---
title: "Secure Quarkus APIs with API Key Authentication"
description: "Secure your Quarkus API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/java/quarkus/secure-header"
framework: "Quarkus"
language: "Java"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Quarkus APIs with API Key Authentication

Secure your Quarkus API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Quarkus backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Quarkus Backend Code

```java
import io.quarkus.vertx.web.RouteFilter;
import io.vertx.ext.web.RoutingContext;

// On Quarkus 3.x this import is jakarta.enterprise.context.ApplicationScoped.
import javax.enterprise.context.ApplicationScoped;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

@ApplicationScoped
public class SecretHeaderFilter {

    // Secret shared with the gateway, read from configuration rather than hard-coded.
    @ConfigProperty(name = "shared.secret")
    String expectedSecret;

    // Runs as a Vert.x route filter before the request reaches application routes.
    @RouteFilter(400)
    void validateSharedSecret(RoutingContext rc) {
        String secret = rc.request().getHeader("x-shared-secret");

        // Fail closed when no secret is configured, so an empty value can never match.
        if (expectedSecret == null || expectedSecret.isEmpty()) {
            rc.response().setStatusCode(500).end("{\"error\": \"Server configuration error\"}");
            return;
        }

        if (secret == null || secret.isEmpty()) {
            rc.response().setStatusCode(401).end("{\"error\": \"No secret provided\"}");
            return;
        }

        // MessageDigest.isEqual is a constant-time byte comparison and already returns
        // false for inputs of different length, so no separate length check is needed.
        // The charset is explicit so the bytes do not depend on the platform default.
        if (!MessageDigest.isEqual(secret.getBytes(StandardCharsets.UTF_8),
                expectedSecret.getBytes(StandardCharsets.UTF_8))) {
            rc.response().setStatusCode(401).end("{\"error\": \"Invalid secret\"}");
            return;
        }

        rc.next();
    }
}
```
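
The header check can also be pulled out of the filter so it is testable without Vert.x. The class below is an added example, not code from this page or from Zuplo: `SharedSecretCheck` and `statusFor` are hypothetical names, and the secrets are constructed sample values. It goes one step beyond the filter above by hashing both sides to a fixed length before comparing and by accepting more than one secret, so the old and new value both work during a rotation (assumes Java 11 or later).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.stream.Collectors;

// Added example: SharedSecretCheck and statusFor are hypothetical names, not Quarkus or Zuplo API.
public class SharedSecretCheck {
    private final List<byte[]> acceptedDigests;

    public SharedSecretCheck(List<String> acceptedSecrets) {
        // Refuse to start with no secret or a blank one, instead of answering 500 on every request.
        if (acceptedSecrets.isEmpty() || acceptedSecrets.stream().anyMatch(String::isBlank)) {
            throw new IllegalStateException("shared secret is not configured");
        }
        this.acceptedDigests = acceptedSecrets.stream()
                .map(SharedSecretCheck::sha256).collect(Collectors.toList());
    }

    /** Returns the HTTP status the filter should send; 200 means "call rc.next()". */
    public int statusFor(String headerValue) {
        if (headerValue == null || headerValue.isEmpty()) {
            return 401;
        }
        byte[] presented = sha256(headerValue);
        boolean match = false;
        // Check every accepted secret with no early exit, so timing does not show which one matched.
        for (byte[] accepted : acceptedDigests) {
            match |= MessageDigest.isEqual(presented, accepted);
        }
        return match ? 200 : 401;
    }

    // Hash to a fixed 32 bytes so the comparison never depends on the length of the secret.
    private static byte[] sha256(String value) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // every Java platform is required to provide SHA-256
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not real secrets.
        SharedSecretCheck check = new SharedSecretCheck(List.of("current-secret-value", "previous-secret-value"));
        System.out.println(check.statusFor(null));                    // missing header
        System.out.println(check.statusFor("short"));                 // wrong value of a different length
        System.out.println(check.statusFor("previous-secret-value")); // older secret, still accepted
    }
}
```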

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
