This topic introduces the different types of authentication you can implement to get an access token. The type you choose depends on the type of application you are building, the types of resources you need to access, and the functionality you need to support in your application.
The three types of authentication are:
To compare the different types of authentication and see different use cases, go to Authentication comparision.
API key authentication
API key authentication is a type of authentication that uses a long-lived access token embedded directly into an application to access location services and portal items. API key authentication requires creating a set of API key credentials that is used to create and manage long-lived access tokens. The privileges of API key credentials can be configured to authorize the tokens to access different services and items.
API key authentication is the easiest type of authentication to set up and is recommended if you are new to ArcGIS or if you are building applications that only access location services.
User authentication
User authentication is a set of authentication workflows that allows ArcGIS users to sign into an application and access secure resources. It requires that all users have an ArcGIS account. The authentication protocol used is OAuth 2.0. When a user signs into an application with their ArcGIS account, an access token is generated that authorizes the application to access services and content on their behalf. The resources and functionality available depend on the user type, roles, and privileges of the user's ArcGIS account. This authentication type was previously known as Named user login and ArcGIS identity.
User authentication generates a unique access token for each user that signs in to your application. Once a user authenticates, the app receives an access token with privileges identical to those of the signed-in user's account. This enables your application to access all content and services the user is authorized to.
App authentication
App authentication is an authentication workflow that grants a short-lived access token via OAuth 2.0, authorizing your application to access location services and portal items. App authentication provides access to similar resources and functionality as API key authentication. Typically, a server-side application component uses a set of OAuth credentials consisting of a client_ and client_ to request an access token. The server-side component then passes the resulting access token to a client application.
Authentication comparison
Below is a quick comparison of the application type, billing method, privileges, and access token storage and duration for the different types of authentication.
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| Application type | Public (no sign in required) | Private (sign in required) | Public (no sign in required) |
| Billing | Usage billed to your ArcGIS subscription. | Usage billed to the signed-in user's ArcGIS subscription. | Usage billed to your ArcGIS subscription. |
| Access token privileges | Determined by the properties of the developer credentials. | Determined by privileges of the signed-in user's account. | Determined by the properties of the developer credentials. |
| Access token storage | Static, embedded in the application. | New token created for every signed-in user. | Created upon request and stored in the application. |
| Access token duration | Up to 1 year. | Up to 2 weeks, can be refreshed. | 2 weeks. |
Resources and functionality
The following table is an overview of the resources and the functionality available when implementing each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| Location services | |||
| Data services (Item access) | |||
| Spatial analysis services | |||
| Portal service (General privileges) | |||
| Portal service (Admin privileges) |
API support
The following table shows the level of API support for each type of authentication:
| API key authentication | User authentication | App authentication | |
|---|---|---|---|
| ArcGIS Maps SDK for JavaScript | |||
| ArcGIS Maps SDK for .NET | |||
| ArcGIS Maps SDK for Kotlin | |||
| ArcGIS Maps SDK for Swift | |||
| ArcGIS Maps SDK for Java | |||
| ArcGIS Maps SDK for Qt | |||
| ArcGIS API for Python | |||
| ArcGIS REST JS | |||
| Esri Leaflet | 1 | ||
| MapLibre GL JS | 1 | ||
| OpenLayers | 1 | ||
| CesiumJS | 1 |
- 1. Supported via ArcGIS REST JS
Choosing a type of authentication
Answer the following questions to help choose the best type of authentication to implement for the custom application you are building:
-
What type of app are you building?
- Public application (no sign in required): API key authentication or app authentication.
- Private application (sign in required): User authentication.
-
What type of ArcGIS product and account do you have?
- ArcGIS Location Platform: Typically API key authentication or app authentication.
- ArcGIS Online: Typically user authentication, but can implement all types of authentication.
- ArcGIS Enterprise: App authentication or user authentication. API key authentication is not supported.
-
What type of secure resources will your application access?
- Only location services and portal items: API key authentication or app authentication.
- All other secure resources: User authentication
-
Which do you value more, simple implementation or higher security?
- Simple implementation: API key authentication.
- Higher security: User authentication or app authentication.
-
What agent will request an access token?
- Client-side app or web app: API key authentication or user authentication with a PKCE flow.
- Server: App authentication or user authentication with an Authorization code flow.
- Console script: App authentication.
The following table provides use cases for each type of authentication:
| Use case | Solution |
|---|---|
| You are building an application that only requires access to location services and you do not want users to log in. | API key authentication or app authentication |
| You are building an application on a server or API back-end that only requires access to location services. | API key authentication or app authentication |
| You are building an application that will read private hosted data on your ArcGIS account. | API key authentication or app authentication |
| You are building an application that will read private hosted data from the ArcGIS accounts of organization members. | User authentication |
| You are building an application that will perform management tasks with the portal service. | User authentication |
| You are building an application that will perform spatial analysis. | User authentication |
| You are building an application using an ArcGIS API. | API key authentication, app authentication, or user authentication |