{"id":2961359,"date":"2026-04-09T09:52:45","date_gmt":"2026-04-09T16:52:45","guid":{"rendered":"https:\/\/www.esri.com\/arcgis-blog\/?post_type=blog&#038;p=2961359"},"modified":"2026-04-09T13:23:52","modified_gmt":"2026-04-09T20:23:52","slug":"user-app-or-api-key-authentication","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication","title":{"rendered":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications"},"author":167172,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501,738191],"tags":[],"industry":[],"product":[763582],"class_list":["post-2961359","blog","type-blog","status-publish","format-standard","hentry","category-administration","category-developers","product-trust-arcgis"],"acf":{"authors":[{"ID":167172,"user_firstname":"Gregory","user_lastname":"Ponto","nickname":"Gregory Ponto","user_nicename":"gponto","display_name":"Gregory Ponto","user_email":"GPonto@esri.com","user_url":"","user_registered":"2021-01-28 20:29:23","user_description":"","user_avatar":"<img alt='' src='https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=96&#038;d=blank&#038;r=g' srcset='https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=192&#038;d=blank&#038;r=g 2x' class='avatar avatar-96 photo' height='96' width='96' loading='lazy' decoding='async'\/>"}],"short_description":"Security Best Practices for User, App, and API Key Authentication with ArcGIS Online","flexible_content":[{"acf_fc_layout":"youtube","start_time":"0","end_time":"","youtube_video_url":"<iframe title=\"App, User, API key Authentication Overview\" width=\"640\" height=\"360\" 
src=\"https:\/\/www.youtube.com\/embed\/m6MUPqCbRTk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>"},{"acf_fc_layout":"content","content":"<p>What Security Best Practices should ArcGIS Online Developers consider when implementing OAuth 2.0 User Authentication, OAuth 2.0 App Authentication, and API Key Authentication? As an ArcGIS developer, when &amp; where is it appropriate to use these authentication options?<\/p>\n"},{"acf_fc_layout":"content","content":"<h1>Implementing OAuth 2.0 User Authentication<\/h1>\n<p><em>Implement <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/user-authentication\/\">OAuth 2.0 User Authentication<\/a> for human-interactive applications.<\/em><\/p>\n<p><a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/user-authentication\/\">OAuth 2.0 User Authentication<\/a> is suited to the majority of developer use cases where interactive login is required.\u00a0 OAuth 2.0 User Authentication carries relatively low implementation risk because there is no static secret or key for the developer to manage.\u00a0 User Authentication requires the human user of the application to log in interactively, preserving their identity for the purpose of accessing the application and dependent services.\u00a0 While using the application, content the user is permitted to access will be available for use within the application; content the user is not allowed to access will be denied.\u00a0 Additionally, data reads and writes will occur under the logged-in user&#8217;s context and will be tracked through audit records.<\/p>\n<p>User authentication is fully supported by all interactive authentication flows (ArcGIS Login, SAML, OIDC, &amp; WebAuthn) and ArcGIS applications, services, APIs, and SDKs.\u00a0 User Authentication 
can be implemented with minimal code\/effort by leveraging the Identity Manager class (<a href=\"https:\/\/developers.arcgis.com\/javascript\/latest\/tutorials\/implement-user-authentication\/#register-credentials-with-identity-manager\">Implement user authentication | ArcGIS Maps SDK for JavaScript<\/a>).\u00a0 For more details, see: <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/user-authentication\/\">Introduction to user authentication | Documentation | Esri Developer<\/a>.<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2961460,"id":2961460,"title":"User Authentication","filename":"User-Authentication-scaled.png","filesize":696357,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-scaled.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/user-authentication","alt":"User Authentication","author":"167172","description":"User Authentication","caption":"User Authentication","name":"user-authentication","status":"inherit","uploaded_to":2961359,"date":"2026-03-27 20:49:08","modified":"2026-03-27 
20:49:33","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":2560,"height":1214,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-213x200.png","thumbnail-width":213,"thumbnail-height":200,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-scaled.png","medium-width":464,"medium-height":220,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-scaled.png","medium_large-width":768,"medium_large-height":364,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-scaled.png","large-width":1920,"large-height":911,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-1536x729.png","1536x1536-width":1536,"1536x1536-height":729,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-2048x972.png","2048x2048-width":2048,"2048x2048-height":972,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-826x392.png","card_image-width":826,"card_image-height":392,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/User-Authentication-1920x911.png","wide_image-width":1920,"wide_image-height":911}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h2>Monitoring OAuth 2.0 User Authentication Activity within ArcGIS Online<\/h2>\n<p>Upon implementing User Authentication within a developer application, organizations should schedule and review <a href=\"https:\/\/doc.arcgis.com\/en\/arcgis-online\/administer\/reports.htm\">Organization Activity Reports<\/a> to ensure the User Application is used as expected.\u00a0 Upon downloading and viewing the Organization Activity Report for a given timeframe, the following 
columns\/filters are useful to identify User Authentication workflows relative to applications you have published:<\/p>\n<ul>\n<li>Column: idType, Filter Value: user<\/li>\n<li>Column: clientid, Filter Value: &lt;Client ID associated with Developer User Application&gt;<\/li>\n<\/ul>\n<p>These reports can help ArcGIS Online Developers and Administrators trace source IP, User, Action, Request, and Timestamp details related to User Authentication operations specific to each application published within their organization:<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2962348,"id":2962348,"title":"Activity Reports - User Authentication","filename":"Activity-Reports-User-Authentication-1.png","filesize":70132,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/activity-reports-user-authentication-2","alt":"","author":"167172","description":"","caption":"","name":"activity-reports-user-authentication-2","status":"inherit","uploaded_to":2961359,"date":"2026-04-08 22:54:16","modified":"2026-04-08 
22:54:16","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":1082,"height":270,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1-213x200.png","thumbnail-width":213,"thumbnail-height":200,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","medium-width":464,"medium-height":116,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","medium_large-width":768,"medium_large-height":192,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","large-width":1082,"large-height":270,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","1536x1536-width":1082,"1536x1536-height":270,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","2048x2048-width":1082,"2048x2048-height":270,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1-826x206.png","card_image-width":826,"card_image-height":206,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-User-Authentication-1.png","wide_image-width":1082,"wide_image-height":270}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h1>OAuth 2.0 App Authentication<\/h1>\n<p><em>Implement <a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/app-authentication\/\">OAuth 2.0 App Authentication<\/a> for non-interactive (scripted) processing.<\/em><\/p>\n<p>App Authentication makes use of an OAuth Client ID, Client Secret exchange that returns a short-lived OAuth 2.0 
Bearer token which can authenticate non-interactive processes against sensitive content; this is analogous to a &#8220;service account&#8221; or &#8220;service principal&#8221;.\u00a0 OAuth 2.0 App Authentication presents moderate implementation risk because it requires the application developer manage the Client Secret carefully (never embed in static code).\u00a0 OAuth 2.0 App Authentication is only suitable for scenarios where human user interaction is not possible, such as CI\/CD Pipelines and other non-interactive automation.\u00a0 App Authentication utilizes the identity of the application and its privileges; thus audit records record these changes as the Application Identity, not any specific human user.<\/p>\n<p><strong>App Authentication is <em>NOT<\/em> appropriate for user-interactive applications that access sensitive content<\/strong> such as: web applications, mobile applications, or user distributed ArcGIS Notebooks. Such a practice is known as &#8220;impersonation&#8221; which leads to issues of non-repudiation and potential organization compromise.\u00a0 For more details, see:\u00a0<a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/app-authentication\/\">Introduction to app authentication | Documentation | Esri Developer<\/a>.<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2961461,"id":2961461,"title":"App Authentication","filename":"App-Authentication-scaled.png","filesize":709352,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-scaled.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/app-authentication","alt":"App Authentication","author":"167172","description":"App Authentication","caption":"App Authentication","name":"app-authentication","status":"inherit","uploaded_to":2961359,"date":"2026-03-27 20:49:59","modified":"2026-03-27 
20:50:14","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":2560,"height":1371,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-213x200.png","thumbnail-width":213,"thumbnail-height":200,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-scaled.png","medium-width":464,"medium-height":248,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-scaled.png","medium_large-width":768,"medium_large-height":411,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-scaled.png","large-width":1920,"large-height":1028,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-1536x823.png","1536x1536-width":1536,"1536x1536-height":823,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-2048x1097.png","2048x2048-width":2048,"2048x2048-height":1097,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-826x442.png","card_image-width":826,"card_image-height":442,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/App-Authentication-1920x1028.png","wide_image-width":1920,"wide_image-height":1028}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h2>Monitoring OAuth 2.0 App Authentication Activity within ArcGIS Online<\/h2>\n<p>Upon implementing App Authentication within a developer application, organizations should schedule and review <a href=\"https:\/\/doc.arcgis.com\/en\/arcgis-online\/administer\/reports.htm\">Organization Activity Reports<\/a> to ensure the App Auth Item is used as expected.\u00a0 Upon downloading and viewing the Organization Activity Report for a given timeframe, the following 
columns\/filters are useful to identify App Authentication workflows relative to applications you have published:<\/p>\n<ul>\n<li>Column: id, Filter Value: &lt;Published Application Item ID&gt;<\/li>\n<li>Column: idType, Filter Value: app<\/li>\n<\/ul>\n<p>These reports can help ArcGIS Online Developers and Administrators trace source IP, Action, Request, Timestamp, and Client ID details related to App Authentication operations specific to each application published within their organization.<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2962344,"id":2962344,"title":"Activity Reports - App Authentication","filename":"Activity-Reports-App-Authentication-1.png","filesize":117237,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/activity-reports-app-authentication-2","alt":"","author":"167172","description":"","caption":"","name":"activity-reports-app-authentication-2","status":"inherit","uploaded_to":2961359,"date":"2026-04-08 22:52:11","modified":"2026-04-08 
22:52:11","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":1145,"height":442,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1-213x200.png","thumbnail-width":213,"thumbnail-height":200,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","medium-width":464,"medium-height":179,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","medium_large-width":768,"medium_large-height":296,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","large-width":1145,"large-height":442,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","1536x1536-width":1145,"1536x1536-height":442,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","2048x2048-width":1145,"2048x2048-height":442,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1-826x319.png","card_image-width":826,"card_image-height":319,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-App-Authentication-1.png","wide_image-width":1145,"wide_image-height":442}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h1>API Key Authentication<\/h1>\n<p><em><a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/\">API Key Authentication<\/a> should be limited to use with ArcGIS Location Services and other non-sensitive workflows.<\/em><\/p>\n<p>An ArcGIS API Key is a long-lived, replay-able, static authenticator that can be embedded 
into processes and applications that can impersonate a human identity.\u00a0 Given these attributes, <strong>API Keys present considerable implementation risk<\/strong> and should be limited to accessing ArcGIS Location Services and other non-sensitive workflows.<\/p>\n<p><strong>API Key Authentication is <em>NOT<\/em> appropriate for user-interactive applications that access sensitive content<\/strong> such as: web applications, mobile applications, or user distributed ArcGIS Notebooks. Such a practice is known as &#8220;impersonation&#8221; which leads to issues of non-repudiation and potential organization compromise.\u00a0 For further details, see:\u00a0<a href=\"https:\/\/developers.arcgis.com\/documentation\/security-and-authentication\/api-key-authentication\/\">Introduction to API key authentication | Documentation | Esri Developer<\/a>.<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2961462,"id":2961462,"title":"API key Authentication","filename":"API-key-Authentication.png","filesize":531496,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/api-key-authentication","alt":"API key Authentication","author":"167172","description":"API key Authentication","caption":"API key Authentication","name":"api-key-authentication","status":"inherit","uploaded_to":2961359,"date":"2026-03-27 20:50:35","modified":"2026-03-27 
20:50:48","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":2277,"height":1233,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication-213x200.png","thumbnail-width":213,"thumbnail-height":200,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication.png","medium-width":464,"medium-height":251,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication.png","medium_large-width":768,"medium_large-height":416,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication.png","large-width":1920,"large-height":1040,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication-1536x832.png","1536x1536-width":1536,"1536x1536-height":832,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication-2048x1109.png","2048x2048-width":2048,"2048x2048-height":1109,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication-826x447.png","card_image-width":826,"card_image-height":447,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/API-key-Authentication-1920x1040.png","wide_image-width":1920,"wide_image-height":1040}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h2>Monitoring OAuth 2.0 API Key Authentication Activity within ArcGIS Online<\/h2>\n<p>Upon implementing API Authentication within a developer application, organizations should schedule and review <a href=\"https:\/\/doc.arcgis.com\/en\/arcgis-online\/administer\/reports.htm\">Organization Activity Reports<\/a> to ensure the API Key item is used as expected.\u00a0 Upon downloading and viewing the Organization Activity Report for a given timeframe, the 
following columns\/filters are useful to identify App Authentication workflows relative to applications you have published:<\/p>\n<ul>\n<li>Column: id, Filter Value: &lt;Published API Key Item ID&gt;<\/li>\n<li>Column: idType, Filter Value: app<\/li>\n<\/ul>\n<p>These reports can help ArcGIS Online Developers and Administrators trace source IP, Action, Request, and Timestamp details related to API Key Authentication operations specific to each application published within their organization.<\/p>\n"},{"acf_fc_layout":"image","image":{"ID":2962345,"id":2962345,"title":"Activity Reports - API Key Authentication","filename":"Activity-Reports-API-Key-Authentication-1.png","filesize":31513,"url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\/activity-reports-api-key-authentication-2","alt":"","author":"167172","description":"","caption":"","name":"activity-reports-api-key-authentication-2","status":"inherit","uploaded_to":2961359,"date":"2026-04-08 22:52:40","modified":"2026-04-08 
22:52:40","menu_order":0,"mime_type":"image\/png","type":"image","subtype":"png","icon":"https:\/\/www.esri.com\/arcgis-blog\/wp-includes\/images\/media\/default.png","width":979,"height":154,"sizes":{"thumbnail":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1-213x154.png","thumbnail-width":213,"thumbnail-height":154,"medium":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","medium-width":464,"medium-height":73,"medium_large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","medium_large-width":768,"medium_large-height":121,"large":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","large-width":979,"large-height":154,"1536x1536":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","1536x1536-width":979,"1536x1536-height":154,"2048x2048":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","2048x2048-width":979,"2048x2048-height":154,"card_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1-826x130.png","card_image-width":826,"card_image-height":130,"wide_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2026\/03\/Activity-Reports-API-Key-Authentication-1.png","wide_image-width":979,"wide_image-height":154}},"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"<h2>References<\/h2>\n<ul>\n<li><a href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Authentication_Cheat_Sheet.html\">Authentication &#8211; OWASP Cheat Sheet Series<\/a><\/li>\n<li><a href=\"https:\/\/pages.nist.gov\/800-63-4\/sp800-63b.html\">NIST Special Publication 800-63B<\/a><\/li>\n<li><a 
href=\"https:\/\/csf.tools\/reference\/nist-sp-800-53\/r5\/ia\/ia-2\/ia-2-8\/\">IA-2(8): Access to Accounts \u2013 Replay Resistant &#8211; CSF Tools<\/a><\/li>\n<li><a href=\"https:\/\/www.nist.gov\/publications\/zero-trust-architecture\">Zero Trust Architecture | NIST<\/a><\/li>\n<\/ul>\n"}],"related_articles":"","show_article_image":false,"card_image":false,"wide_image":false},"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v25.9 (Yoast SEO v25.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\" \/>\n<meta property=\"og:site_name\" content=\"ArcGIS Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-09T20:23:52+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@ESRI\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\"},\"author\":{\"name\":\"Gregory Ponto\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/a2cccbe9d564e427d4473957dc79603a\"},\"headline\":\"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications\",\"datePublished\":\"2026-04-09T16:52:45+00:00\",\"dateModified\":\"2026-04-09T20:23:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\"},\"wordCount\":16,\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"articleSection\":[\"Administration\",\"Developers\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\",\"name\":\"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer 
Applications\",\"isPartOf\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\"},\"datePublished\":\"2026-04-09T16:52:45+00:00\",\"dateModified\":\"2026-04-09T20:23:52+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.esri.com\/arcgis-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#website\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"name\":\"ArcGIS Blog\",\"description\":\"Get insider info from Esri product 
teams\",\"publisher\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#organization\",\"name\":\"Esri\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"contentUrl\":\"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png\",\"width\":400,\"height\":400,\"caption\":\"Esri\"},\"image\":{\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/esrigis\/\",\"https:\/\/x.com\/ESRI\",\"https:\/\/www.linkedin.com\/company\/5311\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/a2cccbe9d564e427d4473957dc79603a\",\"name\":\"Gregory Ponto\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=96&d=blank&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=96&d=blank&r=g\",\"caption\":\"Gregory Ponto\"},\"url\":\"\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication","og_locale":"en_US","og_type":"article","og_title":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications","og_url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication","og_site_name":"ArcGIS Blog","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","article_modified_time":"2026-04-09T20:23:52+00:00","twitter_card":"summary_large_image","twitter_site":"@ESRI","twitter_misc":{"Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#article","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication"},"author":{"name":"Gregory Ponto","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/a2cccbe9d564e427d4473957dc79603a"},"headline":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer 
Applications","datePublished":"2026-04-09T16:52:45+00:00","dateModified":"2026-04-09T20:23:52+00:00","mainEntityOfPage":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication"},"wordCount":16,"publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"articleSection":["Administration","Developers"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication","url":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication","name":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications","isPartOf":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#website"},"datePublished":"2026-04-09T16:52:45+00:00","dateModified":"2026-04-09T20:23:52+00:00","breadcrumb":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/developers\/user-app-or-api-key-authentication#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/arcgis-blog\/"},{"@type":"ListItem","position":2,"name":"Security Best Practices for Implementing User, App, and API Key Authentication within ArcGIS Online Developer Applications"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/arcgis-blog\/#website","url":"https:\/\/www.esri.com\/arcgis-blog\/","name":"ArcGIS Blog","description":"Get insider info from Esri product 
teams","publisher":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/arcgis-blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.esri.com\/arcgis-blog\/#organization","name":"Esri","url":"https:\/\/www.esri.com\/arcgis-blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","contentUrl":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2018\/04\/Esri.png","width":400,"height":400,"caption":"Esri"},"image":{"@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/esrigis\/","https:\/\/x.com\/ESRI","https:\/\/www.linkedin.com\/company\/5311\/"]},{"@type":"Person","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/a2cccbe9d564e427d4473957dc79603a","name":"Gregory Ponto","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/arcgis-blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/80457d6c05a24bc78ee26da831a875019b15c87d19939edfc27ec0a869e69bc5?s=96&d=blank&r=g","caption":"Gregory Ponto"},"url":""}]}},"text_date":"April 9, 2026","author_name":"Gregory Ponto","author_page":false,"custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust 
Center","tag_data":[],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":424,"filter":"raw"},{"term_id":738191,"name":"Developers","slug":"developers","term_group":0,"term_taxonomy_id":738191,"taxonomy":"category","description":"","parent":0,"count":422,"filter":"raw"}],"product_data":[{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center team","parent":36981,"count":87,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis","_links":{"self":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2961359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/types\/blog"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/users\/167172"}],"replies":[{"embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/comments?post=2961359"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/blog\/2961359\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/media?parent=2961359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/categories?post=2961359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/tags?post=2961359"},{"taxonomy":"industry","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\/industry?post=2961359"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.esri.com\/arcgis-blog\/wp-json\/wp\/v2\
/product?post=2961359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}