--- title: "Secure Masonite APIs with API Key Authentication" description: "Secure your Masonite API using a shared secret." canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/python/masonite/secure-header" framework: "Masonite" language: "Python" authStrategy: "shared secret header" pageType: use-case --- # Secure Masonite APIs with API Key Authentication Secure your Masonite API using a shared secret. ## How Zuplo Handles It Put Zuplo in front of your Masonite backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo. ## Masonite Backend Code ```python from masonite.routes import Route from masonite.request import Request from masonite.response import Response from masonite.environment import env from cryptography.hazmat.primitives import hashes, hmac import hmac as py_hmac def secure_compare(val1, val2): # Use HMAC to perform a timing-safe comparison return py_hmac.compare_digest(val1, val2) def ValidateSharedSecret(request: Request, response: Response): secret = request.header('x-shared-secret') expected_secret = env('SHARED_SECRET') if not expected_secret: return response.json({'error': 'Server configuration error'}, status=500) if not secret: return response.json({'error': 'No secret provided'}, status=401) if not secure_compare(secret.encode('utf-8'), expected_secret.encode('utf-8')): return response.json({'error': 'Invalid secret'}, status=401) return request ROUTES = [ Route.get('/protected', 'MyController@protected').middleware(ValidateSharedSecret), ] # Example controller class MyController: def protected(self, request: Request): return {'message': 'Access granted'} ``` ## Example Request ```bash curl -X GET \ 'https://your-api.zuplo.dev/your-route' \ -H 'Authorization: Bearer YOUR_API_KEY' ``` ## Learn More - [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound) - [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound) - [All use cases](https://zuplo.com/use-cases)