Tutorial: Create OAuth credentials for app authentication

Learn how to create OAuth credentials to support app authentication.

The developer credentials creation interface in a portal

OAuth credentials are an item required to implement app authentication. They contain client_id and client_secret parameters that are used to implement an OAuth 2.0 client credentials flow. The item page of OAuth credentials allows you to manage settings related to app authentication, including the authorized privileges of an application.

This tutorial shows you how to create OAuth credentials for use in app authentication and do the following:

Configure privileges to allow your application to access ArcGIS services, content, and functionality.
Set authorized referrer URLs.
Manage settings of the OAuth credentials and monitor usage using its item page.

Prerequisites

Steps

You use your portal to create and manage items, including OAuth credentials.

Access your portal by navigating to ArcGIS.com or the URL of your ArcGIS Enterprise portal instance.
Sign in with your ArcGIS account.

Create a new item

The following steps differ depending on if you have an ArcGIS Location Platform, ArcGIS Online, or an ArcGIS Enterprise account:

In your portal, click Content > My content > New item.
Click Developer credentials > OAuth credentials and click Next.

Set referrer URLs

You can set referrer URLs on OAuth credentials that restrict the credentials to only be usable from authorized domains. This is highly recommended for security purposes.

In the next window, scroll down to Referrer URLs.
Set the Referrers field to the web domains you would like to restrict the access token to. To learn more about referrers, go to OAuth credentials (for app authentication).
Under Application environment, select the type of environment your application will run in. This will affect when the OAuth credentials appear in portal search results.
Click Next.

Select privileges

You use developer credentials to configure the privileges of access tokens. For an access token to work in your application, it needs to have the correct privileges to access the content and services your app is using. Select privileges in this menu to apply them to your developer credentials.

The following steps differ depending on if you have an ArcGIS Location Platform, ArcGIS Online, or an ArcGIS Enterprise account:

In the Create developer credentials > Privileges window, browse the available privileges.
Tip
If a privilege is not visible in your developer credentials, it may not be available for the following reasons:
- Your account does not have the correct user type or roles.
- You have the wrong type of subscription. Some privileges are only available to ArcGIS Location Platform users, and some are only available to ArcGIS Online users.
- You do not have pay-as-you-go enabled in your ArcGIS Location Platform account.
- You are using a type of authentication that does not support the privilege you require. To learn more, go to Types of authentication.

Browse the table below to view the available privileges, privilege strings, and descriptions based on your account type:

Category	Label	Privilege string	Description
Basemaps	Basemap styles service	`premium:user:basemaps`	Allow application to access the basemap styles service.
Basemaps	Static basemap tiles (beta)	`premium:user:staticbasemaptiles`	Allow application to access the static basemap tiles service.
Data enrichment	GeoEnrichment service	`premium:user:geoenrichment`	Allow application to access the GeoEnrichment service. Learn more
Elevation	Elevation service (beta)	`premium:user:elevation`	Allow application to access the elevation service.
Geocoding	Geocode (stored)	`premium:user:geocode:stored`	Allow application to access the geocoding service and perform stored geocodes. Learn more
Geocoding	Geocode (not stored)	`premium:user:geocode:temporary`	Allow application to access the geocoding service and perform geocodes that are not stored. Learn more
Places	Place finding	`premium:user:places`	Allow application to access the places service. Learn more
Routing	Routing	`premium:user:networkanalysis:routing`	Allow application to access the routing service and perform standard routing operations. Learn more
Routing	Closest facility	`premium:user:networkanalysis:closestfacility`	Allow application to access the routing service and perform closest facility routing operations. Learn more
Routing	Location allocation	`premium:user:networkanalysis:locationallocation`	Allow application to access the routing service and perform location allocation operations. Learn more
Routing	Optimized routing	`premium:user:networkanalysis:optimizedrouting`	Allow application to access the routing service and perform optimized routing operations. Learn more
Routing	Origin/destination cost matrix	`premium:user:networkanalysis:origindestinationcostmatrix`	Allow application to access the routing service and generate travel cost matrices. Learn more
Routing	Service area	`premium:user:networkanalysis:servicearea`	Allow application to access the routing service and generate service areas. Learn more
Routing	Multi-vehicle routing	`premium:user:networkanalysis:vehiclerouting`	Allow application to access the routing service and perform fleet routing operations. Learn more
Routing	Last mile	`premium:user:networkanalysis:lastmiledelivery`	Allow application to access the routing service and perform routing operations for last mile delivery. Learn more

Select the required privileges and click Next.

In the Create developer credentials > Privileges window, browse the available privileges.
Tip
If a privilege is not visible in your developer credentials, it may not be available for the following reasons:
- Your account does not have the correct user type or roles.
- You have the wrong type of subscription. Some privileges are only available to ArcGIS Location Platform users, and some are only available to ArcGIS Online users.
- You do not have pay-as-you-go enabled in your ArcGIS Location Platform account.
- You are using a type of authentication that does not support the privilege you require. To learn more, go to Types of authentication.

Browse the table below to view the available privileges, privilege strings, and descriptions based on your account type:

Category	Label	Privilege string	Description
Basemaps	Basemap styles service	`premium:user:basemaps`	Allow application to access the basemap styles service.
Data enrichment	GeoEnrichment service	`premium:user:geoenrichment`	Allow application to access the GeoEnrichment service. Learn more
Geocoding	Geocode service	`premium:user:geocode`	Allow application to access the geocoding service. Learn more
Routing	Routing (Network analysis)	`premium:user:networkanalysis`	Allow application to access the routing service. Learn more
Routing	Last mile	`premium:user:networkanalysis:lastmiledelivery`	Allow application to access the routing service and perform routing operations for last mile delivery. Learn more

Select the required privileges and click Next.

Select items (optional)

If your application will require access to specific private items, you will need to configure your developer credentials to access them. The Item access menu allows you to browse your portal's content and grant your key fine-grained access to specific items.

The following steps differ depending on if you have an ArcGIS Location Platform, ArcGIS Online, or an ArcGIS Enterprise account:

If your token does not require item access, click Skip.
In the Grant item access window, click Browse items.
Select the items you want to grant access to. You can select up to 100 items in this menu.

Warning
Certain privileges such as features:user:edit will grant global access to all items associated with your account. Setting fine-grained item access privileges using this menu will override any global privileges you have set.
Click Add items.

If your token does not require item access, click Skip.
In the Grant item access window, click Browse items.
Select the items you want to grant access to. You can select up to 100 items in this menu.

Warning
Certain privileges such as features:user:edit will grant global access to all items associated with your account. Setting fine-grained item access privileges using this menu will override any global privileges you have set.
Click Add items.

Save the item

After configuring the properties of your API key credentials, you can save the credentials as a new item.

In the Create developer credentials window, set the following properties:
- Title: My OAuth credentials (for app authentication)
- Folder: Developer credentials (Create a new folder)
- Tags: Add tags related to the privileges of the credentials.
- Description: Describe the application that these developer credentials will be used in.
Click Next.
In the Summary window, review the properties, privileges, and item access you have set.
Click Create to create your OAuth credentials.

Copy the client ID and client secret

Your OAuth credentials contain client_id and client_secret parameters that are required to implement app authentication. Copy these values and paste them into your application or script.

On the item page of your OAuth credentials, scroll down to Credentials.
Copy the Client ID and Client Secret values and paste them into your application. Never expose the value of your client secret.

Manage your credentials

After creating an OAuth credentials item, its privileges and item access can be managed at any time by going to the item page.

To learn more and see management steps, go to OAuth credentials (for app authentication).

Additional resources

Learn more about app authentication in the following topics:

Tutorial: Create OAuth credentials for app authentication

Prerequisites

Steps

Sign in to your portal

Create a new item

Set referrer URLs

Select privileges

Select items (optional)

Save the item

Copy the client ID and client secret

Manage your credentials

Additional resources

How to implement app authentication

Client credentials flow

App authentication with Node.js