FAQ

This guide is for ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more, ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more, and ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more developers implementing authentication in custom applications.

The table below shows the account types you can use and limitations:

The following resources are secure and require authentication to access:

• Portal: A portal is secure and requires users and applications to sign in. All content itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more are secure and may require authentication depending on their sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more.

• ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more, spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more, data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more, and the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.

• ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.

• Low/No-code applications: Applications built using low/no-code builders are hosted in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more and secure and may require authentication depending on their sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more.

• ArcGIS tools: All ArcGIS toolsTools, also known as developer tools, are ArcGIS software applications such as portal and ArcGIS Pro that developers can use to prepare content and data for custom applications they are building.Learn more are secure, such as ArcGIS ProArcGIS Pro is a professional desktop GIS application that can explore, visualize, analyze, and manage 2D and 3D data.Learn more, Map ViewerMap Viewer is a browser-based mapping tool that can view, create, and save web maps. It can also perform mapping, visualization, and spatial analysis operations.Learn more, Scene ViewerScene Viewer(™) is a browser-based mapping tool that can view, create, and save web scenes.Learn more.

• Subscriber and premium content: Subscriber content is a type of secure itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more hosted in ArcGIS Living Atlas that requires an ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more account. Premium content is a subtype of subscriber content that consumes credits.

The following table provides an overview of the functionality available with each type of authentication:

The privileges required for an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more depend on the resources and functionality required by your application. To view the complete list, go to Privileges.

The cost to access ArcGIS services depends on the type of ArcGIS account you have and the services you use.

1. If you have an ArcGIS Location Platform accountAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more, you are billed in US dollars. To determine the cost of accessing services, go to Pricing. A free tier is available for some services.

2. If you have an ArcGIS Online accountAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more, you are billed in creditsCredits are the currency used by ArcGIS Online Organization accounts to account for data storage and location service consumption. Credits are consumed for specific transactions, such as accessing location services, and types of storage, such as storing features, performing analytics, and using premium content.Learn more. To determine the cost of accessing services, go to Understanding credits.

Esri's Terms of Use documents include legal guidelines for the use of Esri products, services, and data.

Some of the key documents you will find are the:

1. Master Agreements
2. Product-specific Terms of Use
3. ArcGIS Location Platform Agreements
4. Data attributions and Terms of Use
5. Copyrights and Trademarks

A 401 Unauthorized or 403 Forbidden from an secure resourceA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more almost always points to one of these causes:

• The access token is set improperly. Confirm the request includes the token parameter (or Authorization: Bearer ... header) and that the value is a valid access token. See HTTP header authorization.
• The access token has been revoked. Make a /self request using the access token to confirm whether the token is valid. See Access tokens > View token properties.
• The access token does not have the correct privileges. Review the privileges of the access token to confirm it can access the service. In addition, the ArcGIS account used to generate the access token must also have the correct privileges. See Privileges.
• The origin of the request is not on the allowed referrers list. If you have set referrer restrictions, requests from any other origin will be rejected. See Developer credentials > Referrers.

If none of these apply, check the response body for an error.message — the service may return a specific reason for the error.

If you do not see an option for API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more in the developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more creation menu, your account might not have the correct privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more. If you have an ArcGIS Online account or an ArcGIS Enterprise accountAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more, your account needs the following privileges to create and assign authorization to API key credentials:

• General privileges > Content > Generate API keys
• General privileges > Content > Assign privileges to OAuth 2.0 applications

To get these privileges, ask your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more administrator to create a custom role for developers and assign it to your account. To learn more, go to "Roles" in the ArcGIS Online documentation or the ArcGIS Enterprise documentation.

If you do not see the Privileges or Item access windows when creating developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more, your account might not have the correct privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more. If you have an ArcGIS Online account or an ArcGIS Enterprise accountAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more, your account needs the privilege to work with developer credentials:

• General privileges > Content > Assign privileges to OAuth 2.0 applications

To get this privilege and related developer privileges, ask your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more administrator to create a custom role for developers and assign it to your account. To learn more, go to "Roles" in the ArcGIS Online documentation or the ArcGIS Enterprise documentation.

If a privilege is not available to your developer credentials, it may not be visible for the following reasons:

• Your account does not have the correct user type or roles.
• You have the wrong type of ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. The privileges available to you differ depending on if you use ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more, ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more, or ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more
• You do not have pay-as-you-go enabled in your ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more account.
• You are using a type of authentication that does not support the privileges you require. To learn more, go to Types of authentication.

Developer credentials allow you to track the service usage of your access tokens. You can monitor the usage of your credentials in order to view the token's resource consumption billing amount for a given period of time.

• ArcGIS Location Platform developers use the Location Platform DashboardThe Location Platform Dashboard is a dashboard in the ArcGIS Location Platform website used to manage billing, view developer credentials, and monitor layers and data service usage. It can only be accessed with an ArcGIS Location Platform account.Learn more to monitor service usage.
• ArcGIS Online and Enterprise developers can go to the item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more of their developer credentials item to monitor service usage. They can also generate usage reports.

We recommend creating separate developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more for each environment your application runs in (for example, local development, staging, and production). This allows you to:

• Restrict referrers per environment — production credentials only allow your production origin, staging credentials only allow your staging origin, and so on.
• Scope privileges for each credential to only the services and items that environment needs.
• Track usage independently so you can see real production traffic separately from test runs. See Usage tracking.
• Rotate and revoke non-production credentials without affecting the production environment, and vice versa.

By setting the Allowed Referrers of developer credentials, you can limit their use to only authorize requests coming from specific origins. Review the referrers set on your developer credentials by going to their item pageAn item page is a web page in ArcGIS Online or the developer dashboard used to access and manage the properties for an item and the content it references such as a web map, hosted layer, or file.Learn more and clicking Settings > Application > Referrers.

• Referrer URLs and IP address can be fully qualified URLs (https://www.example.com), wildcards URLs to include all subdomains (https://*.example.com), or an IP address (https://10.4.3.4).
• You may specify port number https://server.example.com:8840.
• Wildcards are supported only on the sub-domain part of the referrer. https://*.example.com will match https://www.example.com and https://anything.example.com. https://www*.exam*.com will match https://www2.example-service.com.
• Wildcard domains are supported on HTTPS only.
• Path matching: you can set https://www.example.com/start/path as a valid referrer and match https://www.example.com/start/path/ and https://www.example.com/start/path/subfolder/, but not https://www.example.com/start/path2.

API key credentials are available for the following account types:

• ArcGIS Location Platform accountsAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more
• ArcGIS Online accountsAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more:
  • Requires a user type of "Creator" or higher.
  • You need to be an administrator of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more or have a custom role with the following privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more: General privileges > Content > Generate API keys, General privileges > Content > Assign privileges to OAuth 2.0 applications.
• ArcGIS Enterprise accountsAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more:
  • Requires ArcGIS Enterprise version 11.4 or greater.
  • Requires a user type of "Creator" or higher.
  • You need to be an administrator of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more or have a custom role with the following privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more: General privileges > Content > Generate API keys, General privileges > Content > Assign privileges to OAuth 2.0 applications.

Support for API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more was added to ArcGIS Enterprise in version 11.4. It is not possible to access ArcGIS Enterprise servicesArcGIS Enterprise services are services an organization can host in ArcGIS Enterprise. This includes map services, feature services, tile services, geometry services, geoprocessing services, spatial analysis services, and many others.Learn more with an API key in versions prior to 11.4.

API keys (legacy)An API key (legacy) is a permanent access token created before June 2024 used for accessing ArcGIS location services. API keys (legacy) have been replaced with API key credentials and can no longer be created.Learn more are not supported in ArcGIS Enterprise.

Service usage with API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more is billed to the ArcGIS subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more associated with the developer's account. The developer who created the API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more, or the organization the developer belongs to, will incur all costs associated with the key.

Yes, API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more expire at a set time chosen during key generation. They expire after three months by default, but can be customized to remain valid for any amount of time between one day and one year.

For details on revoking or replacing a key, go to API key credentials.

If you discover that an API keyAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more has been pushed to a public repository, leaked in a screenshot, or otherwise exposed, treat it as compromised even if you do not have confirmation.

1. Revoke the key. Go to Developer credentials, select the affected API key, and use Manage developer credentials to revoke it. Revocation takes effect immediately.
2. Create a replacement key and deploy it to your application. Assign privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more to only the services and items the application requires.
3. Restrict referrers on the new key so it only works from your application's origins. See API key credentials > Referrers.
4. Review usage for the exposed key on the View usage tab to check whether it was used from unexpected origins or hit unusual service volumes before you revoked it.
5. Mitigate the exposure. Perform the necessary steps to ensure the new key is not exposed before updating your application.

Removing the key from the commit history of a public repository does not undo exposure — assume any value that was ever public has been scraped.

API key authentication is recommended for personal applicationsA personal application is an application used exclusively by its owner and not shared with others. It supports API key, user authentication, or app authentication.Learn more and automation scripts that are not shared to the public. If API keys are used in public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more, they should have a limited set of privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more, and have their referrer URLs configured to prevent the key from being stolen.

Each API key credentialAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more can hold up to two API key access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. This allows for applications in production to be rotated without downtime when a key expires or is revoked. To rotate without downtime, alternate between the two tokens — deploy your application with a new access token before invalidating the other.

During development, API keys should never be uploaded to remote code repositories such as GitHub. They are typically stored locally, and the exact method of importing them into an application depends on the programming language you are using.

Production applications may be deployed using API keys as long as the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of the keys are severely restricted:

• API keys used in public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more can easily be scraped by others. They should only be used to access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more, and must never be granted access to any sensitive or confidential data.

• API keys deployed in privateA private application is an application that requires users to sign in with an ArcGIS account. It supports user authentication.Learn more and personal applicationsA personal application is an application used exclusively by its owner and not shared with others. It supports API key, user authentication, or app authentication.Learn more can be granted broader access to services and hosted items.

In general, the following practices are always recommended:

• Limit the key's privileges to only the services and itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more it needs to access.
• Set referrers so the key only works when called from your application's origins.

For workloads where exposing a key is not acceptable — for example, requests that act on sensitive user data containing PII, — credentials should only be stored on a backend service using proxied requests. Alternatively, use OAuth 2.0 user authentication instead.

How you split API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more across a team depends on whether the key is being used for local development or for a deployed application.

• Local development: Issue a separate API key for every developer. If a key is leaked (committed to a fork, shared in a screenshot), you can revoke it without disrupting anyone else's workflow. Additionally, usage and billing of each development version can be monitored separately.
• Deployed applications: One key per application per deployed environment. An API key represents the application, not the developer.

Prior to June 2024, API key authentication used API keys (legacy)An API key (legacy) is a permanent access token created before June 2024 used for accessing ArcGIS location services. API keys (legacy) have been replaced with API key credentials and can no longer be created.Learn more. Legacy API keys have been retired and can no longer be created or modified. All legacy API keys will be revoked on June 27th, 2026. To learn more, go to API key (legacy) retirement.

All new API keys must be created using API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more.

To learn about more best practices for API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more, go to Security best practices.

User authentication requires OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more, which are available for the following account types:

• ArcGIS Location Platform accountsAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more
• ArcGIS Online accountsAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more:
  • Requires a user type of "Creator" or higher.
• ArcGIS Enterprise accountsAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more:
  • Requires a user type of "Creator" or higher.

Service usage with user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more is individually billed to the ArcGIS subscriptionsAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more of each user who signs in to your application. Service usage can still be tracked with the OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more used to create the application, but all costs will be billed to the organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more of users who sign in to the application.

Anyone with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more can sign in to apps that implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more. However, user authentication is typically used for the following account types:

• ArcGIS Online usersAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more that are a member of an ArcGIS Online organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more.
• ArcGIS Enterprise usersAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more that are a member of an ArcGIS Enterprise organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more.

User authentication is used to build sign-in-enabled private applicationsA private application is an application that requires users to sign in with an ArcGIS account. It supports user authentication.Learn more that require users to authenticate with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. It can be implemented in any environment, including client-facing applications, server-side applications, and full stack applications.

To learn about the best practices for user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more, go to Security best practices.

App authentication requires OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more, which are available for the following account types:

• ArcGIS Location Platform accountsAn ArcGIS Location Platform account, formerly known as an ArcGIS Developer account, is an identity associated with an ArcGIS Location Platform subscription.Learn more
• ArcGIS Online accountsAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more:
  • Requires a user type of "Creator" or higher.
  • You need to be an administrator of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more or a have custom role with the following privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more: General privileges > Content > Assign privileges to OAuth 2.0 applications.
• ArcGIS Enterprise accountsAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more:
  • Requires ArcGIS Enterprise 11.4 or greater for full functionality.
  • Requires a user type of "Creator" or higher.
  • You need to be an administrator of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more or a have custom role with the following privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more: General privileges > Content > Assign privileges to OAuth 2.0 applications.

Service usage with app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more is billed to the ArcGIS subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more associated with the developer's account. The developer who created the OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more, or the organization the developer belongs to, will incur all costs associated with the application.

App authentication is recommended for public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more with a server-side component, or for standalone console scripts. App authentication is more secure than API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more, as client credentials are stored securely and never exposed to the client.

To learn about the best practices for app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more, go to Security best practices.