---
title: "Secure Pyramid APIs with API Key Authentication"
description: "Secure your Pyramid API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/python/pyramid/secure-header"
framework: "Pyramid"
language: "Python"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Pyramid APIs with API Key Authentication

Secure your Pyramid API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Pyramid backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Pyramid Backend Code

```python
import os
from hmac import compare_digest

from pyramid.config import Configurator
from pyramid.view import view_config


def validate_shared_secret(request):
    """Return an error payload if the shared secret is missing or wrong, else None."""
    secret = request.headers.get('X-Shared-Secret')
    expected_secret = os.getenv('SHARED_SECRET')

    # Fail closed when the origin has no secret configured.
    if not expected_secret:
        request.response.status = 500
        return {'error': 'Server configuration error'}

    if not secret:
        request.response.status = 401
        return {'error': 'No secret provided'}

    # Constant-time comparison on bytes: compare_digest raises TypeError for
    # str arguments containing non-ASCII characters, which would turn a
    # malformed header into a 500 instead of a 401.
    if not compare_digest(secret.encode('utf-8'), expected_secret.encode('utf-8')):
        request.response.status = 401
        return {'error': 'Invalid secret'}

    return None


@view_config(route_name='protected', renderer='json')
def protected_view(request):
    # Reject the request before doing any work if the secret check fails.
    error_response = validate_shared_secret(request)
    if error_response:
        return error_response

    return {'message': 'Access granted'}


def main(global_config, **settings):
    with Configurator(settings=settings) as config:
        config.add_route('protected', '/protected')
        config.scan()

    return config.make_wsgi_app()
```
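
The view above calls `validate_shared_secret` itself, so any view that omits the call is reachable without the secret. The following is an added example, not Zuplo's or this page's code: a WSGI middleware that applies the same check to every route, assuming the `X-Shared-Secret` header and `SHARED_SECRET` variable used above. `SharedSecretMiddleware`, `demo_status` and the sample values are constructed for illustration.

```python
import os
from hmac import compare_digest


class SharedSecretMiddleware:
    """Added example: reject any request lacking the gateway's shared secret."""

    def __init__(self, app, expected=None):
        self.app = app
        # Assumption: same SHARED_SECRET variable as the view code on this page.
        secret = expected if expected is not None else os.getenv('SHARED_SECRET', '')
        self.expected = secret.encode('utf-8')

    def __call__(self, environ, start_response):
        if not self.expected:
            # Fail closed: a missing secret must never mean "allow everything".
            return self._reject(start_response, '500 Internal Server Error')
        # WSGI exposes the X-Shared-Secret header as HTTP_X_SHARED_SECRET.
        # Encode to bytes so compare_digest never raises on non-ASCII input.
        supplied = environ.get('HTTP_X_SHARED_SECRET', '').encode('utf-8')
        if not compare_digest(supplied, self.expected):
            return self._reject(start_response, '401 Unauthorized')
        return self.app(environ, start_response)

    @staticmethod
    def _reject(start_response, status):
        body = b'{"error": "request rejected"}'
        start_response(status, [('Content-Type', 'application/json'),
                                ('Content-Length', str(len(body)))])
        return [body]


def demo_status(header_value, expected='constructed-secret'):
    """Run one constructed request through the middleware; return the status."""
    def inner_app(environ, start_response):  # stands in for the Pyramid app
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']

    seen = []
    environ = {'REQUEST_METHOD': 'GET', 'PATH_INFO': '/protected'}
    if header_value is not None:
        environ['HTTP_X_SHARED_SECRET'] = header_value
    app = SharedSecretMiddleware(inner_app, expected=expected)
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

To use it with the app on this page, `main()` would return `SharedSecretMiddleware(config.make_wsgi_app())` instead of the bare WSGI app.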

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
