This topic introduces the different types of authentication you can implement to get an access token
The three types of authentication are:
To compare the different types of authentication and see different use cases, go to Authentication comparison.
API key authentication
API key authentication is a type of authentication that uses a long-lived access token
API key authentication can be used to create public applications
API key authentication is the easiest type of authentication to use, but it is not sufficient to protect confidential information. It is recommended only if you are an ArcGIS developer working exclusively with public information and basic location services
User authentication
User authentication is a set of authentication workflows that allows ArcGIS users
User authentication
App authentication
App authenticationclient_id, client_secret, and redirect URIs. They are a type of developer credential.client and client to request an access token. The server-side component then passes the resulting access token to a client application.
App authentication can be used to create public applications
Authentication comparison
Below is a quick comparison of the application type, billing method, privileges, and access token storage and duration for the different types of authentication.
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| Application type | Used in public | Used in private applications | Used in personal applications |
| Billing | Usage is metered to your organization's ArcGIS subscription | Usage is metered to the signed-in user's ArcGIS subscription | Usage is metered to your organization's ArcGIS subscription |
| Access token privileges | Set using the API key credential | Inherits the privileges of the signed-in user's account. | Set using the OAuth 2.0 credentialclient_id, client_secret, and redirect URIs. They are a type of developer credential. |
| Item access | Set to specific items from the owner's account, or inherits the full item access of the owner. | Inherits the full item access of the signed-in user's account. | Set to specific items from the owner's account, or inherits the full item access of the owner. |
| Access token generation | Static token (2 per credential), typically embedded in the application. | Tokens dynamically created when a user signs in, and can be refreshed upon expiration. | Tokens dynamically created when requested by the application, typically stored server-side or in a personal script. |
| Access token duration | Expiration date set using the API key credential, up to 1 year. | Expiration date is customizable, up to 2 weeks. | Expiration date is 2 weeks. |
Resources and functionality
The following table provides an overview of the functionality available with each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| ArcGIS Location Services | 1 | 1 | 1 |
| Data services (Item access) | 2 | ||
| Spatial analysis services | 1 | 1 | |
| Portal service (General privileges) | |||
| Portal service (Administrative privileges) |
- 1. Supported with ArcGIS Online and ArcGIS Location Platform.
- 2. Supported, but not recommended due to security risks.
API support
The following table shows the level of API support for each type of authentication:
- 1. Supported via ArcGIS REST JS
Choosing a type of authentication
Answer the following questions to help choose the best type of authentication to implement for the custom application you are building:
-
What is the target audience of your of app?
- Public application
A public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication. (no sign in required): API key authentication or app authentication. - Private application
A private application is an application that requires users to sign in with an ArcGIS account. It supports user authentication. (ArcGIS sign in required): User authentication. - Personal application
A personal application is an application used exclusively by its owner and not shared with others. It supports API key, user authentication, or app authentication. (only accessible by the owner): Any authentication type.
- Public application
-
What type of ArcGIS product and account do you have?
- ArcGIS Location Platform
ArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account. : Typically API key authentication or app authentication. - ArcGIS Online
ArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account. : Typically user authentication, but can implement all types of authentication. - ArcGIS Enterprise
ArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers. : Typically user authentication, but can implement all types of authentication.
- ArcGIS Location Platform
-
Which do you value more, simple implementation or higher security?
- Simple implementation: API key authentication.
- Higher security: User authentication or app authentication.
-
What agent will request an access token?
- Client-side app or web app: API key authentication or user authentication with a PKCE flow.
- Server: App authentication or user authentication with an Authorization code flow.
- Console script: App authentication.
The following table provides use cases for each type of authentication:
| Use case | Solution |
|---|---|
| You are building an application using an ArcGIS API or ArcGIS Maps SDK. | API key authentication, app authentication, or user authentication |
| You are building a public application | API key authentication |
| You are building a private application | User authentication |
| You are building a personal application | API key authentication or app authentication |
| You are building an application that will access private items | API key authentication or app authentication |
| You are building an application that will access private items owned by other members | User authentication |
| You are building an application that will access private items containing sensitive or confidential data. | User authentication |
| You are building a personal automation script to perform tasks with the portal service | API key authentication |
| You are building an application that enables users to perform management tasks with the portal service | User authentication |
| You are building an application that enables users to perform spatial analysis | User authentication |