API Key Authentication

Secure Your Nginx API with API Keys

The Zuplo API Gateway protects your backend API from unauthorized access, abuse, and overload. Add API key authentication to your Nginx API in minutes.

Secure Access

Authenticate every request before it reaches your backend.

Control Costs

Set rate limits and quotas to prevent runaway usage.

Ensure Reliability

Shield your backend from overload with traffic management.

How it works

The Zuplo API Gateway sits between your clients and your Nginx backend, providing a secure layer of protection and control.

Customer VPC

Backend

Client

Zuplo API Gateway

Step-by-step tutorial

It takes only a few minutes to put Zuplo in front of your Nginx backend, adding API key authentication, and configuring your origin to trust requests from Zuplo using shared secrets.

Create a Route in Zuplo

First, create a new route in your Zuplo project that will proxy requests to your Nginx backend. This route will be the entry point for your API consumers.

Learn how to create routes

📄 OpenAPI native. Import your existing OpenAPI spec to instantly create routes and power your API documentation.

Add API Key Authentication Policy

Add the API Key Authentication policy to your route. This policy validates incoming API keys and ensures only authorized consumers can access your API.

Adding API Key Authentication policy in Zuplo

API Key Authentication docs

🔐 Leaked key? No problem. As a GitHub Secret Scanning partner, Zuplo can automatically revoke exposed keys before they can be exploited.

Add Set Header Policy

Add the Set Header policy to your route. This policy sets the shared secret header on requests to ensure only requests from Zuplo are accepted by your API.

Set Header Policy docs

Secure Your Nginx API with the Shared Secret

Configure your Nginx backend to validate the shared secret header set by Zuplo. This ensures that only requests coming through your Zuplo gateway are accepted.

#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_http.h>
#include <openssl/crypto.h>
#include <string.h>

// Preprocessor for environment variable
#define SHARED_SECRET_ENV "SHARED_SECRET"

static ngx_int_t ngx_http_shared_secret_handler(ngx_http_request_t *r);
static char *ngx_http_shared_secret(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);

// Module context
static ngx_http_module_t ngx_http_shared_secret_module_ctx = {
    NULL,                          /* preconfiguration */
    NULL,                          /* postconfiguration */

    NULL,                          /* create main configuration */
    NULL,                          /* init main configuration */

    NULL,                          /* create server configuration */
    NULL,                          /* merge server configuration */

    NULL,                          /* create location configuration */
    NULL                           /* merge location configuration */
};

// Commands
static ngx_command_t ngx_http_shared_secret_commands[] = {

    { ngx_string("shared_secret"),
      NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS,
      ngx_http_shared_secret,
      0,
      0,
      NULL },

    ngx_null_command
};

// Module
ngx_module_t ngx_http_shared_secret_module = {
    NGX_MODULE_V1,
    &ngx_http_shared_secret_module_ctx, /* module context */
    ngx_http_shared_secret_commands,    /* module directives */
    NGX_HTTP_MODULE,                    /* module type */
    NULL,                               /* init master */
    NULL,                               /* init module */
    NULL,                               /* init process */
    NULL,                               /* init thread */
    NULL,                               /* exit thread */
    NULL,                               /* exit process */
    NULL,                               /* exit master */
    NGX_MODULE_V1_PADDING
};

// Handler function
static ngx_int_t ngx_http_shared_secret_handler(ngx_http_request_t *r) {
    ngx_str_t secret_header_name = ngx_string("x-shared-secret");
    ngx_table_elt_t *secret_header;
    u_char *env_secret;

    secret_header = ngx_http_get_header(r, secret_header_name);
    env_secret = (u_char *) getenv(SHARED_SECRET_ENV);

    if (env_secret == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    if (secret_header == NULL) {
        return NGX_HTTP_UNAUTHORIZED;
    }

    if (strlen((char *)secret_header->value.data) != strlen((char *)env_secret) ||
        CRYPTO_memcmp(secret_header->value.data, env_secret, strlen((char *)env_secret)) != 0) {
        return NGX_HTTP_UNAUTHORIZED;
    }

    return NGX_DECLINED; // Proceed with request
}

// Configuration function
static char *ngx_http_shared_secret(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) {
    ngx_http_core_loc_conf_t  *clcf;

    clcf = ngx_http_conf_get_module_loc_conf(cf, ngx_http_core_module);

    clcf->handler = ngx_http_shared_secret_handler;

    return NGX_CONF_OK;
}

Call Your API Through Zuplo

Now you can call your API through Zuplo using an API key. The request will be authenticated at the gateway, and securely forwarded to your Nginx backend.

bash

curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'

Ready to secure your API?

Get started with Zuplo for free and add API key authentication to your Nginx API in minutes.

Start for Free Read the Docs