Security and authentication
Authentication is used to keep corporate and network data secure and ensure that only valid, authenticated users can access private information. Your application or its users are required to authenticate their credentials through a qualified, compatible ArcGIS product such as ArcGIS Platform, ArcGIS Online, or ArcGIS Enterprise whenever attempting to:
- Access private user or corporate-owned information.
- Create, edit, or publish content.
- Access premium (payment-secured) web content or services.
You must implement an authentication method in order to grant your app's users access to secured resources. The authentication method you decide to implement might vary based upon the resources required by your application. Esri's preferred authentication methods are:
- ArcGIS identity (OAuth 2.0): This method obtains user credentials and authentication through an ArcGIS platform sign-on, and the platform responds with an OAuth 2.0
access_token tothe client app. The app uses this
tokenin all subsequent requests to the platform. This is the recommended method, and is most commonly used with ArcGIS Online and ArcGIS Enterprise.
- API keys: A unique identifier to authenticate a user, developer, or calling program to an API, although most typically used to authenticate a project rather than a human user.
When your app requires access to user content, you should implement OAuth 2.0 to obtain an ArcGIS identity. You can set the OAuth 2.0 configuration in the editor to load the content from restricted services while you are working on your project. When you deploy the app, authorized users can sign in with their ArcGIS Online or ArcGIS Enterprise accounts via OAuth 2.0.Learn more about ArcGIS identity
API keys allow access to location services with a permanent key that can be restricted to specific services and included in public applications. Unlike OAuth 2.0, API keys don't allow access to private content from an ArcGIS Online organization, although ArcGIS Developer accounts can use API keys to access their own (read only) private content.Learn more about API keys
The choice of which type of authentication to implement is mostly dependent upon the resources required by your application.
In general, it is recommended that you use: