API Keys
Each domain in ShieldLabs has two keys. They serve different purposes and have different security requirements.
Public Key
d932476e-9f95-4ad9-820e-6f2118b1d27a
- Used by the browser SDK in the JS snippet
- Embedded in the <script> tag; safe to expose in HTML source
- Identifies which domain a fingerprint belongs to
- Does not grant access to the API or dashboard
<script type="module">
const mod = await import('https://cdn.shieldlabs.ai/snippet.js?publicKey=d932476e-...');
mod.checkAnonymous();
</script>
Secret Key
- Used to register webhook endpoints and verify webhook signatures
- Must be kept server-side — never expose in browser code
- Used in the webhook registration URL:
https://api.shieldlabs.ai/{domain}:{secret}/callback
- Used as the HMAC key to verify the Assing field of incoming webhooks
Never commit your secret key to version control. Store it in environment variables or a secrets manager.
Key rotation
To rotate keys, go to Dashboard → Domains → Rotate Keys, or call the API:
curl -X POST "https://api.shieldlabs.ai/api/domains/{domain_id}/keys/rotate" \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
After rotation:
- The old secret key is immediately invalidated
- Update your webhook registration with the new secret
- Update your webhook verification logic with the new secret
- The public key in existing snippet deployments continues to work (new public key issued)
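Added example, not ShieldLabs code: a server-side check that reads the secret key from an environment variable and verifies the Assing field, showing that a webhook signed under the old secret stops verifying once the rotated secret is deployed. The page does not state the hash, the encoding, or which bytes are signed, so hex HMAC-SHA256 over the sorted-key JSON payload minus Assing, the variable name SHIELDLABS_SECRET_KEY, and the sample payload are all assumptions.

```python
import hashlib
import hmac
import json
import os

SECRET_ENV = "SHIELDLABS_SECRET_KEY"  # hypothetical env var name (assumption)
SIG_FIELD = "Assing"                  # signature field named on the page


def load_secret(env=os.environ) -> bytes:
    """Read the secret key from the environment; fail closed if it is unset."""
    value = env.get(SECRET_ENV, "").strip()
    if not value:
        raise RuntimeError(f"{SECRET_ENV} is not set; refusing to verify webhooks")
    return value.encode("utf-8")


def signed_bytes(payload: dict) -> bytes:
    """ASSUMPTION: the signature covers the payload without the signature
    field, serialized as compact JSON with sorted keys."""
    body = {k: v for k, v in payload.items() if k != SIG_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def compute_signature(secret: bytes, payload: dict) -> str:
    """ASSUMPTION: hex-encoded HMAC-SHA256 keyed with the secret key."""
    return hmac.new(secret, signed_bytes(payload), hashlib.sha256).hexdigest()


def verify_webhook(payload: dict, env=os.environ) -> bool:
    """Return True only if the signature field matches under the current secret."""
    received = payload.get(SIG_FIELD)
    if not isinstance(received, str):
        return False  # missing or malformed signature: reject
    expected = compute_signature(load_secret(env), payload)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Constructed sample: the secrets and the payload are made up for this demo.
    old_env = {SECRET_ENV: "old-secret-for-demo"}
    new_env = {SECRET_ENV: "new-secret-for-demo"}
    event = {"visitor": "constructed-id", "anonymous": True}
    event[SIG_FIELD] = compute_signature(load_secret(old_env), event)
    print("before rotation:", verify_webhook(event, old_env))  # True
    print("after rotation: ", verify_webhook(event, new_env))  # False
```

Swap signed_bytes and the digest for whatever the ShieldLabs webhook reference specifies; the environment lookup, fail-closed behaviour and constant-time comparison stay the same.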
Where to find your keys
Open dashboard.shieldlabs.ai → Domains → click on your domain → Keys tab.