Authentication
The Shield API authenticates every request with two headers:
| Header | Value |
|---|---|
X-Tenant-ID | Your tenant ID (shown in the portal under Account settings) |
X-API-Key | A key you create in Developer → API keys |
curl "https://shield.orbis.roundbox.dev/api/v1/urlsearch?value=example.com" \
-H "X-Tenant-ID: 00000000-0000-0000-0000-000000000000" \
-H "X-API-Key: shld_live_xxxxxxxxxxxxxxxxxxxxxxxx"
Creating a key
- Sign in to the Orbis Shield portal.
- Go to Developer → API keys → Create a key.
- Give it a name and select the module scopes it may call
(
urlsearch,ipsearch,dnssearch,darkweb,antispam). - Copy the key immediately — the full secret (
shld_live_…) is shown once and is never retrievable again. Only a short prefix is stored for display.
Scopes
A key only works for the modules it was granted. Calling a module the key isn't scoped
for returns 403 Forbidden. Create separate keys per integration (e.g. one for your SMS
gateway with antispam, one for your firewall with urlsearch+ipsearch) so you can
revoke them independently.
Revoking
Revoke a key any time from Developer → API keys. Revocation is immediate — the next
request with that key returns 401. Key creation and revocation are recorded in your
Audit log.
Security notes
- Keep keys server‑side. They are bearer credentials for your whole tenant scope.
- Rotate by creating a new key, deploying it, then revoking the old one.
- All traffic must use HTTPS; requests over plain HTTP are rejected.