--- title: "Secure Iris APIs with API Key Authentication" description: "Secure your Iris API using a shared secret." canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/iris/secure-header" framework: "Iris" language: "Go" authStrategy: "shared secret header" pageType: use-case --- # Secure Iris APIs with API Key Authentication Secure your Iris API using a shared secret. ## How Zuplo Handles It Put Zuplo in front of your Iris backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo. ## Iris Backend Code ```go package main import ( "crypto/subtle" "os" "github.com/kataras/iris/v12" ) // validateSharedSecret is a middleware that checks for the shared secret header. func validateSharedSecret(ctx iris.Context) { secret := ctx.GetHeader("X-Shared-Secret") expectedSecret := os.Getenv("SHARED_SECRET") if expectedSecret == "" { ctx.StatusCode(iris.StatusInternalServerError) ctx.JSON(iris.Map{"error": "Server configuration error"}) return } if secret == "" { ctx.StatusCode(iris.StatusUnauthorized) ctx.JSON(iris.Map{"error": "No secret provided"}) return } // Use timing-safe comparison to prevent timing attacks if len(secret) != len(expectedSecret) || subtle.ConstantTimeCompare([]byte(secret), []byte(expectedSecret)) != 1 { ctx.StatusCode(iris.StatusUnauthorized) ctx.JSON(iris.Map{"error": "Invalid secret"}) return } ctx.Next() } func main() { app := iris.New() app.Get("/protected", validateSharedSecret, func(ctx iris.Context) { ctx.JSON(iris.Map{"message": "Access granted"}) }) app.Listen(":8080") } ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)