Community
Select to view content in your preferred language

Rotating API Keys

233
2
04-01-2026 06:02 AM
Labels (3)
Labels
KarenRobine1
by
Regular Contributor
‎04-01-2026 06:02 AM

Hello:
Wondering if folks out there have switched over to "rotating API keys" for their MAUI/iOS/Android applications, especially for any public-facing applications? Are you asking users to sign in to AGOL (for public-facing applications, I couldn't imagine this being likely)? Or perhaps, you have a 'subscription service' and ask users to sign into your service first. Then, once signed in, you can pass back the key?

How are you storing the key: 

  • On users devices in code (or JSON),
    • Are you 'obfuscating your code? If so, what Obfuscation product are you using? Does the obfuscation make the code unstable, or has it been flawless? Do you think it does a sufficient job of hiding the key value?
  • On users devices, in Secure Storage
    • If so, how do you get the API Key to the device?
  • Obtain it from Server
    • Once obtained, do you store it somewhere on the device?
    • How do you have users access it?
  • Other method
    • Please expand on this.

Thanks for any insight on this. We're looking at options right now, and it'll be helpful to know how others are dealing with this.  The Legacy keys expire in June, 2026, so need to figure this out fairly quickly.  Thanks.

 

 

2 Replies
Ting
by Esri Regular Contributor
Esri Regular Contributor
a week ago

Thanks for the question Karen. We're actively looking into the topics you asked. We'll share when we come up with a cohesive plan.

A few notes:

  • Each operating system provides some different mechanisms for a) deliver a key from a server to the device, and b) securely storing the key locally*. Our first step is to figure out what is the most suitable way on each platform, and eventually (hopefully) combining them into a platform-agnostic set of methods for all products.
    • *For instance, iOS has iCloud Keychain, Android has Keystore.
  • Different platforms provide different obfuscation methods. Some platforms obfuscate the app by default in release mode (for example, iOS apps), while some may not.
    • Me personally would encourage using existing libraries for obfuscation, if your target platform doesn't have obfuscation already.
    • Because the plain-text API key is included in the request to an ArcGIS service, obfuscation doesn't have any effect if the request is hijacked/sniffed. Methods like SSL pinning can further reduce the risk of API key being leaked during transfer.
    • This applies to both the legacy API keys and the new keys moving forward, so not essentially part of the rotating the key discussion.
  • While we are working on it, one interim option is to create a new key with a longer expiration period. The maximum expiration period for an API key is 1 year.

Stay tuned for our future updates.

 

KarenRobine1
by
Regular Contributor
a week ago

Thanks for responding. We've reached out to some folks at ESRI and hope to hear back soon.  
Another thing too: It would be nice if the .NET Maps SDK API supported 'referrers' in requests (ie. ArcGISPortal.CreateAsync(siteUri, referrer).  That could theoretically be used to provide a bit more security. 
And we will definitely change our API Key length to a longer length.
I'll respond as well if I get additional insight. Thanks again.

0 Kudos