Introduction to security and authentication

This topic provides an overview of the key concepts and terminology you should be familiar with before implementing authentication in your applications.

Security in ArcGIS

ArcGIS is a secure system that requires authentication to access all secure apps, content, data, and services. It implements industry-standard protocols to ensure that only authorized users and applications can access .

Some common workflows that use security in ArcGIS are:

  • ArcGIS users sign in to apps such as , and .
  • Developers create custom applications that use authentication to access .
  • Administrators manage the and roles of users to enhance security within their .
  • Members of an organization upload and content securely in a .

What is authentication?

Authentication is the process of verifying the identity of a user or application in ArcGIS. Authentication allows users and applications to access secure resources such as a , , and other .

Authorization is the process of verifying client prior to accessing a secure resource. After users and applications successfully authenticate with ArcGIS, the they are trying to access will authorize the request if they have the appropriate privileges.

How authentication works

ArcGIS uses token-based authentication for all requests. Authentication works by interacting with a to get an . The access token contains information that determines the of the application as well as the associated ArcGIS account. Once obtained, the access token is included in requests to provide authorization for .

The general process of authentication includes the following:

  1. Authenticate with a to get an access token.
  2. Use the access token to authorize requests to secure resources.

Below is a sample HTTP request to access a secure resource in ArcGIS with an .

1
https://<SERVICE_URL>?token=<YOUR_ACCESS_TOKEN>
Basic authentication process
An overview of how authentication works in ArcGIS

Types of authentication

ArcGIS supports three types of authentication to get an . Each type requires following a specific workflow and supports the development of a specific type of application.

Authentication comparison

The following table provides an overview of the functionality available with each type of authentication:

API key authenticationUser authenticationApp authentication
ArcGIS Location Services
Data services (Item access)
Spatial analysis services11
Portal service (General privileges)11
Portal service (Admin privileges)11
Full supportPartial supportNo support
  • 1. Supported with ArcGIS Online and ArcGIS Location Platform.

Terminology

This section contains important terminology you should be familiar with before implementing authentication in your apps.

ArcGIS accounts

You need an to implement authentication in custom applications. The following table shows the supported types of authentication for each type of account:

ArcGIS Location Platform accountArcGIS Online accountArcGIS Enterprise account
API key authentication12
User authentication
App authentication12
Full supportPartial supportNo support
  • 1. Requires an administrator account or a custom role with developer privileges.
  • 2. Supported in ArcGIS Enterprise 11.4 or greater. Requires an administrator account or a custom role with developer privileges.

If you are using an or an , your account must have certain enabled to create with privileges and item access. To learn more, go to the FAQ.

Public applications

A is an application developers create that does not require to sign in with an .

Public applications typically implement or to authenticate requests to without prompting users to sign in. Usage costs for accessing secure resources in a public application are billed to the developer's account. Developers with an or account can choose to omit authentication in public apps if the application only accesses resources with a sharing level set to Everyone (public).

Private applications

A is an application developers create that requires to sign in with an . Private applications implement and are typically built by or developers for of an . Usage costs for accessing secure resources in a private application are billed to the accounts of users.

Developer credentials

are a type of in a portal that contains the necessary properties for authentication. You can create and manage developer credentials in your to support all types of authentication. In most cases, a developer credential is created for every application you create.

You can use developer credentials to:

  • Create, regenerate, and invalidate in .
  • Obtain an client ID for .
  • Obtain an client ID and client secret for .
  • Define the and access of your application.
  • Authorize redirect URIs and referrer domains to improve application security.

Privileges

A is a set of permissions that grant access to secure resources and functionality in ArcGIS. You use privileges to define the capabilities of a user account or for a custom application.

Privileges can be applied to ArcGIS accounts and developer credentials:

  1. Privileges for users: Privileges define the capabilities and permissions for in an organization. They are determined by the user type and role assigned to the account.
  2. Privileges for developer credentials: Privileges defined for for custom applications you are building. They determine the capabilities and permissions of the used by your applications.

Access tokens

An is an authorization string that provides access to secure ArcGIS resources. It can be used to access resources such as or in a portal. To get an access token, you need to implement a type of authentication. The access token's capabilities are determined by the privileges associated with it.

Example of an access token:

1
AAPTKUgfudpnh_cXrZ7wRiqGE4q0VCQENKpafTPqVh27cldNPiqORWEyVueCmI67s3ebSNEYl0Sn3IitIyf18X8PxF3N8m9ZE30i5iwGHtGfnv6-DoKA-C8-lJ9GM30s-Wxn75jLBdnQnMjIgwVXEjIoualIMSfk4IWraDv3GMV8XP3fAUA73P23Vfs-THx2QjfDNVD3iuGCqLG0udK_TVLchskcBFVbsj1PRWXGcFaKKzdPkwWMXps_4P_cZEBAZdImAT1_L1aY2CIy

Portal

An is a website with applications, tools, and functionality for creating and sharing geospatial content and data. A portal plays a key role in supporting authentication. It has built in security functionality to control access to sensitive data, manage users, and protect your organization. It also provides important tools for developers that allow them to create developer credentials required to build custom applications.

The portal supports the following security features:

  • Membership: Only members can sign in, view content, access applications and tools, and participate in the organization/portal.
  • Item sharing levels: Item can be private, group, organization, or public. Only users with the correct privileges can access items in a portal.
  • Groups: Members can create groups to share items with specific members.
  • Roles: Administrators can grant custom roles to a member with privileges that specify that items, tools, and applications the member is allowed to access.

Additionally, a portal's underlying is responsible for granting for Authentication.

Secure resources

The following resources are secure and require authentication to access:

  • Portal: A portal is secure and requires users and applications to sign in. The underlying is also secure and requires authentication to access.

  • Secure items: All content in a are secure and may require authentication depending on their . Items can also be shared with specific groups in an organization.

  • ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including , , , and the .

  • ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.

  • Low/No-code applications: Applications built using low/no-code builders are hosted in a and secure and may require authentication depending on their .

  • ArcGIS tools: All are secure, such as , , .

  • Subscriber and premium content: Subscriber content is a type of secure hosted in ArcGIS Living Atlas that requires an account. Premium content is a subtype of subscriber content that consumes credits.

Tutorials

Create an API key

Create and configure API key credentials to get a long-lived API key access token.


Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.


Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.


API support

API key authenticationUser authenticationApp authentication
ArcGIS Maps SDK for JavaScript
ArcGIS Maps SDK for .NET
ArcGIS Maps SDK for Kotlin
ArcGIS Maps SDK for Swift
ArcGIS Maps SDK for Flutter
ArcGIS Maps SDK for Java
ArcGIS Maps SDK for Qt
ArcGIS API for Python
ArcGIS REST JS
Esri Leaflet1
MapLibre GL JS1
OpenLayers1
CesiumJS1
Full supportPartial supportNo support
  • 1. Supported via ArcGIS REST JS

Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.

You can no longer sign into this site. Go to your ArcGIS portal or the ArcGIS Location Platform dashboard to perform management tasks.

Your ArcGIS portal

Create, manage, and access API keys and OAuth 2.0 developer credentials, hosted layers, and data services.

Your ArcGIS Location Platform dashboard

Manage billing, monitor service usage, and access additional resources.

Learn more about these changes in the What's new in Esri Developers June 2024 blog post.

Close