Nothing — unless they also control your infrastructure. A shield token only works through ShieldKey's proxy, which enforces IP allowlists, rate limits, geo-restrictions, and time-based policies before any request reaches the destination. The proxy is a chokepoint you control, with rules the attacker can't bypass.

Transparency by default

Security Model

A transparent walkthrough of what ShieldKey defends against, how each layer works, what you're trusting, and where the boundaries are. Read the model, verify the math, audit the code.

See the defense layers What you're trusting →
encryption AES-256-GCM key derivation Argon2id enforcement 5 independent layers revoke via email reply
The real problem

API keys have no access control

According to Salt Security's 2024 State of API Security Report, 95% of organizations experienced security problems in production APIs. This isn't about encryption or token swapping. A raw API key is a skeleton key. It has no concept of who's using it, from where, how often, or whether it should still be active.

What a raw API key gives an attacker

When someone gets your Stripe key sk_live_..., they can use it from any IP address, any country, at any volume, at any time of day, and your only signal is the bill at the end of the month. The key has no opinions about who holds it. It simply works.

What a shield token gives an attacker

Nothing — unless they also control your infrastructure. A shield token only works through ShieldKey's proxy, which enforces IP allowlists, rate limits, geo-restrictions, and time-based policies before any request reaches the destination. The proxy is a chokepoint you control, with rules the attacker can't bypass.

CapabilityRaw API keyShield token
IP restriction None. Works from any IP. Locked to your server CIDRs.
Rate limiting Provider's global limits only. Per-token sliding window.
Instant revocation Log into provider, rotate, redeploy. Reply "REVOKE" from your phone. Or one click. Real key untouched.
Audit trail No visibility until the invoice. Every request logged with IP, geo, timing.
Anomaly detection None. Alerts on volume, geo, error spikes.
Key rotation Requires code changes everywhere. Rotate at provider. Token unchanged.
Breach response Hours of scrambling. Kill token. Seconds. Done.
Offboarding Rotate every key they ever saw. Redeploy everything. Revoke their tokens. Real keys untouched.
Attack scenarios

What happens when keys leak

FireTail's 2024 report found 1.6 billion records exposed via API vulnerabilities that year. GitGuardian's 2025 Secrets Sprawl Report counted 23.8 million new secrets leaked on public GitHub in 2024, most never revoked. Same breach, two outcomes.

Scenario A: Database breach — raw Stripe key
01Attacker breaches your platform database.
02Finds sk_live_4eC39HqLyjWDarjtT1zdp7dc in the API keys table.
03Calls api.stripe.com directly from their own machine. Key works.
04Creates charges, transfers funds, exfiltrates data. No alerts, no limits, no trace.
→ Full compromise. Attacker has unrestricted API access.
Scenario B: Same breach — shield token via ShieldKey
01Attacker breaches your platform database.
02Finds sk_shield_7f3a9b2c1d8e5f6a in the API keys table.
03Tries api.stripe.com directly. Rejected — Stripe doesn't recognize shield tokens.
04Tries proxy.shieldkey.io proxy. Rejected — request IP not in allowlist.
05Even if they spoofed the IP: rate limit ceiling hit, anomaly alert fires, you're notified.
06You revoke the token in one click. Real Stripe key stays active for legitimate services.
→ Zero compromise. Attacker gets nothing usable.
Scenario C: Contractor offboarded — had access to API keys
01A contractor's engagement ends. They had access to your codebase, CI/CD, and .env files during the project.
02Without ShieldKey: They have your real Stripe, OpenAI, and AWS keys memorized, screenshotted, or in their shell history. Those keys still work. You'd need to rotate every key they ever saw, then redeploy every service. Most teams never do this.
03With ShieldKey: They saw shield tokens, not real keys. Revoke their tokens in one click. Even if they saved the tokens, the proxy rejects them instantly. Real keys at every provider stay untouched. No rotations, no redeployments, no scramble.
→ Clean offboarding in seconds, not days. No risk of forgotten key rotations.
Architecture diagrams

Registration + request flow

Registration You ShieldKey Storage | | | |-- real API key ------->| | | |-- encrypt(AES-256-GCM) -->| encrypted blob | |-- generate shield token | |<-- shield token ------| | |<-- proxy URL ---------| | Request flow -- every request passes through enforcement Your App ShieldKey Proxy Destination | | | |-- shield token ------->| | | |-- check IP allowlist | | |-- check rate limit | | |-- check geo-restriction | | |-- check token state | | |-- decrypt blob (in-memory) | | |-- real key --------------->| | | (zeroed from memory) | |<-- response ------------|<--- response -------------| | |-- log to audit trail |
Core thesis

Why a proxy gateway, not just encryption

A common question: "If I swap my Stripe key for a shield token, and the attacker has the shield token and knows the proxy URL, aren't they in the same position?"

Yes -- if that's all ShieldKey did. If we only replaced one string with another, an attacker with the token and the proxy URL could call the proxy and the request would forward. That's why token indirection alone is not the security model.

The security comes from what the proxy enforces before it ever touches the encrypted key:

What happens when a request hits ShieldKey's proxy Incoming request with shield token | v +---------------------+ | IP ALLOWLIST CHECK | <- Is the source IP in the allowed CIDRs? | FAIL -> 403 | Attacker's IP? Blocked here. No decryption. +---------+-----------+ v +---------------------+ | RATE LIMIT CHECK | <- Has this token exceeded its request ceiling? | FAIL -> 429 | Brute force? Throttled immediately. +---------+-----------+ v +---------------------+ | GEO RESTRICTION | <- Is the request from an allowed country? | FAIL -> 403 | Wrong continent? Blocked. +---------+-----------+ v +---------------------+ | TOKEN STATE CHECK | <- Is the token active? Expired? Revoked? | FAIL -> 401 | Revoked token? Dead on arrival. +---------+-----------+ v +---------------------+ | DECRYPT + FORWARD | <- All checks passed. Decrypt real key in | ZERO MEMORY | volatile memory. Forward. Zero immediately. +---------+-----------+ v +---------------------+ | AUDIT LOG | <- Log metadata. No keys. No bodies. +---------------------+

Every enforcement check happens before decryption. An attacker who fails the IP check never triggers decryption of your real key. The encrypted blob stays sealed.

Defense in depth

Five layers, each independent

Salt Security found that only 14% of organizations have an API posture governance strategy. Traceable and Ponemon's 2025 report puts the number who can detect attacks at the API layer at just 21%. ShieldKey's security is not a single mechanism. It's a stack of five independent enforcement layers. An attacker would need to defeat all of them simultaneously, and the audit trail would still catch them.

layer 1 -- hardest to defeat

IP allowlisting

Each shield token is locked to a set of CIDR ranges you define, typically your server IPs. The proxy checks the source IP of every request against this allowlist before doing anything else. An attacker calling from their own machine, a VPS, or any IP outside your ranges is rejected with a 403.

This is the most important layer. Without control of your infrastructure, the attacker cannot use the token at all. Even if they have the token, the proxy URL, and knowledge of the API, they're blocked at the network level.

Blocks: External attackers, credential stuffing, stolen tokens used from outside your infra
layer 2 -- damage limitation

Per-token rate limiting

Sliding-window rate limits per shield token. Even in a scenario where an attacker somehow makes requests from an allowed IP (e.g., they've compromised one of your servers), they immediately hit the rate ceiling. This limits the blast radius and buys you time.

Blocks: Runaway usage, compromised server abuse, cost amplification attacks
layer 3 -- geographic fence

Geo-restrictions

Restrict token usage to specific countries or regions. If your servers are in US-East and EU-West, block everything else. Attackers operating from other regions are rejected regardless of IP.

Blocks: Foreign-origin attacks, geographically distant VPS abuse
layer 4 -- instant response

Token state + instant revocation

Shield tokens have explicit states: ACTIVE, PAUSED, REVOKED, EXPIRED. The moment you detect something wrong, you have three options: reply "REVOKE" directly from the anomaly alert email (works from your phone, watch, anywhere), click revoke in the dashboard, or call the API. The next request with that token is rejected. Your real API key at the provider is untouched, so your other integrations continue working.

Compare this to revoking a raw API key: you log into the provider, regenerate the key, then redeploy every service that uses it. That's hours. ShieldKey revocation is seconds — reply to an email and it's done.

Blocks: Ongoing breach exploitation, provides immediate incident response
layer 5 -- detection

Audit trail + anomaly detection

Every proxied request is logged: timestamp, source IP, geo, HTTP status, latency. No request bodies, no API keys. Just metadata. The system checks for anomalies every 5 minutes: unusual source IPs, request volume spikes (3x above your 7-day average), and error rate surges. Alerts fire automatically via email — and you can reply "REVOKE" directly from the alert to kill the token instantly.

IBM's 2024 Cost of a Data Breach Report puts the average breach lifecycle at 258 days to identify and contain. With a raw API key, you have no visibility until the provider's invoice arrives. With ShieldKey, you see suspicious requests within minutes and can kill access from your phone.

Blocks: Nothing directly, but detects everything. Feeds directly into layer 4 for rapid response.
Attack surface analysis

What we defend against -- and what we don't

Traceable and Ponemon found that 57% of organizations experienced an API breach in the past two years. IBM puts the average cost of a data breach at $4.88 million. Transparency about limitations builds more trust than overpromising. Here's where ShieldKey stands.

Attack vectorDefenseStatus
Database breach at your platform Attacker finds shield tokens, not real keys. Tokens blocked by IP allowlist at the proxy. Defended
Source code / .env leak Code contains shield tokens + proxy URL. Tokens useless without allowed source IP. Defended
Log file exposure Only shield tokens appear in logs. Real keys never leave ShieldKey's proxy boundary. Defended
Supply chain attack (malicious dependency) Dependency exfiltrates tokens. Tokens unusable from attacker's infrastructure. Defended
Insider with DB access DB contains shield tokens + encrypted blobs. Tokens IP-restricted. Blobs require master key. Defended
Employee / contractor departure Departing person had shield tokens, not real keys. Revoke their tokens instantly. Real keys at all providers stay active. No rotations, no redeployments. Defended
Disgruntled former employee Saved shield tokens from their time at the company. Tokens are revoked on departure and IP-locked to company infra. Both checks block access. Defended
Compromised server in your infra Attacker has allowed IP but hits rate limits. Anomaly detection flags unusual patterns. Revoke token. Partially defended
ShieldKey's proxy infrastructure compromised Mitigated by: immutable deploys, process isolation, memory zeroing, no-write containers, open-source audit. Mitigated, not eliminated
ShieldKey acts maliciously Mitigated by: open-source proxy code, third-party audits, future self-hosted proxy option for Enterprise. Mitigated, not eliminated
State-level adversary targeting ShieldKey We cannot guarantee defense against state-level actors with physical access to infrastructure. Not defended
The honest tradeoff

ShieldKey reduces your attack surface from "every system that touches an API key" to "ShieldKey's proxy infrastructure only." That's a significant reduction. But it's not zero. You are trusting our proxy. We mitigate this with open-source code, third-party audits, immutable infrastructure, and a future self-hosted option. We'll never claim otherwise.

Personnel security

The offboarding problem nobody solves

GitGuardian found 23.8 million secrets leaked on public GitHub in 2024, most from zombie leaks that were never revoked. Every security framework talks about access revocation when employees and contractors leave. Almost no company does it properly for API keys.

When a developer, contractor, or agency with API key access leaves your organization, those keys are compromised. They exist in shell histories, local .env files, CI/CD logs, Slack messages, password managers, and screenshots. To truly revoke access, you'd need to rotate every key they ever touched at every provider, then redeploy every service that uses those keys. This is so painful that most teams skip it entirely or do it partially -- leaving a window of exposure that can last months or indefinitely.

With ShieldKey, the departing person never had real API keys. They used shield tokens, and those tokens have three independent kill mechanisms:

immediate

Token revocation

Revoke their shield tokens the moment they leave — from the dashboard, the API, or by replying "REVOKE" to an alert email from your phone. The next request with that token returns 401. Their saved tokens are now dead strings. No provider-side rotation needed, no redeployment, no risk of missing one.

automatic

Token expiration

Set expiration dates that match contract end dates. When the engagement ends, tokens auto-expire without anyone needing to remember to revoke them. This is the safety net for the revocation you forgot to do.

always active

IP enforcement

Even if revocation was delayed and the token hasn't expired, the IP allowlist blocks the former employee's requests. They're no longer on your network, so the proxy rejects them before decryption. This is defense that works even when your offboarding process fails.

With raw API keys, every person who leaves is a potential breach. With ShieldKey, every departure is a one-click cleanup that takes seconds, backed by automatic expiration and IP enforcement as safety nets. The real keys at your providers never change. Your production services keep running. Your other team members are unaffected.

This applies to full-time employees, part-time contractors, freelancers, development agencies, and any third party that touches your API integrations during their engagement.

Trust model

What you're trusting when you use ShieldKey

You trust that ShieldKey's proxy infrastructure has not been compromised. We mitigate this with immutable container deployments (no runtime modifications), process isolation between proxy workers, automatic memory zeroing after each request, no SSH access to production, and automated dependency scanning.

You trust that ShieldKey does not log or exfiltrate decrypted keys. We mitigate this by open-sourcing the proxy code so you can verify the claim, and by commissioning third-party security audits. The proxy has no disk write capability in production. Decrypted keys exist only in volatile memory.

You trust that ShieldKey's master encryption key is secure. We mitigate this with HSM-backed key storage, split-knowledge key ceremonies, and key rotation procedures.

Future: Self-hosted proxy

For organizations that need to eliminate even this trust, our Enterprise roadmap includes a self-hosted proxy agent. You run the proxy on your own infrastructure. ShieldKey's server stores only the encrypted blob. Your agent handles all decryption locally. This makes the system fully zero-knowledge. We never see your real keys at any point.

At-rest encryption

How real keys are stored

Even if an attacker bypassed all proxy enforcement and accessed our blob storage directly, they'd find only encrypted data. Each real key is encrypted individually with a unique salt and IV.

Blob format (binary layout) +------+----------+--------+----------+--------------+ | ver | salt | iv | tag | ciphertext | | 1 B | 32 B | 12 B | 16 B | variable | +------+----------+--------+----------+--------------+ Encryption: AES-256-GCM (NIST SP 800-38D) Key derivation: Argon2id (RFC 9106) -> memory: 64 MiB -> iterations: 3 -> parallelism: 4 -> output: 256-bit symmetric key Additional Authenticated Data (AAD): shield_token_id + provider + creation_timestamp Version byte enables future algorithm migration without breaking existing blobs. Current: 0x01

The version byte is forward-looking. If a cryptographic weakness is discovered in AES-256-GCM (unlikely but possible), we can migrate to a new algorithm and re-encrypt all blobs without users needing to re-register keys.

Alternatives

How ShieldKey compares to other approaches

Salt Security's 2024 report found API usage grew 167% in the past year, but only 7.5% of organizations have dedicated API testing or threat modeling. APIs are proliferating faster than anyone is securing them.

Environment variables / .env files -- Your key is plaintext in a file. Any process on the machine can read it. Any developer with SSH access has it. Any log that accidentally prints env vars exposes it. No access control whatsoever.

Secrets managers (Vault, AWS Secrets Manager, etc.) -- Better. Keys are encrypted at rest and access-controlled. But the application still receives the plaintext key at runtime and uses it directly. A compromised application process has the real key in memory for its entire lifecycle. ShieldKey's advantage: the real key exists in memory for one HTTP request, then is zeroed.

Provider-level IP restrictions -- Some providers (Stripe, Google) offer IP restriction natively. If your provider supports it, use it in addition to ShieldKey. But most API providers don't, and none offer per-key rate limiting, audit trails, instant revocation decoupled from key rotation, or anomaly detection. ShieldKey gives you a uniform enforcement layer across all providers.

API gateways (Kong, Apigee, etc.) -- API gateways manage your inbound API. ShieldKey manages your outbound API keys. They solve different problems and can work together.