@alukach
Last active July 21, 2025 16:42

FOSS4G2025 Proposals

Securing STAC APIs: Auth*n Patterns and a Proxy-Based Approach

Abstract

Learn how to secure STAC APIs using OIDC, CQL filtering, and existing STAC extensions. We present stac-auth-proxy, a backend-agnostic FastAPI proxy for enforcing flexible auth policies, including integration with Open Policy Agent.

Summary

As STAC APIs power more real-world applications, authentication (authN) and authorization (authZ) become essential. Yet the STAC specification leaves these concerns to implementers.

In this talk, we outline common auth*n needs seen across STAC deployments, including:

  • Route-level access control — marking some or all endpoints as private
  • Record-level filtering — limiting collections or items by request context such as user, group, or role
  • Asset-level access — transferring our authN policies to the asset files themselves

We’ll introduce stac-auth-proxy, a backend-agnostic FastAPI-based proxy that integrates with any modern STAC API and OIDC authentication server (e.g. Keycloak, AWS Cognito, Auth0). We will discuss how we use existing extensions such as the Authentication Extension, Filter Extension, Collection Search, and Transaction Extension to build out a secure and self-descriptive STAC API. Finally, we will discuss how stac-auth-proxy can be integrated with external policy engines such as Open Policy Agent to provide a more complete solution.

State of eoAPI

Abstract

eoAPI is an open-source toolkit for building scalable Earth Observation applications. This talk covers the state of core components like pgSTAC, TiTiler, and STAC-FastAPI, introduces new tools like stac-auth-proxy and stac-manager, and highlights recent infrastructure work in CDK and Kubernetes for deploying production-ready STAC services.

Summary

In 2023, Development Seed launched the eoAPI project—a growing collection of open-source tools and infrastructure aimed at making it easier to build, deploy, and scale modern Earth Observation (EO) applications. In this talk, we’ll explore the current state of the ecosystem, highlight new developments, and share what’s coming next.

We’ll start by revisiting some of the core building blocks of eoAPI:

  • pgSTAC — A performant, normalized STAC catalog backed by PostgreSQL
  • TiTiler — A dynamic tile server for Cloud Optimized GeoTIFFs and STAC Items
  • TiPg — A lightweight OGC API - Features implementation built on top of pgSTAC
  • STAC-FastAPI — A high-performance, pluggable STAC API built with FastAPI

We’ll then showcase some exciting new additions:

  • stac-auth-proxy — A flexible FastAPI-based proxy for adding authentication and authorization to any STAC API
  • stac-manager — A tool for orchestrating STAC metadata ingestion, validation, and management across pipelines

Finally, we’ll cover recent infrastructure efforts that support deploying and scaling these services:

  • eoAPI-CDK — AWS CDK constructs for cloud-native eoAPI deployments
  • eoAPI-K8s — Kubernetes Helm charts for containerized, production-grade deployments

Together, these tools form a modular, interoperable foundation for building next-generation EO platforms. Whether you’re running a small data portal or a high-scale STAC service, eoAPI provides the pieces to get you up and running—securely and efficiently.

Things to mention

  • Note that CQL2 cannot traverse relationships, so filtering items on collection properties is not necessarily possible.
    • Call to action: demonstrate how to inherit properties from collections into items in pgSTAC so that collection properties can be filtered on from an items view (e.g. collection.visibility = "private")
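
The limitation noted above, as an added Python sketch (not code from stac-auth-proxy or pgSTAC): a collection-level `visibility` value is copied onto each item so that a CQL2-JSON policy filter can be ANDed onto an items search. The sample collections and items, the `collection_visibility` property name and the rule that anonymous requests see only public records are assumptions made for the illustration.

```python
# Added illustration; not stac-auth-proxy or pgSTAC code. All data is constructed.
COLLECTIONS = {"landsat": {"visibility": "public"},
               "internal-sar": {"visibility": "private"}}
ITEMS = [
    {"id": "a", "collection": "landsat", "properties": {"eo:cloud_cover": 10}},
    {"id": "b", "collection": "internal-sar", "properties": {"eo:cloud_cover": 5}},
    {"id": "c", "collection": "landsat", "properties": {"eo:cloud_cover": 80}},
]
INHERITED = "collection_visibility"  # hypothetical name for the inherited property

def inherit(items, collections, source="visibility", target=INHERITED):
    """Copy a collection property onto each item, because a CQL2 filter on
    items cannot follow the item -> collection relationship."""
    out = []
    for item in items:
        props = dict(item["properties"])
        # Fail closed: an item whose collection is unknown is treated as private.
        props[target] = collections.get(item["collection"], {}).get(source, "private")
        out.append({**item, "properties": props})
    return out

def policy_filter(claims):
    """CQL2-JSON filter for the request context; None means unrestricted."""
    if claims is None:  # anonymous request: public records only
        return {"op": "=", "args": [{"property": INHERITED}, "public"]}
    return None

def combine(user_filter, policy):
    """AND the caller's filter with the policy so the caller cannot widen it."""
    parts = [f for f in (user_filter, policy) if f is not None]
    if len(parts) < 2:
        return parts[0] if parts else None
    return {"op": "and", "args": parts}

def matches(expr, item):
    """Evaluate the small CQL2-JSON subset used here: and, =, <."""
    if expr is None:
        return True
    op, args = expr["op"], expr["args"]
    if op == "and":
        return all(matches(a, item) for a in args)
    value = item["properties"].get(args[0]["property"])
    if op == "=":
        return value == args[1]
    if op == "<":
        return value is not None and value < args[1]
    raise ValueError(f"unsupported op: {op}")

def search(items, user_filter, claims):
    """Return ids of items matching the caller's filter and the policy."""
    expr = combine(user_filter, policy_filter(claims))
    return [i["id"] for i in items if matches(expr, i)]
```

Running `search` on the raw `ITEMS` without calling `inherit` first returns nothing for an anonymous request, because the policy property is absent from every item and the equality test fails closed.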