OAuth credentials (for app authentication) | Documentation

OAuth credentials are an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more used to support authentication workflows. They are required to implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more and app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more using OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more workflows.

Creating OAuth 2.0 credentials

Prerequisites

OAuth 2.0 credentials can be created using an ArcGIS Online account with a user type of Creator or higher. To create credentials for app authentication, the account also requires a custom role with this additional privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more:

General privileges > Content > Assign privileges to OAuth 2.0 applications

To learn more, go to the Product and account requirements.

Steps

The steps to create OAuth 2.0 credentials are explained in the Create OAuth credentials for app authentication tutorial:

Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.

ArcGIS portal

Both a client_id and client_secret from OAuth 2.0 credentials are required to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more.

Privileges

OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more include a privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more selector that can authorize access to secure ArcGIS servicesA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more. Once privileges are configured using the selector, the resulting access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more will be authorized to access the specified services and perform operations.

The privilege selector for developer credentials in ArcGIS Online.

The privileges available to OAuth credentials with an ArcGIS Online account generally include:

ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more, such as the Basemap Styles serviceThe ArcGIS Basemap Styles service, also referred to as the Basemap Styles service, is a location service that provides basemap styles and data for the world. It returns styles as Mapbox styles and web maps, and data as vector tiles and/or map tiles. It supports all of the styles in the ArcGIS Basemap style and Open Basemap style family. An ArcGIS Location Platform or ArcGIS Online account is required to use the service.Learn more and Routing serviceA routing service is a service that uses network analysis and streets data to calculate the most effective path and turn-by-turn directions on a street network, optimize fleet routing and deliveries, find the closest facilities, calculate service areas, and more. It is hosted by Esri as the ArcGIS Routing service and can also be hosted in ArcGIS Enterprise.Learn more.
PortalA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations, such as managing users, items, and groups.
Spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more for performing feature and raster analysis operations.

The exact privileges available depend on the user type and role of the ArcGIS Online account that created the credentials.

Edit privileges

You can edit the privileges of your OAuth credentials to adjust the authorization level of your application.

Go to Settings on the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more.
Under Application > Credentials, click the Edit button. In the warning that appears, click Continue. If this option is not available to your account, please refer to the Product and account requirements for app authentication.
Select a type of application that your key will be used in.
Select No item access if you do not want to grant access to any items, or select Grant access to specific items if you want to grant access to certain items in your portal. Then, click Next.
Select new privileges for your OAuth credentials using the privileges window. To view a list of all available privileges, go to Privileges.
Click Save to close the window. Then, click the Save button again under Application to update your developer credential.

Item access privileges

The item access menu for developer credentials

OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more also include an item access menu used to allow access to specific itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more. The resulting access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more will be authorized to access any items you specify in this menu.

The items available in this menu include all of the items owned by your account with a sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more of Private, Group, or Organization. OAuth credentials can be configured to access a maximum of 100 items.

Edit item access

You can edit the items that your OAuth credentials are authorized to access.

Go to Settings on the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more.
Under Application > Credentials, click the Edit button. In the warning that appears, click Continue. If this option is not available to your account, please refer to the Product and account requirements for app authentication.
In the Item access window, select Grant access to specific items to grant access to specific items in your portal.
Select items to grant your OAuth credentials access to.
Click Save to close the window. Then, click the Save button again under Application to update your developer credential.

Referrers

The referrers field for developer credentials

A referrer is an HTTP header field used to identify the client requesting a server resource. This functions as a security measure, allowing applications to confirm their client's identity. When OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more have a specific HTTP referer header set, services can confirm that an incoming request's referrer matches one of the valid referrers assigned to that access token.

Specific domains can be provided or you can use wildcard characters (*) in the subdomain of your allowed referrer. For example https://*.your-app.com will allow the access token to be used on both https://dev.your-app.com and https://your-app.com. While it is also possible to restrict access token use to specific paths (https://your-app.com/page), we do not recommend this method because browsers may remove the path due to privacy concerns.

Usage tracking

All services and content accessed with OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more are tracked. You can monitor the usage of credentials in order to view the consumption of services and the billing amount.

ArcGIS Online developers use their portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more to monitor service usage. To monitor service usage of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more, use the following steps:

Go to ArcGIS.com and sign in to your portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more with an ArcGIS Online accountAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more.
Click Content > My content.
Find the OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more item you would like to review usage for. Go to its item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.
Click Settings > Application > View usage.
Review the usage report for the OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more. The Credits view displays the number of credits the application has consumed. The Users view displays the number of users who have signed in to your application, if applicable.

In addition to these steps, ArcGIS Online administrators can use the portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more to generate a usage report.