With the latest release, significant changes have been made to how developers create credentials to access secure resources in ArcGIS. This article guides you through the updates and provides essential information to help you understand the new experience.
In this article we will discuss:
- Motivations for change
- The status of existing API keys and apps
- What’s new
- New developer guide resources
- Conclusion
Motivations for change
Our primary focus was to make API keys more functional, performant, and secure:
- We added better permission granularity than OAuth credentials to help support server-side workflows and automation.
- We wanted to improve the UI across developers.arcgis.com and arcgis.com to simplify the experience.
- And lastly, we wanted to deliver a better API key developer experience without disrupting existing API keys or apps.
The status of existing API keys and apps
The new experience is available starting June 27, 2024. In the documentation, API keys created before this date are referred to as API keys (Legacy).
Here’s what this means:
- Your existing applications will continue to function as usual. They won’t be disrupted by these changes.
- You won’t be able to create or edit these legacy API keys any longer. However, they will remain functional until you decide to remove them.
What’s new
Enhanced functionality
- Unified API key experience: Developers building applications with ArcGIS Online now have the same API key functionality as those using ArcGIS Location Platform. You can grant (scope) API keys to specific services and content items, offering more precise control.
- Scoped OAuth credentials: OAuth credentials can now be granted (scoped) privileges, providing better security and usability.
Improved performance and security
- Faster validation: We have optimized API key validation for faster HTTP responses.
- Expiration times: API keys now have expiration times of up to one year. This ensures that keys are regularly updated and limits the risk of long-term exposure.
- One-time display: API keys are now displayed only once upon creation. This makes it crucial to save your API key securely when it is generated, as you will not be able to view it again.
New workflows
- Unified credential creation: Developers building applications with ArcGIS Online and ArcGIS Location Platform must now sign in to their portal at ArcGIS.com to create credentials. Note: Learn more about sign in and dashboard changes in this article.
- Updated key strings: Modifying the expiration date or privileges for API key credentials or OAuth credentials will change the key string.
- API key rotation: API keys come with built-in support for key rotation. Secondary API keys have been introduced, which enables you to rotate keys without interrupting services while maintaining usage tracking.
- Partial keys and client IDs: Partial API keys and Client IDs (along with a Client Secret) are now provided for lookup usage with REST endpoints.
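The expiration, one-time display, and rotation points above combine into a scheduling problem: when to generate the standby key so the deployed one never lapses. The following is an added example, not Esri code; the `Credential` record, the 30-day lead time, and the assumption that generating a key in one slot leaves the other slot valid are illustrative and do not call any ArcGIS API.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_LIFETIME = timedelta(days=365)  # from the article: expiration of up to one year
LEAD_TIME = timedelta(days=30)      # assumption: time needed to roll out a new key

@dataclass
class Credential:                    # hypothetical inventory record
    name: str
    deployed_slot: str               # "primary" or "secondary": slot the app uses now
    primary_expires: Optional[date]  # None means the slot has no key
    secondary_expires: Optional[date]

def plan_rotation(cred: Credential, today: date):
    """Return (action, slot, expiry) for one credential.

    Changing the expiration of a key changes its key string, so an expiring
    key cannot be extended in place; the plan always moves to the other slot.
    """
    standby = "secondary" if cred.deployed_slot == "primary" else "primary"
    live_exp = getattr(cred, f"{cred.deployed_slot}_expires")
    standby_exp = getattr(cred, f"{standby}_expires")

    if live_exp is None or live_exp <= today:
        # Deployed key is already invalid: requests are failing now.
        return ("expired", standby, today + MAX_LIFETIME)
    if live_exp - today > LEAD_TIME:
        return ("ok", None, None)
    if standby_exp is not None and standby_exp - today > LEAD_TIME:
        # A standby key exists. It was displayed only once, so it can be
        # deployed only if it was saved to a secret store at creation.
        return ("switch", standby, standby_exp)
    # Generate the standby key while the deployed key keeps serving traffic.
    return ("generate", standby, today + MAX_LIFETIME)

# Constructed sample inventory (not real credentials).
TODAY = date(2025, 1, 1)
INVENTORY = [
    Credential("basemap-web", "primary", date(2025, 6, 1), None),
    Credential("geocode-batch", "primary", date(2025, 1, 15), None),
    Credential("routing-api", "secondary", date(2025, 9, 1), date(2025, 1, 10)),
    Credential("nightly-report", "primary", date(2024, 12, 31), None),
]

if __name__ == "__main__":
    for c in INVENTORY:
        print(c.name, plan_rotation(c, TODAY))
```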
New developer guide resources
To learn more about how to use developer credentials, go to the new Security and authentication guide. Here you will find information about the following:
- API key authentication: How to create and renew your keys, migrate from legacy API keys, and known limitations
- User authentication: How to allow users with an ArcGIS account to sign into an application and access ArcGIS resources with their credentials.
- App authentication: How to implement app authentication with detailed instructions.
Conclusion
We hope this article has helped you understand why we made these changes, in addition to what has changed.
If you still have any questions, send them to Esri Community > Developer Questions.