To build applications that use ArcGIS services and resources, you must first implement authentication to obtain an access token. There are two primary authentication methods: API key authentication and User authentication. The method you choose depends on several factors, including:
- The ArcGIS product you are using
- The type of application you're developing
- The types of services and resources you need to access
- The types of operations your application will perform
For an overview of these methods and tutorials, see the sections below.
API keys
As a developer working with ArcGIS Location Platform or ArcGIS Online, you can use API key authentication to authorize secure service requests without requiring users to sign in. This method embeds a long-lived access token directly in your application, granting access to specific services and content based on the API key’s configured privileges. It is well-suited for building public-facing applications.
General steps:
- Create an API key credential item in your portal.
- Assign privileges (scopes) to define accessible services and data.
- Use the access token to access services.
Key Information
- No user sign-in required: API key access tokens are ideal for public-facing applications that do not require users to log in with an ArcGIS account.
- Long-lived tokens: Access tokens can last up to one year (based on the API key credential settings).
- Key rotation: Each API key credential can have two active tokens at once to support seamless rotation.
- Invalidation: Access tokens can be revoked by regenerating the key or deleting the API key credential in the portal.
- Service access: Applications can use API key access tokens to access location services (e.g., basemaps, geocoding, routing), spatial analysis services (where supported), portal services, and hosted data services. Some operations, however, may not be supported and may require OAuth-based authentication.
- Privilege control: The scope of access of tokens is defined through the API key credential item settings in the portal.
- Billing model:
  - ArcGIS Location Platform: Service usage and data storage are billed in US dollars based on service transactions. Learn more about free tiers and usage costs.
  - ArcGIS Online: Service usage and data storage are billed based on credit consumption. Learn more about credit consumption costs.
For more details and best practices, go to Security and authentication > API key authentication.
User tokens
If you're building applications with ArcGIS Online, you can use user authentication to authenticate users and access services on their behalf. This method requires each user to sign in with their ArcGIS account, which generates a unique access token tied to their individual privileges. It is well-suited for building private applications for your organization.
General steps:
- Create an OAuth credential item in your portal to obtain a client ID, client secret, and redirect URL.
- Use these credentials in your application to initiate the OAuth 2.0 flow and request an access token.
- Use the access token to access services on behalf of the signed-in user.
Key Information
- User sign-in required: Ideal for building private applications for your organization that require users to sign in with an ArcGIS account.
- OAuth workflow: Create OAuth 2.0 credentials and implement OAuth 2.0 flows to get an access token.
- Short-lived tokens: Access token duration is determined by the grant type, and the token can be refreshed when it expires.
- Resource access: Applications can access all services and resources available to the signed-in user, including location services, spatial analysis services, data services, secure items, and portal management operations.
- Privileges: Privileges and portal item access are defined by the user's account.
- Billing model: Service usage and data storage are billed to the organization of the user signed into the application.
- Service support: All services and operations are supported and only limited by the signed-in user's privileges. Specific user types and roles may be required to perform certain operations.
For more details and best practices, go to Security and authentication > User authentication.
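The user-authentication steps above, sketched as an added example (not code from this page or from Esri): it builds the OAuth 2.0 authorization request and validates the redirect before the token exchange, without touching the network. It assumes the authorization code flow with PKCE, the ArcGIS Online endpoint URLs shown, and that the caller keeps `state` and the verifier in a server-side session; the function names and sample values are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed ArcGIS Online OAuth 2.0 endpoints; the page itself does not list them.
AUTHORIZE_URL = "https://www.arcgis.com/sharing/rest/oauth2/authorize"
TOKEN_URL = "https://www.arcgis.com/sharing/rest/oauth2/token"


def new_pkce_pair():
    """Return (verifier, challenge) with challenge = BASE64URL(SHA256(verifier))."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def start_sign_in(client_id, redirect_uri):
    """Build the authorization URL plus the per-request secrets to keep in the session."""
    verifier, challenge = new_pkce_pair()
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "verifier": verifier}


def finish_sign_in(callback_url, session, client_id, redirect_uri):
    """Validate the redirect and return the form fields to POST to TOKEN_URL."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        raise ValueError("authorization denied: " + params["error"][0])
    returned_state = params.get("state", [""])[0]
    # Constant-time compare; a mismatch means this redirect did not start here.
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return {
        "grant_type": "authorization_code", "client_id": client_id,
        "code": codes[0], "redirect_uri": redirect_uri,
        "code_verifier": session["verifier"],
    }
```

The resulting access token is short-lived and tied to the signed-in user, so it belongs in the session rather than in shipped application code.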