Protect your feathers backend

Custom authentication strategy

Written by: unrenamed
Framework: feathers
Language: Typescript

Protect your Feathers API with Custom Key Auth Strategy

Overview

This guide demonstrates how to protect your Feathers app using a custom authentication strategy built around Unkey for managing and validating API keys. By leveraging Unkey's API key validation system, we can ensure that requests to your Feathers backend are authenticated using time-sensitive, secure keys.

Tech Stack

  • Feathers JS: An open source framework for building APIs and real-time applications.
  • Unkey: A service to manage API keys with advanced features like time-bound access, rate limiting, and access control.

Features

  • Secure endpoints with both Local Auth and API Key-based strategies.
  • Integration with Unkey API to validate keys for time-sensitive access.

How it works

Within the custom API key auth strategy, we check whether the request carries a specific header containing a valid API key. If the key is valid, the request is authorized; otherwise it is rejected.

Quickstart

Create your first root key

  1. Go to settings.root-keys and click on the "Create New Root Key" button.
  2. Enter a name for the key.
  3. Select the following workspace permissions: create_key, read_key, encrypt_key and decrypt_key.
  4. Click "Create".

Create your first API

  1. Go to apis and click on the "Create New API" button.
  2. Give it a name.
  3. Click "Create".

Set up the example

  1. Clone the repository

    git clone git@github.com:unrenamed/unkey-feathers
    cd unkey-feathers
  2. Install your dependencies

    pnpm install
  3. Create a .env.local file and add the following:

    UNKEY_ROOT_KEY=your-root-key
    UNKEY_API_ID=your-api-id
  4. Start your app

    pnpm compile # Compile TypeScript source
    pnpm migrate # Run migrations to set up the database
    pnpm start

    The server will start and listen on port 3030.

Test the API routes

  1. Create some users before accessing the GET endpoint

    curl -X POST http://localhost:3030/users \
      -H "Content-Type: application/json" \
      -d '{
        "email": "alice@unkey.com",
        "password": "supersecret"
      }'
  2. Check whether you can access the /users and /users/:id endpoints

    curl -X GET http://localhost:3030/users
    curl -X GET http://localhost:3030/users/1

    These two are protected. You should NOT be able to access them before authenticating.

  3. Authenticate using the local strategy, i.e. email + password

    curl -X POST http://localhost:3030/authentication \
      -H "Content-Type: application/json" \
      -d '{
        "email": "alice@unkey.com",
        "password": "supersecret",
        "strategy": "local"
      }'
  4. Check whether you can access the /users and /users/:id endpoints

    curl -X GET http://localhost:3030/users \
      -H "Authorization: Bearer <your-bearer-token>"
    curl -X GET http://localhost:3030/users/:id \
      -H "Authorization: Bearer <your-bearer-token>"

    The first one is still not accessible, because it requires an API key for access.

  5. Create an API key to access routes protected with the API key strategy

    curl -X POST http://localhost:3030/keys \
      -H "Content-Type: application/json" \
      -d '{}'

    You will get key and keyId in the response object.

  6. Now you can access the /users route with the x-api-key header and a valid key

    curl -X GET http://localhost:3030/users \
      -H 'Content-Type: application/json' \
      -H 'x-api-key: <your-api-key>'
