
Authentication

ShieldAgent uses Bearer token authentication for all API and proxy requests. There are two token types: agent keys for MCP proxy calls, and admin API keys for management operations.

Token types

Agent Key (sa_live_)

Use: Authenticate MCP proxy requests. Scoped to a single agent within a tenant.

Obtain: Dashboard → Agents → [your agent] → Keys

Admin API Key (sa_admin_)

Use: Manage tenants, agents, policies, and audit logs via the REST API.

Obtain: Dashboard → Settings → API Keys → New Key

Making authenticated requests

Pass the token in the Authorization header:

```bash
# MCP proxy request (agent key)
curl -X POST https://proxy.shieldagent.io/mcp \
  -H 'Authorization: Bearer sa_live_YOUR_AGENT_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"method": "tools/call", "params": {...}}'

# Management API request (admin key)
curl https://api.shieldagent.io/tenants \
  -H 'Authorization: Bearer sa_admin_YOUR_ADMIN_KEY'
```

Key rotation

Rotate agent keys without downtime using the two-key overlap pattern:

  1. Generate a new key — the old key remains active.
  2. Update your agent configuration to use the new key.
  3. Verify the new key is working in the dashboard Events tab.
  4. Revoke the old key.

Error responses

401: Missing or malformed Authorization header
403: Valid key but insufficient permissions for this operation
429: Rate limit exceeded — see Retry-After header
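
Added example, not ShieldAgent's own code: a POSIX shell helper that ties the rotation steps to the error codes above. It checks that a key's prefix matches the endpoint it is sent to, then reads a saved curl header dump (`curl -D`) to decide whether the old key can be revoked. The function names, the 60-second fallback, and treating a 2xx response to a request made with the new key as proof that it works are assumptions.

```shell
#!/bin/sh
# Added example (not ShieldAgent code): checks to run between steps 3 and 4
# of the rotation above, before the old key is revoked.

# key_type KEY: classify a token by the prefixes documented on this page.
key_type() {
  case "$1" in
    sa_live_?*)  echo agent ;;
    sa_admin_?*) echo admin ;;
    *)           echo unknown ;;
  esac
}

# endpoint_allowed KEY URL: succeed only when the key type matches the host,
# so an admin key never ends up in an agent's proxy configuration.
endpoint_allowed() {
  case "$(key_type "$1"):$2" in
    agent:https://proxy.shieldagent.io/*) return 0 ;;
    admin:https://api.shieldagent.io/*)   return 0 ;;
    *)                                    return 1 ;;
  esac
}

# next_step: read a curl header dump (curl -D -) on stdin and print what to do.
# Assumption: a 2xx answer to a request sent with the new key means it works.
next_step() {
  tr -d '\r' | awk '
    /^HTTP\//                     { status = $2; retry = "" }  # last response wins
    tolower($1) == "retry-after:" { retry = $2 }
    END {
      if (status ~ /^2[0-9][0-9]$/) print "revoke-old-key"
      else if (status == "401")     print "keep-old-key: header missing or malformed"
      else if (status == "403")     print "keep-old-key: key valid, permission missing"
      else if (status == "429") {   # Retry-After may be an HTTP date; 60 s is our fallback
        print "retry-in " (retry ~ /^[0-9]+$/ ? retry : 60)
      } else                        print "keep-old-key: unexpected status " status
    }'
}

# Constructed sample response, not captured from the service.
SAMPLE='HTTP/1.1 429 Too Many Requests
Retry-After: 12
'
printf '%s' "$SAMPLE" | next_step   # prints: retry-in 12
```

Only a `revoke-old-key` result should lead to step 4; every other outcome leaves the old key active so the agent keeps working while the problem is fixed.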
