---
title: "Secure Revel APIs with API Key Authentication"
description: "Secure your Revel API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/revel/secure-header"
framework: "Revel"
language: "Go"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Revel APIs with API Key Authentication

Secure your Revel API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Revel backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Revel Backend Code

```go
package controllers

import (
    "crypto/subtle"
    "net/http"
    "os"

    "github.com/revel/revel"
)

// SharedSecretFilter is a Revel filter to validate the shared secret header.
var SharedSecretFilter = func(c *revel.Controller, fc []revel.Filter) {
    secret := c.Request.Header.Get("X-Shared-Secret")
    expectedSecret := os.Getenv("SHARED_SECRET")

    if expectedSecret == "" {
        c.Result = c.RenderJSON(map[string]string{"error": "Server configuration error"})
        c.Response.SetStatus(http.StatusInternalServerError)
        return
    }

    if len(secret) == 0 {
        c.Result = c.RenderJSON(map[string]string{"error": "No secret provided"})
        c.Response.SetStatus(http.StatusUnauthorized)
        return
    }

    // Use timing-safe comparison to prevent timing attacks
    if subtle.ConstantTimeCompare([]byte(secret), []byte(expectedSecret)) != 1 {
        c.Result = c.RenderJSON(map[string]string{"error": "Invalid secret"})
        c.Response.SetStatus(http.StatusUnauthorized)
        return
    }

    // Call the next filter
    fc[0](c, fc[1:])
}

func init() {
    revel.Filters = append(revel.Filters, SharedSecretFilter)
}

type App struct {
    *revel.Controller
}

func (c App) Protected() revel.Result {
    return c.RenderJSON(map[string]string{"message": "Access granted"})
}

// In routes/conf/routes
// GET /protected App.Protected
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)