Types of authentication

This topic introduces the different types of authentication you can implement to get an . The type you choose depends on the type of application you are building, the types of resources you need to access, and the functionality you need to support in your application.

The three types of authentication are:

  1. API key authentication

  2. User authentication

  3. App authentication

To compare the different types of authentication and see different use cases, go to Authentication comparison.

API key authentication

API key authentication is a type of authentication that uses a long-lived embedded directly into an application or console script. The access tokens are called and are created and managed through . The of API key credentials can be configured to authorize API keys to access secure and .

API key authentication can be used to create that access and secure content . It can also be used to create personal scripts that perform and operations.

API key authentication is the easiest type of authentication to set up and is recommended if you are new to ArcGIS.

Learn more about API key authentication

User authentication

User authentication is a set of authentication workflows that allows to sign into an application and access . It requires that all users have an ArcGIS account. The authentication protocol used is . When a user signs into an application with their ArcGIS account, an is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.

generates a unique for each that signs in to your application. Once a user authenticates, the app receives an access token with identical to those of the signed-in user's account. This enables your application to access all content and services the user is authorized to.

Learn more about user authentication

App authentication

is an authentication workflow that grants a short-lived via . App authentication provides access to similar resources and functionality as API key authentication. Typically, a server-side application component uses a set of consisting of a client_id and client_secret to request an access token. The server-side component then passes the resulting access token to a client application.

App authentication can be used to create with a server-side component that access and secure content . It can also be used to create web servers or standalone console scripts that perform and operations.
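The server-side exchange described above, as an added example (not Esri's code and not part of the original page): a small broker that keeps the client_id and client_secret on the server, caches the short-lived token, renews it shortly before expiry, and returns only the access token to the client application. The class name `AppTokenBroker`, the ArcGIS Online token URL, the `grant_type=client_credentials` form field, and the `access_token`/`expires_in` response fields are assumptions to check against your own portal.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed endpoint for ArcGIS Online; an ArcGIS Enterprise portal uses its own host.
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"


def http_post_form(url, form):
    """POST form fields over HTTPS and return the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class AppTokenBroker:
    """Server-side holder of client_id/client_secret; hands out only access tokens."""

    def __init__(self, client_id, client_secret, post=http_post_form,
                 clock=time.time, refresh_margin=300):
        self._client_id = client_id
        self._client_secret = client_secret   # never leaves this process
        self._post = post
        self._clock = clock
        self._margin = refresh_margin         # seconds before expiry to renew
        self._token = None
        self._expires_at = 0.0

    def _request_token(self):
        body = self._post(TOKEN_URL, {
            "client_id": self._client_id,
            "client_secret": self._client_secret,
            "grant_type": "client_credentials",
        })
        # Assumption: a failure may arrive as a JSON "error" object in the body.
        if "error" in body or "access_token" not in body:
            raise PermissionError("token request rejected")  # keep secrets out of messages
        self._token = body["access_token"]
        self._expires_at = self._clock() + int(body["expires_in"])

    def token_for_client(self):
        """Return what the client app may see: the token and its remaining lifetime."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            self._request_token()
        return {"access_token": self._token,
                "expires_in": int(self._expires_at - self._clock())}
```

The `post` and `clock` parameters exist so the broker can be exercised offline with a stub; in production the defaults are used and the credentials come from the server's secret store, not from source code.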

Learn more about app authentication

Authentication comparison

Below is a quick comparison of the application type, billing method, privileges, and access token storage and duration for the different types of authentication.

| | API key authentication | User authentication | App authentication |
|---|---|---|---|
| Application type | Public (no sign in required) | Private (sign in required) | Public (no sign in required) |
| Billing | Usage billed to your . | Usage billed to the signed-in user's . | Usage billed to your . |
| Access token privileges | Determined by the properties of the . | Determined by of the signed-in user's account. | Determined by the properties of the . |
| Access token storage | Static, embedded in the application. | New token created for every signed-in user. | Created upon request and stored in the application. |
| Access token duration | Up to 1 year. | Up to 2 weeks, can be refreshed. | 2 weeks. |

Resources and functionality

The following table provides an overview of the functionality available with each type of authentication:

API key authentication | User authentication | App authentication
ArcGIS Location Services
Data services (Item access)
Spatial analysis services11
Portal service (General privileges)11
Portal service (Admin privileges)11
Full support | Partial support | No support
  • 1. Supported with ArcGIS Online and ArcGIS Location Platform.

API support

The following table shows the level of API support for each type of authentication:

API key authentication | User authentication | App authentication
ArcGIS Maps SDK for JavaScript
ArcGIS Maps SDK for .NET
ArcGIS Maps SDK for Kotlin
ArcGIS Maps SDK for Swift
ArcGIS Maps SDK for Flutter
ArcGIS Maps SDK for Java
ArcGIS Maps SDK for Qt
ArcGIS API for Python
ArcGIS REST JS
Esri Leaflet1
MapLibre GL JS1
OpenLayers1
CesiumJS1
Full support | Partial support | No support
  • 1. Supported via ArcGIS REST JS

Choosing a type of authentication

Answer the following questions to help choose the best type of authentication to implement for the custom application you are building:

  1. What is the target audience of your app?

    • (no sign in required): API key authentication or app authentication.
    • (ArcGIS sign in required): User authentication.
  2. What type of ArcGIS product and account do you have?

    • : Typically API key authentication or app authentication.
    • : Typically user authentication, but can implement all types of authentication.
    • : Typically user authentication, but can implement all types of authentication.
  3. Which do you value more, simple implementation or higher security?

    • Simple implementation: API key authentication.
    • Higher security: User authentication or app authentication.
  4. What agent will request an access token?

    • Client-side app or web app: API key authentication or user authentication with a PKCE flow.
    • Server: App authentication or user authentication with an Authorization code flow.
    • Console script: App authentication.

The following table provides use cases for each type of authentication:

| Use case | Solution |
|---|---|
| You are building a that requires access to . | API key authentication or app authentication |
| You are building a intended for members of your | User authentication |
| You are building an application on a server or API back-end that will not be seen by users. | API key authentication or app authentication |
| You are building an application that will read private hosted data on your ArcGIS account. | API key authentication or app authentication |
| You are building an application that will read private hosted data from the ArcGIS accounts of organization . | User authentication |
| You are building a personal automation script to perform tasks with the or . | API key authentication |
| You are building an application that enables users to perform management tasks with the | User authentication |
| You are building an application that enables users to perform . | User authentication |
| You are building an application using an ArcGIS API. | API key authentication, app authentication, or user authentication |
