---
title: "Secure Vapor APIs with API Key Authentication"
description: "Secure your Vapor API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/swift/vapor/secure-header"
framework: "Vapor"
language: "Swift"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Vapor APIs with API Key Authentication

Secure your Vapor API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Vapor backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Vapor Backend Code

```swift
import Vapor

// Middleware to validate the shared secret
struct ValidateSharedSecretMiddleware: Middleware {
    func respond(to request: Request, chainingTo next: Responder) -> EventLoopFuture<Response> {
        guard let expectedSecret = Environment.get("SHARED_SECRET") else {
            return request.eventLoop.makeFailedFuture(Abort(.internalServerError, reason: "Server configuration error"))
        }

        guard let secret = request.headers["x-shared-secret"].first else {
            return request.eventLoop.makeFailedFuture(Abort(.unauthorized, reason: "No secret provided"))
        }

        // Use timing-safe comparison to prevent timing attacks
        guard secret.count == expectedSecret.count,
              subtleCompare(secret, expectedSecret) else {
            return request.eventLoop.makeFailedFuture(Abort(.unauthorized, reason: "Invalid secret"))
        }

        return next.respond(to: request)
    }

    private func subtleCompare(_ a: String, _ b: String) -> Bool {
        let aBytes = Array(a.utf8)
        let bBytes = Array(b.utf8)

        guard aBytes.count == bBytes.count else {
            return false
        }

        var difference = UInt8(0)
        for i in 0..<aBytes.count {
            difference |= aBytes[i] ^ bBytes[i]
        }
        return difference == 0
    }
}

func routes(_ app: Application) throws {
    // Protected route
    app.get("protected", use: { req -> String in
        "Access granted"
    }).middleware(ValidateSharedSecretMiddleware())
}
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)