User authentication flows | Documentation

The process of programmatically verifying users and requesting an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more is called an authentication flow. User authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more can be implemented using several different authorization flows. This section provides an overview of the different flows, as well as a comparison below.

In general, user authentication flows are divided into OAuth 2.0 flows and Non-OAuth flows. An OAuth 2.0 flow is recommended for almost all use cases, except for some developers working with ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more.

Authentication flow	OAuth 2.0OAuth 2.0 is an industry standard protocol for authorization. It defines how to obtain and manage credentials for web, desktop, and mobile applications. It is supported by ArcGIS.Learn more compliant	OAuth 2.0 `grant_type`	Use cases
Authorization code with PKCE	✔	`authorization_code`	Client-side apps such as native apps, mobile apps, and web applications without a server-side component
Authorization code	✔	`authorization_code` with PKCE	Web apps with a server-side component
Implicit	✔	`implicit`	Deprecated. No longer recommended for use.
Generate token	✖	✖	Trusted or local applications when other flows cannot be used
Integrated Windows Authentication (IWA)	✖	✖	ArcGIS Enterprise applications
Public key infrastructure (PKI)	✖	✖	ArcGIS Enterprise applications

OAuth 2.0 flows

ArcGIS follows the industry-standard OAuth 2.0 protocol for authorization. It supports the following OAuth 2.0 flows for user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more.

Authorization code flow with PKCE
Authorization code flow
Implicit flow (deprecated)

Authorization code with PKCE

Authorization code flow with Proof Key for Code Exchange (PKCE) is the primary OAuth 2.0 flow that ArcGIS recommends for user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more. It is an extension of the authorization code flow that implements Proof Key for Code Exchange (PKCE) as an additional layer of security.

It uses the OAuth 2.0 authorization_code grant type and requires a client_id from a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more.

All of the AuthenticationManager and IdentityManager classes in ArcGIS APIsAn ArcGIS API is a web, native, game engine, or scripting API that has advanced mapping and spatial analysis capabilities and can be used to access ArcGIS services. ArcGIS APIs are designed to work optimally with the ArcGIS system and provide the most advanced GIS features and the highest performance possible.Learn more and SDKsArcGIS Maps SDKs are developer products for building mapping and spatial analysis applications for web browsers, native devices, and game engines.Learn more use this flow for user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more. Support for PKCE was introduced in 2020 for ArcGIS OnlineArcGIS Online is a GIS mapping, analytics, data hosting, and content management software as a service (SaaS) product. It includes applications, tools, APIs, and location services for users and developers. It is subscription-based and requires an ArcGIS Online account.Learn more and at version 10.8.1 for ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more.

Authorization code

The authorization code flow is an OAuth 2.0 flow used to implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more. It uses the authorization_code grant type and requires a client_id from a set of OAuth credentialsOAuth credentials are an item that contains parameters required to implement user authentication or app authentication, including a client_id, client_secret, and redirect URIs. They are a type of developer credential.Learn more.

This flow grants an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to petitioners using a multi-step process. First, users request an authorization code from the authorization endpoint by providing their username and password. They use that authorization code to request an access token from the token endpoint. The access token can then be used to authorize requests to secure ArcGIS resources.

Implicit (deprecated)

The implicit flow is an OAuth 2.0 flow that was previously used to implement user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more in client-side web apps. It is considered deprecated in current versions of ArcGIS, and the Authorization code flow with PKCE is now recommended instead.

This flow grants an access tokenAn access token is an authorization string that provides access to secure ArcGIS content, data, and services. Its capabilities are determined by the privileges it supports. It is obtained by implementing API key authentication, User authentication, or App authentication.Learn more to petitioners using a single-step process. Users request an access token directly from the authorization endpoint by providing their username and password and setting a response_type of token. The access token can then be used to authorize requests to secure ArcGIS resources

Non-OAuth 2.0 flows

ArcGIS supports additional user authenticationUser authentication is a type of authentication that allows users with an ArcGIS account to sign into an application and allow it to access ArcGIS content, services, and resources on their behalf. The typical authorization protocol used is OAuth2.0.Learn more flows that do not adhere to the OAuth 2.0 protocol. They include the following:

Generate token flow
Integrated Windows Authentication (IWA) flow for ArcGIS Enterprise
Public Key Infrastructure (PKI) flow for ArcGIS Enterprise.

Generate token

Enterprise flows

These flows are only supported by ArcGIS EnterpriseArcGIS Enterprise is a GIS mapping, analytics, data hosting, and content management product that can be hosted on-premise or in a cloud infrastructure. It includes software, applications, tools, APIs, and services for users and developers.Learn more portal servicesA portal service provides the functionality to securely create, access, and manage content, data services, users, and groups in a portal. The service can be hosted by Esri or in ArcGIS Enterprise.Learn more.

Integrated Windows Authentication (IWA)

This method manages user login through Microsoft Windows Active Directory and the user typically manually enters their username + password. To use Integrated Window Authentication, you will need to configure it in ArcGIS Enterprise.

Public key infrastructure (PKI)

Public and private digital keys support authentication and secure communication over insecure networks. To use PKI, you need to configure it in ArcGIS Enterprise using either Lightweight Directory Access Protocol (LDAP) or Windows Active Directory.

Tutorials

Create OAuth credentials for user authentication

Create and configure OAuth credentials to set up user authentication.

ArcGIS portal

Sign in with user authentication

Create an application that requires users to sign in with an ArcGIS accountAn ArcGIS account is an identity with a user type and set of privileges that can access specific ArcGIS products, tools, APIs, services, and resources. The main account types that can be used for development are an ArcGIS Location Platform account, ArcGIS Online account, and ArcGIS Enterprise account. ArcGIS Location Platform and ArcGIS Online accounts are also associated with a subscription.Learn more.

JavaScript Maps SDK .NET Maps SDK Kotlin Maps SDK Swift Maps SDK Java Maps SDK Qt Maps SDK REST JS (Server)REST JS (Browser)