General
This guide is for ArcGIS Location Platform, ArcGIS Online, and ArcGIS Enterprise developers implementing authentication in custom applications.
The table below shows the account types you can use and limitations:
| ArcGIS Location Platform account | ArcGIS Online account | ArcGIS Enterprise account | |
|---|---|---|---|
| Location services | 1 | ||
| Data services (Item access) | 2 | ||
| Spatial analysis services | |||
| Portal | 3 | ||
| Portal service | 3 |
- 1. Places service not supported.
- 2. Only supports creating and accessing feature services, vector tile services, and map tile services.
- 3. Single-user organization. Limited user, group, and administration functionality available.
The following resources are secure and require authentication to access:
-
Portal: A portal is secure and requires users and applications to sign in. All content items in a portal are secure and may require authentication depending on their sharing level.
-
ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including location services, spatial analysis services, data services, and the portal service.
-
ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.
-
Low/No-code applications: Applications built using low/no-code builders are hosted in a portal and secure and may require authentication depending on their sharing level.
-
ArcGIS tools: All ArcGIS tools are secure, such as ArcGIS Pro, Map Viewer, Scene Viewer.
-
Subscriber and premium content: Subscriber content is a type of secure item hosted in ArcGIS Living Atlas that requires an ArcGIS Online account. Premium content is a subtype of subscriber content that consumes credits.
The following table provides an overview of the functionality available with each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| Location services | |||
| Data services (Item access) | |||
| Spatial analysis services | |||
| Portal service (General privileges) | |||
| Portal service (Admin privileges) |
The privileges required for an access token depend on the resources and functionality required by your application. To view the complete list, go to Privileges.
The cost to access ArcGIS services depends on the type of ArcGIS account you have and the services you use.
-
If you have an ArcGIS Location Platform account, you are billed in US dollars. To determine the cost of accessing services, go to Pricing. A free tier is available for some services.
-
If you have an ArcGIS Online account, you are billed in credits. To determine the cost of accessing services, go to Understanding credits.
Esri's Terms of Use documents include legal guidelines for the use of Esri products, services, and data.
Some of the key documents you will find are the:
API key authentication
API key credentials are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts: You need to be an ArcGIS Online administrator or a have custom role that allows you to generate API keys. To start using API key authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Generate API keys.
API key credentials are not available for ArcGIS Enterprise accounts.
No. ArcGIS Enterprise accounts cannot create API key credentials. It is not possible to access ArcGIS Enterprise services with an API key.
Service usage with API key authentication is billed to the ArcGIS subscription associated with the developer's account. The developer who created the API key credentials, or the organization the developer belongs to, will incur all costs associated with the key.
API key authentication is recommended for public applications and standalone automation scripts. API keys used in public applications should have a limited set of privileges, and have their referrer URLs configured to prevent the key from being stolen.
To learn about the best practices for API key authentication, go to Security best practices.
User authentication
User authentication requires OAuth credentials, which are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts: You need to be an ArcGIS Online administrator or a have custom role that allows you to manage the privileges of OAuth applications. To start using user authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Assign privileges to OAuth 2.0 applications.
- ArcGIS Enterprise accounts
Service usage with user authentication is individually billed to the ArcGIS subscriptions of each user who signs in to your application. Service usage can still be tracked with the OAuth credentials used to create the application, but all costs will be billed to the organization of users who sign in to the application.
Anyone with an ArcGIS account can sign in to apps that implement user authentication. However, user authentication is typically used for the following account types:
- ArcGIS Online users that are a member of an ArcGIS Online organization.
- ArcGIS Enterprise users that are a member of an ArcGIS Enterprise organization.
User authentication is used to build private applications that require users to sign in with an ArcGIS account. It can be implemented in any environment, including client-facing applications, server-side applications, and full stack applications.
To learn about the best practices for user authentication, go to Security best practices.
App authentication
App authentication requires OAuth credentials, which are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts: You need to be an ArcGIS Online administrator or a have custom role that allows you to manage the privileges of OAuth applications. To start using app authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Assign privileges to OAuth 2.0 applications.
- ArcGIS Enterprise accounts
Service usage with app authentication is billed to the ArcGIS subscription associated with the developer's account. The developer who created the OAuth credentials, or the organization the developer belongs to, will incur all costs associated with the application.
App authentication is recommended for public applications with a server-side component as well as console scripts. App authentication is more secure than API key authentication, as client credentials are stored securely and never exposed to the client.
To learn about the best practices for app authentication, go to Security best practices.