API Authentication
This page defines how clients authenticate to the Geoportal API and how the API responds to authentication and authorization failures.
/* TODO: add information on API keys. Add information in enterprise and if they qualify. */
Authentication Model
Section titled “Authentication Model”Geoportal API authentication is session-based for browser clients:
- The API is the trust boundary.
- Successful sign-in establishes a secure server-managed session.
- The browser receives a secure session cookie.
- Protected endpoints validate session and permissions on every request.
Transport and Client Requirements
Section titled “Transport and Client Requirements”- API authentication traffic must use HTTPS/TLS.
- Browser clients must send credentials (cookies) with requests.
- Cross-origin clients must be explicitly allowed by API CORS policy.
Sign-In and Session Lifecycle
Section titled “Sign-In and Session Lifecycle”Personal Account (Email + Password)
Section titled “Personal Account (Email + Password)”- Client submits credentials over HTTPS.
- API validates credentials and account status.
- API creates session and sets secure cookie.
- Client calls protected endpoints with cookie-based session.
Enterprise Account (Microsoft Entra ID SSO)
Section titled “Enterprise Account (Microsoft Entra ID SSO)”- Client starts SSO flow.
- User authenticates with Microsoft Entra ID.
- API validates the identity response.
- API creates Geoportal session and sets secure cookie.
- Client calls protected endpoints with cookie-based session.
Protected Endpoints
Section titled “Protected Endpoints”Protected endpoints require a valid authenticated session.
If authentication succeeds, authorization is still evaluated per endpoint (organization access, roles, and permissions).
Standard Response Semantics
Section titled “Standard Response Semantics”Use these semantics consistently across protected routes:
| Status | Meaning | Client Action |
|---|---|---|
| 200 / 2xx | Request authorized and successful | Continue normal flow. |
| 401 Unauthorized | Authentication missing, expired, or invalid | Redirect to login or restart auth flow. |
| 403 Forbidden | Authenticated but not permitted for resource/action | Show access denied or request elevated access. |
| 401 Unauthorized | Expired Credentials | API returns 401 Unauthorized. Session is treated as no longer valid. Client should prompt user to sign in again. |
| 401 Unauthorized | Invalid or Tampered Credentials | API returns 401 Unauthorized. API does not expose sensitive validation details in client-facing responses. Events are logged and monitored for abuse detection. |
Session Security Characteristics
Section titled “Session Security Characteristics”Geoportal session cookies are configured for secure browser use:
HttpOnlyto prevent JavaScript access.Secureto require HTTPS transport.SameSiteto reduce cross-site request risk.- Bounded session lifetime with expiration handling.
Compatibility Notes
Section titled “Compatibility Notes”- This API reference is authentication-system agnostic at the protocol level.
- Internal provider configuration and identity plumbing may evolve.
- Public client behavior and status-code contract in this page are the stable integration surface.