Documentation

ShieldNode Docs

ShieldNode lets you share API access with anyone, teammates, clients, or AI agents, without ever exposing your real credentials. Setup takes under two minutes.

Using AI agents?

Drop-in skill for Claude Code, Cursor, and friends, install in one command.

What is ShieldNode?

ShieldNode is a secure proxy gateway that sits between your callers and any third-party API. Instead of sharing your real API key, you create a virtual key, a unique credential that routes through ShieldNode to the real API.

Virtual keys are disposable, configurable, and revocable in under a second. Your real credentials are never sent to callers and never stored in plaintext, anywhere.

Paste your credentials once

Add your real API key and endpoint URL once. ShieldNode handles the rest automatically.

Create virtual keys in seconds

Generate as many virtual keys as you need. Each is independently configurable and revocable.

Revoke in one click

Disable any key instantly. Changes take effect in under a second, no credential rotation needed.

Quick Start

You can be up and running in under two minutes:

1
Add a service
In your dashboard, click "Add service". Paste the base URL of the API you want to proxy (e.g. https://api.openai.com) and your real API key or credentials. ShieldNode automatically detects the authentication format, Bearer token, API key header, or Basic Auth.
2
Create a virtual key
Click "New key" on your service. Give it a name, optionally set a rate limit (requests/min), a total request cap, or an expiry. Your virtual key is generated instantly.
Your virtual key is shown only once at creation. Store it securely, we don't store it in plaintext.
3
Use the virtual key
Replace the API base URL with your ShieldNode proxy URL, and use the virtual key as the API key. That's it. The caller's request is forwarded to the real API automatically, they never see your real credentials.

Example, before and after

Before (exposes your real key):

curl https://api.openai.com/v1/chat/completions \
-H "Authorization: Bearer sk-proj-real-secret-key"

After (virtual key only, your real key stays hidden):

curl https://proxy.shieldnode.app/your-service-id/v1/chat/completions \
-H "X-Api-Key: ask_vk_••••••••"

Works with virtually any HTTP API, including:

OpenAI Anthropic Mistral Stripe Twilio Resend Supabase GitHub Mailgun Airtable Shopify Custom REST APIs

Push approval

Push approval is the feature that changes how comfortable you are giving an AI agent access to real APIs. Keep a virtual key disabled by default. When your agent tries to use it, your phone gets a notification: “Claude is requesting 15 min access to your OpenAI key”with two buttons, Approve and Decline. You tap once. The key activates for a bounded window. It auto-disables when the window ends.

How a single request feels

1. The agent calls the key. The key is off. The proxy replies 403 approval_required with a request id and a polling cadence.
2. The mobile app receives a push notification. Title shows the service name. Body shows who is asking and for how long.
3. You tap Approve. The key activates for the agreed duration. The agent's next retry returns 200.
4. When the window ends, the key auto-disables. The next call by the agent triggers a new push.

Configuring the window

Every virtual key has a default approval window (default 30 min, configurable per key on creation). Agents can override it on each call by sending the X-Approval-Duration header (1 to 1440 minutes). When you approve, the mobile app shows the requested duration and lets you confirm, override (5 min, 1 h, 8 h), or decline.

Agents are encouraged to identify themselves with the X-Agent-Name header (capped to 60 characters). The notification then reads “Claude requests 15 min on production-key”instead of the generic “External agent requests…”. Specific identities get approved. Generic ones get ignored.

Example: an agent asking for 15 minutes on OpenAI

curl -X POST https://proxy.shieldnode.app/v1/chat/completions \
  -H "X-Api-Key: sk_live_..." \
  -H "X-Agent-Name: Claude" \
  -H "X-Approval-Duration: 15m" \
  -H "Content-Type: application/json" \
  -d '{"model": "gpt-4o", "messages": [...]}'

# Response while waiting for approval (HTTP 403):
# {
#   "error": "approval_required",
#   "request_id": "...",
#   "requested_minutes": 15,
#   "poll_interval_seconds": 30,
#   "timeout_seconds": 300
# }

# Once approved, the next retry returns the upstream 200.

Push approval requires the ShieldNode mobile app. If you have no device registered, the proxy falls back to a plain 403 key_disabled so agents do not learn about the approval channel from a credentials they should not have.

Security

Security is the core premise of ShieldNode, not an afterthought. Here is what we guarantee:

Military-grade encryption at rest

Your real API credentials are encrypted using industry-standard symmetric encryption before being persisted. They are never written to disk or stored in any database in plaintext.

Zero plaintext credential storage

No part of our system, application servers, databases, logs, or caches, ever holds your real credentials in plaintext. Decryption happens in memory, on demand, only during request forwarding.

Virtual keys are hashed, not stored

Virtual keys are hashed on creation. The hash is what gets stored and compared during authentication. The plaintext key is shown exactly once, at creation time, and is never recoverable afterward.

Request forwarding, not body inspection

We forward requests transparently. We log request metadata (method, path, status, latency) but we do not log or inspect request or response bodies. Your data stays private.

Instant revocation

Revoking or disabling a key invalidates it in under one second via in-memory cache invalidation. There is no propagation delay. The key stops working immediately.

Configurable access controls

Each virtual key can be restricted to specific API endpoints, capped at a request rate, given a total request cap, or set to expire. Limit exposure to exactly what is needed, nothing more.

Use Cases

AI agents & automation

Give your agent its own virtual key
Cap its rate and total request count
Restrict to specific endpoints (e.g. only /v1/chat/completions)
Delete the key when the task is done

Team & client access

One key per team member or client
Independent rate limits per key
See who used what in the request logs
Revoke access without rotating your real key

Freelancers & contractors

Grant temporary access for a project
Disable the key when the engagement ends
Never hand over your real credentials
No credential rotation needed on offboarding

Development & staging

Separate keys per environment
Lower rate limits on dev to control costs
Safe to commit proxy URL to version control
Switch which real key a proxy uses at any time

Features

Virtual proxy keys, Unique credentials that forward to your real API. Shown once, never stored in plaintext.

Instant revocation, Disable any key in under one second. Propagated via in-memory cache invalidation.

Auto auth detection, Automatically identifies the authentication scheme, Bearer, API key header, Basic Auth, from the base URL and credentials you provide.

Rate limiting, Cap requests per minute per virtual key. Exceeding the limit returns 429 Too Many Requests.

Total request caps, Cap a key at a fixed total number of requests. Once the cap is reached, further calls are rejected.

Endpoint restrictions, Restrict a key to specific URL paths. A key scoped to /v1/embeddings cannot call /v1/images.

Request logs, Every proxied request is logged: method, path, HTTP status, latency, and timestamp. No request or response bodies.

Toggle on/off, Pause a key without deleting it. Re-enable it at any time, effective in under one second.

Multiple services, Add as many APIs as you need under one account. Each service has its own virtual key pool.

FAQ

Do I need to change my code to use ShieldNode?

Mostly no. You only need to replace the API base URL with your ShieldNode proxy URL, and use the virtual key instead of your real key. The rest of your code stays the same.

What happens if I lose a virtual key?

You can delete the old key and generate a new one in seconds. The deleted key stops working immediately. Your real credentials are unaffected and do not need to be rotated.

Can ShieldNode read my API responses?

No. We forward requests and log metadata (method, path, status, latency). We do not log, store, or inspect request or response bodies.

Does it work with APIs that use non-standard authentication?

ShieldNode supports Bearer token, API key headers (e.g. x-api-key, Authorization), and HTTP Basic Auth. These cover the vast majority of public APIs. Custom auth schemes may require manual configuration.

Is there any latency overhead?

Forwarding adds a small overhead, typically a few milliseconds. For most use cases this is imperceptible. The exact overhead depends on network distance to our proxy servers.

What if I want to delete my account and all my data?

You can delete your account from the settings page at any time. All encrypted credentials and associated data are permanently deleted from our systems.

Contact

Need help, found a bug, or want to talk about a use case we have not thought of yet? Email us. We read everything and reply fast.

contact@shieldnode.app

Support, bug reports, billing questions, partnerships.

Ready to get started?

Free plan available, no credit card required. Add your first service and create a virtual key in under two minutes.

Create your free account