The Gulf of Mexico Coastal Ocean Observing System Regional Association (GCOOS-RA) has been a Stormpath customer for over two years. We’re excited to share this post on their experience with user authentication via the Stormpath Python SDK, from Senior Data Engineer Bob Currier.


The Gulf of Mexico Coastal Ocean Observing System (GCOOS) provides timely information about the coastal environment of the United States portion of the Gulf of Mexico and its estuaries for use by decision-makers, researchers, government managers, industry, the military, educators, emergency responders, and the general public.

GCOOS is one of a series of Regional Coastal Ocean Observing Systems and is part of the U.S. Integrated Ocean Observing System, which is part of the intergovernmental Global Ocean Observing System and a significant national contributor to the Global Earth Observing System of Systems.

We’re currently using the Python API in two deployed projects and are in the process of adding authentication to a third site. Our first application using Stormpath was for a project called iTAG: Integrated Tracking of Aquatic Animals in the Gulf of Mexico.

User Management for iTAG

iTAG is a politically sensitive project as acoustic tracking researchers are notoriously protective of their tagging data. A typical tagging project can see as many as fifty receivers deployed and hundreds of fish tagged and released. Maintaining the receivers over the lifetime of the project is expensive and difficult, so the principal scientists do not want ‘freeloaders’ taking advantage of their receivers. It is rare for taggers to share data in anything close to real-time, and iTAG was asking close to a hundred researchers to upload their data to our project web site. The members were very skeptical that their data could be protected in an acceptable manner.

When we first started building out the iTAG site using Python and Flask, we tried several authentication solutions but none really worked for the project. They were either insanely difficult to get working or had limited abilities to protect subsets of the data. I tried rolling my own, but that effort ended quickly as I realized how little I knew about cryptography and building authentication systems.

I found Stormpath when I Googled “Python Flask user authentication” and found this post by Python Evangelist Randall Degges. It took me only a few minutes to ‘pip install Flask-Stormpath’ and get started solving my authentication problem.

Using the information from the excellent articles by Mr. Degges, I was able to quickly add fine-grained control of data to the iTAG application. Scientists can log in to the site and upload data files of tags, receivers and unknown or ‘orphan’ tags that their receivers detected. Each data record can be set to be private to the investigator, viewable by members of iTAG or visible to the general public.

Records can be edited or deleted if the record belongs to the logged-in user. Adding this functionality took just a few seconds and the addition of {% if == orphan.reporting_pi %} into the template. That’s it – no complicated code, just a simple if statement. It doesn’t get much easier.
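A template-level `if` only hides the edit and delete controls, so the server-side handlers need the same ownership and visibility decision. The sketch below is an added example, not code from the iTAG project or the Stormpath SDK; the `User` and `OrphanTag` classes, the visibility strings, and the use of an email address as the owner identity are assumptions, with only the `reporting_pi` field name taken from the post.

```python
from dataclasses import dataclass
from enum import Enum

class Visibility(Enum):
    PRIVATE = "private"   # only the reporting investigator
    MEMBERS = "members"   # any authenticated project member
    PUBLIC = "public"     # anyone, including anonymous visitors

@dataclass(frozen=True)
class User:               # hypothetical stand-in for the authenticated account
    email: str
    is_member: bool = True

@dataclass(frozen=True)
class OrphanTag:          # hypothetical record shape
    tag_id: str
    reporting_pi: str     # owner identity (assumed here to be an email address)
    visibility: str       # stored as text, so it may hold an unexpected value

def is_owner(user, record):
    return user is not None and user.email.lower() == record.reporting_pi.lower()

def can_view(user, record):
    try:
        level = Visibility(record.visibility)
    except ValueError:
        return is_owner(user, record)   # unknown level: fail closed to owner-only
    if level is Visibility.PUBLIC:
        return True
    if level is Visibility.MEMBERS:
        return (user is not None and user.is_member) or is_owner(user, record)
    return is_owner(user, record)

def can_modify(user, record):
    # Edit/delete is owner-only, regardless of who may view the record.
    return is_owner(user, record)

def visible_records(user, records):
    # Filter on the server before rendering; never rely on the template to hide rows.
    return [r for r in records if can_view(user, r)]

# Constructed sample data.
RECORDS = [
    OrphanTag("A69-0001", "pi.one@example.org", "private"),
    OrphanTag("A69-0002", "pi.one@example.org", "members"),
    OrphanTag("A69-0003", "pi.two@example.org", "public"),
    OrphanTag("A69-0004", "pi.two@example.org", "PUBLIC "),  # malformed value
]
```

Calling `can_modify` inside the edit and delete handlers, and returning a 403 when it is false, keeps a hand-crafted request from bypassing what the template hides.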

We make extensive use of the custom data function of the Stormpath API to add attributes such as organizational affiliation, project codes and team membership. The Custom Data editor on the Stormpath website allows new elements to be quickly added, modified or deleted.

iTAG currently has more than 100 members. Given the size of the membership list, adding users on an individual basis was not feasible. We used the Python API to write an automated account creation application that parses a CSV file and rebuilds all the accounts. We also use the Python API to construct our membership list in just a few lines of code with the application.accounts feature.

Security and Data Privacy with Stormpath

iTAG was demonstrated to the members in the summer of 2015. The initial reaction was extremely positive. The majority of the members were overwhelmed by the degree of control they had over their data – something that they had not believed possible. The ability to set privacy bits on each data element based on their authenticated Stormpath credentials was a major contributor to getting the researchers’ buy-in to the project.

The success of iTAG has allowed me to continue to use Stormpath in new applications. HABscope is a machine-learning application for the automated identification of harmful algal blooms using a field-portable microscope, iPod Touch and a Karma Go hotspot. GANDALF is an autonomous underwater vehicle (AUV) piloting tool for AUV operators in the Gulf of Mexico. The new version of GANDALF will be rolled out in the spring of 2017 and will feature Stormpath authentication.

The Stormpath Product Documentation is top-notch and I’ve had very good response from customer support the few times I’ve needed help. If you need a reliable, easy to implement authentication layer for your application you need look no further than Stormpath.
