API Keys
Each domain in ShieldLabs has two keys. They serve different purposes and have different security requirements.
Public Key
a3f8c2d1e9b0476a8c5d2f1e0b9a8c7d
- 32-character hexadecimal string (16 random bytes)
- Used by the browser SDK in the JS snippet
- Embedded in the
<script> tag — safe to expose in HTML source
- Identifies which domain a fingerprint belongs to
- Does not grant access to the API or dashboard
<script type="module">
const mod = await import('https://cdn.shieldlabs.ai/snippet.js?publicKey=a3f8c2d1e9b0...');
mod.checkAnonymous();
</script>
Secret Key
7e4b9a2c8d1f6e0a3b5c9d2e7f4a1b8c
- 32-character hexadecimal string (16 random bytes)
- Used to verify webhook signatures and authenticate Pub API / Core Management API calls
- Must be kept server-side — never expose in browser code
- Used as the HMAC key to verify the
Assing field of incoming webhooks
Never commit your secret key to version control. Store it in environment variables or a secrets manager.
Webhook registration
Two ways to set your webhook URL:
- Dashboard → Domains → Webhook, or
PUT /api/domains/{id}/webhook on account.shieldlabs.ai (recommended)
- Core API:
POST https://api.shieldlabs.ai/{domain}:{secret}/callback with plain-text body
See Webhooks for details.
Key rotation
To rotate keys, go to Dashboard → Domains → Rotate Keys, or call the API:
curl -X POST "https://account.shieldlabs.ai/api/domains/{domain_id}/keys/rotate" \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
- Both public and secret keys are replaced immediately
- Update the
publicKey= parameter in your CDN snippet
- Update your webhook verification logic with the new secret key
- Re-register the webhook URL if needed
Where to find your keys
Open dashboard.shieldlabs.ai → Domains → click on your domain → Keys tab.
