General
This guide is for ArcGIS Location Platform, ArcGIS Online, and ArcGIS Enterprise developers implementing authentication in custom applications.
The table below shows the account types you can use and limitations:
| ArcGIS Location Platform account | ArcGIS Online account | ArcGIS Enterprise account | |
|---|---|---|---|
| ArcGIS Location Services | 1 | ||
| Data services (Item access) | 2 | ||
| Spatial analysis services | |||
| Portal | 3 | ||
| Portal service | 3 |
- 1. Places service not supported.
- 2. Only supports creating and accessing feature services, vector tile services, and map tile services.
- 3. Single-user organization. Limited user, group, and administration functionality available.
The following resources are secure and require authentication to access:
-
Portal: A portal is secure and requires users and applications to sign in. All content items in a portal are secure and may require authentication depending on their sharing level.
-
ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including location services, spatial analysis services, data services, and the portal service.
-
ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.
-
Low/No-code applications: Applications built using low/no-code builders are hosted in a portal and secure and may require authentication depending on their sharing level.
-
ArcGIS tools: All ArcGIS tools are secure, such as ArcGIS Pro, Map Viewer, Scene Viewer.
-
Subscriber and premium content: Subscriber content is a type of secure item hosted in ArcGIS Living Atlas that requires an ArcGIS Online account. Premium content is a subtype of subscriber content that consumes credits.
The following table provides an overview of the functionality available with each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| ArcGIS Location Services | |||
| Data services (Item access) | |||
| Spatial analysis services | 1 | 1 | |
| Portal service (General privileges) | 1 | 1 | |
| Portal service (Admin privileges) | 1 | 1 |
- 1. Supported with ArcGIS Online and ArcGIS Location Platform.
The privileges required for an access token depend on the resources and functionality required by your application. To view the complete list, go to Privileges.
The cost to access ArcGIS services depends on the type of ArcGIS account you have and the services you use.
-
If you have an ArcGIS Location Platform account, you are billed in US dollars. To determine the cost of accessing services, go to Pricing. A free tier is available for some services.
-
If you have an ArcGIS Online account, you are billed in credits. To determine the cost of accessing services, go to Understanding credits.
Esri's Terms of Use documents include legal guidelines for the use of Esri products, services, and data.
Some of the key documents you will find are the:
Developer credentials
If you do not see an option for API key credentials in the developer credentials creation menu, your account might not have the correct privileges. If you have an ArcGIS Online account or an ArcGIS Enterprise account, your account needs the following privileges to create and assign authorization to API key credentials:
- General privileges > Content > Generate API keys
- General privileges > Content > Assign privileges to OAuth 2.0 applications
To get these privileges, ask your organization administrator to create a custom role for developers and assign it to your account. To learn more, go to "Roles" in the ArcGIS Online documentation or the ArcGIS Enterprise documentation.
If you do not see the Privileges or Item access windows when creating developer credentials, your account might not have the correct privileges. If you have an ArcGIS Online account or an ArcGIS Enterprise account, your account needs the privilege to work with developer credentials:
- General privileges > Content > Assign privileges to OAuth 2.0 applications
To get this privilege and related developer privileges, ask your organization administrator to create a custom role for developers and assign it to your account. To learn more, go to "Roles" in the ArcGIS Online documentation or the ArcGIS Enterprise documentation.
If a privilege is not available to your developer credentials, it may not be visible for the following reasons:
- Your account does not have the correct user type or roles.
- You have the wrong type of ArcGIS account. The privileges available to you differ depending on if you use ArcGIS Location Platform, ArcGIS Online, or ArcGIS Enterprise
- You do not have pay-as-you-go enabled in your ArcGIS Location Platform account.
- You are using a type of authentication that does not support the privileges you require. To learn more, go to Types of authentication.
API key authentication
API key credentials are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts:
- You need to be an administrator of your organization or have a custom role that allows you to generate API keys. To start using API key authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Generate API keys.
- ArcGIS Enterprise accounts:
- Requires ArcGIS Enterprise version 11.4 or greater.
- You need to be an administrator of your organization or have a custom role that allows you to generate API keys. To start using API key authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Generate API keys.
Support for API key authentication was added to ArcGIS Enterprise in version 11.4. It is not possible to access ArcGIS Enterprise services with an API key in versions prior to 11.4.
API keys (legacy) are not supported in ArcGIS Enterprise.
Service usage with API key authentication is billed to the ArcGIS subscription associated with the developer's account. The developer who created the API key credentials, or the organization the developer belongs to, will incur all costs associated with the key.
API key authentication is recommended for public applications and standalone automation scripts. API keys used in public applications should have a limited set of privileges, and have their referrer URLs configured to prevent the key from being stolen.
To learn about the best practices for API key authentication, go to Security best practices.
User authentication
User authentication requires OAuth credentials, which are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts
- ArcGIS Enterprise accounts
Service usage with user authentication is individually billed to the ArcGIS subscriptions of each user who signs in to your application. Service usage can still be tracked with the OAuth credentials used to create the application, but all costs will be billed to the organization of users who sign in to the application.
Anyone with an ArcGIS account can sign in to apps that implement user authentication. However, user authentication is typically used for the following account types:
- ArcGIS Online users that are a member of an ArcGIS Online organization.
- ArcGIS Enterprise users that are a member of an ArcGIS Enterprise organization.
User authentication is used to build private applications that require users to sign in with an ArcGIS account. It can be implemented in any environment, including client-facing applications, server-side applications, and full stack applications.
To learn about the best practices for user authentication, go to Security best practices.
App authentication
App authentication requires OAuth credentials, which are available for the following account types:
- ArcGIS Location Platform accounts
- ArcGIS Online accounts
- You need to be an administrator of your organization or a have custom role that allows you to manage the privileges of OAuth applications. To start using app authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Assign privileges to OAuth 2.0 applications.
- ArcGIS Enterprise accounts:
- Requires ArcGIS Enterprise version >= 11.4.
- You need to be an administrator of your organization or a have custom role that allows you to manage the privileges of OAuth applications. To start using app authentication, ask your organization administrator to grant you a role with the following privilege: General privileges > Content > Assign privileges to OAuth 2.0 applications.
Service usage with app authentication is billed to the ArcGIS subscription associated with the developer's account. The developer who created the OAuth credentials, or the organization the developer belongs to, will incur all costs associated with the application.
App authentication is recommended for public applications with a server-side component, or for standalone console scripts. App authentication is more secure than API key authentication, as client credentials are stored securely and never exposed to the client.
To learn about the best practices for app authentication, go to Security best practices.