--- title: "Secure undefined APIs with API Key Authentication" description: undefined canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/php/fuelphp/secure-header" framework: undefined language: undefined authStrategy: "shared secret header" pageType: use-case --- # Secure undefined APIs with API Key Authentication ## How Zuplo Handles It Put Zuplo in front of your undefined backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo. ## undefined Backend Code ```php // bootstrap.php // Load .env file if (file_exists(DOCROOT . '.env')) { $dotenv = Dotenv\Dotenv::createImmutable(DOCROOT); $dotenv->load(); } // app/classes/filter/SharedSecret.php namespace Filter; class SharedSecret { public static function validate(\Fuel\Core\Request $request) { $secretHeader = $request->get_header('x-shared-secret'); $expectedSecret = getenv('SHARED_SECRET'); if (!$expectedSecret) { return \Response::forge(['error' => 'Server configuration error'], 500); } if (!$secretHeader) { return \Response::forge(['error' => 'No secret provided'], 401); } if (!hash_equals($expectedSecret, $secretHeader)) { return \Response::forge(['error' => 'Invalid secret'], 401); } // Proceed to the next filter/controller return null; } } // app/config/routes.php return [ '_root_' => 'welcome/index', '_404_' => 'welcome/404', 'protected' => [ ['filter' => 'SharedSecret::validate', 'path' => 'protected'] ], ]; // app/classes/controller/Protected.php namespace Controller; class Protected extends \Fuel\Core\Controller { public function action_index() { return \Response::forge(['message' => 'Access granted'], 200); } } ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)