Defense-in-Depth Architecture

Multi-layered security controls designed specifically for high-volume spatial data workloads.

🔐

Role-Based Access Control

Fine-grained RBAC with spatial scoping. Control access at the layer, feature, or coordinate level with customizable policies.

Granular Permissions
🔑

OAuth 2.0 & SAML 2.0

Native support for enterprise SSO providers. Integrate with Okta, Azure AD, Auth0, or any standards-compliant IdP in minutes.

Enterprise SSO
🛡️

End-to-End Encryption

TLS 1.3 for data in transit, AES-256 for data at rest. Optional client certificate authentication for private VPC deployments.

Zero Trust Ready
📜

Audit Logging & SIEM

Immutable event logs for all authentication attempts, layer access, and configuration changes. Native export to Splunk, Datadog, and CloudWatch.

Compliance Ready

How Secure Access Works

Streamlined token-based authentication optimized for low-latency map rendering and API calls.

01

Identity Verification

User or service authenticates via OIDC, SAML, or API key. MFA enforced for admin & data-write roles.

02

Token Issuance

Short-lived JWT issued with spatial scopes. Refresh tokens handled securely with rotation & revocation.

03

Policy Evaluation

GeoServer evaluates RBAC rules against request metadata, IP allowlists, and data sensitivity tags.

04

Secure Delivery

Authorized spatial data or WMS/WFS tiles delivered over encrypted channels with request signing.
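Steps 02 and 03 above, sketched as an added example that is not GeoServer's own code: a short-lived token is issued with scopes, then checked deny-by-default against signature, expiry, required scope and an IP allowlist. The HS256 shared key, the `scope` and `exp` claim names, the operation-to-scope table and the CIDR range are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, ipaddress, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 with a shared secret
ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]  # constructed CIDR
# Hypothetical mapping from (service, operation) to the scope it needs.
REQUIRED_SCOPE = {
    ("WMS", "GetMap"): "wms:read",
    ("WFS", "Transaction"): "wfs:write",
}

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def issue(sub, scopes, ttl=300, now=None):
    """Step 02: short-lived token carrying only the granted scopes."""
    now = int(time.time()) if now is None else now
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "scope": " ".join(scopes), "exp": now + ttl}
    signing_input = f"{head}.{b64e(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64e(sign(signing_input))}"

def authorize(token, service, operation, client_ip, now=None):
    """Step 03: deny by default and return (allowed, reason)."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        # Verify the signature before trusting any claim in the body.
        if not hmac.compare_digest(sign(f"{head}.{body}"), b64d(sig)):
            return False, "bad_signature"
        if json.loads(b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return False, "bad_alg"
        claims = json.loads(b64d(body))
        addr = ipaddress.ip_address(client_ip)
    except (ValueError, TypeError, AttributeError):
        return False, "malformed"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    needed = REQUIRED_SCOPE.get((service, operation))  # unknown operation: deny
    if needed is None or needed not in claims.get("scope", "").split():
        return False, "scope"
    if not any(addr in net for net in ALLOWLIST):
        return False, "ip"
    return True, "ok"
```

Each denial returns a distinct reason string, which is what an audit log entry for the request would record.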

Secure API Access

Authenticate your applications using bearer tokens or OAuth2 client credentials flow.

auth_example.sh
# Exchange client credentials for a spatial access token
curl -X POST https://auth.geoserver.com/oauth2/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "scope": "wms:read wfs:write geo:analytics"
  }'

# Use the returned access token in your requests
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  https://api.geoserver.com/v1/layers/terrain/elevations

Trusted by Regulated Industries

Built to meet the strictest data sovereignty and security standards.

🔒
SOC 2 Type II
Annually Audited
🌍
GDPR Compliant
EU Data Residency
🏛️
ISO 27001
Certified Infrastructure
🛡️
FedRAMP Moderate
Government Ready

Security & Auth Questions

All API keys and tokens support graceful rotation. New credentials can be provisioned and activated while old ones remain valid until their TTL expires, preventing service interruption.
Yes. Conditional access policies allow you to trigger step-up authentication (MFA, OTP, or biometric) based on user role, geographic location, IP reputation, or data sensitivity classification.
Absolutely. All storage tiers use AES-256 encryption. You can also bring your own KMS (AWS KMS, GCP KMS, Azure Key Vault) for complete key management control.
Yes. Enterprise plans include dedicated VPC peering, private endpoints, and network isolation options. No traffic ever traverses the public internet when configured correctly.