---
title: "Secure undefined APIs with API Key Authentication"
description: undefined
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/php/slim/secure-header"
framework: undefined
language: undefined
authStrategy: "shared secret header"
pageType: use-case
---

# Secure undefined APIs with API Key Authentication



## How Zuplo Handles It

Put Zuplo in front of your undefined backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## undefined Backend Code

```php
<?php
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;
use Slim\Factory\AppFactory;
use Slim\Exception\HttpUnauthorizedException;
use Slim\Exception\HttpInternalServerErrorException;

require __DIR__ . '/vendor/autoload.php';

$app = AppFactory::create();

// Middleware to validate shared secret header
$validateSharedSecret = function (Request $request, Response $response, $next) {
    $expectedSecret = getenv('SHARED_SECRET');

    if (!$expectedSecret) {
        throw new HttpInternalServerErrorException($request, "Server configuration error");
    }

    $secret = $request->getHeaderLine('X-Shared-Secret');

    if (!$secret) {
        throw new HttpUnauthorizedException($request, "No secret provided");
    }

    if (!hash_equals($expectedSecret, $secret)) {
        throw new HttpUnauthorizedException($request, "Invalid secret");
    }

    return $next($request, $response);
};

// Example protected route
$app->get('/protected', function (Request $request, Response $response) {
    $response->getBody()->write(json_encode(['message' => 'Access granted']));
    return $response->withHeader('Content-Type', 'application/json');
})->add($validateSharedSecret);

$app->run();
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)