Securing STAC APIs: Auth Patterns and a Proxy-Based Approach
11-21, 14:00–14:25 (Pacific/Auckland), WG404

Learn how to secure STAC APIs using OIDC, CQL filtering, and existing STAC extensions. We present stac-auth-proxy, a backend-agnostic FastAPI proxy for enforcing flexible auth policies, including integration with Open Policy Agent.

As STAC APIs power more real-world applications, authentication (authN) and authorization (authZ) become essential. Yet, the STAC specification leaves these concerns to be addressed by implementers.

In this talk, we outline common auth needs seen across STAC deployments, including:

  • Route-level access control - marking some or all endpoints as private
  • Record-level filtering - limiting collections or items by request context such as user, group, or role
  • Asset-level access - transferring our authN policies to the asset files themselves

We’ll introduce stac-auth-proxy, a backend-agnostic FastAPI-based proxy that integrates with any modern STAC API and OIDC authentication server (e.g., Keycloak, AWS Cognito, Auth0). We will discuss how we use existing extensions such as the Authentication Extension, Filter Extension, Collection Search, and Transaction Extension to build a secure and self-descriptive STAC API. Finally, we will discuss how stac-auth-proxy can be integrated with external policy engines, such as Open Policy Agent, to provide a comprehensive, decoupled solution.
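As an added illustration of the first two auth needs listed above (this is example code written for this page, not code from the talk or from stac-auth-proxy), the following sketches the policy step a proxy performs after it has validated an OIDC token: reject anonymous calls to private routes, then AND a policy-generated CQL2-JSON `filter` onto the request so a client can narrow but never widen what it may read. The route list, group-to-collection map, and `Request` shape are constructed assumptions.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy data; a real deployment would load this from config or ask OPA.
PRIVATE_ROUTES = {"/collections", "/search"}          # route-level: login required
GROUP_COLLECTIONS = {                                  # record-level: group -> readable collections
    "analysts": ["sentinel-2-l2a", "internal-drone"],
    "public": ["sentinel-2-l2a"],
}

@dataclass
class Request:
    path: str
    claims: Optional[dict] = None                      # OIDC claims after signature validation; None if anonymous
    params: dict = field(default_factory=dict)         # query params; may carry a CQL2-JSON "filter"

def allowed_collections(claims):
    """Collections visible to this request context (anonymous callers count as 'public')."""
    groups = (claims or {}).get("groups", ["public"])
    allowed = set()
    for g in groups:
        allowed.update(GROUP_COLLECTIONS.get(g, []))
    return sorted(allowed)

def inject_filter(params, collections):
    """AND the policy filter onto any caller-supplied filter so the policy always applies."""
    policy = {"op": "in", "args": [{"property": "collection"}, collections]}
    user = params.get("filter")
    if isinstance(user, str):                          # filter may arrive as a JSON string in the query
        user = json.loads(user)
    merged = policy if user is None else {"op": "and", "args": [user, policy]}
    return {**params, "filter": merged, "filter-lang": "cql2-json"}

def authorize(req):
    """Return (status, params_to_forward): 401 for anonymous access to a private route,
    403 when the caller may read no collection at all, otherwise 200 with the filtered params."""
    if req.path in PRIVATE_ROUTES and req.claims is None:
        return 401, None
    collections = allowed_collections(req.claims)
    if not collections:
        return 403, None
    return 200, inject_filter(req.params, collections)
```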