🔐 Authentication & Security

API Security

Secure your GeoServer API integrations with industry-standard authentication, authorization, encryption, and monitoring mechanisms.

📅 Updated: Jan 15, 2025 ⏱️ ~12 min read 📦 v3.8.2

Security Overview

GeoServer employs a multi-layered security architecture to protect your geospatial data and API endpoints. Our security model follows the principle of least privilege and supports multiple authentication strategies.

💡

Security by Default All GeoServer API endpoints require authentication. We recommend combining API keys with OAuth 2.0 for production deployments to achieve defense-in-depth.

🔑

API Key Authentication

Simple, secure key-based auth for server-to-server communication and automated workflows.

🎫

OAuth 2.0 / OpenID

Industry-standard delegated authorization for user-facing applications and third-party integrations.

🪪

JWT Tokens

Stateless, signed tokens with configurable expiration, scopes, and custom claims.

📝

Signature Verification

HMAC-SHA256 request signing to prevent tampering and replay attacks on sensitive endpoints.

🛡️

Role-Based Access

Fine-grained RBAC with customizable roles, permissions, and resource-level scoping.

📊

Audit Logging

Immutable audit trail of all API activity with tamper-proof logging and real-time alerting.

Authentication Flow

Every request to the GeoServer API follows this security pipeline. Understanding the flow helps you implement the right authentication method for your use case.

Client Request

With credentials

→

TLS Validation

Certificate check

→

Rate Limiter

Quota check

→

Auth Middleware

Token / Key verify

→

RBAC Engine

Permission check

→

Handler

Process & respond

⚠️

Enforced TLS 1.2+ All API endpoints enforce TLS 1.2 or higher. Connections using older protocols will be rejected with a 403 Forbidden response. TLS 1.3 is recommended and enabled by default.

API Key Authentication

API keys are the simplest way to authenticate your application with the GeoServer API. Each key is tied to your account and can be scoped to specific permissions.

Generating an API Key

Navigate to your Dashboard → Settings → API Keys to generate a new key. Each key consists of a prefix and a secret:

// Your GeoServer API key structure
key:   geo_live_4f8a2b...     # Public key ID
secret: ••••••••••••••••  # Never share this

Using API Keys in Requests

Include your API key in the Authorization header using the Bearer scheme:

GET /api/v3/layers HTTP/1.1
Host: api.geoserver.io
Authorization: Bearer geo_live_4f8a2b...
X-API-Version: 2025-01
Content-Type: application/json

🚨

Never expose API keys in client-side code Keys embedded in browser JavaScript, mobile apps, or public repositories can be compromised. Use environment variables or server-side proxying for all secret management.

Key Scopes & Permissions

Scope	Access Level	Description
`layers:read`	Read	Retrieve layer metadata and feature data
`layers:write`	Write	Create, update, and delete layers
`maps:read`	Read	Access published map configurations
`styles:write`	Write	Manage SLD/SSA styling rules
`admin:full`	Admin	Full administrative access (use with caution)

OAuth 2.0 Authentication

For user-facing applications, GeoServer supports the OAuth 2.0 Authorization Code flow with PKCE (Proof Key for Code Exchange) for enhanced security.

Authorization Code Flow with PKCE

GET /oauth2/authorize

Redirect users to the GeoServer authorization page to grant access to your application.

GET https://api.geoserver.io/oauth2/authorize?
  response_type=code
  client_id=your_client_id
  redirect_uri=https://yourapp.com/callback
  scope=layers:read maps:read
  code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
  code_challenge_method=S256
  state=random_csrf_token

POST /oauth2/token

Exchange the authorization code for an access token and refresh token.

POST https://api.geoserver.io/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
redirect_uri=https://yourapp.com/callback
client_id=your_client_id
code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

Token Response

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "dBjftJeZ4CVP-mB92K27uhb...",
  "scope": "layers:read maps:read"
}

✅

Best Practice: Short-Lived Tokens Access tokens expire after 1 hour by default. Use the refresh token to obtain new access tokens without re-prompting the user for consent.

JWT Token Configuration

GeoServer supports JSON Web Tokens (JWT) with RS256 and ES256 signing algorithms. JWTs can include custom claims for fine-grained authorization decisions.

Token Structure

{
  "iss": "https://api.geoserver.io",
  "sub": "usr_2a8b4c",
  "aud": "geo-api-v3",
  "exp": 1737648000,
  "iat": 1737644400,
  "scopes": ["layers:read", "maps:read"],
  "org_id": "org_9f3e1a",
  "jti": "a1b2c3d4-e5f6-7890"
}

Custom Claims

You can add custom claims to JWTs for organization-specific authorization logic:

Claim	Type	Description
`org_id`	String	Organization identifier for multi-tenancy
`data_regions`	Array	Allowed geographic data regions
`max_layers`	Integer	Maximum layers accessible per request
`mfa_verified`	Boolean	Whether MFA was used for authentication

Rate Limiting

To ensure fair usage and protect infrastructure, GeoServer API endpoints enforce rate limits. Limits vary by plan and endpoint type.

Rate Limit Headers

Every API response includes rate limit information:

HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 847
X-RateLimit-Reset: 1737648000
X-RateLimit-Window: 3600

Rate Limits by Plan

Plan	Read Requests	Write Requests	Burst Allowance
Starter	100 / min	10 / min	20 / burst
Professional	1,000 / min	100 / min	200 / burst
Enterprise	10,000 / min	1,000 / min	Custom

⚠️

Rate Limit Exceeded When you exceed the rate limit, the API returns 429 Too Many Requests with a Retry-After header indicating when to retry.

Security Best Practices

Follow these guidelines to maximize the security of your GeoServer API integration:

Use environment variables — Store API keys and secrets in environment variables or a secrets manager, never in source code.
Enable TLS certificate pinning — For mobile and desktop applications, pin the GeoServer TLS certificate to prevent MITM attacks.
Implement token rotation — Rotate API keys and refresh tokens on a regular schedule. We recommend every 90 days.
Use the principle of least privilege — Only request the scopes your application actually needs. Avoid admin:full in production.
Enable audit logging — Monitor all API activity through the audit log endpoint and set up alerts for anomalous behavior.
Validate all inputs — Sanitize user-provided data before passing it to GeoServer endpoints to prevent injection attacks.
Implement retry logic with backoff — Handle rate limiting gracefully with exponential backoff (starting at 1s, doubling up to 60s).
Use signed requests for sensitive operations — Enable HMAC request signing for write operations involving sensitive geospatial data.

Request Signing Example

For high-security operations, sign your requests with HMAC-SHA256:

// JavaScript example
const crypto = require('crypto');

// Construct the signing string
const timestamp = Math.floor(Date.now() / 1000);
const method = 'POST';
const path = '/api/v3/layers';
const bodyHash = crypto.createHash('sha256').update(JSON.stringify(body)).digest('hex');

const signingString = `${method}\n${path}\n${timestamp}\n${bodyHash}`;

// Create the signature
const signature = crypto
  .createHmac('sha256', process.env.GEOSERVER_SECRET)
  .update(signingString)
  .digest('base64');

// Include in request headers
const headers = {
  'X-API-Key': process.env.GEOSERVER_API_KEY,
  'X-Signature-Timestamp': timestamp,
  'X-Signature': signature,
  'X-Content-Hash': bodyHash
};

Security Error Responses

Authentication and authorization failures return specific HTTP status codes with descriptive error messages:

Status	Error Code	Description
401	`AUTH_REQUIRED`	No authentication credentials provided
401	`INVALID_TOKEN`	Expired or malformed authentication token
401	`INVALID_SIGNATURE`	Request signature verification failed
403	`INSUFFICIENT_SCOPE`	Token lacks required permission scope
403	`IP_NOT_ALLOWED`	Request origin not in IP whitelist
429	`RATE_LIMITED`	Too many requests within the time window
429	`ACCOUNT_SUSPENDED`	Account suspended due to repeated violations

// Example error response
HTTP/1.1 403 Forbidden
{
  "error": {
    "code": "INSUFFICIENT_SCOPE",
    "message": "The 'layers:write' scope is required for this operation.",
    "required_scopes": ["layers:write"],
    "granted_scopes": ["layers:read", "maps:read"],
    "request_id": "req_8f3a2b1c"
  }
}

🔑 API Keys Reference

Detailed documentation on generating, rotating, and managing API keys.

Learn more →

🎫 OAuth 2.0 Guide

Step-by-step walkthrough of the OAuth 2.0 authorization flows.

Learn more →

🛡️ RBAC Configuration

Set up role-based access control for your organization.

Learn more →

📊 Audit Log API

Query and export your API audit trail programmatically.

Learn more →