Update to API key credentials | Documentation

API keys (legacy) are permanent access tokens created with before June 2024. They can no longer be created or managed, and have been replaced by API key credentials. All developers should replace their existing API keys (legacy) with new API keys from API key credentials.

This tutorial shows how to migrate your application from an API key (legacy) to API key credentials with ArcGIS Online, and preserve the same privileges and item access.

Prerequisites

You need an ArcGIS Online account with the correct user type and role. Please review the Product and account requirements before proceeding.
You need to know the privileges to assign to your API key. The privileges assigned to a key allow your application to access specific ArcGIS services and resources.

Steps

You use your portal to create and manage items, including API key credentials.

Check the scopes of your API key (legacy)

API keys (legacy) can only be scoped to access location services. These capabilities and more are available through API key credentials. Use your portal to check the service scopes of your API key (legacy) to create a new set of credentials with equivalent capabilities.

Go to Content > My content.
Click on the API key (legacy) item you want to replace. The item should have the label API key (legacy). You will then be redirected to the item page of your API key (legacy) item.
Under Credentials, click Manage.
In API key (legacy), scroll down to the Location services section.
Write down the selected scopes under Required service and Available services. These scopes will be replicated in your API key credentials using privileges.

Create API key credentials

In your portal, click Content > My content > New item.
Click Developer credentials > API key credentials and click Next.

Need troubleshooting help?

If the Developer credentials option is not visible when creating a new item, your ArcGIS Online account does not have the correct permissions. You need an ArcGIS account with a user type of Creator or higher. Learn more about user types in the ArcGIS Online documentation.

If the API key credentials option is not visible when creating developer credentials, your ArcGIS Online account does not have the correct permissions. You need an ArcGIS account with a user type of Creator or higher. Your account must also have these additional privileges:

General privileges > Content > Generate API keys
General privileges > Content > Assign privileges to OAuth 2.0 applications

Your organization administrator can grant you these privileges using a custom role. To learn how, go to the ArcGIS Online documentation.

Select application type

You can configure your API key credentials in this menu to align their capabilities with the type of application you are building. This menu determines the privileges that will be available for selection in the next steps.

In the Where will you use these credentials? menu, select Public application.

Warning
If you are not building a public application, select one of the Private application options in this menu instead. These options allow access to additional privileges under the General and Admin categories, and should not be embedded in public applications.
Click Next.

Select items (optional)

If your application will require access to specific private items, you will need to configure your developer credentials to access them. The Item access menu allows you to browse your portal's content and grant your API key access to specific items.

If your token does not require item access, select No item access. Then, click Next.
Otherwise, select Grant access to specific items.
Select the items you want to grant access to. You can select up to 100 items in this menu.
Click Next.

Select privileges

You can configure the settings of API key credentials to configure the privileges of generated API keys. For an API key to work in your application, it needs to have the correct privileges to access the content and services your app is using. Select the privileges your app requires in this menu.

In the Create developer credentials > Privileges window, select the privileges required by your application.

Learn more about privileges

Browse the table below to view available privileges, privilege strings, and descriptions for ArcGIS Online:

Category	Label	Privilege string	Description
Basemaps	Basemap styles service	`premium:user:basemaps`	Allow application to access the basemap styles service. Learn more
Geocoding	Geocode service	`premium:user:geocode`	Allow application to access the geocoding service. Learn more
Routing	Routing (Network analysis)	`premium:user:networkanalysis`	Allow application to access the routing service. Learn more
Data enrichment	GeoEnrichment service	`premium:user:geoenrichment`	Allow application to access the GeoEnrichment service. Learn more

Category	Label	Privilege string	Description
Feature analysis	Spatial analysis service	`premium:user:spatialanalysis`	Allow application to access the spatial analysis service. Learn more
Image analysis	Image analysis service	`premium:publisher:rasteranalysis`	Allow application to access image services to perform analysis. Learn more

Privilege selection window (ArcGIS Online)

Click Next.

Need troubleshooting help?

If the Privileges window is not visible when creating API key credentials, your ArcGIS Online account does not have the correct permissions. You need an ArcGIS account with a user type of Creator or higher. Your account must also have these additional privileges:

General privileges > Content > Generate API keys
General privileges > Content > Assign privileges to OAuth 2.0 applications

Your organization administrator can grant you these privileges using a custom role. To learn how, go to the ArcGIS Online documentation.

If you don't see a specific privilege in the Privileges window, there are several possible reasons:

The application type you selected may only allow a limited set of privileges. To access a broader set of privileges, choose a different type of application in the Where will you use these credentials? menu.

Certain location services are only available for ArcGIS Location Platform. Check the privileges available for your product type in Security and authentication > Privileges.
If you have an ArcGIS Location Platform account, you need to enable pay-as-you-go in the Billing section of your dashboard to access some services, such as the GeoEnrichment service.
If you have an ArcGIS Online account, your account may not have the correct role to access the services you need. Contact your organization administrator.

Set the expiration date and referrers

API key credentials generate long-lived access tokens called API keys. API keys are valid for up to one year, and their expiration date is set when they are generated. You can also set referrers on an API key, which restrict the key to only be usable from authorized domains.

In the Create developer credentials window, click on the Expiration date field. Set the expiration date of the access token to one month from today's date.
Set the Referrers field to the web domains you would like to restrict the access token to. This is highly recommended for security purposes. To learn more about referrers, go to API key credentials.
Click Next.

Save the item

After configuring the properties of your API key credentials, save the credentials as a new item.

In the Create developer credentials window, set the following properties:
- Title: My API key credentials
- Folder: Developer credentials (Create a new folder)
- Tags: Add tags related to the privileges of the credentials.
- Description: Describe the application that these developer credentials will be used in.
Click Next.
In the Summary window, review the properties, privileges, and item access you have set.

Warning
The API key access tokens that this credential generates will grant access to the privileges listed here. If any items were selected, ensure they do not contain any sensitive or confidential data. Follow security best practices regarding API key rotation, expiration date, and referrer URLs.
Click Next.

Copy the API key

In the Create developer credentials > Generate API key window, select Generate the API key and go to item details page. I am ready to copy and save the key.
Click Next.
Copy the API key from the window that appears and paste it into your application.

Attention
This is the only time you will be able to access the value of your API key access token. You will not be able to view it again. To get a new key, you need to regenerate one using the API key credentials item page.

Delete the API key (legacy)

Once you replace your API key (legacy) in your application with your new API key, you can safely delete the API key (legacy) item.

Go to Content > My content.
Click on the API key (legacy) item you want to delete. You will then be redirected to the item page of your API key (legacy) item.
Click on the Settings tab.
In General, click Delete Item > Delete.

What's next?

Learn how to use your API key to access secure ArcGIS resources in the following guides:

Mapping and location services

Portal and data services

Low-code/no-code app builders

Spatial analysis services

Offline mapping apps