API keys

An Application programming interface key (API key) is a unique identifier used to authenticate a user, developer, or calling program to ArcGIS Platform. API keys are used to authenticate a calling program within the API rather than an individual user.

An API key is created for you when you sign up for an ArcGIS Developer account. If you already have an ArcGIS account, you can sign in to view your default API key or create new API keys.

Use your API key

You can configure your default API key or create a new API key from the ArcGIS Developer dashboard.

  1. To create a new API key, click New API Key; to edit the location services, content and items, or referrer header(s) of an existing API key, click Edit Key.
    • Assign a Title and Description to your new API key.
    • Click Save Settings to save the new API key.
  2. Configure the Location services your API key is permitted to access.
    • To add a Location service, on the API key form > Overview tab > Location services tile, click Configure services.
    • Click to check the service(s) you wish to add to this API key from the Configure services pop-up.
    • Click Update services to save these services to your API and close the pop-up.
  3. Add map and layer content and items to your API key.
    • On the Content and items tile, click Add items.
    • Search for a map or layer from the search menu. You can limit this search field by type (hosted feature layer, tile layer, web map, GeoJSON, or CSV) or search for all item types.
    • When you have located and selected map and layer item(s), click Add Items to close the pop-up.
  4. Add a Referrer header(s) to your API key.
    • On the Referrer tile, click Add Referrer.
    • Enter the Referrer header address (URL) to use with this API key.
    • Click Add Referrer Header to close this pop-up.
  5. Monitor usage of your API keys.
    • Click the Usage tab to view and monitor usage of this API key.
  6. Click the Settings tab to change the title or description of your API, disable protections, or to delete it from the system.

Using your API key

API endpoints on ArcGIS Platform support apiKey or token parameters, to which you can pass your API key. Client APIs support either a single, global API key, which can be used for all requests, or an API key can be passed to a specific method, or class, or both.

ArcGIS JS APIEsri LeafletMapbox GL JSOpenLayersArcGIS .NET APIArcGIS Android APIArcGIS iOS APIArcGIS Java APIArcGIS Qt API (C++)ArcGIS Qt API (QML)
                                                   
<html>

<head>
  <meta charset="utf-8">
  <meta name="viewport" content="initial-scale=1, maximum-scale=1, user-scalable=no">
  <title>ArcGIS Developer Guide: Display a map (2D)</title>
  <style>
    html,
    body,
    #viewDiv {
      padding: 0;
      margin: 0;
      height: 100%;
      width: 100%;
    }
  </style>

  <link rel="stylesheet" href="https://js.arcgis.com/4.18//esri/themes/light/main.css">
  <script src="https://js.arcgis.com/4.18//"></script>

  <script>
    require([
     "esri/config",
      "esri/Map",
      "esri/views/MapView"
    ], function (esriConfig,Map, MapView) {

      esriConfig.apiKey= "YOUR-API-KEY";
      const map = new Map({
        basemap: "arcgis-topographic" // Basemap layer
      });

      const view = new MapView({
        map: map,
        center: [-118.805, 34.027],
        zoom: 13, // scale: 72223.819286
        container: "viewDiv",
        constraints: {
          snapToZoom: false
        }
      });

    });
  </script>
</head>

<body>
  <div id="viewDiv"></div>
</body>

</html>

Configure your API key

You can edit the location services, content and items, or referrer header(s) configured to an existing API key, monitor its usage, and update its name, description, and other settings. API key settings are configured from the ArcGIS Developer dashboard API keys tab. See the set and manage an API key tutorial for details.

Available services

API keys can be given permissions to access different services. The following location services can be accessed with API keys. Some services have multiple "scopes". For example, you can choose to enable Routing but not Closest Facility on the routing service for an individual API key.

ServiceAvailable scopes
Basemap layer serviceBasemaps (enabled by default)
Geocoding serviceGeocoding (stored) / Geocoding (not stored)
Routing serviceRouting / Routing (asynchronous or optimized); Closest Facility / Closest Facility (asynchronous); Service Area / Service Area (asynchronous); Location Allocation; Multi-Vehicle Routing; Origin Destination Cost Matrix Service
GeoEnrichment serviceGeoEnrichment

ArcGIS Developer accounts have a free tier for many operations. See the Pricing page for service cost details for ArcGIS Developer accounts. Transactions beyond the free limit require enabling pay as you go with a credit card, usage will be billed monthly. ArcGIS Online organizations consume service credits for some services. See the ArcGIS Online pricing page for information about service credits.

Access content and items (beta)

Only ArcGIS Developer accounts can use API keys to read private content. ArcGIS Organization users should use OAuth 2.0 to obtain ArcGIS identity credentials to read private user content and access services on a user's behalf.

Referrers

An HTTP referer is an HTTP header field used to identify the client requesting the server resource. This functions as a security measure, allowing applications to confirm the identity of their clients. If an API key does not have specific, defined HTTP referers, any request using the API key is valid. When an API key configures a specific HTTP referer header, then services confirm that an incoming request's referrer matches one of the valid referrers affiliated with the key.

You can also use wildcard characters (*) in the subdomain of your allowed referrer, for example https://*.your-app.com will allow the API key to be used on both https://dev.your-app.com and https://your-app.com. While it is also possible to restrict API key use to specific paths (https://your-app.com/page), we do not recommend this method because browsers may remove the path due to privacy concerns. We recommend setting only your domain name (with protocol) as the value for the allowed HTTP referer headers.

We recommend setting only your domain name (with protocol) as the value for the allowed HTTP referer headers.

Monitoring usage