The fastest, easiest, most secure way to protect API keys. We never see your keys — they're encrypted with AES-256-GCM before they leave your request. Revoke a compromised key from your inbox in seconds. Built for solo devs, startups, and enterprise.

  • 1,181 live keys exposed
  • 15,857 leaked credentials
  • 15,035 repos affected
exposed and at risk right now (*based on weekly scans of public GitHub repositories)

  • Zero-knowledge: we never see your keys
  • Reply "REVOKE": kill a key from your inbox
  • 2 lines of code to migrate any API key
  • Free forever: up to 3 keys, no card
The people problem

Keys outlive the people who touched them

The average breach takes 258 days to detect. 23.8 million API secrets were leaked on public GitHub in 2024, most never revoked. Every person who leaves your organization carries credentials with them.

Contractor offboarded (contractors)

✕ Without ShieldKey: They have your real keys in their shell history and local .env files. Those keys still work. You'd need to rotate every key they touched, then redeploy every service.
✓ With ShieldKey: Revoke their shield tokens in one click. Real keys stay untouched. Done in seconds.

Employee quit (employees)

✕ Without ShieldKey: They had access to production keys across five providers. IT disables their laptop but forgets about the API credentials in their personal notes and CI/CD configs.
✓ With ShieldKey: Select their tokens, click revoke. Every provider is cut off instantly. No rotations, no redeployments.

Agency engagement ended (agencies)

✕ Without ShieldKey: The agency had six developers. Each one had access to your keys. Good luck tracking down which credentials ended up where across their organization.
✓ With ShieldKey: Tokens auto-expire when the engagement ends. Even if they saved them, the proxy rejects everything.
Offboarding

Two ways to handle someone leaving. One of them works.

The painful way — rotate everything

Without ShieldKey

A contractor finishes a 3-month project. During that time they had access to your Stripe test and live keys, your OpenAI key, your SendGrid key, and two AWS IAM credentials. To properly offboard them, you need to rotate all five keys at their respective providers, update every service that uses them, redeploy everything, and verify nothing broke. Realistically? Most teams rotate one or two, forget the rest, and hope for the best.

The ShieldKey way — revoke tokens, done

With ShieldKey

The contractor never saw a real API key. They used shield tokens scoped to their work, locked to your infrastructure IPs, with rate limits and audit trails. When they leave: open the dashboard, select their tokens, click revoke. Done. All five tokens are dead in seconds. Real keys at every provider stay active. No rotations, no redeployments, no forgotten credentials.

Attack scenarios

Same breach, two outcomes

1.6 billion records were exposed via API vulnerabilities in 2024 alone. Walk through what an attacker actually faces.

Without ShieldKey

01. Contractor's engagement ends. They had access to codebase, CI/CD, and .env files.
02. They have your real Stripe, OpenAI, and AWS keys memorized, screenshotted, or in shell history. Those keys still work.
03. You'd need to rotate every key they ever saw, then redeploy every service. Most teams never do this.
→ Days of scrambling. Forgotten keys linger indefinitely.

With ShieldKey

01. Contractor saw shield tokens, not real keys.
02. Revoke their tokens in one click. Even saved tokens are rejected instantly by the proxy.
03. Real keys at every provider stay untouched. No rotations, no redeployments, no scramble.
→ Clean offboarding in seconds, not days.

Raw API key

01. Attacker breaches your database and finds API credentials.
02. Finds sk_live_4eC39HqLyjWDarjtT1zdp7dc. Calls Stripe directly. Key works.
03. Creates charges, transfers funds, exfiltrates data. No alerts, no limits, no trace.
→ Full compromise. Unrestricted API access.

Shield token

01. Attacker breaches your database and finds sk_shield_7f3a9b2c1d8e5f6a.
02. Tries Stripe directly — rejected, unrecognized token. Tries proxy — IP not in allowlist.
03. Rate limit hit. Anomaly alert fires. You reply "REVOKE" from your phone. Token dead.
→ Zero compromise. Attacker gets nothing usable.

The key insight

The security isn't in the token swap alone. If ShieldKey only replaced one string with another, an attacker with the token and proxy URL would be in the same position. The security is in the enforcement layers on the proxy — IP allowlists, rate limits, geo-restrictions, anomaly detection, and instant revocation that raw API keys simply don't have.

Architecture

How it works

Your real key is encrypted at rest and only decrypted in volatile memory for the duration of a single request.

01. Register key + set policies

Pass your real API key once. We encrypt it with AES-256-GCM (Argon2id derived key), store the blob, and purge plaintext from memory. Set IP allowlists, rate limits, geo rules.

02. Get a shield token

We return a sk_shield_... token via CSPRNG — no derivation from your real key. This is what lives in your codebase.

03. Requests hit the gateway

Before any decryption, the proxy enforces: IP allowlist, rate limit, geo restriction, token state, expiration. Only passing requests trigger decryption.

04. Ephemeral decrypt + forward

Real key decrypted in an isolated process, request forwarded over TLS, memory zeroed. Every request logged — no keys, no bodies, just metadata.

Integration

Two-line migration

Change the API key value and the base URL. Everything else stays identical.

✕ Vulnerable
import Stripe from 'stripe';

const stripe = new Stripe('sk_live_4eC39HqLyjWDarjtT1zdp7dc');
// ^ Anyone with this string has full access. No IP check. No limits.
✓ Protected
import Stripe from 'stripe';

const stripe = new Stripe('sk_shield_7f3a9b2c1d8e5f6a', {
  apiVersion: '2024-12-18.acacia',
  host: 'proxy.shieldkey.io/v1/stripe'
});
// ^ IP-locked, rate-limited, audited. Revoke in one click.
Registration

# Register a key with enforcement policies
$ curl https://api.shieldkey.io/v1/keys/register \
  -H "Authorization: Bearer $SHIELDKEY_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "openai",
    "key": "sk-proj-abc123...",
    "policies": {
      "ip_allowlist": ["203.0.113.0/24"],
      "rate_limit": { "requests": 1000, "window": "1h" },
      "geo_restrict": ["US", "EU"]
    }
  }'
The enforcement layer

Only 21% of companies can detect attacks at the API layer. Only 13% can prevent them.

Instant Revocation (primary)

Reply "REVOKE" to an alert email from your phone. Token is dead before you put it down. Or one click in the dashboard. Real key stays active. No redeployment, no code changes.

Dead Man's Switch (unique)

Auto-pause tokens if you don't check in. If you're unreachable, your keys stop working until you confirm you're okay. Reversible, not destructive.

IP Allowlisting (primary)

Lock each token to your server CIDRs. Attacker calls from their machine — rejected before decryption begins.

Per-Token Rate Limiting (rate control)

Sliding-window limits per shield token. Even from an allowed IP, attackers hit your ceiling immediately.

Full Audit Trail (visibility)

Every proxied request logged — timestamp, source IP, geo, status code, latency. Know about breaches immediately.

Anomaly Alerts (detection)

Unusual source IP? Volume spike? Error rate jump? Alert fires within minutes. Reply "REVOKE" directly from the alert email.

Key Rotation (operations)

Rotate the real key at the provider on demand. Shield token stays the same. Zero code changes, zero downtime.

RBAC Permissions (team)

Owner, Admin, Member, Viewer. Every permission change is audit-logged. Nobody sees real keys — not even admins.

By the numbers

What the data says about API key security

23.8 million API secrets were leaked on public GitHub in 2024. Most were never revoked.
Source: GitGuardian State of Secrets Sprawl 2025

  • 13M+ exposed secrets
  • $10.2M average US breach cost

The average data breach costs $4.88 million globally. In the United States, it's $10.2 million.
Source: IBM Cost of a Data Breach Report 2024

It takes 258 days on average to identify a compromised credential. ShieldKey detects anomalies in minutes.
Source: IBM / Ponemon Institute 2024

  • 241 days to detect a breach
  • 1 reply to revoke with ShieldKey

Get an anomaly alert, reply "REVOKE" from your phone. Token dead in seconds. Your real API key stays active. No dashboard, no rotations, no redeployments.

ShieldKey Pricing

For solo devs. For startups. For enterprise.
Average US breach: $10.2M. ShieldKey Pro: $19/mo.

Starter: $0 forever. Get started, no credit card.
  • 3 shield tokens
  • 10K proxied requests/mo
  • IP allowlisting
  • Basic audit log

Enterprise: $41/mo. 1M+ requests · scales from here.
  • Unlimited tokens + seats
  • Dead man's switch
  • SSO + SAML
  • Dedicated support
Frequently asked

Everything you need to know before you begin

How does ShieldKey work?
You register your real API key with ShieldKey once. We encrypt it with AES-256-GCM and return a proxy token. Use that token in your code with our proxy URL. Every request is authenticated, policy-checked, and forwarded with your real key — which never leaves our infrastructure.

Do I need to change my code?
No. Change two environment variables — your API key value and the base URL. Every SDK that supports a custom base URL works without code changes. That includes OpenAI, Anthropic, Stripe, and most other providers.

What happens if a shield token leaks?
Revoke it in one click and generate a new one. Your real API key stays active and untouched. The leaked token is rejected immediately at the proxy, even if the attacker has the correct proxy URL. IP allowlists and rate limits provide additional defense layers.

Which providers are supported?
Any provider that accepts bearer token authentication over HTTPS. We have first-class support for OpenAI, Anthropic, Stripe, AWS, Google Cloud, Twilio, and SendGrid. Custom provider configuration is available on all plans.

How much latency does the proxy add?
Median overhead is under 25 milliseconds. For most API calls — especially LLM requests that take seconds — the proxy overhead is negligible. We run on edge infrastructure close to major API providers.

How is my real key stored?
Your real key is encrypted at rest with AES-256-GCM using an Argon2id-derived key. It is only decrypted in volatile memory for the duration of a single request, then the memory is zeroed. We never log, cache, or persist plaintext keys.

What does the free plan include?
3 shield tokens, 10,000 proxied requests per month, IP allowlisting, and basic audit logging. No credit card required. That is enough for most solo developers and their active projects.
Your next step

Stop hoping your old contractors forgot your API keys.

Protect every API key your team uses. Proxy tokens with built-in spend limits, IP restrictions, and instant revocation.
