 process.
Learn more about the serverless web workflow

Serverless native and mobile apps

Web apps with ArcGIS identity workflow

  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI, which opens your application on the device with an authorization code.
  4. Your application exchanges the authorization code for an access token and a refresh token.
Learn more about the serverless native / mobile workflow

Server-enabled apps

Server based applications with ArcGIS identity workflow

  1. Open the authorization page in a browser on the device.
  2. User authorizes your application.
  3. The browser is redirected to the configured redirect URI on your server with an appended authorization code.
  4. Your server exchanges the authorization code for an access token and a refresh token.
  5. This refresh token can be stored on the server and the access token provided to the client application.
Learn more about the server-enabled workflow
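
The server-enabled steps above, sketched in Python as an added example (not code from this page or from Esri). The two endpoint URLs are the ones listed on this page; the request and response field names (`state`, `code`, `grant_type`, `client_secret`, `expires_in`, and so on) are the standard RFC 6749 names, and that ArcGIS expects exactly this set is an assumption. The function names are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs
from urllib.request import Request

AUTHORIZE_URL = "https://www.arcgis.com/sharing/rest/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token/"
# Assumption: parameter names below follow RFC 6749; check them against the ArcGIS reference.

def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL to open in the browser, plus the state to keep in the user's session."""
    state = secrets.token_urlsafe(32)  # unguessable value that binds the callback to this session
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": redirect_uri, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state

def code_from_callback(callback_url, expected_state):
    """Step 3: accept the authorization code only if state matches the session value."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]

def build_token_request(code, client_id, client_secret, redirect_uri):
    """Step 4: server-side POST; the client_secret travels in the body, never in a URL."""
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret,
                      "redirect_uri": redirect_uri}).encode()
    return Request(TOKEN_URL, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})

def split_tokens(token_response):
    """Step 5: the refresh token stays on the server; the client gets only the access token."""
    for_server = {"refresh_token": token_response["refresh_token"]}
    for_client = {"access_token": token_response["access_token"],
                  "expires_in": token_response["expires_in"]}
    return for_client, for_server
```

Pass the object returned by `build_token_request` to `urllib.request.urlopen` on the server to perform the exchange, and keep the `state` value in the server-side session between steps 1 and 3.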
