Types of authentication | Documentation

This topic introduces the different types of authentication you can implement to get an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more. The type you choose depends on the type of application you are building, the types of resources you need to access, and the functionality you need to support in your application.

The three types of authentication are:

API key authentication
User authentication
App authentication

To compare the different types of authentication and see different use cases, go to Authentication comparison.

API key authentication

API key authentication is a type of authentication that uses a long-lived access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more embedded directly into an application or console script. The access tokens are called API keysAn API key is a long-lived access token created using API key credentials. They are valid for up to one year and are typically embedded directly into client applications.Learn more and are created and managed through API key credentialsAPI key credentials are an item that contains the parameters used to create and manage long-lived access tokens for API key authentication. They are a type of developer credential.Learn more. The privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of API key credentials can be configured to authorize API keys to access secure ArcGIS servicesA service, also known as an ArcGIS service, is software that supports an ArcGIS REST API and provides geospatial functionality or data. A service can be hosted by Esri or in ArcGIS Enterprise.Learn more and itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more.

API key authentication can be used to create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and secure itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more that you own. It can also be used to create personal applications and scripts that perform spatial analysisSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more and portal managementA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations.

API key authentication is the easiest type of authentication to use, but it is not sufficient to protect confidential information. It is recommended only if you are an ArcGIS developer working exclusively with public information and basic location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more. If you are building applications that access private itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more or hosted data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more that contain confidential or sensitive data, you should use a stronger authentication method provided by ArcGIS Online or ArcGIS Enterprise. These are user authentication and app authentication.

Best practices

Implement API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more to:

Create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that do not require users to sign in.
Build applications that access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and private items such as hosted layersA hosted layer is an item in a portal that contains the properties and settings for a hosted data service or a layer in a hosted data service.Learn more or data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more.
Create personal applications that access the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more and spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more.
Quickly and easily generate access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more for your applications.
Create long-lived access tokens that remain valid for up to one year.

Avoid using API key authentication to:

Provide a high level of security in public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more, as the access token is long-lived and can be scraped.
Access private items and data services whose privacy and confidentiality is sensitive and must be preserved.
Access privileges for portalA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations in public applications.
Create applications that require users to authenticate with an ArcGIS account.

Learn more about API key authentication

User authentication

User authentication is a set of authentication workflows that allows ArcGIS usersAn ArcGIS user is a user who has an ArcGIS account and uses it to access an ArcGIS application, custom ArcGIS application, or a resource in an ArcGIS portal.Learn more to sign into an application and access secure resourcesA secure resource is any item or service in an ArcGIS that requires an ArcGIS account and authentication to access. Examples include ArcGIS Location Services, and items and data services in an ArcGIS portal.Learn more. It requires that all users have an ArcGIS account. The authentication protocol used is OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more. When a user signs into an application with their ArcGIS account, an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.

User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more generates a unique access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more for each userAn ArcGIS user is a user who has an ArcGIS account and uses it to access an ArcGIS application, custom ArcGIS application, or a resource in an ArcGIS portal.Learn more that signs in to your application. Once a user authenticates, the app receives an access token with privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more identical to those of the signed-in user's account. This enables your application to access all content and services the user is authorized to.

Best practices

Implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more to:

Create applications that require users to authenticate with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more.
Create apps that let members of your organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more perform spatial analysisSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more and portal managementA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations.
Access and manage secure items stored in a user's portalArcGIS portal, also known as a portal, is a website with applications and tools that can be used to create, manage, access, and share geospatial content and data. It supports security and authentication, developer credentials, content and data service management, user and group management, and site administration. A portal can be hosted in Esri's infrastructure or your own infrastructure.Learn more.
Meter usage of private and public data, contentContent is a collection of items in a portal that belong to a user, group, or organization.Learn more, or service transactions to the authenticated user.
Generate short-lived access tokensAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more that are valid for a specified duration, and include a refresh token.

Avoid using user authentication to:

Create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that do not require a user to sign in.

Learn more about user authentication

App authentication

App authenticationApp authentication is a type of authentication that grants a short-lived access token based on an OAuth 2.0 client ID and client secret, authorizing an application to access ArcGIS services and items.Learn more is an authentication workflow that grants a short-lived access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more via OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more. App authentication provides access to similar resources and functionality as API key authentication. Typically, a server-side application component uses a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more consisting of a client_id and client_secret to request an access token. The server-side component then passes the resulting access token to a client application.

App authentication can be used to create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more with a server-side component that access ArcGIS Location ServicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and secure content itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more. It can also be used to create personal applications that perform spatial analysisSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more and portal managementA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations.

Best practices

Use app authentication to:

Create public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that do not require users to sign in.
Build applications that access location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more and private items such as hosted layersA hosted layer is an item in a portal that contains the properties and settings for a hosted data service or a layer in a hosted data service.Learn more or data servicesData services, also known as hosted data services, are services created dynamically to store and provide access to your data in ArcGIS. Examples are feature services, vector tile services, map tile services, image services, and scene services.Learn more.
Create personal applications that access the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more and spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more.
Authenticate with an OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more process that provides better security than API key authenticationAPI key authentication is a type of authentication that uses an API key to authenticate requests to ArcGIS services and secure portal items.Learn more.
Use the privileges of your ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more to access secure resources.

Avoid using app authentication to:

Authenticate in public applicationsA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more without a server-side component.
Access privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more for portalA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more operations in public applications.
Create applications that require users to authenticate with an ArcGIS account.
Access private items and data services whose privacy and confidentiality is sensitive and must be preserved. Accessing private items using app authentication is an improvement in security over API keys. However, care must be taken with both the client application and the server-side component to not expose confidential aspects of the information being accessed. For more information, see Security best practices.

Learn more about app authentication

Authentication comparison

Below is a quick comparison of the application type, billing method, privileges, and access token storage and duration for the different types of authentication.

	API key authentication	User authentication	App authentication
Application type	Public (no sign in required)	Private (sign in required)	Public (no sign in required)
Billing	Usage billed to your ArcGIS subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more.	Usage billed to the signed-in user's ArcGIS subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more.	Usage billed to your ArcGIS subscriptionAn ArcGIS subscription is a free or paid plan that defines the capabilities of an ArcGIS account and the method of billing for the consumption of location services.Learn more.
Access token privileges	Determined by the properties of the developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more.	Determined by privilegesPrivileges are a set of permissions assigned to ArcGIS accounts, developer credentials, and applications that grant access to secure resources and functionality in ArcGIS.Learn more of the signed-in user's account.	Determined by the properties of the developer credentialsDeveloper credentials are a type of item in a portal that contains parameters for authentication. There are two types of developer credentials: API key credentials and OAuth credentials.Learn more.
Access token storage	Static, embedded in the application.	New token created for every signed-in user.	Created upon request and stored in the application.
Access token duration	Up to 1 year.	Up to 2 weeks, can be refreshed.	2 weeks.

Resources and functionality

The following table provides an overview of the functionality available with each type of authentication:

	API key authentication	User authentication	App authentication
ArcGIS Location Services	¹	¹	¹
Data services (Item access)	²
Spatial analysis services	¹		¹
Portal service (General privileges)
Portal service (Admin privileges)

Full supportPartial supportNo support

1. Supported with ArcGIS Online and ArcGIS Location Platform.
2. Supported, but not recommended due to security risks.

API support

The following table shows the level of API support for each type of authentication:

	API key authentication	User authentication	App authentication
ArcGIS Maps SDK for JavaScript
ArcGIS Maps SDK for .NET
ArcGIS Maps SDK for Kotlin
ArcGIS Maps SDK for Swift
ArcGIS Maps SDK for Flutter
ArcGIS Maps SDK for Java
ArcGIS Maps SDK for Qt
ArcGIS API for Python
ArcGIS REST JS
Leaflet		¹
MapLibre GL JS		¹
OpenLayers		¹
CesiumJS		¹

Full supportPartial supportNo support

1. Supported via ArcGIS REST JS

Choosing a type of authentication

Answer the following questions to help choose the best type of authentication to implement for the custom application you are building:

What is the target audience of your of app?
- Public applicationA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more (no sign in required): API key authentication or app authentication.
- Private applicationA private application is an application that requires users to sign in with an ArcGIS account. It supports user authentication.Learn more (ArcGIS sign in required): User authentication.
- Personal application (only accessible by the owner): Any authentication type.
What type of ArcGIS product and account do you have?
- ArcGIS Location PlatformArcGIS Location Platform, formerly known as ArcGIS Platform, is a Platform as a Service (PaaS) product that gives developers access to location services, APIs, and tools to build mapping and spatial analysis applications. It is subscription-based and requires an ArcGIS Location Platform account.Learn more: Typically API key authentication or app authentication.
- ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more: Typically user authentication, but can implement all types of authentication.
- ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more: Typically user authentication, but can implement all types of authentication.
Which do you value more, simple implementation or higher security?
- Simple implementation: API key authentication.
- Higher security: User authentication or app authentication.
What agent will request an access token?
- Client-side app or web app: API key authentication or user authentication with a PKCE flow.
- Server: App authentication or user authentication with an Authorization code flow.
- Console script: App authentication.

The following table provides use cases for each type of authentication:

Use case	Solution
You are building an application using an ArcGIS API or ArcGIS Maps SDK.	API key authentication, app authentication, or user authentication
You are building a public applicationA public application is an application that allows anonymous access without requiring users to sign in with an ArcGIS account. It supports API key or app authentication.Learn more that only requires access to location servicesArcGIS Location Services, also referred to as Location Services, are services hosted by Esri that provide geospatial functionality for developing mapping applications. They include the ArcGIS Basemap Styles service, ArcGIS Static Basemap Tiles service, ArcGIS Places service, ArcGIS Geocoding service, ArcGIS Routing service, ArcGIS GeoEnrichment service, and ArcGIS Elevation service. An ArcGIS Location Platform or ArcGIS Online account is required to use the services.Learn more.	API key authentication
You are building a private applicationA private application is an application that requires users to sign in with an ArcGIS account. It supports user authentication.Learn more intended only for members of your ArcGIS organizationAn organization a list of members from the same business, association, or entity who can sign in, access tools and applications, and collaborate with other members in a portal. All members have an ArcGIS account and are approved by an administrator to access the same portal.Learn more.	User authentication
You are building a personal application on a local machine or API back-end that will not be shared.	API key authentication or app authentication
You are building an application that will access private itemsAn item, also known as a content item, is a resource stored in a portal such as a web map, hosted layer, style, script tool, file, or notebook.Learn more owned by your ArcGIS account.	API key authentication or app authentication
You are building an application that will access private items owned by other membersMember is an individual with an ArcGIS account who can sign in, access tools and applications, and collaborate with other organization members in a portal.Learn more of your organization.	User authentication
You are building an application that will access private items containing sensitive or confidential data.	User authentication
You are building a personal automation script to perform tasks with the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more or spatial analysis servicesSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more.	API key authentication
You are building an application that enables users to perform management tasks with the portal serviceA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.	User authentication
You are building an application that enables users to perform spatial analysisSpatial analysis services are services that perform geometry and statistical analyses on feature and raster data.Learn more.	User authentication