Client credentials flow | Documentation

Diagram showing the ArcGIS app authentication flow, where an application authenticates using its client credentials to obtain an access token directly from the authorization server for accessing ArcGIS services.

The client credentials flow

ArcGIS uses a client credentials flow to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more. In this flow, a secure server uses a client_id and client_secret from a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more to request an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more, then delivers the token to a client application.

The diagram above explains this flow using the following steps:

OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more are registered in the portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more to obtain a client_id and client_secret.
The confidential client_id and client_secret are stored in a server-side component.
The server gets an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more by submitting a request to your organization's portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more
The server delivers the access token to the client application upon request.
The client application uses the access token to authorize requests to secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.

This flow adheres to the client_credentials grant type defined in the OAuth 2.0 specificationOAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more. The main benefit of this flow is that the server handles requesting an access token, ensuring that the confidential client_id and client_secret values are never exposed to the client application. To read more about the client credentials protocol, go to OAuth 2.0 RFC 6749 section 4.4.

Manual implementation

The remainder of this page shows how to manually implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more by making direct requests to your organization's portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more. The sample is written in JavaScript, but can be implemented in any language by making HTTP requests.

Create OAuth credentials

App authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more requires a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. These credentials determine the privileges available to your application, and are used to generate a client ID and client secret. Please review the product and account requirements for app authentication prior to creation.

Configure authentication variables

Copy the client_id and client_secret parameters from your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more and paste them into a new application.
server.js
Use dark colors for code blocks
```
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
const clientId = 'YOUR_CLIENT_ID';
const clientSecret = 'YOUR_CLIENT_SECRET';
```

Request the token endpoint

App authentication is implemented by submitting a request to the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more of your ArcGIS organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more.

Find the URL of the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more for your ArcGIS organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more. For ArcGIS Online and Location Platform users, the token endpoint is https://www.arcgis.com/sharing/rest/oauth2/token.
server.js
Use dark colors for code blocks
```
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
const token_endpoint = ' https://www.arcgis.com/sharing/rest/oauth2/token';
```

Submit an HTTP POST request to the endpoint. Include your client_id, client_secret, and a grant_type parameter set to 'client_credentials'.

server.js
Use dark colors for code blocks
const token_endpoint = ' https://www.arcgis.com/sharing/rest/oauth2/token';

const response = await fetch(token_endpoint, {
    method: 'POST',
    headers: {
        "Content-type":"application/x-www-form-urlencoded"
    },
    body: new URLSearchParams({
        'grant_type':'client_credentials',
        'client_id':clientId,
        'client_secret':clientSecret
    })
})

Use the token

After obtaining the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more, you can use it to authorize requests directly from the server or alternatively deliver it to a client application. The method of implementation depends on the framework and libraries you are using.