Authentication

How to authenticate against the ShieldSignup API and the exact 401 response shape.

ShieldSignup uses bearer-token authentication. There is no alternative — no query parameter, no basic auth, no signed request.

API key format

API keys begin with one of two prefixes:

Prefix      Mode         Behaviour
sk_live_    Production   Calls the full scorer, deducts one credit from your monthly quota per successful assessment.
sk_test_    Sandbox      Calls a deterministic fixture (see Testing). Never deducts quota, never calls upstream signal sources.

Use one key per environment. Never commit keys to source control. Read the key from an environment variable at runtime; the rest of these docs assume the variable is named SHIELDSIGNUP_API_KEY.

How to pass the key

Pass the key as a Bearer token in the Authorization header on every request:

Authorization: Bearer sk_live_YOUR_API_KEY
Content-Type: application/json

Where to get a key

Open the dashboard at Dashboard → API Keys, click Create key, name it, and copy the token. The token is shown once — save it to your secret manager immediately.

Each key can be named and revoked independently. Revoking a key takes effect on the next request; in-flight requests are not interrupted.

What happens with an invalid or missing key

The API returns 401 with this envelope. Note the error field is an object, not a string.

HTTP/1.1 401 Unauthorized
Content-Type: application/json

{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid bearer token"
  }
}

A revoked key returns the same 401 status with a different code:

{
  "error": {
    "code": "token_revoked",
    "message": "Token was revoked from the dashboard"
  }
}

Always switch on error.code, not on error.message (the message is human-readable and may change between releases).
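The following is an added example of a minimal client-side helper covering both the header construction above and the 401 handling in this section. It is not ShieldSignup's SDK or any code from the project; the base URL, the request path and the "unparseable" sentinel are assumptions made for the example (the page does not state an API host), and the two 401 bodies are the envelopes shown above, embedded here as constructed sample responses so the code runs offline without sending anything.

```python
import json
import os
from urllib.request import Request

# Hypothetical host: the docs page does not give the API base URL.
API_BASE_URL = "https://api.example.invalid"

VALID_PREFIXES = ("sk_live_", "sk_test_")

# Constructed sample 401 bodies, copied from the envelopes documented above.
SAMPLE_401_MISSING = (
    '{"error": {"code": "unauthorized", '
    '"message": "Missing or invalid bearer token"}}'
)
SAMPLE_401_REVOKED = (
    '{"error": {"code": "token_revoked", '
    '"message": "Token was revoked from the dashboard"}}'
)

# Local sentinel (not an API code) for a 401 whose body is not the documented envelope.
UNPARSEABLE = "unparseable"


def load_api_key(env=os.environ):
    """Read the key from SHIELDSIGNUP_API_KEY and check its prefix.

    Failing here is cheaper than discovering a misconfigured key as a 401 later.
    """
    key = env.get("SHIELDSIGNUP_API_KEY")
    if not key:
        raise RuntimeError("SHIELDSIGNUP_API_KEY is not set")
    if not key.startswith(VALID_PREFIXES):
        raise ValueError("API key must start with sk_live_ or sk_test_")
    return key


def key_mode(key):
    """'production' for sk_live_ keys, 'sandbox' for sk_test_ keys."""
    return "production" if key.startswith("sk_live_") else "sandbox"


def build_request(key, path, payload):
    """Build a POST request carrying the key as a Bearer token. Nothing is sent."""
    return Request(
        API_BASE_URL + path,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": "Bearer " + key,
            "Content-Type": "application/json",
        },
    )


def auth_error_code(status, body):
    """Return error.code for a 401 response, or None when the request was authorised.

    Dispatches on the code only; the message is free text and may change.
    """
    if status != 401:
        return None
    try:
        error = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return UNPARSEABLE
    if not isinstance(error, dict) or "code" not in error:
        return UNPARSEABLE
    return error["code"]


def auth_failure_action(code):
    """Map a 401 code to the operator action described in this section."""
    actions = {
        "unauthorized": "check that SHIELDSIGNUP_API_KEY is set and not truncated",
        "token_revoked": "the key was revoked in the dashboard; deploy the replacement key",
    }
    return actions.get(code, "unexpected 401 code; inspect the full response")


def redact_key(key):
    """Keep only the first 12 characters, the form safe to share with support."""
    return key[:12] + "…"


if __name__ == "__main__":
    key = load_api_key({"SHIELDSIGNUP_API_KEY": "sk_test_example_only"})  # constructed
    req = build_request(key, "/v1/assess", {"email": "user@example.com"})  # path assumed
    print(key_mode(key), req.get_header("Authorization"))
    for status, body in ((401, SAMPLE_401_MISSING), (401, SAMPLE_401_REVOKED), (200, "{}")):
        code = auth_error_code(status, body)
        print(status, code, auth_failure_action(code) if code else "ok")
    print(redact_key(key))
```

Note that the sandbox and production paths differ only in the key prefix, so the same client code serves both; keeping the prefix check in load_api_key stops a test key from silently being deployed to production or the reverse.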

Key security rules

  • Never expose keys in client-side JavaScript or public repositories.
  • Rotate keys immediately if compromised: revoke the old key in the dashboard, then create and deploy a new one.
  • Use different keys per environment (development, staging, production).
  • Keys do not expire automatically. Revoke them manually when they're no longer needed.
  • When emailing support, share only the first 12 characters of the key (sk_live_abcd…). Never paste the full token.