ArcGIS services and resources are secured using token-based authentication. You can implement a type of authentication in your application to obtain an access token and make secure requests. The type of authentication you use will depend on the security and access requirements of your app. Different authentication types result in access tokens with different priveleges and account associations.
There are three types of authentication that can be used to get an access token:
API key authentication
API key authentication is a type of authentication that uses a permanent API key to access ArcGIS resources. An API key is a permanent access token that grants your public-facing application access to specific ready-to-use services. With an ArcGIS Developer account, API keys can also access private content and limit client referrers.
User authentication
User authentication is a set of authentication workflows that allow users with an ArcGIS account to sign into an application and access ArcGIS content, services, and resources. The typical authentication protocol used is OAuth2.0. When a user signs into an application with their ArcGIS account, an access token is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.
User authentication supports all three account types, including ArcGIS Developer, ArcGIS Online, and ArcGIS Enterprise accounts.
The following workflows can be used to implement user authentication:
- Serverless web app flow
- Serverless mobile or native app flow,
- Server-based app flow
- Manual token generation flow
- HTTP/Windows/Integrated Windows Authentication
- Public key infrastructure (PKI) authentication
App credential authentication
App credential authentication is a workflow that grants a short-lived access token via OAuth 2.0, authorizing your application to access ready-to-use services such as basemap layers, search, and routing. The access token granted by app credentials authentication is associated with the app developer's ArcGIS account and can only be used to access ready-to-use location services.
Choosing a type of authentication
The main factors for choosing an appropriate type of authentication include the following:
-
The type of application you are building:
- Anonymous user applications (no login required).
- ArcGIS user applications (ArcGIS account login required).
-
The type of ArcGIS product and account you have:
- ArcGIS Platform
- ArcGIS Online
- ArcGIS Enterprise
-
The type of secure ArcGIS resource you need access to.
-
The level of security required (API key vs OAuth2.0 token).
-
What agent will request an access token: client-side app, web-based app, or server.
-
The API you are using.
| Use case | Solution |
|---|---|
| You are building an application that only requires access to ready-to-use services and you do not want users to log in. | API key or App credential authentication |
| You are building an application on a server or API back-end that only requires access to ready-to-use services. | API key or App credential authentication |
| You are building an application that will read private hosted data on your ArcGIS Developer account. | API key or App credential authentication |
| You are building an application that will use private hosted data on your ArcGIS Online account. | User authentication |
| You are building an application using an open source API or using the ArcGIS REST APIs directly. | API key |
| You are building an application using an ArcGIS API. | API key, app credential authentication, or user authentication |
Feature comparison
The different types of authentication have the following features:
| API key authentication | User authentication | App credential authentication | |
|---|---|---|---|
| Permanent tokens | |||
| Short-lived tokens | |||
| Serverless authentication | |||
| Server-based authentication | |||
| Charge usage to users | |||
| Charge usage to developer | |||
| Restrict to specific services | |||
| Restrict to specific referrers |
Privilege comparison
The different types of authentication can access the following ArcGIS resources:
| API key access tokens | User authentication access tokens | App credential authentication access tokens | |
|---|---|---|---|
| Ready-to-use services | |||
| Public content | |||
| Secure content | 1 | ||
| Subscriber and premium content | |||
| Content management services | 2 |
- 1. ArcGIS Developer subscriptions only
- 2. ArcGIS Developer subscriptions only, limited
API support
The following table shows the built-in level of support for different types of authentication in each API.
- 1. Requires use of a server component to access and manage token and/or user session.
- 2. Supports using a token obtained from OAuth 2.0 but lacks federated server validation for basemaps.