Community
Select to view content in your preferred language

Questions regarding apiKey usage on layers loaded from AGOL and requests to utility.arcgis.com

328
3
3 weeks ago
EmilAura
by
Emerging Contributor
3 weeks ago

Hi,

I am having some trouble with the authentication of a layer loaded from a Portal item when using the ArcGIS Maps SDK for JavaScript. I was hoping you could clarify if I’m missing a configuration step or if I’ve encountered a known behaviour.

The Scenario: I am loading a specific layer from a Portal item and providing an apiKey directly in the portalItem configuration:

const layer = await Layer.fromPortalItem({
  portalItem: {
    id: "MY_LAYERS_PORTAL_ID",
    apiKey: "MY_SPECIFIC_API_KEY"
  }
});


In my application, I also use a global request interceptor that manages dynamic tokens for other general services by updating esriConfig.apiKey.

esriConfig.request.interceptors.unshift({
  async before() {
    esriConfig.apiKey = await getEsriToken();
  }
  urls: [
    'https://www.arcgis.com',
    'https://snla.maps.arcgis.com',
    'https://services-eu1.arcgis.com',
    'https://utility.arcgis.com',
    'https://services-eu1.arcgis.com',
    'https://elevation.arcgis.com',
    'https://route-api.arcgis.com',
    'https://geocode.arcgis.com'
  ]
});

 


The Problem: I've noticed that while the initial portal metadata requests (sharing/rest) correctly use the provided apiKey, the subsequent request for the layer data (routed through the utility service proxy) behaves differently:

  • URL: https://utility.arcgis.com/usrsvcs/servers/PORTAL_ID/rest/services/SERVICE_NAME/FeatureServer/0 Uses the key from esriConfig.apiKey
  • Observation: If I remove the utility.arcgis.com domain from my global interceptor, this request triggers an ArcGIS login prompt, suggesting it isn't using the apiKey I provided to the layer.
  • Conflict: If my global interceptor is active, the request uses the global esriConfig.apiKey instead of the layer-specific one, which causes an authentication failure for this private layer.

My Questions:

  1. Should requests routed through utility.arcgis.com automatically inherit the apiKey provided to the PortalItem or Layer?
  2. Am I doing something wrong in how I'm passing the key? I tried setting the apiKey on the resulting layer instance or the portal object as well, without success.
  3. Is there a recommended pattern for maintaining a global API key while allowing certain layers to use their own specific keys for proxied services?

Best Regards,

Emil Aura

0 Kudos
3 Replies
ShlokWagle7
by Esri Contributor
Esri Contributor
2 weeks ago

Hi EmilAura, 

I can offer a recommendation. 

Remove the URL https://utility.arcgis.com from your global API key config. As you said, this will prompt a login since it no longer has an API key to grant access. 

Instead, set apiKeys (not apiKey) property with the right scope and services for your ArcGIS Portal items, services and also URL https://utility.arcgis.com

apiKey is used for globally configure API key, whereas apiKeys is used as more fine grained API Keys for specific classes.

In addition to your global API key configuration, set a apiKeys configuration for your specific portal and service URLs. Here is an example snippet from official documentation: https://developers.arcgis.com/javascript/latest/references/core/config/#Config-apiKeys

// Set an API key for multiple services.
config.apiKeys.scopes = [
{
// The API key value. This is for your portal API key
token: "API_KEY_FOR_SERVICE",
// An array of URLs that the API key applies to.
//my recommendation is adding your "https://utility.arcgis.com" here instead as well as your portal URL
urls: [portalURL, serverURL
},
// More scopes can be added here...
];

This will probably suffice for all services coming from your ArcGIS Portal, no longer needing to set apiKey property in the portalItem object.  
 
Hope this helps. Let me know if this works for you. 

 

0 Kudos
SebastianKrings
by
Frequent Contributor
Wednesday

Do you need an API Key at all when having a portal?
Doesnt the portal provide everything one needs when only defining a "WebApp"-Object in the Portal?

0 Kudos
ShlokWagle7
by Esri Contributor
Esri Contributor
Wednesday

Hi @SebastianKrings  Any secured content (web map, services) hosted in ArcGIS Portal or ArcGIS Online requires one of the three forms of authentication -- API key, temporary ArcGIS Token, or your OAuth 2.0 credentials. 

If there is no API key or ArcGIS token provided for a secured Web Map in ArcGIS portal, the web app will prompt a default username and password login. The app will try to access the item from https://arcgis.com ArcGIS Online by default instead of your specific ArcGIS Enterprise portal.

When consuming secured items from Enterprise portal, you should add the portal URL to your esriConfig.apiKeys.scopes (for scoped config) or esriConfig.portralUrl (for global config) which will open a new browser window directed to your portal's ArcGIS OAuth 2.0 login.

 

0 Kudos