OAuth credentials (for app authentication) | Documentation

OAuth credentials are an item used to support authentication workflows. They are required to implement user authentication and app authentication using OAuth 2.0 workflows.

Creating OAuth 2.0 credentials

Prerequisites

OAuth 2.0 credentials can be created using an ArcGIS Online account with a user type of Creator or higher. To create credentials for app authentication, the account also requires a custom role with this additional privilege:

General privileges > Content > Assign privileges to OAuth 2.0 applications

To learn more, go to the Product and account requirements.

Steps

The steps to create OAuth 2.0 credentials are explained in the Create OAuth credentials for app authentication tutorial:

Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.

ArcGIS portal

Both a client_id and client_secret from OAuth 2.0 credentials are required to implement app authentication.

Privileges

OAuth credentials include a privilege selector that can authorize access to secure ArcGIS services. Once privileges are configured using the selector, the resulting access token will be authorized to access the specified services and perform operations.

The privilege selector for developer credentials in ArcGIS Online.

The privileges available to OAuth credentials with an ArcGIS Online account generally include:

ArcGIS Location Services, such as the Basemap Styles service and Routing service.
Portal operations, such as managing users, items, and groups.
Spatial analysis services for performing feature and raster analysis operations.

The exact privileges available depend on the user type and role of the ArcGIS Online account that created the credentials.

Edit privileges

You can edit the privileges of your OAuth credentials to adjust the authorization level of your application.

Go to Settings on the item page of your OAuth credentials.
Under Application > Credentials, click the Edit button. In the warning that appears, click Continue. If this option is not available to your account, please refer to the Product and account requirements for app authentication.
Select a type of application that your key will be used in.
Select No item access if you do not want to grant access to any items, or select Grant access to specific items if you want to grant access to certain items in your portal. Then, click Next.
Select new privileges for your OAuth credentials using the privileges window. To view a list of all available privileges, go to Privileges.
Click Save to close the window. Then, click the Save button again under Application to update your developer credential.

Item access privileges

The item access menu for developer credentials

OAuth credentials also include an item access menu used to allow access to specific items in a portal. The resulting access tokens will be authorized to access any items you specify in this menu.

The items available in this menu include all of the items owned by your account with a sharing level of Private, Group, or Organization. OAuth credentials can be configured to access a maximum of 100 items.

Edit item access

You can edit the items that your OAuth credentials are authorized to access.

Go to Settings on the item page of your OAuth credentials.
Under Application > Credentials, click the Edit button. In the warning that appears, click Continue. If this option is not available to your account, please refer to the Product and account requirements for app authentication.
In the Item access window, select Grant access to specific items to grant access to specific items in your portal.
Select items to grant your OAuth credentials access to.
Click Save to close the window. Then, click the Save button again under Application to update your developer credential.

Referrers

The referrers field for developer credentials

A referrer is an HTTP header field used to identify the client requesting a server resource. This functions as a security measure, allowing applications to confirm their client's identity. When OAuth credentials have a specific HTTP referer header set, services can confirm that an incoming request's referrer matches one of the valid referrers assigned to that access token.

Specific domains can be provided or you can use wildcard characters (*) in the subdomain of your allowed referrer. For example https://*.your-app.com will allow the access token to be used on both https://dev.your-app.com and https://your-app.com. While it is also possible to restrict access token use to specific paths (https://your-app.com/page), we do not recommend this method because browsers may remove the path due to privacy concerns.

Usage tracking

All services and content accessed with OAuth credentials are tracked. You can monitor the usage of credentials in order to view the consumption of services and the billing amount.

ArcGIS Online developers use their portal to monitor service usage. To monitor service usage of OAuth credentials, use the following steps:

Go to ArcGIS.com and sign in to your portal with an ArcGIS Online account.
Click Content > My content.
Find the OAuth credentials item you would like to review usage for. Go to its item page.
Click Settings > Application > View usage.
Review the usage report for the OAuth credentials. The Credits view displays the number of credits the application has consumed. The Users view displays the number of users who have signed in to your application, if applicable.

In addition to these steps, ArcGIS Online administrators can use the portal to generate a usage report.