Configuration¶
The application is configurable via environment variables.
Core¶
UPSTREAM_URL¶
-
STAC API URL
Type: HTTP(S) URL Required: Yes Example:
https://your-stac-api.com/stac
WAIT_FOR_UPSTREAM¶
-
Wait for upstream API to become available before starting proxy
Type: boolean Required: No, defaults to
trueExample:false,1,True
CHECK_CONFORMANCE¶
-
Ensure upstream API conforms to required conformance classes before starting proxy
Type: boolean Required: No, defaults to
trueExample:false,1,True
ENABLE_COMPRESSION¶
-
Enable response compression
Type: boolean Required: No, defaults to
trueExample:false,1,True
HEALTHZ_PREFIX¶
-
Path prefix for health check endpoints
Type: string Required: No, defaults to
/healthzExample:''(disabled)
OVERRIDE_HOST¶
-
Override the host header for the upstream API
Type: boolean Required: No, defaults to
trueExample:false,1,True
ROOT_PATH¶
-
Path prefix for the proxy API
Type: string Required: No, defaults to
''(root path) Example:/api/v1Note: This is independent of the upstream API's path. The proxy will handle removing this prefix from incoming requests and adding it to outgoing links.
Authentication¶
OIDC_DISCOVERY_URL¶
-
OpenID Connect discovery document URL
Type: HTTP(S) URL Required: Yes Example:
https://auth.example.com/.well-known/openid-configuration
OIDC_DISCOVERY_INTERNAL_URL¶
-
Internal network OpenID Connect discovery document URL
Type: HTTP(S) URL Required: No, defaults to the value of
OIDC_DISCOVERY_URLExample:http://auth/.well-known/openid-configuration
ALLOWED_JWT_AUDIENCES¶
-
Unique identifier(s) of API resource server(s)
Type: string Required: No Example:
https://auth.example.audience.1.net,https://auth.example.audience.2.netNote: A comma-separated list of the intended recipient(s) of the JWT. At least one audience value must match theaud(audience) claim present in the incoming JWT. If undefined, the API will not impose a check on theaudclaim
DEFAULT_PUBLIC¶
-
Default access policy for endpoints
Type: boolean Required: No, defaults to
falseExample:false,1,True
PRIVATE_ENDPOINTS¶
-
Endpoints explicitly marked as requiring authentication and possibly scopes
Type: JSON object mapping regex patterns to HTTP methods OR tuples of an HTTP method and string representing required scopes Required: No, defaults to the following:
{ "^/collections$": ["POST"], "^/collections/([^/]+)$": ["PUT", "PATCH", "DELETE"], "^/collections/([^/]+)/items$": ["POST"], "^/collections/([^/]+)/items/([^/]+)$": ["PUT", "PATCH", "DELETE"], "^/collections/([^/]+)/bulk_items$": ["POST"] }
PUBLIC_ENDPOINTS¶
-
Endpoints explicitly marked as not requiring authentication, used when
DEFAULT_PUBLIC == FalseType: JSON object mapping regex patterns to HTTP methods Required: No, defaults to the following:
{ "^/$": ["GET"], "^/api.html$": ["GET"], "^/api$": ["GET"], "^/conformance$": ["GET"], "^/docs/oauth2-redirect": ["GET"], "^/healthz": ["GET"] }
ENABLE_AUTHENTICATION_EXTENSION¶
-
Enable authentication extension in STAC API responses
Type: boolean Required: No, defaults to
trueExample:false,1,True
OpenAPI / Swagger UI¶
OPENAPI_SPEC_ENDPOINT¶
-
Path of OpenAPI specification, used for augmenting spec response with auth configuration
Type: string or null Required: No, defaults to
/apiExample:''(disabled)
OPENAPI_AUTH_SCHEME_NAME¶
-
Name of the auth scheme to use in the OpenAPI spec
Type: string Required: No, defaults to
oidcAuthExample:jwtAuth
OPENAPI_AUTH_SCHEME_OVERRIDE¶
-
Override for the auth scheme in the OpenAPI spec
Type: JSON object Required: No, defaults to
null(disabled) Example:{ "type": "http", "scheme": "bearer", "bearerFormat": "JWT", "description": "Paste your raw JWT here. This API uses Bearer token authorization.\n" }
SWAGGER_UI_ENDPOINT¶
-
Path of Swagger UI, used to indicate that a custom Swagger UI should be hosted, typically useful when providing accompanying
SWAGGER_UI_INIT_OAUTHargumentsType: string or null Required: No, defaults to
/api.htmlExample:''(disabled)
SWAGGER_UI_INIT_OAUTH¶
-
Initialization options for the Swagger UI OAuth2 configuration on custom Swagger UI
Type: JSON object Required: No, defaults to
null(disabled) Example:{"clientId": "stac-auth-proxy", "usePkceWithAuthorizationCodeGrant": true}
Filtering¶
ITEMS_FILTER_CLS¶
-
CQL2 expression generator for item-level filtering
Type: JSON object with class configuration Required: No, defaults to
null(disabled) Example:stac_auth_proxy.filters:Opa,stac_auth_proxy.filters:Template,my_package:OrganizationFilter
ITEMS_FILTER_ARGS¶
-
Positional arguments for CQL2 expression generator
Type: List of positional arguments used to initialize the class Required: No, defaults to
[]Example:["org1"]
ITEMS_FILTER_KWARGS¶
-
Keyword arguments for CQL2 expression generator
Type: Dictionary of keyword arguments used to initialize the class Required: No, defaults to
{}Example:{"field_name": "properties.organization"}
ITEMS_FILTER_PATH¶
-
Regex pattern used to identify request paths that require the application of the items filter
Type: Regex string Required: No, defaults to
^(/collections/([^/]+)/items(/[^/]+)?$|/search$)Example:^(/collections/([^/]+)/items(/[^/]+)?$|/search$|/custom$)
COLLECTIONS_FILTER_CLS¶
-
CQL2 expression generator for collection-level filtering
Type: JSON object with class configuration Required: No, defaults to
null(disabled) Example:stac_auth_proxy.filters:Opa,stac_auth_proxy.filters:Template,my_package:OrganizationFilter
COLLECTIONS_FILTER_ARGS¶
-
Positional arguments for CQL2 expression generator
Type: List of positional arguments used to initialize the class Required: No, defaults to
[]Example:["org1"]
COLLECTIONS_FILTER_KWARGS¶
-
Keyword arguments for CQL2 expression generator
Type: Dictionary of keyword arguments used to initialize the class Required: No, defaults to
{}Example:{"field_name": "properties.organization"}
COLLECTIONS_FILTER_PATH¶
-
Regex pattern used to identify request paths that require the application of the collections filter
Type: Regex string Required: No, defaults to
^/collections(/[^/]+)?$Example:^.*?/collections(/[^/]+)?$