# Secure Unleash The Unleash API is split in two different paths: `/api/client` and `/api/admin`. This makes it easy to have different authentication strategy for the admin interface and the client-api used by the applications integrating with Unleash. ## General settings Unleash uses an encrypted cookie to maintain a user session. This allows users to be logged in across instances of Unleash. To protect this cookie you should specify the `secret` option when starting unleash.- ## Securing the Admin API In order to secure the Admin API you have to tell Unleash that you are using a custom admin authentication and implement your authentication logic as a preHook. You should also set the secret option to a protected secret in your system. ```javascript const unleash = require('unleash-server'); const myCustomAdminAuth = require('./auth-hook'); unleash.start({ databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash', secret: 'super-duper-secret', adminAuthentication: 'custom', preRouterHook: myCustomAdminAuth }).then(unleash => { console.log(`Unleash started on http://localhost:${unleash.app.get('port')}`); }); ``` Examples on custom authentication hooks: - [google-auth-hook.js](https://github.com/Unleash/unleash/blob/master/examples/google-auth-hook.js) - [basic-auth-hook.js](https://github.com/Unleash/unleash/blob/master/examples/basic-auth-hook.js) ## Securing the Client API A common way to support client access is to use pre shared secrets. This can be solved by having clients send a shared key in a http header with every client requests to the Unleash API. All official Unleash clients should support this. In the [Java client](https://github.com/Unleash/unleash-client-java#custom-http-headers) this looks like: ```java UnleashConfig unleashConfig = UnleashConfig.builder() .appName("my-app") .instanceId("my-instance-1") .unleashAPI(unleashAPI) .customHttpHeader("Authorization", "12312Random") .build(); ``` On the unleash server side you need to implement a preRouter hook which verifies that all calls to `/api/client` includes this pre shared key in the defined header. This could look something like this: ```javascript const unleash = require('unleash-server'); const sharedSecret = '12312Random'; unleash.start({ databaseUrl: 'postgres://unleash_user:passord@localhost:5432/unleash', enableLegacyRoutes: false, preRouterHook: (app) => { app.use('/api/client', (req, res, next) => { if(req.headers.authorization !== sharedSecret) { res.sendStatus(401); } else { next() } }); } }).then(unleash => { console.log(`Unleash started on http://localhost:${unleash.app.get('port')}`); }); ``` [client-auth-unleash.js](https://github.com/Unleash/unleash/blob/master/examples/client-auth-unleash.js) PS! Remember to disable legacy route with by setting the `enableLegacyRoutes` option to false. This will require all your clients to be on v3.x.