API Overview

ShieldLabs uses two API hosts for server-side calls. See Endpoints & URLs.

Base URLs

| API | Host | Auth |
| --- | --- | --- |
| Dashboard + Pub API | https://account.shieldlabs.ai | JWT or keys in URL |
| Core Management API | https://api.shieldlabs.ai | {domain}:{secret} in path |
Development: dev.account.shieldlabs.ai, dev.api.shieldlabs.ai.

Authentication

Pub API (no JWT)

Query session data from your server using keys in the URL path:
GET https://account.shieldlabs.ai/pub/{public_key}/{secret_key}/{endpoint}
  • {public_key} — 32-character hex string from the dashboard
  • {secret_key} — 32-character hex string (server-only)

Dashboard API (JWT)

All /api/* endpoints on account.shieldlabs.ai require a JWT in the Authorization header:
Authorization: Bearer <token>
Get a token:
curl -X POST "https://account.shieldlabs.ai/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "..."}'
Response:
{ "token": "eyJhbGciOiJIUzI1NiIs..." }
Refresh the token:
POST https://account.shieldlabs.ai/api/auth/refresh
The refresh token is stored in an HTTP-only cookie. Returns a new token.

Webhook registration

Recommended — Dashboard or JWT API:
PUT https://account.shieldlabs.ai/api/domains/{domain_id}/webhook
Authorization: Bearer <token>
Content-Type: application/json

{ "callback": "https://your-server.com/webhook" }
Alternative — Core Management API on api.shieldlabs.ai:
POST https://api.shieldlabs.ai/{domain}:{secret}/callback
Content-Type: text/plain
Body: https://your-server.com/webhook
This uses {domain}:{secret} (domain hostname + secret key), not {public_key}/{secret_key}.

Response format

All endpoints return JSON. Error responses:
{ "error": "description" }
Pub API unauthorized responses return "invalid credentials".

Pagination

History endpoints accept limit and offset query parameters:
?limit=20&offset=40
Response wrapper:
{ "total": 142, "data": [ ... ] }
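
Added example (not ShieldLabs code): a Python helper for the Pub API URL scheme and the limit/offset pagination described above. It validates the two 32-character hex keys, walks pages until `total` is reached, and masks the keys before a URL reaches a log line or exception, because credentials carried in a URL path are otherwise recorded wherever URLs are logged. The helper names and the caller-supplied `fetch` callable are assumptions; the endpoint name is whatever `{endpoint}` you query.

```python
import re
from urllib.parse import urlencode

PUB_BASE = "https://account.shieldlabs.ai/pub"   # host from the table above
HEX32 = re.compile(r"[0-9a-fA-F]{32}")            # key format stated on this page


def build_pub_url(public_key, secret_key, endpoint, limit=20, offset=0):
    """Build a Pub API URL, rejecting keys that are not 32-character hex."""
    for name, key in (("public_key", public_key), ("secret_key", secret_key)):
        if not HEX32.fullmatch(key):
            raise ValueError(f"{name} must be a 32-character hex string")
    query = urlencode({"limit": limit, "offset": offset})
    return f"{PUB_BASE}/{public_key}/{secret_key}/{endpoint.lstrip('/')}?{query}"


def redact(text):
    """Mask both path keys so the URL is safe to log or put in an exception."""
    return re.sub(r"(/pub/)[0-9a-fA-F]{32}/[0-9a-fA-F]{32}",
                  r"\1<public_key>/<secret_key>", text)


def iter_history(fetch, public_key, secret_key, endpoint, limit=20):
    """Yield every item from a paginated endpoint.

    fetch(url) -> dict is supplied by the caller (assumption: it performs the
    GET over HTTPS and returns the decoded JSON body).
    """
    offset = 0
    while True:
        url = build_pub_url(public_key, secret_key, endpoint, limit, offset)
        body = fetch(url)
        if "error" in body:                       # { "error": "description" }
            raise RuntimeError(f"{redact(url)}: {body['error']}")
        yield from body["data"]
        offset += limit
        # Stop at the reported total, or on an empty page as a safety net.
        if offset >= body["total"] or not body["data"]:
            break
```

Pass `redact(url)` rather than the raw URL to any logger or error tracker that wraps the `fetch` call.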

Dates

All timestamps are ISO 8601 UTC:
"2026-04-14T10:00:00Z"