feat: server side authentication

[davidgamez]

Summary:

Part of MobilityData/mobility-feed-api#1578

This PR adds an authentication mechanism to enable API calls from the UI server components. Here are the major changes:

• The API calls are made using an IAM service account
• A session cookie is added to keep the user context. This user context is added as a header to inform the API which user is impersonating. This is signed with a trusted secret.

Expected behavior:

Explain and/or show screenshots for how you expect the pull request to work in your testing (in case other devices exhibit different behavior).

• Server-side calls to the API are made using the service account minted token
• UI API calls are made with the authenticated(or anonymous) account, the same mechanism as before.

From our AI friend

This pull request introduces new documentation and utility scripts to support authentication workflows for server-side rendering (SSR) and Google Cloud IAP (Identity-Aware Proxy) with Identity Platform (GCIP). It also adds mock fixture data and improves developer tooling for testing IAP-protected APIs. The main themes are authentication architecture documentation, IAP/GCIP test scripts, and fixture data for local development.

Authentication Architecture & Documentation

• Added a comprehensive docs/Authentication.md explaining SSR authentication, session cookies, GCIP ID token flows, server-side token management, environment variables, mock mode (MSW), and security considerations. This document serves as a reference for both implementation and troubleshooting.

Fixture Data for Local Development

• Added new Cypress fixture files (feed_datasets_mdb-2947.json, feed_mdb-2947.json, gtfs_feed_mdb-2947.json) containing mock feed and dataset objects to support local development and testing of feed-related features. [1] [2] [3]
  Testing tips:

Provide tips, procedures and sample files on how to test the feature.
Testers are invited to follow the tips AND to try anything they deem relevant outside the bounds of the testing tips.

Please make sure these boxes are checked before submitting your pull request - thanks!

• Run the unit tests with yarn test to make sure you didn't break anything
• Add or update any needed documentation to the repo
• Format the title like "feat: [new feature short description]". Title must follow the Conventional Commit Specification(https://www.conventionalcommits.org/en/v1.0.0/).
• Linked all relevant issues
• Include screenshot(s) showing how this pull request works and fixes the issue(s)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mobilitydatabase-web	Ready	Preview, Comment	Feb 4, 2026 9:00pm

[github-actions]

*Lighthouse ran on https://mobilitydatabase-ih3u8u44k-mobility-data.vercel.app/ * (Desktop)
⚡️ HTML Report Lighthouse report for the changes in this PR:

Performance	Accessibility	Best Practices	SEO
🟢 95	🟢 100	🟢 96	🟢 100

*Lighthouse ran on https://mobilitydatabase-ih3u8u44k-mobility-data.vercel.app/feeds * (Desktop)
⚡️ HTML Report Lighthouse report for the changes in this PR:

Performance	Accessibility	Best Practices	SEO
🟢 99	🟢 100	🟢 96	🟢 100

*Lighthouse ran on https://mobilitydatabase-ih3u8u44k-mobility-data.vercel.app/feeds/gtfs/mdb-2126 * (Desktop)
⚡️ HTML Report Lighthouse report for the changes in this PR:

Performance	Accessibility	Best Practices	SEO
🟠 65	🟢 94	🟢 96	🟠 86

*Lighthouse ran on https://mobilitydatabase-ih3u8u44k-mobility-data.vercel.app/feeds/gtfs_rt/mdb-2585 * (Desktop)
⚡️ HTML Report Lighthouse report for the changes in this PR:

Performance	Accessibility	Best Practices	SEO
🟠 65	🟠 87	🟢 100	🟠 86

*Lighthouse ran on https://mobilitydatabase-ih3u8u44k-mobility-data.vercel.app/gbfs/gbfs-flamingo_porirua * (Desktop)
⚡️ HTML Report Lighthouse report for the changes in this PR:

Performance	Accessibility	Best Practices	SEO
🟢 100	🟢 100	🟢 96	🟢 100