docs: fix getting started link

alukach · alukach · commit 7428e39f81cb · 2025-08-05T11:48:08.000-07:00
diff --git a/README.md b/README.md
@@ -30,7 +30,7 @@ STAC Auth Proxy is a proxy API that mediates between the client and your interna
 
 [Full documentation is available on the website](https://developmentseed.org/stac-auth-proxy).
 
-Head to [Getting Started](https://developmentseed.org/stac-auth-proxy/getting-started/) to dig in.
+Head to [Getting Started](https://developmentseed.org/stac-auth-proxy/user-guide/getting-started/) to dig in.
 
 [pypi-version-badge]: https://badge.fury.io/py/stac-auth-proxy.svg
 [pypi-link]: https://pypi.org/project/stac-auth-proxy/
diff --git a/docs/architecture/filtering-data.md b/docs/architecture/filtering-data.md
@@ -0,0 +1,31 @@
+# Filtering Data
+
+> [!NOTE]
+>
+> For more information on using filters to solve authorization needs, more information can be found in the [user guide](../user-guide/record-level-auth.md).
+
+## Example Request Flow for multi-record endpoints
+
+```mermaid
+sequenceDiagram
+    Client->>Proxy: GET /collections
+    Note over Proxy: EnforceAuth checks credentials
+    Note over Proxy: BuildCql2Filter creates filter
+    Note over Proxy: ApplyCql2Filter applies filter to request
+    Proxy->>STAC API: GET /collection?filter=(collection=landsat)
+    STAC API->>Client: Response
+```
+
+## Example Request Flow for single-record endpoints
+
+The Filter Extension does not apply to fetching individual records. As such, we must validate the record _after_ it is returned from the upstream API but _before_ it is returned to the user:
+
+```mermaid
+sequenceDiagram
+    Client->>Proxy: GET /collections/abc123
+    Note over Proxy: EnforceAuth checks credentials
+    Note over Proxy: BuildCql2Filter creates filter
+    Proxy->>STAC API: GET /collection/abc123
+    Note over Proxy: ApplyCql2Filter validates the response
+    STAC API->>Client: Response
+```
diff --git a/docs/user-guide/record-level-auth.md b/docs/user-guide/record-level-auth.md
@@ -17,6 +17,10 @@ Record-level authorization is implemented through **data filtering**—a strateg
 
 For endpoints where the filter extension doesn't apply (such as single-item endpoints), the filters are used to validate response data from the upstream STAC API before the user receives the data, ensuring complete authorization coverage.
 
+> [!NOTE]
+>
+> For more information on _how_ data filtering works, some more information can be found in the [architecture section](../architecture/filtering-data.md) of the docs.
+
 ## Supported Operations
 
 ### Collection-Level Filtering
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -37,6 +37,7 @@ nav:
       - Tips: user-guide/tips.md
   - Architecture:
       - Middleware Stack: architecture/middleware-stack.md
+      - Filtering Data: architecture/filtering-data.md
   - Changelog: changelog.md
 
 plugins:
