---
title: "Secure Traefik APIs with API Key Authentication"
description: "Secure your Traefik API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/go/traefik/secure-header"
framework: "Traefik"
language: "Go"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Traefik APIs with API Key Authentication

Secure your Traefik API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Traefik backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Traefik Backend Code

```go
package main

import (
	"context"
	"crypto/subtle"
	"log"
	"net/http"
	"os"

	"github.com/traefik/traefik/v2/pkg/config/dynamic"
	"github.com/traefik/traefik/v2/pkg/middlewares"
)

func main() {
	secret := os.Getenv("SHARED_SECRET")
	if secret == "" {
		log.Fatal("Server configuration error: SHARED_SECRET is not set")
	}

	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		w.Write([]byte(`{"message": "Access granted"}`))
	})

	secretMiddleware := func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			secretHeader := r.Header.Get("X-Shared-Secret")

			if secretHeader == "" {
				http.Error(w, `{"error": "No secret provided"}`, http.StatusUnauthorized)
				return
			}

			if subtle.ConstantTimeCompare([]byte(secretHeader), []byte(secret)) != 1 {
				http.Error(w, `{"error": "Invalid secret"}`, http.StatusUnauthorized)
				return
			}

			next.ServeHTTP(w, r)
		})
	}

	httpMux := http.NewServeMux()
	httpMux.Handle("/protected", secretMiddleware(handler))

	server := &http.Server{
		Addr:    ":8080",
		Handler: httpMux,
	}

	log.Println("Server running on port 8080")
	log.Fatal(server.ListenAndServe())
}
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)