API Proxy Setup

Configure ShieldAgent as a transparent REST API proxy with per-endpoint policies and audit logging.

How the REST Proxy Works

In addition to MCP proxying, ShieldAgent can intercept REST API calls made by agents to external services (Stripe, Slack, internal microservices, etc.). Every request is authenticated, policy-checked, and audit-logged before forwarding.

Agent ──▶ ShieldAgent Proxy :$PROXY_PORT ──▶ External API
auth check · policy eval · audit write · rate limit

Register an API Endpoint

Tell ShieldAgent which external endpoints your agents are allowed to reach:

bash
curl -X POST https://api.shieldagent.io/api-endpoints \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <admin-key>' \
  -d '{
    "tenantId": "<tenant-id>",
    "name": "stripe-charges",
    "upstreamUrl": "https://api.stripe.com/v1/charges",
    "allowedMethods": ["GET", "POST"],
    "description": "Stripe charges API"
  }'

Configure Agent to Use the Proxy

Agents make REST calls to ShieldAgent instead of the external API directly. ShieldAgent forwards authenticated requests after policy evaluation.

Agent making a proxied REST call
# Instead of calling Stripe directly:
# curl https://api.stripe.com/v1/charges -H 'Authorization: Bearer sk_live_...'

# The agent calls the ShieldAgent proxy:
curl https://proxy.shieldagent.io/rest/stripe-charges \
  -H 'Authorization: Bearer <agent-key>' \
  -H 'Content-Type: application/json' \
  -d '{"amount": 2000, "currency": "usd", "source": "tok_..."}'

Per-Endpoint Policies

Apply method-level restrictions on top of endpoint registration:

policy — block DELETE on stripe-charges
{
  "tenantId": "<tenant-id>",
  "agentId": "<agent-id>",
  "toolName": "rest:stripe-charges",
  "action": "deny",
  "conditions": [
    {
      "type": "param_contains",
      "param": "method",
      "value": "DELETE"
    }
  ]
}

Response Filtering & DLP

ShieldAgent scans responses for sensitive data patterns (PII, secrets, card numbers) before returning them to the agent. Configure DLP rules per tenant:

bash
curl -X POST https://api.shieldagent.io/policies \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <admin-key>' \
  -d '{
    "tenantId": "<tenant-id>",
    "toolName": "rest:*",
    "action": "shadow",
    "conditions": [
      {
        "type": "response_contains_pii",
        "sensitivity": "high"
      }
    ]
  }'

Audit Trail for REST Calls

Every proxied REST request is recorded in the immutable audit trail with full request/response metadata:

bash
curl "https://api.shieldagent.io/audit?toolType=rest&agentId=<agent-id>&limit=50" \
  -H 'Authorization: Bearer <admin-key>'

Audit record fields

agentId
tenantId
toolName (rest:<endpoint-name>)
method
statusCode
durationMs
policyDecision
timestamp
merkleHash
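
The following is an added example, not ShieldAgent's own code: a triage pass over audit records that uses the field names listed above. The list-of-records shape, the policyDecision values ("allow", "deny", "shadow"), the local allowed-methods inventory and the rest:slack-post endpoint are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Registered methods per endpoint, mirroring the stripe-charges registration on this page.
ALLOWED = {"rest:stripe-charges": {"GET", "POST"}}

def rec(agent, tool, method, status, decision):
    """Build one constructed audit record using the field names listed above."""
    return {"agentId": agent, "tenantId": "tenant-1", "toolName": tool,
            "method": method, "statusCode": status, "durationMs": 120,
            "policyDecision": decision, "timestamp": "2024-01-01T00:00:00Z",
            "merkleHash": "<hash>"}

# Constructed sample data; "rest:slack-post" is a hypothetical, unregistered endpoint.
SAMPLE = [
    rec("agent-a", "rest:stripe-charges", "POST", 200, "allow"),
    rec("agent-a", "rest:stripe-charges", "DELETE", 403, "deny"),
    rec("agent-a", "rest:stripe-charges", "DELETE", 403, "deny"),
    rec("agent-b", "rest:stripe-charges", "GET", 200, "shadow"),
    rec("agent-b", "rest:stripe-charges", "PUT", 200, "allow"),
    rec("agent-b", "rest:slack-post", "POST", 200, "allow"),
]

def triage(records, allowed=ALLOWED, deny_threshold=2):
    """Group audit records into findings a reviewer should look at."""
    out = {"unregistered": [], "method_drift": [], "shadow": [], "repeat_denies": []}
    denies = defaultdict(int)
    for r in records:
        tool, method = r["toolName"], r["method"].upper()
        decision = r["policyDecision"]
        if tool not in allowed:
            out["unregistered"].append(r)       # endpoint missing from the inventory
        elif decision == "allow" and method not in allowed[tool]:
            out["method_drift"].append(r)       # allowed despite the registration
        if decision == "shadow":
            out["shadow"].append(r)             # matched a shadow policy (e.g. the DLP rule)
        elif decision == "deny":
            denies[(r["agentId"], tool)] += 1
    # Agents that keep hitting a deny rule on the same endpoint.
    out["repeat_denies"] = sorted(k for k, n in denies.items() if n >= deny_threshold)
    return out

if __name__ == "__main__":
    for kind, items in triage(SAMPLE).items():
        print(kind, len(items))
```
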