Tutorial: Rotate API keys | Documentation

Learn how to rotate API keys with ArcGIS Enterprise in a deployed application to extend the lifetime of the application.

Item page for an API key credentials item. The item is titled "My API key credentials (for a public app)" and has a type of "Application", with a badge that says "API key credentials".

The item page of API key credentials in a portal

An API key is a long-lived access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more used to authenticate requests to secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more in applications. API keys are created and managed through API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more.

API key credentials can generate up to two valid API keys at a time, known as API key 1 and API key 2. The keys share identical privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more and item access, but their expiration dates are set individually. By staggering the expiration dates of the two API keys, API key credentials can be used to keep an application running indefinitely.

This tutorial explains how to rotate between an API key 1 and API key 2 in a deployed application. This workflow is necessary for applications in production environments, such as live websites or apps published to the app store. Using this method, API keys can be rotated in deployed applications without any application downtime.

Prerequisites

You need an ArcGIS Enterprise accountAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more with the correct user type and role. Please review the Product and account requirements before proceeding.
Your organization must be using ArcGIS Enterprise version 11.4 or greater. Learn more.
You need to complete the Create an API key tutorial and generate an API key 1 with your desired privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more.
You need to create and deploy an application that uses your API key, such as a native app built with an ArcGIS Maps SDKArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more or a web app built with ArcGIS REST JSArcGIS REST JS is a collection of JavaScript modules that can access ArcGIS location services and ArcGIS Enterprise services.Learn more.

Steps

You use your portal to create and manage items, including API key credentials.

In your web browser, go to your ArcGIS Enterprise portal and sign in to your portal with your ArcGIS Enterprise account.

Find your API key credentials

Developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more are stored as an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in your portal. Go to the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of your credentials to manage their settings.

Go to Content > My content.
Search for the developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more you created in the prerequisites step.
Click on the developer credentials to go to its item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.

Check the API key 1 expiration date

API key credentials are used to manage up to two active API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more at a time. The expiration date of each API key is listed on the API key credentials item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.

On the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of your API key credentials, scroll down to Credentials > API keys.
A partial record of each API key is listed along with its expiration date. Check the expiration date of your active API key 1.

Generate an API key 2

When you are ready to rotate API keys, use the same API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more to generate an API key 2. This new key will share identical privileges and item access with API key 1, but has a unique expiration date.

Under Application > API keys, click Generate a secondary API key.
Set an Expiration date for the key and click Generate API key.

Best practices
The expiration dates of your API keys should align with the interval at which you plan to rotate them. For example, if you rotate API keys in your application every 90 days, the keys should expire in about 90 days.

Copy the API key 2

Copy the API keyAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more from the window that appears and paste it into your application.

Attention
This is the only time you will be able to access the value of your API key. You will not be able to view it again. To get a new key, you need to regenerate one using the API key credentials item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.
Use the API key credentials item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more to view a partial version of the new key, as well as its expiration date.

Deploy your application

After generating an API key 2 and pasting it into your application, your API key 1 can be safely deleted from the code base. You must deploy your application to production before the API key 1 can be invalidated.

Deploy your application to production using your normal process. This process varies based on your chosen platform, programming language, and build system.

Invalidate the API key 1

Once your application has been deployed with a new API key, the previous API key is no longer required. Invalidate the key to prevent fraudulent usage.

Under Application > API keys, find the API key you want to regenerate. Click Invalidate API key.
Click Yes, invalidate API key.
Your API key 1 has been invalidated. It will no longer function in applications or REST API requests. Your API key 2 will continue to function as normal.

What's next?

Your application has been deployed using a new API keyAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more with an extended expiration date. When your API key 2's expiration date approaches, this same workflow can be applied again to keep the application running indefinitely. Once the API key 2 is about to expire, generate a new API key 1 and deploy your application again using the new key.

Learn how to perform other management tasks for your API key credentials in the following tutorials:

Manage API key credentials

Manage previously created API key credentials to regenerate, edit privileges, and edit item access of API keys.

ArcGIS portal

Create an API key

Create and configure API key credentials to get a long-lived API key access token.

ArcGIS portal REST JS