Use apiKey(...) when you want a lightweight header-based auth layer for HTTP clients.

Basic usage

app.use(
  apiKey({
    secret: process.env.API_SECRET,
    headerName: "x-api-key",
    ctxKey: "apiKey",
  })
);

What it does

  • reads a header from request.headers
  • validates it against a static secret or custom validator
  • stores the validated value on ctx

When to move beyond the built-in helper

If you want to attach richer auth metadata to ctx, build a custom plugin instead of storing only the raw key. That pattern is shown in the Plugin example, where the API-key lookup attaches:
  • keyId
  • owner
  • plan
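
The lookup step such a plugin would perform, as an added example rather than the framework's own code. `lookupApiKey`, `KEY_STORE` and the sample keys are hypothetical and constructed; how the returned object is attached to ctx depends on the plugin API, which is not shown here.

```javascript
// Added example: not the framework's plugin API. All names are hypothetical.
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest();

// Constructed sample key store. Only SHA-256 digests are kept, so a leaked
// store does not directly reveal usable keys.
const KEY_STORE = [
  { keyId: "k_001", owner: "team-billing", plan: "pro", digest: sha256("sample-key-billing") },
  { keyId: "k_002", owner: "team-search", plan: "free", digest: sha256("sample-key-search") },
];

// Returns { keyId, owner, plan } for a valid key, or null otherwise.
// `headers` is a lower-cased header map such as Node's request.headers.
function lookupApiKey(headers, store = KEY_STORE, headerName = "x-api-key") {
  const presented = headers[headerName];
  // Reject missing, empty or non-string header values.
  if (typeof presented !== "string" || presented.length === 0) return null;

  const digest = sha256(presented);
  let match = null;
  // Fixed-length digests compared in constant time, with no early exit,
  // so response timing does not depend on which record matched.
  for (const rec of store) {
    if (crypto.timingSafeEqual(digest, rec.digest)) match = rec;
  }
  if (!match) return null;

  // Return metadata only: neither the raw key nor its digest goes on ctx.
  const { keyId, owner, plan } = match;
  return { keyId, owner, plan };
}
```

Downstream handlers can then authorize on `plan` or `owner` and log `keyId` without the raw key ever appearing in ctx or in logs.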

Common mistake

Do not expect header auth to run in stdio mode. The built-in auth helpers are HTTP-oriented and skip when the transport is not HTTP.