Tutorial: Create OAuth credentials for app authentication | Documentation

Learn how to create OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more with ArcGIS Location Platform to support app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more.

The first window of the Developer credentials creator with the OAuth 2.0 credentials (for App authentication) option selected. The account used is an ArcGIS Location Platform account.

The developer credentials creation interface in a portal

OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more are an itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more required to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more. They contain client_id and client_secret parameters that are used to implement an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more client credentials flow. The item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of OAuth credentials allows you to manage settings related to app authentication, including the authorized privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of an application.

This tutorial shows you how to create OAuth credentials for use in app authentication and do the following:

Configure privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more to allow your application to access ArcGIS services, content, and functionality.
Set authorized referrer URLs.
Manage settings of the OAuth credentials and monitor usage using its item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.

This tutorial focuses on creating OAuth 2.0 credentials for a private application with selected privileges and access.

Prerequisites

You need an ArcGIS Location Platform accountAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more.
You need to know the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more required by your application. The privileges assigned to developer credentials allow your application to access ArcGIS services and resources.

Steps

You use your portal to create and manage items, including OAuth credentials.

In your web browser, go to https://location.arcgis.com, and sign in with your ArcGIS Location Platform account. In the dashboard, click My portal to go to your portal.

Create a new item

In your portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more, click Content > My content > New item.
Click Developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more.
In the credential type screen, select OAuth 2.0 credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more and click Next.

Need troubleshooting help?

If the Developer credentials option is not visible when creating a new item, your ArcGIS Online account does not have the correct permissions. You need an ArcGIS account with a user type of Creator or higher. Learn more about user types in the ArcGIS Online documentation.

If the Select credential type menu does not display when creating developer credentials, OAuth 2.0 credentials will still be created by default. This menu only displays if your account has privileges to create multiple types of developer credentials, such as API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more.

Select application type

You can configure your OAuth 2.0 credentials in the Where will you use these credentials? menu to define how your credentials will be used. This setting restricts where and how the credentials can be used and helps prevent unauthorized access to secure services.

For this tutorial, select Private application with selected privileges and access.
Click Next.

Select items (optional)

If your application will require access to specific private itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more, you will need to configure your developer credentials to access them. The Item access menu allows you to browse your portal'sArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more content and grant your developer credentials access to specific items.

If your token does not require item access, select No item access. Then, click Next.
Otherwise, select Grant access to specific items.
Select the items you want to grant access to. You can select up to 100 items in this menu.
Click Next.

Select privileges

You can configure the settings of OAuth 2.0 credentials to configure the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of access tokens granted via app authentication. For an access token to work in your application, it needs to have the correct privileges to access the content and services your app is using. Select the privileges your app requires in this menu.

In the Create developer credentials > Privileges window, browse the available privileges.

Browse the table below to view the available privileges, privilege strings, and descriptions for ArcGIS Location Platform:

Category	Label	Privilege string	Description
Basemaps	Basemap styles service	`premium:user:basemaps`	Allow application to access the basemap styles service. Learn more
Basemaps	Static basemap tiles	`premium:user:staticbasemaptiles`	Allow application to access the static basemap tiles service. Learn more
Static maps	Static maps service (beta)	`premium:user:staticmaps`	Allow application to access the static maps service. Learn more
Places	Place finding	`premium:user:places`	Allow application to access the places service. Learn more
Geocoding	Geocode (stored)	`premium:user:geocode:stored`	Allow application to access the geocoding service and perform stored geocodes. Learn more
Geocoding	Geocode (not stored)	`premium:user:geocode:temporary`	Allow application to access the geocoding service and perform geocodes that are not stored. Learn more
Routing	Routing	`premium:user:networkanalysis:routing`	Allow application to access the routing service and perform standard routing operations. Learn more
Routing	Closest facility	`premium:user:networkanalysis:closestfacility`	Allow application to access the routing service and perform closest facility routing operations. Learn more
Routing	Location allocation	`premium:user:networkanalysis:locationallocation`	Allow application to access the routing service and perform location allocation operations. Learn more
Routing	Optimized routing	`premium:user:networkanalysis:optimizedrouting`	Allow application to access the routing service and perform optimized routing operations. Learn more
Routing	Origin/destination cost matrix	`premium:user:networkanalysis:origindestinationcostmatrix`	Allow application to access the routing service and generate travel cost matrices. Learn more
Routing	Service area	`premium:user:networkanalysis:servicearea`	Allow application to access the routing service and generate service areas. Learn more
Routing	Multi-vehicle routing	`premium:user:networkanalysis:vehiclerouting`	Allow application to access the routing service and perform fleet routing operations. Learn more
Routing	Last mile	`premium:user:networkanalysis:lastmiledelivery`	Allow application to access the routing service and perform routing operations for last mile delivery. Learn more
Routing	Snap to roads	`premium:user:networkanalysis:snaptoroads`	Allow member to perform network analysis tasks such as snap GPS track points to roads. Learn more
Data enrichment	GeoEnrichment service	`premium:user:geoenrichment`	Allow application to access the GeoEnrichment service. Learn more
Elevation	Elevation service	`premium:user:elevation`	Allow application to access the elevation service. Learn more

Category	Label	Privilege string	Description
Feature analysis	Spatial analysis service	`premium:user:spatialanalysis`	Allow application to access the spatial analysis service. Learn more

Category	Label	Privilege string	Description
AI assistants	Use AI assistants	`portal:user:useAIAssistants`	Allow member to use generative AI and ArcGIS assistants.
Members	View	`portal:user:viewOrgUsers`	Allow application to view members of the organization.
Members	Take ArcGIS Pro license offline	`portal:user:arcgispro:takeLicenseOffline`	Allow member to take their ArcGIS Pro license offline. Requires "ArcGIS Pro offline settings" to allow taking ArcGIS Pro license offline.
Groups	Join organizational groups	`portal:user:joinGroup`	Allow application to join groups within your organization.
Groups	Join external groups	`portal:user:joinNonOrgGroup`	Allow application to join groups external to your organization.
Groups	View groups shared with organization	`portal:user:viewOrgGroups`	Allow application to view groups shared with the organization.
Content	Publish hosted feature layers	`portal:publisher:publishFeatures`	Allow application to publish hosted feature layers from shapefiles, CSVs, etc.
Content	Publish hosted tile layers	`portal:publisher:publishTiles`	Allow application to publish hosted tile layers from tile packages, features, etc.
Content	Publish hosted scene layers	`portal:publisher:publishScenes`	Allow application to publish hosted scene layers.
Content	Published hosted tiled imagery layers	`portal:publisher:publishTiledImagery`	Allow application to publish hosted tiled imagery layers from a single image or collection of images. Requires an ArcGIS Image for ArcGIS Online user type extension.
Content	View location tracks	`portal:user:viewTracks`	Allow application to view members' location tracks via shared track views when location sharing is enabled.
Content	Create and run data pipelines	`portal:publisher:createDataPipelines`	Allow application to create, edit, and run data pipelines.
Sharing	Make groups visible to organization	`portal:user:shareGroupToOrg`	Allow application to make groups discoverable by your organization.
Sharing	Make groups visible to public	`portal:user:shareGroupToPublic`	Allow application to make groups discoverable by the public.
Apps and capabilities	Allow beta access	`portal:user:allowBetaAccess`	Allow members to access Esri beta apps and capabilities.

Category	Label	Privilege string	Description
Groups	View all	`portal:admin:viewGroups`	Allow application to view all groups within your organization.
Groups	Update	`portal:admin:updateGroups`	Allow application to update groups within your organization.
Groups	Delete	`portal:admin:deleteGroups`	Allow application to delete groups within your organization.
Groups	Reassign ownership	`portal:admin:reassignGroups`	Allow application to reassign groups to other members within your organization.
Groups	Assign members	`portal:admin:assignToGroups`	Allow application to assign your members to, update your member's group role, and remove your members from groups within your organization.
Groups	Create with leaving disallowed	`portal:admin:createLeavingDisallowedGroup`	Allow application to create and own groups that do not allow members to leave (administrative groups).
Content	View all	`portal:admin:viewItems`	Allow application to view all content within your organization.
Content	Publish web tools	`portal:publisher:publishServerGPServices`	Allow application to publish web tools.
Content	Create and manage administrative reports	`portal:admin:createReports`	Allow application to create and manage administrative reports for your organization
Organization settings	Organization website	`portal:admin:manageWebsite`	Allow application to manage the organization's website settings.
Organization settings	Collaborations	`portal:admin:manageCollaborations`	Allow application to manage the organization's collaborations.
Organization settings	Utility services	`portal:admin:manageUtilityServices`	Allow application to manage the organization's utility service settings

Select the privileges required by your application and click Next.

Need troubleshooting help?

If the Privileges window is not visible when creating API key credentials, your ArcGIS Online account does not have the correct permissions. You need an ArcGIS account with a user type of Creator or higher. Your account must also have these additional privileges:

General privileges > Content > Generate API keys
General privileges > Content > Assign privileges to OAuth 2.0 applications

Your organization administrator can grant you these privileges using a custom role. To learn how, go to the ArcGIS Online documentation.

If you don't see a specific privilege in the Privileges window, there are several possible reasons:

The application type you selected may only allow a limited set of privileges. To access a broader set of privileges, choose a different type of application in the Where will you use these credentials? menu.

Certain location services are only available for ArcGIS Location Platform. Check the privileges available for your product type in Security and authentication > Privileges.
If you have an ArcGIS Location Platform account, you need to enable pay-as-you-goPay-as-you-go refers to a type of billing where services are metered and you pay only for the services you use.Learn more in the Billing section of your dashboard to access some services, such as the GeoEnrichment service.
If you have an ArcGIS Online account, your account may not have the correct role to access the services you need. Contact your organization administrator.

Set referrer URLs

You can set referrer URLs on OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more that restrict the credentials to only be usable from authorized domains. This is highly recommended for security purposes.

In the next window, scroll down to Referrer URLs.
Set the Referrers field to the web domains you would like to restrict the access token to. To learn more about referrers, go to OAuth credentials (for app authentication).
Click Next.

Save the item

After configuring the properties of your OAuth credentials, you can save the credentials as a new itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more.

In the Create developer credentials window, set the following properties:
- Title: My OAuth credentials (for app authentication)
- Folder: Developer credentials (Create a new folder)
- Tags: Add tags related to the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of the credentials.
- Description: Describe the application that these developer credentials will be used in.
Click Next.
In the Summary window, review the properties, privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more, and item access you have set.
Click Create to create your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more.

Copy the client ID and client secret

Your OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more contain client_id and client_secret parameters that are required to implement app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more. Copy these values and paste them into your application or script.

On the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of your OAuth credentials, scroll down to Credentials.
Copy the Client ID and Client Secret values and paste them into your application. Never expose the value of your client secret.

Manage your credentials

After creating an OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more item, its privileges and item access can be managed at any time by going to the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more.

To learn more and see management steps, go to OAuth credentials (for app authentication).

Additional resources

Learn more about app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more in the following topics: