Types of authentication

ArcGIS services and resources are secured using token-based authentication. You can implement a type of authentication in your application to obtain an access token and make secure requests. The type of authentication you use will depend on the security and access requirements of your app. Different authentication types result in access tokens with different priveleges and account associations.

There are three types of authentication that can be used to get an access token:

  1. API key authentication

  2. User authentication

  3. App credential authentication

API key authentication

API key authentication is a type of authentication that uses a permanent API key to access ArcGIS resources. An API key is a permanent access token that grants your public-facing application access to specific ready-to-use services. With an ArcGIS Developer account, API keys can also access private content and limit client referrers.

Learn how to implement API key authentication

User authentication

User authentication is a set of authentication workflows that allow users with an ArcGIS account to sign into an application and access ArcGIS content, services, and resources. The typical authentication protocol used is OAuth2.0. When a user signs into an application with their ArcGIS account, an access token is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.

User authentication supports all three account types, including ArcGIS Developer, ArcGIS Online, and ArcGIS Enterprise accounts.

The following workflows can be used to implement user authentication:

Implement user authentication

App credential authentication

App credential authentication is a workflow that grants a short-lived access token via OAuth 2.0, authorizing your application to access ready-to-use services such as basemap layers, search, and routing. The access token granted by app credentials authentication is associated with the app developer's ArcGIS account and can only be used to access ready-to-use location services.

Implement app credential authentication

Choosing a type of authentication

The main factors for choosing an appropriate type of authentication include the following:

  1. The type of application you are building:

    • Anonymous user applications (no login required).
    • ArcGIS user applications (ArcGIS account login required).
  2. The type of ArcGIS product and account you have:

    • ArcGIS Platform
    • ArcGIS Online
    • ArcGIS Enterprise
  3. The type of secure ArcGIS resource you need access to.

  4. The level of security required (API key vs OAuth2.0 token).

  5. What agent will request an access token: client-side app, web-based app, or server.

  6. The API you are using.

Use caseSolution
You are building an application that only requires access to ready-to-use services and you do not want users to log in.API key or App credential authentication
You are building an application on a server or API back-end that only requires access to ready-to-use services.API key or App credential authentication
You are building an application that will read private hosted data on your ArcGIS Developer account.API key or App credential authentication
You are building an application that will use private hosted data on your ArcGIS Online account.User authentication
You are building an application using an open source API or using the ArcGIS REST APIs directly.API key
You are building an application using an ArcGIS API.API key, app credential authentication, or user authentication

Feature comparison

The different types of authentication have the following features:

API key authenticationUser authenticationApp credential authentication
Permanent tokens
Short-lived tokens
Serverless authentication
Server-based authentication
Charge usage to users
Charge usage to developer
Restrict to specific services
Restrict to specific referrers
Full supportPartial supportNo support

    Privilege comparison

    The different types of authentication can access the following ArcGIS resources:

    API key access tokensUser authentication access tokensApp credential authentication access tokens
    Ready-to-use services
    Public content
    Secure content1
    Subscriber and premium content
    Content management services2
    Full supportPartial supportNo support
    • 1. ArcGIS Developer subscriptions only
    • 2. ArcGIS Developer subscriptions only, limited

    API support

    The following table shows the built-in level of support for different types of authentication in each API.

    API keysApp credentials authenticationUser authentication
    ArcGIS Maps SDK for JavaScript1
    ArcGIS Maps SDK for .NET
    ArcGIS Maps SDK for Kotlin
    ArcGIS Maps SDK for Swift
    ArcGIS Maps SDK for Java
    ArcGIS Maps SDK for Qt
    ArcGIS API for Python
    Esri Leaflet12
    MapLibre GL JS12
    Full supportPartial supportNo support
    • 1. Requires use of a server component to access and manage token and/or user session.
    • 2. Supports using a token obtained from OAuth 2.0 but lacks federated server validation for basemaps.

    Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.