Introduction to security and authentication | Documentation

This topic provides an overview of the key concepts and terminology you should be familiar with before implementing authentication in your applications.

Security in ArcGIS

ArcGIS is a secure system that requires authentication to access all secure apps, content, data, and services. It implements industry-standard protocols to ensure that only authorized users and applications can access secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.

Some common workflows that use security in ArcGIS are:

ArcGIS users sign in to apps such as ArcGIS ProArcGIS Pro is a professional desktop GIS application that can explore, visualize, analyze, and manage 2D and 3D data.Learn more, Map ViewerMap Viewer is a browser-based mapping tool that can view, create, and save web maps. It can also perform mapping, visualization, and spatial analysis operations.Learn more and Scene ViewerScene Viewer(™) is a browser-based mapping tool that can view, create, and save web scenes.Learn more.
Developers create custom applications that use authentication to access secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.
Administrators manage the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more and roles of users to enhance security within their organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more.
Members of an organization upload and shareSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more content securely in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more.

What is authentication?

Authentication is the process of verifying the identity of a user or application in ArcGIS. Authentication allows users and applications to access secure resources such as a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more, location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more, and other servicesA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more.

Authorization is the process of verifying client privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more prior to accessing a secure resource. After users and applications successfully authenticate with ArcGIS, the serviceA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more they are trying to access will authorize the request if they have the appropriate privileges.

How authentication works

ArcGIS uses token-based authentication for all requests. Authentication works by interacting with a portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more to get an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. The access token contains information that determines the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of the application as well as the associated ArcGIS account. Once obtained, the access token is included in requests to provide authorization for secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more.

The general process of authentication includes the following:

Authenticate with a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more to get an access token.
Use the access token to authorize requests to secure resources.

Below is a sample HTTP request to access a secure resource in ArcGIS with an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more.

Use dark colors for code blocksCopy
https://<SERVICE_URL>?token=<YOUR_ACCESS_TOKEN>

An overview of how authentication works in ArcGIS

Types of authentication

ArcGIS supports three types of authentication to get an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. Each type requires following a specific workflow and supports the development of a specific type of application.

Diagram showing the ArcGIS API key workflow, where an app includes an API key in requests to authenticate and access ArcGIS services without user sign-in.

Authentication comparison

The following table provides an overview of the functionality available with each type of authentication:

	API key authentication	User authentication	App authentication
ArcGIS Location Services	¹	¹	¹
Data services (Item access)	²
Spatial analysis services	¹		¹
Portal service (General privileges)
Portal service (Admin privileges)

Full supportPartial supportNo support

1. Supported with ArcGIS Online and ArcGIS Location Platform.
2. Supported, but not recommended due to security risks.

Terminology

This section contains important terminology you should be familiar with before implementing authentication in your apps.

ArcGIS accounts

You need an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more to implement authentication in custom applications. The following table shows the supported types of authentication for each type of account:

	ArcGIS Location Platform account	ArcGIS Online account	ArcGIS Enterprise account
API key authentication		¹	²
User authentication
App authentication		¹	²

Full supportPartial supportNo support

1. Requires an administrator account or a custom role with developer privileges.
2. Supported in ArcGIS Enterprise 11.4 or greater. Requires an administrator account or a custom role with developer privileges.

If you are using an ArcGIS OnlineAn ArcGIS Online account, also known as an ArcGIS Organization account, is an identity associated with an ArcGIS Online subscription. It can be used to access ArcGIS tools and develop applications with ArcGIS location services for an organization.Learn more or an ArcGIS Enterprise accountAn ArcGIS Enterprise account is an identity for an instance of ArcGIS Enterprise. It can be used to access ArcGIS Enterprise tools, applications, and services, and to develop applications.Learn more, your account must have certain privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more enabled to create developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more with privileges and item access. To learn more, go to the FAQ.

Types of applications

From a security perspective, the type of application you build is defined by its sharing level and its target audience. This classification determines the appropriate authentication method for your application, as well as the privileges and resources your app can access.

Public application

A public application is an app that allows user access anonymouslyAn anonymous user is an individual who does not have an ArcGIS account and interacts with a user's content or an ArcGIS product, portal, or application. An anonymous user's identity is not authenticated, and they can only interact with ArcGIS resources that are public.Learn more, without requiring sign-in with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. Public applications may use API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more or app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more to authenticate requests to secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more. These applications typically only access location services and specific itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portal.

Developers with an ArcGIS Online or ArcGIS Enterprise account may choose to omit authentication in public apps if the application only accesses items and resources with a sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more of Everyone (public).

Private application

A private application is an application that requires users to sign in with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more. Private applications implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more and are typically built by ArcGIS Online or ArcGIS Enterprise developers for members of an organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more or to perform specific tasks for the signed in user. The privileges available to the application depend on the user type and roles assigned to the account. All usage costs for accessing secure resources are billed to the organization associated with the signed-in user.

Developer credentials

Developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more are a type of itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portal that contains the necessary properties for authentication. You can create and manage developer credentials in your portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more to support all types of authentication. In most cases, a developer credential is created for every application you create.

You can use developer credentials to:

Create, regenerate, and invalidate API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more in API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more.
Obtain an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more client ID for user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more.
Obtain an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more client ID and client secret for app authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more.
Define the privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more and itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more access of your application.
Authorize redirect URIs and referrer domains to improve application security.

Privileges

A privilegePrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more is a set of permissions that grant access to secure resources and functionality in ArcGIS. You use privileges to define the capabilities of a user account or developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more for a custom application.

Privileges can be applied to ArcGIS accounts and developer credentials:

Privileges for users: Privileges define the capabilities and permissions for usersAn ArcGIS user is a user who has an ArcGIS account and uses it to access an ArcGIS application, custom ArcGIS application, or a resource in an ArcGIS portal.Learn more in an organization. They are determined by the user type and role assigned to the account.
Privileges for developer credentials: Privileges defined for developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more for custom applications you are building. They determine the capabilities and permissions of the access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more used by your applications.

Access tokens

An access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more is an authorization string that provides access to secure ArcGIS resources. It can be used to access resources such as ArcGIS servicesA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more or itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portal. To get an access token, you need to implement a type of authentication. The access token's capabilities are determined by the privileges associated with it.

Example of an access token:

Use dark colors for code blocksCopy
AAPTKUgfudpnh_cXrZ7wRiqGE4q0VCQENKpafTPqVh27cldNPiqORWEyVueCmI67s3ebSNEYl0Sn3IitIyf18X8PxF3N8m9ZE30i5iwGHtGfnv6-DoKA-C8-lJ9GM30s-Wxn75jLBdnQnMjIgwVXEjIoualIMSfk4IWraDv3GMV8XP3fAUA73P23Vfs-THx2QjfDNVD3iuGCqLG0udK_TVLchskcBFVbsj1PRWXGcFaKKzdPkwWMXps_4P_cZEBAZdImAT1_L1aY2CIy

Portal

An ArcGIS portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more is a website with applications, tools, and functionality for creating and sharing geospatial content and data. A portal plays a key role in supporting authentication. It has built in security functionality to control access to sensitive data, manage users, and protect your organization. It also provides important tools for developers that allow them to create developer credentials required to build custom applications.

The portal supports the following security features:

Membership: Only members can sign in, view content, access applications and tools, and participate in the organization/portal.
Item sharing levels: Item sharing levelsSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more can be private, group, organization, or public. Only users with the correct privileges can access items in a portal.
Groups: Members can create groups to share items with specific members.
Roles: Administrators can grant custom roles to a member with privileges that specify that items, tools, and applications the member is allowed to access.

Additionally, a portal's underlying portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more is responsible for granting access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more for Authentication.

Secure resources

The following resources are secure and require authentication to access:

Portal: A portal is secure and requires users and applications to sign in. The underlying portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more is also secure and requires authentication to access.
Secure items: All content itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more are secure and may require authentication depending on their sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more. Items can also be shared with specific groups in an organization.
ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more, spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more, data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more, and the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.
ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.
Low/No-code applications: Applications built using low/no-code builders are hosted in a portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more and secure and may require authentication depending on their sharing levelSharing level is the security setting assigned to an item in a portal that controls which users can access the resource. The sharing levels are Owner, Organization, Groups, and Everyone.Learn more.
ArcGIS tools: All ArcGIS toolsTools, also known as developer tools, are ArcGIS software applications such as portal and ArcGIS Pro that developers can use to prepare content and data for custom applications they are building.Learn more are secure, such as ArcGIS ProArcGIS Pro is a professional desktop GIS application that can explore, visualize, analyze, and manage 2D and 3D data.Learn more, Map ViewerMap Viewer is a browser-based mapping tool that can view, create, and save web maps. It can also perform mapping, visualization, and spatial analysis operations.Learn more, Scene ViewerScene Viewer(™) is a browser-based mapping tool that can view, create, and save web scenes.Learn more.
Subscriber and premium content: Subscriber content is a type of secure itemAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more hosted in ArcGIS Living Atlas that requires an ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more account. Premium content is a subtype of subscriber content that consumes credits.

Tutorials

Create an API key

Create and configure API key credentials to get a long-lived API key access token.

ArcGIS portal REST JS

Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.

ArcGIS portal

Create OAuth credentials for app authentication

Create and configure OAuth credentials to set up app authentication.

ArcGIS portal

API support

	API key authentication	User authentication	App authentication
ArcGIS Maps SDK for JavaScript
ArcGIS Maps SDK for .NET
ArcGIS Maps SDK for Kotlin
ArcGIS Maps SDK for Swift
ArcGIS Maps SDK for Flutter
ArcGIS Maps SDK for Java
ArcGIS Maps SDK for Qt
ArcGIS API for Python
ArcGIS REST JS
Leaflet		¹
MapLibre GL JS		¹
OpenLayers		¹
CesiumJS		¹

Full supportPartial supportNo support

1. Supported via ArcGIS REST JS