08-30, 10:00–13:00 (Japan), 605
A hands-on workshop covering the full lifecycle of a production STAC API: ingesting Earth observation datasets into eoAPI, securing it with OpenID Connect authentication, applying route-level and row-level access control, and using STAC Browser to see auth policies in action.
The STAC ecosystem has matured rapidly, but documentation on the full operational lifecycle (getting data in, controlling who can read it, and securing how it gets changed) remains fragmented. Teams building production Earth observation platforms repeatedly solve the same problems from scratch.
This hands-on workshop provides a complete, end-to-end walkthrough of building a production-ready STAC API using eoAPI (pgSTAC + stac-fastapi-pgstac) and securing it with stac-auth-proxy, a backend-agnostic reverse proxy purpose-built for STAC.
Starting from a bare Docker Compose stack running entirely on participants' laptops, we'll ingest real Earth observation datasets and then query the catalog using CQL2 filters and spatial search. From there, we'll progressively layer in authentication using OpenID Connect (OIDC), connecting a local mock identity server to the proxy, locking down write endpoints behind token-scoped access control, and protecting the Transactions Extension so only authorized clients can modify the catalog.
The penultimate section tackles row-level authorization: using CQL2 filter injection to build public/private collection support and multi-tenant data isolation, where each user's JWT claims determine what slice of the catalog they can see, all without modifying the underlying API.
We close by connecting STAC Browser to the secured API, configuring its OAuth2/OIDC settings to authenticate against the mock identity server, and demonstrating how the auth policies built throughout the workshop shape what different users can discover in real time.
Participants will leave with a working local stack, reusable configuration patterns, and a clear mental model for applying these techniques in cloud deployments.
2 - intermediate
Pre-requirements for attendees – The workshop assumes comfort with developer tooling but no prior STAC experience. Experience with Python is helpful but not required. Participants who have deployed a web service, worked with a REST API, and are comfortable in a terminal will be able to follow along without difficulty. The auth concepts (OIDC, JWTs, scopes) are introduced from first principles, so no prior identity/security background is required — though attendees with some exposure will move through those sections faster.
What skills do participants require to have? –
- Docker and Docker Compose - the entire stack runs locally in containers
- Python 3.10+ with pip or uv - used for pypgstac bulk ingestion exercises
- A REST client - curl is sufficient
- A modern web browser — for STAC Browser and inspecting OIDC flows
- Git — to clone the workshop repository distributed in advance
Pete Gadomski is an open source geospatial software engineer at Development Seed living in Longmont, CO. His focus is on the intersection between commercial and government remote sensing, with a side hobby in building Rust tooling for geospatial.
Anthony Lukach is a software engineer at Development Seed, where he builds open-source tools for geospatial data infrastructure. His work spans the eoAPI ecosystem, STAC-based access control, and cloud-native data platforms.