How to implement app authentication | Documentation

This topic outlines the high-level steps of how to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more.

1. Create OAuth credentials
Create developer credentials in your organization's portal.
2. Implement a client credentials flow
Add authorization code to your app.
3. Make a request
Use an access token to authorize service requests.

1. Create OAuth credentials

App authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more requires a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. These credentials determine the privileges available to your application, and are used to generate a client ID and client secret. Please review the product and account requirements for app authentication prior to creation.

2. Implement a client credentials flow

Diagram showing the ArcGIS app authentication flow, where an application authenticates using its client credentials to obtain an access token directly from the authorization server for accessing ArcGIS services.

The client credentials authorization flow

App authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more uses an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more authorization flow with a grant type of client_credentials. This involves making a request to the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more with a client_id and client_secret from OAuth credentials. The high-level steps to implement this flow are as follows:

Paste the client_id and client_secret from a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more into your application.
Submit a POST request to the token endpointAn token endpoint is an endpoint of a portal service that can be queried to request an access token. It is used to implement user authentication OAuth2.0 flows.Learn more, either directly or through a helper class provided by an ArcGIS APIAn ArcGIS API is a web, native, game engine, or scripting API that has advanced mapping and spatial analysis capabilities and can be used to access ArcGIS services. ArcGIS APIs are designed to work optimally with the ArcGIS system and provide the most advanced GIS features and the highest performance possible.Learn more.
Use the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more returned in the response. If you made the request on a server, you can now send the access token to your client application.

ArcGIS APIs

ArcGIS REST JS provides an ApplicationCredentialsManager class that can be used to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more.

Use dark colors for code blocksCopy
import { ApplicationCredentialsManager } from "@esri/arcgis-rest-request";
import { geocode } from "@esri/arcgis-rest-geocoding";

const appManager = ApplicationCredentialsManager.fromCredentials({
  clientId: "YOUR_CLIENT_ID",
  clientSecret: "YOUR_CLIENT_SECRET"
});

appManager.refreshToken().then((manager) => {

Go to topic

Server-side examples

The following examples show how to set up a web server that implements app authentication and passes the resulting access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to a client application.

3. Make a request

Implementing app authentication successfully will grant an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to your application when it requests one. The access token will have privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more defined by the OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more used to supply the client_id and client_secret.

ArcGIS APIs and SDKs

If you use app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more, the access token returned from the /oauth2/token endpoint can be used directly in requests.

The examples below show how to display a map using an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more.

ArcGIS Maps SDK for JavaScript

ArcGIS API for Python

Leaflet

MapLibre GL JS

OpenLayers

Use dark colors for code blocksCopy
      esriConfig.apiKey = "YOUR_ACCESS_TOKEN";
      const map = new Map({
        basemap: "arcgis/topographic", // Basemap layer
      });

      const view = new MapView({
        map: map,
        center: [-118.805, 34.027],
        zoom: 13, // scale: 72223.819286
        container: "viewDiv",
        constraints: {
          snapToZoom: false,
        },
      });

ArcGIS REST APIs

Your application can also include the access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more in requests to REST APIsArcGIS REST APIs are the API specifications for all ArcGIS location services and ArcGIS Enterprise services. They define the operations, parameters, and structures required to make HTTPS requests.Learn more by setting the token parameter.

This example shows how to geocode an address with the geocoding serviceA geocoding service is a service that can search for addresses, place addresses, businesses, reverse geocode coordinates to addresses, provide suggestions for places, and perform bulk geocoding. It is hosted by Esri as the ArcGIS Geocoding service and can also be hosted in ArcGIS Enterprise.Learn more.

cURL

HTTP

Use dark colors for code blocks

Copy

1
2
3
4
curl https://geocode-api.arcgis.com/arcgis/rest/services/World/GeocodeServer/findAddressCandidates \
-d "f=pjson" \
-d "address=1600 Pennsylvania Ave NW, DC" \
-d "token=<YOUR_ACCESS_TOKEN>"

Go to topic

Use dark colors for code blocksCopy
{
    "spatialReference": {
      "wkid": 4326,
      "latestWkid": 4326
    },
    "candidates": [
      {
        "address": "1600 Pennsylvania Ave NW, Washington, District of Columbia, 20500",
        "location": {
          "x": -77.036548499999995,
Expand

Tutorials

Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.

ArcGIS portal