Introduction to app authentication | Documentation

App authentication is a type of authentication that generates short-lived access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more based on a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. The access tokens are associated with your ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more, and can be used to to authenticate requests to access secure ArcGIS servicesA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more and itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more.

App authentication is typically implemented on a web server or in standalone console scripts. This is to avoid exposing the confidential client_id and client_secret values contained within OAuth credentials. App authentication is not recommended for client applications without a web server, or in sign-in apps that require authentication with an ArcGIS account.

You can use app authentication to:

Create web servers and automation scripts that access the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more and spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more.
Create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that do not require users to sign in.
Build applications that access location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and items such as hosted layersA hosted layer is an item in a portal that contains the properties and settings for a hosted data service or a layer in a hosted data service.Learn more and data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more.
Authenticate with an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more process that provides better security than API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more.
Access secure resources with the privileges of your ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more.

How app authentication works

Diagram showing the ArcGIS app authentication flow, where an application authenticates using its client credentials to obtain an access token directly from the authorization server for accessing ArcGIS services.

The client credentials flow used in app authentication. To learn more, go to Client credentials flow

Apps that implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more submit requests for access tokens using an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more client_id and client_secret. These values are generated from OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more and should remain confidential at all times.

The high-level process of app authentication is as follows:

Include a client_id and client_secret from OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more in your server script.
Create an endpoint for clients to request access tokens.
When a client requests a token, submit a request to the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more of your portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.
Deliver the resulting access token to the client.
The client uses the access token to access secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.

Include a client_id and client_secret from OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more in your script.
Submit a request to the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more of your portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.
Use the resulting access token to access secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more

OAuth credentials

OAuth credentials are an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more used to support multiple types of authentication. They are required to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more. The most common pattern is to create a new OAuth credentials item for each application. OAuth credentials are used to obtain a client IDA Client ID is an identifier associated with an application that assists with client / server OAuth 2.0 authentication for ArcGIS client APIs.Learn more and client secret for your app, as well as to determine the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more your application will have access to.

Product and account requirements

App authentication is available with ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more, ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more, and ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more.

ArcGIS Location Platform

All ArcGIS Location Platform accounts have the correct privileges to manage app authentication by default.

ArcGIS Online

App authentication requires an ArcGIS Online account with a user type of Creator or higher. The account must also have this additional privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more:

General privileges > Content > Assign privileges to OAuth 2.0 applications

Your organization administrator can grant you this privilege using a custom role. Learn more in the FAQ.

ArcGIS Online Trial: App authentication is not available in ArcGIS Online Trial subscriptions, as these accounts cannot assign privileges to OAuth 2.0 credentials.

ArcGIS for Personal Use: App authentication is not available in ArcGIS Online subscriptions purchased through ArcGIS for Personal Use, as these accounts cannot assign privileges to OAuth 2.0 credentials.

ArcGIS Hub: App authentication is not available with for accounts with the Hub Community Member user type. This includes community administrators.

ArcGIS Enterprise

App authentication requires an ArcGIS Enterprise account with a user type of Creator or higher. The account must also have this additional privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more:

General privileges > Content > Assign privileges to OAuth 2.0 applications

Your organization administrator can grant you this privilege using a custom role. Learn more in the FAQ.

Supported versions: The steps in this chapter apply to the latest version of ArcGIS Enterprise (12.0). To view steps for previous versions of Enterprise, go to Developer credentials for ArcGIS Enterprise.

Limitations

Location services

ArcGIS Enterprise limitations: App authentication cannot be used to access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more with ArcGIS Enterprise. However, it can still be used to access secure itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in your Enterprise portal, such as locators (geocoding services)A locator is an ArcGIS dataset that stores address information and the rules for translating descriptions of places (such as street addresses or place names) into spatial data that can be displayed on a map.Learn more and hosted data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more.

OAuth 2.0 credentials

Creating credentials: There is no limit to the number of OAuth 2.0 credentials you can create.

Accessing items: An OAuth 2.0 credential can be configured to access a maximum of 100 itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more you own.

Tutorials

Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.

ArcGIS portal

Service support

The following table provides an overview of the functionality available with each type of authentication:

	API key authentication	User authentication	App authentication
ArcGIS Location Services	¹	¹	¹
Data services (Item access)	²
Spatial analysis services	¹		¹
Portal service (General privileges)
Portal service (Admin privileges)

Full supportPartial supportNo support

1. Supported with ArcGIS Online and ArcGIS Location Platform.
2. Supported, but not recommended due to security risks.

API support

	App authentication
ArcGIS Maps SDK for JavaScript
ArcGIS Maps SDK for .NET
ArcGIS Maps SDK for Kotlin
ArcGIS Maps SDK for Swift
ArcGIS Maps SDK for Flutter
ArcGIS Maps SDK for Java
ArcGIS Maps SDK for Qt
ArcGIS API for Python
ArcGIS REST JS
Leaflet
MapLibre GL JS
OpenLayers
CesiumJS

Full supportPartial supportNo support