Zuplo

API Key Authentication

Secure Your Dropwizard API with API Keys

The Zuplo API Gateway protects your backend API from unauthorized access, abuse, and overload. Add API key authentication to your Dropwizard API in minutes.

Secure Access

Authenticate every request before it reaches your backend.

Control Costs

Set rate limits and quotas to prevent runaway usage.

Ensure Reliability

Shield your backend from overload with traffic management.

How it works

The Zuplo API Gateway sits between your clients and your Dropwizard backend, providing a secure layer of protection and control.

Client
Zuplo API Gateway

Customer VPC

Backend

Step-by-step tutorial

It takes only a few minutes to put Zuplo in front of your Dropwizard backend, adding API key authentication, and configuring your origin to trust requests from Zuplo using shared secrets.

1

Create a Route in Zuplo

First, create a new route in your Zuplo project that will proxy requests to your Dropwizard backend. This route will be the entry point for your API consumers.

Creating a route in Zuplo
Learn how to create routes

📄 OpenAPI native. Import your existing OpenAPI spec to instantly create routes and power your API documentation .

2

Add API Key Authentication Policy

Add the API Key Authentication policy to your route. This policy validates incoming API keys and ensures only authorized consumers can access your API.

Adding API Key Authentication policy in Zuplo
API Key Authentication docs

🔐 Leaked key? No problem. As a GitHub Secret Scanning partner, Zuplo can automatically revoke exposed keys before they can be exploited.

3

Add Set Header Policy

Add the Set Header policy to your route. This policy sets the shared secret header on requests to ensure only requests from Zuplo are accepted by your API.

Adding Set Header policy in Zuplo
Set Header Policy docs
4

Secure Your Dropwizard API with the Shared Secret

Configure your Dropwizard backend to validate the shared secret header set by Zuplo. This ensures that only requests coming through your Zuplo gateway are accepted.

Java
import io.dropwizard.Application;
import io.dropwizard.setup.Bootstrap;
import io.dropwizard.setup.Environment;
import io.dropwizard.jersey.setup.JerseyEnvironment;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.ext.Provider;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Objects;

// Filter to validate shared secret header
@Provider
public class SharedSecretFilter implements ContainerRequestFilter {

    private static final String SHARED_SECRET_HEADER = "X-Shared-Secret";
    private final String expectedSecret;

    public SharedSecretFilter() {
        this.expectedSecret = System.getenv("SHARED_SECRET");
    }

    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        if (expectedSecret == null) {
            throw new IllegalStateException("Server configuration error: SHARED_SECRET not set");
        }

        String secret = requestContext.getHeaderString(SHARED_SECRET_HEADER);
        if (secret == null) {
            requestContext.abortWith(javax.ws.rs.core.Response.status(401)
                .entity("{\"error\":\"No secret provided\"}")
                .build());
            return;
        }

        try {
            if (!secureCompare(secret, expectedSecret)) {
                requestContext.abortWith(javax.ws.rs.core.Response.status(401)
                    .entity("{\"error\":\"Invalid secret\"}")
                    .build());
            }
        } catch (NoSuchAlgorithmException e) {
            requestContext.abortWith(javax.ws.rs.core.Response.status(500)
                .entity("{\"error\":\"Server error\"}")
                .build());
        }
    }

    private boolean secureCompare(String a, String b) throws NoSuchAlgorithmException {
        byte[] aDigest = MessageDigest.getInstance("SHA-256").digest(a.getBytes());
        byte[] bDigest = MessageDigest.getInstance("SHA-256").digest(b.getBytes());
        return MessageDigest.isEqual(aDigest, bDigest);
    }
}

// Main application class
public class MyApplication extends Application<MyConfiguration> {

    @Override
    public void initialize(Bootstrap<MyConfiguration> bootstrap) {
    }

    @Override
    public void run(MyConfiguration configuration, Environment environment) {
        JerseyEnvironment jersey = environment.jersey();
        jersey.register(new SharedSecretFilter());
        jersey.register(MyResource.class);
    }

    public static void main(String[] args) throws Exception {
        new MyApplication().run(args);
    }
}

// Example resource class
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Response;

@Path("/protected")
public class MyResource {

    @GET
    public Response getProtected() {
        return Response.ok("{\"message\":\"Access granted\"}").build();
    }
}
5

Call Your API Through Zuplo

Now you can call your API through Zuplo using an API key. The request will be authenticated at the gateway, and securely forwarded to your Dropwizard backend.

Terminalbash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'

Ready to secure your API?

Get started with Zuplo for free and add API key authentication to your Dropwizard API in minutes.

Start for Free Read the Docs