ShieldNode Docs
ShieldNode lets you share API access with anyone — teammates, clients, or AI agents — without ever exposing your real credentials. Setup takes under two minutes.
What is ShieldNode?
ShieldNode is a secure proxy gateway that sits between your callers and any third-party API. Instead of sharing your real API key, you create a virtual key — a unique credential that routes through ShieldNode to the real API.
Virtual keys are disposable, configurable, and revocable in under a second. Your real credentials are never sent to callers and never stored in plaintext — anywhere.
Paste your credentials once
Add your real API key and endpoint URL once. ShieldNode handles the rest automatically.
Create virtual keys in seconds
Generate as many virtual keys as you need. Each is independently configurable and revocable.
Revoke in one click
Disable any key instantly. Changes take effect in under a second — no credential rotation needed.
Quick Start
You can be up and running in under two minutes:
- 1
Add a service
In your dashboard, click "Add service". Paste the base URL of the API you want to proxy (e.g. https://api.openai.com) and your real API key or credentials. ShieldNode automatically detects the authentication format — Bearer token, API key header, or Basic Auth.
- 2
Create a virtual key
Click "New key" on your service. Give it a name, optionally set a rate limit (requests/min) or a spending budget. Your virtual key is generated instantly.
Your virtual key is shown only once at creation. Store it securely — we don't store it in plaintext.
- 3
Use the virtual key
Replace the API base URL with your ShieldNode proxy URL, and use the virtual key as the API key. That's it. The caller's request is forwarded to the real API automatically — they never see your real credentials.
Before (exposes your real key):
-H "Authorization: Bearer sk-proj-real-secret-key"
After (virtual key only — your real key stays hidden):
-H "X-Api-Key: ask_vk_••••••••"
Works with virtually any HTTP API, including:
Security
Security is the core premise of ShieldNode — not an afterthought. Here is what we guarantee:
Military-grade encryption at rest
Your real API credentials are encrypted using industry-standard symmetric encryption before being persisted. They are never written to disk or stored in any database in plaintext.
Zero plaintext credential storage
No part of our system — application servers, databases, logs, or caches — ever holds your real credentials in plaintext. Decryption happens in memory, on demand, only during request forwarding.
Virtual keys are hashed, not stored
Virtual keys are hashed on creation. The hash is what gets stored and compared during authentication. The plaintext key is shown exactly once — at creation time — and is never recoverable afterward.
Request forwarding, not body inspection
We forward requests transparently. We log request metadata (method, path, status, latency) but we do not log or inspect request or response bodies. Your data stays private.
Instant revocation
Revoking or disabling a key invalidates it in under one second via in-memory cache invalidation. There is no propagation delay. The key stops working immediately.
Configurable access controls
Each virtual key can be restricted to specific API endpoints, capped at a request rate, or given a spending budget. Limit exposure to exactly what is needed — nothing more.
Use Cases
AI agents & automation
- Give your agent its own virtual key
- Set a spending budget so it can't go over
- Restrict to specific endpoints (e.g. only /v1/chat/completions)
- Delete the key when the task is done
Team & client access
- One key per team member or client
- Independent rate limits per key
- See who used what in the request logs
- Revoke access without rotating your real key
Freelancers & contractors
- Grant temporary access for a project
- Disable the key when the engagement ends
- Never hand over your real credentials
- No credential rotation needed on offboarding
Development & staging
- Separate keys per environment
- Lower rate limits on dev to control costs
- Safe to commit proxy URL to version control
- Switch which real key a proxy uses at any time
Features
FAQ
Do I need to change my code to use ShieldNode?
Mostly no. You only need to replace the API base URL with your ShieldNode proxy URL, and use the virtual key instead of your real key. The rest of your code stays the same.
What happens if I lose a virtual key?
You can delete the old key and generate a new one in seconds. The deleted key stops working immediately. Your real credentials are unaffected and do not need to be rotated.
Can ShieldNode read my API responses?
No. We forward requests and log metadata (method, path, status, latency). We do not log, store, or inspect request or response bodies.
Does it work with APIs that use non-standard authentication?
ShieldNode supports Bearer token, API key headers (e.g. x-api-key, Authorization), and HTTP Basic Auth. These cover the vast majority of public APIs. Custom auth schemes may require manual configuration.
Is there any latency overhead?
Forwarding adds a small overhead — typically a few milliseconds. For most use cases this is imperceptible. The exact overhead depends on network distance to our proxy servers.
What if I want to delete my account and all my data?
You can delete your account from the settings page at any time. All encrypted credentials and associated data are permanently deleted from our systems.
Ready to get started?
Free plan available — no credit card required. Add your first service and create a virtual key in under two minutes.
Create your free account