Introduction to security and authentication

This topic provides an overview of the key concepts and terminology you should be familiar with before implementing authentication in your applications.

Security in ArcGIS

ArcGIS is a secure system that requires authentication to access all secure apps, content, data, and services. It implements industry-standard protocols to ensure that only authorized users and applications can access secure resources.

Some common workflows that use security in ArcGIS are:

  • ArcGIS users sign in to apps such as ArcGIS Pro, Map Viewer and Scene Viewer.
  • Developers create custom applications that use authentication to access secure resources.
  • Administrators manage the privileges and roles of users to enhance security within their organization.
  • Members of an organization upload and share content securely in a portal.

What is authentication?

Authentication is the process of verifying the identity of a user or application in ArcGIS. Authentication allows users and applications to access secure resources such as a portal, location services, and other services.

Authorization is the process of verifying client privileges prior to accessing a secure resource. After users and applications successfully authenticate with ArcGIS, the service they are trying to access will authorize the request if they have the appropriate privileges.

How authentication works

ArcGIS uses token-based authentication for all requests. Authentication works by interacting with a portal service to get an access token. The access token contains information that determines the privileges of the application as well as the associated ArcGIS account. Once obtained, the access token is included in requests to provide authorization for secure resources.

The general process of authentication includes the following:

  1. Authenticate with a portal to get an access token.
  2. Use the access token to authorize requests to secure resources.

Below is a sample HTTP request to access a secure resource in ArcGIS with an access token.

Use dark colors for code blocksCopy
1
https://<SERVICE_URL>?token=<YOUR_ACCESS_TOKEN>
Basic authentication process
An overview of how authentication works in ArcGIS

Types of authentication

ArcGIS supports three types of authentication to get an access token. Each type requires following a specific workflow and supports the development of a specific type of application.

Authentication comparison

The following table provides an overview of the functionality available with each type of authentication:

API key authenticationUser authenticationApp authentication
Location services
Data services (Item access)
Spatial analysis services
Portal service (General privileges)
Portal service (Admin privileges)
Full supportPartial supportNo support

    Terminology

    This section contains important terminology you should be familiar with before implementing authentication in your apps.

    ArcGIS accounts

    You need an ArcGIS account to implement authentication in custom applications. The following table shows the supported types of authentication for each type of account:

    ArcGIS Location Platform accountArcGIS Online accountArcGIS Enterprise account
    API key authentication1
    User authentication2
    App authentication2
    Full supportPartial supportNo support
    • 1. Requires an administrator account or a custom role with the "Generate API keys" privilege
    • 2. Requires an administrator account or a custom role with the "Manage privileges for OAuth applications" privilege

    Public applications

    A public application is an application developers create that does not require users to sign in with an ArcGIS account.

    Public applications typically implement API key authentication or app authentication to authenticate requests to secure resources without prompting users to sign in. Usage costs for accessing secure resources in a public application are billed to the developer's account. Developers with an ArcGIS Online or ArcGIS Enterprise account can choose to omit authentication in public apps if the application only accesses resources with a sharing level set to Everyone (public).

    Private applications

    A private application is an application developers create that requires users to sign in with an ArcGIS account. Private applications implement user authentication and are typically built by ArcGIS Online or Enterprise developers for members of an organization. Usage costs for accessing secure resources in a private application are billed to the accounts of users.

    Developer credentials

    Developer credentials are a type of item in a portal that contains the necessary properties for authentication. You can create and manage developer credentials in your portal to support all types of authentication. In most cases, a developer credential is created for every application you create.

    You can use developer credentials to:

    • Create, regenerate, and invalidate API keys in API key authentication.
    • Obtain an OAuth 2.0 client ID for user authentication.
    • Obtain an OAuth 2.0 client ID and client secret for app authentication.
    • Define the privileges and item access of your application.
    • Authorize redirect URIs and referrer domains to improve application security.

    Privileges

    A privilege is a set of permissions that grant access to secure resources and functionality in ArcGIS. You use privileges to define the capabilities of a user account or developer credentials for a custom application.

    Privileges can be applied to ArcGIS accounts and developer credentials:

    1. Privileges for users: Privileges define the capabilities and permissions for users in an organization. They are determined by the user type and role assigned to the account.
    2. Privileges for developer credentials: Privileges defined for developer credentials for custom applications you are building. They determine the capabilities and permissions of the access tokens used by your applications.

    Access tokens

    An access token is an authorization string that provides access to secure ArcGIS resources. It can be used to access resources such as private content in a portal or location services. To get an access token, you need to implement a type of authentication. The access token's capabilities are determined by the privileges associated with either the ArcGIS account or developer credentials used for authentication.

    Example of an access token:

    Use dark colors for code blocksCopy
    1
    AAPTKUgfudpnh_cXrZ7wRiqGE4q0VCQENKpafTPqVh27cldNPiqORWEyVueCmI67s3ebSNEYl0Sn3IitIyf18X8PxF3N8m9ZE30i5iwGHtGfnv6-DoKA-C8-lJ9GM30s-Wxn75jLBdnQnMjIgwVXEjIoualIMSfk4IWraDv3GMV8XP3fAUA73P23Vfs-THx2QjfDNVD3iuGCqLG0udK_TVLchskcBFVbsj1PRWXGcFaKKzdPkwWMXps_4P_cZEBAZdImAT1_L1aY2CIy

    Portal

    An ArcGIS portal is a website with applications, tools, and functionality for creating and sharing geospatial content and data. A portal plays a key role in supporting authentication. It has built in security functionality to control access to sensitive data, manage users, and protect your organization. It also provides important tools for developers that allow them to create developer credentials required to build custom applications.

    The portal supports the following security features:

    • Membership: Only members can sign in, view content, access applications and tools, and participate in the organization/portal.
    • Item sharing levels: Item sharing levels can be private, group, organization, or public. Only users with the correct privileges can access items in a portal.
    • Groups: Members can create groups to share items with specific members.
    • Roles: Administrators can grant custom roles to a member with privileges that specify that items, tools, and applications the member is allowed to access.

    Additionally, a portal's underlying portal service is responsible for granting access tokens for Authentication.

    Secure resources

    The following resources are secure and require authentication to access:

    • Portal: A portal is secure and requires users and applications to sign in. The underlying portal service is also secure and requires authentication to access.

    • Secure items: All content items in a portal are secure and may require authentication depending on their sharing level. Items can also be shared with specific groups in an organization.

    • ArcGIS services: All ArcGIS services hosted in Esri's infrastructure are secure, including location services, spatial analysis services, data services, and the portal service.

    • ArcGIS Enterprise services: All ArcGIS Enterprise services hosted in your own infrastructure are secure.

    • Low/No-code applications: Applications built using low/no-code builders are hosted in a portal and secure and may require authentication depending on their sharing level.

    • ArcGIS tools: All ArcGIS tools are secure, such as ArcGIS Pro, Map Viewer, Scene Viewer.

    • Subscriber and premium content: Subscriber content is a type of secure item hosted in ArcGIS Living Atlas that requires an ArcGIS Online account. Premium content is a subtype of subscriber content that consumes credits.

    Tutorials

    Create an API key

    Create and configure API key credentials to get a long-lived API key access token.


    Create OAuth credentials for user authentication

    Create and configure OAuth credentials to set up user authentication.


    Create OAuth credentials for app authentication

    Create and configure OAuth credentials to set up app authentication.


    API support

    API key authenticationUser authenticationApp authentication
    ArcGIS Maps SDK for JavaScript
    ArcGIS Maps SDK for .NET
    ArcGIS Maps SDK for Kotlin
    ArcGIS Maps SDK for Swift
    ArcGIS Maps SDK for Java
    ArcGIS Maps SDK for Qt
    ArcGIS API for Python
    ArcGIS REST JS
    Esri Leaflet1
    MapLibre GL JS1
    OpenLayers1
    CesiumJS1
    Full supportPartial supportNo support
    • 1. Supported via ArcGIS REST JS

    Your browser is no longer supported. Please upgrade your browser for the best experience. See our browser deprecation post for more details.