---
title: "Secure AdonisJS APIs with API Key Authentication"
description: "Secure your AdonisJS API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/typescript/adonisjs/secure-header"
framework: "AdonisJS"
language: "TypeScript"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure AdonisJS APIs with API Key Authentication

Secure your AdonisJS API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your AdonisJS backend. Zuplo authenticates the caller's API key, then forwards the request to your origin with a shared secret header that only Zuplo and your backend know. Your origin checks that header on every request, so it accepts traffic from the gateway and rejects anything that reaches it directly.

## AdonisJS Backend Code

```typescript
// app/Middleware/ValidateSharedSecret.ts
import { HttpContextContract } from "@ioc:Adonis/Core/HttpContext";
import { Exception } from "@adonisjs/core/build/standalone";
import Env from "@ioc:Adonis/Core/Env";
import crypto from "crypto";

// Middleware that rejects any request not carrying the shared secret
// header Zuplo adds on its way to the origin.
export default class ValidateSharedSecret {
  public async handle(
    { request, response }: HttpContextContract,
    next: () => Promise<void>,
  ) {
    const secret = request.header("x-shared-secret");
    const expectedSecret = Env.get("SHARED_SECRET");

    if (!expectedSecret) {
      // Fail closed: a missing secret on the server is a deployment error,
      // not a reason to let traffic through.
      throw new Exception("Server configuration error", 500);
    }

    if (!secret) {
      response.unauthorized({ error: "No secret provided" });
      return;
    }

    // Use a timing-safe comparison to prevent timing attacks.
    // crypto.timingSafeEqual throws a RangeError when its inputs differ in
    // byte length, so compare the byte lengths first and only then the bytes.
    const provided = Buffer.from(secret);
    const expected = Buffer.from(expectedSecret);

    if (
      provided.length !== expected.length ||
      !crypto.timingSafeEqual(provided, expected)
    ) {
      response.unauthorized({ error: "Invalid secret" });
      return;
    }

    await next();
  }
}

// Register the middleware under a name in start/kernel.ts so routes can
// reference it:
//
//   Server.middleware.registerNamed({
//     validateSharedSecret: () => import("App/Middleware/ValidateSharedSecret"),
//   });

// Example route in start/routes.ts
import Route from "@ioc:Adonis/Core/Route";

Route.get("/protected", async ({ response }) => {
  response.json({ message: "Access granted" });
}).middleware("validateSharedSecret");
```

## Example Request

The client calls the Zuplo gateway with its API key. The `x-shared-secret` header is added by Zuplo when it forwards the request to your origin; clients never send it, and a request that carries the API key straight to the origin is rejected because the header is absent.

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)
