---
title: "Secure Feathers APIs with API Key Authentication"
description: "Secure your Feathers API using a shared secret."
canonicalUrl: "https://zuplo.com/use-cases/api-key-auth/typescript/feathers/secure-header"
framework: "Feathers"
language: "TypeScript"
authStrategy: "shared secret header"
pageType: use-case
---

# Secure Feathers APIs with API Key Authentication

Secure your Feathers API using a shared secret.

## How Zuplo Handles It

Put Zuplo in front of your Feathers backend to authenticate API keys and forward a shared secret header so your origin only accepts traffic from Zuplo.

## Feathers Backend Code

```typescript
import { HookContext, NextFunction } from "@feathersjs/feathers";
import { BadRequest, GeneralError } from "@feathersjs/errors";
import crypto from "crypto";

// Middleware to validate shared secret header
function validateSharedSecret(context: HookContext, next: NextFunction) {
  const secret = context.params.headers?.["x-shared-secret"];
  const expectedSecret = process.env.SHARED_SECRET;

  if (!expectedSecret) {
    throw new GeneralError("Server configuration error");
  }

  if (!secret) {
    throw new BadRequest("No secret provided");
  }

  // Use timing-safe comparison to prevent timing attacks
  if (
    secret.length !== expectedSecret.length ||
    !crypto.timingSafeEqual(Buffer.from(secret), Buffer.from(expectedSecret))
  ) {
    throw new BadRequest("Invalid secret");
  }

  return next();
}

// Example usage
import feathers from "@feathersjs/feathers";
import express from "@feathersjs/express";

const app = express(feathers());

// Register the middleware for a protected route
app.use("/protected", validateSharedSecret, (req, res) => {
  res.json({
    message: "Access granted",
  });
});

app
  .listen(3030)
  .on("listening", () =>
    console.log("Feathers server listening on http://localhost:3030"),
  );
```

## Example Request

```bash
curl -X GET \
  'https://your-api.zuplo.dev/your-route' \
  -H 'Authorization: Bearer YOUR_API_KEY'
```

## Learn More

- [API Key Authentication on Zuplo](https://zuplo.com/docs/policies/api-key-auth-inbound)
- [JWT Authentication on Zuplo](https://zuplo.com/docs/policies/open-id-jwt-auth-inbound)
- [All use cases](https://zuplo.com/use-cases)