
Authentication

ShieldAgent uses Bearer token authentication for all API and proxy requests. Proxy access uses a JWT agent token generated in the dashboard, and management operations use a separate admin API key.

Token types

Agent JWT: JWT (eyJ…)

Use: Authenticate MCP proxy requests. Scoped to a single agent within a tenant. Generated and rotated from the dashboard.

Obtain: Dashboard → Agents → [your agent] → Keys → Copy Token

Admin API Key: Opaque token

Use: Manage tenants, agents, policies, and audit logs via the REST API.

Obtain: Dashboard → Settings → API Keys → New Key

Making authenticated requests

Pass the token in the Authorization header. Copy your agent JWT from Dashboard → Agents → [your agent] → Keys.

```typescript
import ShieldAgent from '@shieldagent/sdk';

// Management API — uses your admin API key (from Settings → API Keys)
const client = new ShieldAgent({ apiKey: '<your-admin-key>' });
const tenants = await client.tenants.list();

// MCP proxy requests use the agent JWT (from Agents → [agent] → Keys)
// Configure your agent's MCP client to send:
//   Authorization: Bearer <your-agent-jwt>
```

Key rotation

Rotate agent keys without downtime using the two-key overlap pattern:

  1. Generate a new key — the old key remains active.
  2. Update your agent configuration to use the new key.
  3. Verify the new key is working in the dashboard Events tab.
  4. Revoke the old key.

Error responses

401: Missing or malformed Authorization header
403: Valid key but insufficient permissions for this operation
429: Rate limit exceeded — see Retry-After header
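The token types and status codes above, as an added client-side example (not code from the ShieldAgent SDK): it refuses to build a proxy header from anything that is not JWT-shaped, so an opaque admin key does not end up in agent configuration, and it maps 401/403/429 to a next step. The function names, the sample token, and the backoff default and cap are assumptions made for this example.

```typescript
// Added example: hypothetical helper names, not part of @shieldagent/sdk.
const SAMPLE_AGENT_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZ2VudCJ9.c2ln'; // constructed, not a real token
const MAX_BACKOFF_MS = 60000;    // assumption: upper bound on a server-supplied delay
const DEFAULT_BACKOFF_MS = 1000; // assumption: used when Retry-After is missing or unparseable

// Shape check only (three base64url segments, JSON header encodes to "eyJ"); no signature validation.
function looksLikeJwt(token: string): boolean {
  const parts = token.split('.');
  return parts.length === 3 && token.startsWith('eyJ') && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// Header for MCP proxy requests. Rejecting non-JWT input keeps an opaque admin
// API key from being pasted into an agent's configuration by mistake.
function proxyAuthHeader(token: string): { Authorization: string } {
  const t = token.trim();
  if (!looksLikeJwt(t)) throw new Error('expected an agent JWT for proxy requests');
  return { Authorization: `Bearer ${t}` };
}

// Retry-After is either delay-seconds or an HTTP-date (RFC 9110).
function retryAfterMs(value: string | null, nowMs: number): number {
  if (value === null) return DEFAULT_BACKOFF_MS;
  const v = value.trim();
  const ms = /^\d+$/.test(v) ? Number(v) * 1000 : Date.parse(v) - nowMs;
  if (Number.isNaN(ms)) return DEFAULT_BACKOFF_MS;
  return Math.min(Math.max(ms, 0), MAX_BACKOFF_MS);
}

type Decision = { action: 'ok' | 'check-token' | 'check-permissions' | 'retry' | 'other'; waitMs: number };

// Map the documented status codes to what the caller should do next.
function decide(status: number, retryAfter: string | null, nowMs: number = Date.now()): Decision {
  switch (status) {
    case 401: return { action: 'check-token', waitMs: 0 };       // missing or malformed header: retrying will not help
    case 403: return { action: 'check-permissions', waitMs: 0 }; // valid key, insufficient permissions: do not retry
    case 429: return { action: 'retry', waitMs: retryAfterMs(retryAfter, nowMs) };
    default:  return { action: status >= 200 && status < 300 ? 'ok' : 'other', waitMs: 0 };
  }
}
```

During a key rotation, a `check-token` result right after step 4 usually means some agent instance is still configured with the revoked key.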
