geeViz.eeAuth.registry

Multi-tenant Earth Engine service-account registry.

Loads service-account credentials from env vars at startup and provides per-tenant token minting with caching. Used by the proxy server to pick which SA to authenticate as for each incoming request.

Env-var convention:

  • GEE_SERVICE_ACCOUNT_B64 — the default tenant (legacy name kept for backward compatibility).

  • GEE_<NAME>_SERVICE_ACCOUNT — additional tenants. The middle capture group becomes the tenant id, lowercased. So GEE_TRAINING_SERVICE_ACCOUNT registers as the training tenant.

Each value is base64-encoded service-account JSON. To add a tenant:

  1. Create the SA, register it with Earth Engine.

  2. Base64-encode the JSON key file.

  3. Set GEE_<NAME>_SERVICE_ACCOUNT=<b64> in your environment or deployment configuration.

Tokens are minted on demand and cached. The registry is thread-safe; concurrent requests for the same tenant share one in-flight refresh via the lock.
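
A sketch of the env-var convention and the locked token cache described above, as an added example that is not geeViz's own code. The names load_tenants, TokenCache and the mint callback, the "default" tenant id, the regex and the required-field list are assumptions made for illustration.

```python
import base64
import json
import re
import threading
import time

DEFAULT_VAR = "GEE_SERVICE_ACCOUNT_B64"
TENANT_VAR = re.compile(r"^GEE_([A-Z0-9_]+)_SERVICE_ACCOUNT$")  # assumed regex
REQUIRED = ("client_email", "private_key", "token_uri")


def load_tenants(environ):
    """Return {tenant_id: service-account dict} from an environment mapping."""
    tenants = {}
    for name, value in environ.items():
        if name == DEFAULT_VAR:
            tenant = "default"  # assumed id for the default tenant
        elif (match := TENANT_VAR.match(name)):
            tenant = match.group(1).lower()
        else:
            continue
        try:
            info = json.loads(base64.b64decode(value, validate=True))
        except ValueError:
            # Report the variable name only; never put the value in the message.
            raise ValueError(f"{name}: value is not base64-encoded JSON") from None
        if not isinstance(info, dict) or info.get("type") != "service_account":
            raise ValueError(f"{name}: not a service-account key")
        if not all(info.get(k) for k in REQUIRED):
            raise ValueError(f"{name}: missing one of {REQUIRED}")
        if tenant in tenants:
            raise ValueError(f"{name}: duplicate tenant id {tenant!r}")
        tenants[tenant] = info
    return tenants


class TokenCache:
    """Cache (token, expiry) per tenant; the lock makes callers share a refresh."""
    def __init__(self, mint, skew=60.0):
        self._mint, self._skew = mint, skew  # mint(tenant) -> (token, expiry_epoch)
        self._lock = threading.Lock()
        self._tokens = {}

    def get(self, tenant):
        with self._lock:
            token, expiry = self._tokens.get(tenant, (None, 0.0))
            if time.time() >= expiry - self._skew:
                token, expiry = self._tokens[tenant] = self._mint(tenant)
            return token
```

Because `validate=True` rejects line-wrapped base64, the value should be produced with wrapping disabled (for example `base64 -w0` on GNU coreutils).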

Functions

get_registry()

Return the process-wide SA registry, constructing it lazily on first access.

reset_registry()

Clear the singleton — used by tests to re-load after env changes.

Classes

SARegistry()

Per-tenant service-account credentials + cached access tokens.