--- title: "Secure Fiber APIs with API Key Authentication" description: "Secure your Fiber API using a shared secret." canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/fiber/secure-header" framework: "Fiber" language: "Go" authStrategy: "shared secret header" pageType: use-case --- # Secure Fiber APIs with API Key Authentication Secure your Fiber API using a shared secret. ## How Zuplo Handles It Put Zuplo in front of your Fiber backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo. ## Fiber Backend Code ```go package main import ( "crypto/subtle" "github.com/gofiber/fiber/v2" "log" "os" ) // Middleware to validate shared secret header func validateSharedSecret(c *fiber.Ctx) error { secret := c.Get("X-Shared-Secret") expectedSecret := os.Getenv("SHARED_SECRET") if expectedSecret == "" { log.Println("Server configuration error: SHARED_SECRET is not set") return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{ "error": "Server configuration error", }) } if secret == "" { return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{ "error": "No secret provided", }) } // Use timing-safe comparison to prevent timing attacks if subtle.ConstantTimeCompare([]byte(secret), []byte(expectedSecret)) == 0 { return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{ "error": "Invalid secret", }) } return c.Next() } func main() { app := fiber.New() // Protected route app.Get("/protected", validateSharedSecret, func(c *fiber.Ctx) error { return c.JSON(fiber.Map{ "message": "Access granted", }) }) log.Fatal(app.Listen(":3000")) } ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)