Shield Token
Shield Token is a revocable proxy credential issued by ShieldKey that grants scoped access to an encrypted API key without exposing the underlying secret.
Why It Matters
Traditional API key sharing forces teams to choose between security and convenience. Shield tokens solve this by giving each team member their own revocable credential with built-in enforcement policies, eliminating the need to share raw API keys.
How It Works
When you store an API key in ShieldKey, the system encrypts it with AES-256-GCM and generates Shield Tokens (prefixed sk_shield_t_) for team members. Each token maps to the encrypted key and carries its own permissions. Requests using a Shield Token are proxied through ShieldKey, which decrypts the real key in memory and forwards the request.
Best Practices
- Issue one Shield Token per team member; never share tokens
- Apply IP restrictions and spend limits to each token
- Revoke tokens immediately when team members depart
- Monitor token usage in the audit log
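The per-token checks described under How It Works and Best Practices can be modelled as follows. This is an added example, not ShieldKey's own code: `TokenStore`, `Policy`, the decision strings and storing only a SHA-256 digest of each token are assumptions made for illustration, and the AES-256-GCM storage of the real key is left out.

```python
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass

PREFIX = "sk_shield_t_"  # token prefix stated on the page

@dataclass
class Policy:  # hypothetical per-token record
    member: str
    key_id: str              # which stored (encrypted) API key the token maps to
    allowed_nets: list
    spend_limit_cents: int
    spent_cents: int = 0
    revoked: bool = False

class TokenStore:  # hypothetical model of the proxy's policy check
    def __init__(self):
        self.policies = {}   # sha256(token) -> Policy; raw tokens are not kept
        self.audit = []      # (member, key_id, client_ip, decision)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, member, key_id, cidrs, spend_limit_cents):
        token = PREFIX + secrets.token_urlsafe(32)
        nets = [ipaddress.ip_network(c) for c in cidrs]
        self.policies[self._digest(token)] = Policy(member, key_id, nets, spend_limit_cents)
        return token  # shown once to the member

    def revoke(self, token):
        self.policies[self._digest(token)].revoked = True

    def authorize(self, token, client_ip, cost_cents):
        """Return (allowed, decision); every decision is written to the audit log."""
        p = self.policies.get(self._digest(token)) if token.startswith(PREFIX) else None
        if p is None:
            decision = "deny:unknown_token"
        elif p.revoked:
            decision = "deny:revoked"
        elif not any(ipaddress.ip_address(client_ip) in n for n in p.allowed_nets):
            decision = "deny:ip_not_allowed"
        elif p.spent_cents + cost_cents > p.spend_limit_cents:
            decision = "deny:spend_limit"
        else:
            p.spent_cents += cost_cents
            decision = "allow"
        self.audit.append((p.member if p else None, p.key_id if p else None, client_ip, decision))
        return decision == "allow", decision
```

Because each member holds a distinct token, revoking one leaves the others and the underlying key untouched, and each audit entry names a single person.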
Common Mistakes
- Sharing a single Shield Token across multiple people (defeats attribution)
- Not setting IP restrictions on tokens used in production
How ShieldKey Helps
Shield Tokens are ShieldKey's core product — revocable, scoped, auditable proxy credentials that replace raw API key sharing entirely.
FAQ
What is a Shield Token?
A Shield Token is a proxy credential from ShieldKey that lets you use an API without seeing the real API key. It can be instantly revoked without affecting other team members or the underlying key.