Model: Passthrough — InferShield never stores or has custody of your API keys or OAuth tokens. Tokens stay on your machine, encrypted at rest, and are used only to forward your requests.
InferShield supports OAuth Device Flow authentication, letting IDEs like GitHub Copilot and Cursor authenticate without requiring you to paste API keys into environment variables.
What you get:
- One-time browser-based login per provider
- Automatic token refresh (no re-login until you explicitly revoke)
- All requests still inspected by InferShield threat detection
- Tokens encrypted on disk; not sent to InferShield servers
- Docker (or Node.js >=18 for non-Docker installs)
- InferShield proxy v0.2+
- An account with your LLM provider (OpenAI, GitHub Copilot, etc.)
```bash
git clone https://github.com/InferShield/infershield.git
cd infershield
cp .env.example .env
```
Edit `.env`:
```bash
INFERSHIELD_MASTER_KEY=your-32-byte-hex-key-here
INFERSHIELD_PORT=8000
LOG_LEVEL=info
```
```bash
docker-compose up -d
```
The proxy starts at `http://localhost:8000`.
OpenAI:
```bash
docker exec -it infershield-proxy infershield auth login openai
```
GitHub Copilot:
```bash
docker exec -it infershield-proxy infershield auth login github
```
You will see:
```
Visit: https://github.com/login/device
Enter code: ABCD-1234

Waiting for authorization...
✓ Authenticated as alex@example.com
Token expires: 2026-04-01 (auto-refreshes)
```
Open the URL in your browser, enter the code, and authorize InferShield. Done.
```bash
docker exec infershield-proxy infershield auth status
```
```
Provider   Status       User               Expires
─────────────────────────────────────────────────────
openai     ✓ Active     alex@example.com   in 59 days (auto-refresh)
github     ✗ Not set    —                  —
```
```bash
export OPENAI_BASE_URL=http://localhost:8000/v1
```
Or configure in your IDE — see IDE Integration Guide.
Your requests now flow:
```
IDE / App → InferShield (threat detection) → LLM provider
```
InferShield attaches the stored OAuth token automatically.
| Variable | Required | Default | Description |
|---|---|---|---|
| `INFERSHIELD_MASTER_KEY` | Yes | — | 32-byte hex key for token encryption. Generate: `openssl rand -hex 32` |
| `INFERSHIELD_PORT` | No | `8000` | Port the proxy listens on. |
| `INFERSHIELD_MODE` | No | `single-user` | `single-user` or `multi-user` |
| `INFERSHIELD_LOG_LEVEL` | No | `info` | `debug`, `info`, `warn`, or `error` |
| `INFERSHIELD_TOKEN_PATH` | No | `~/.infershield/tokens.json` | Path to encrypted token storage |
Tokens are stored encrypted in `~/.infershield/tokens.json`. They are never sent to InferShield servers.
```
~/.infershield/
└── tokens.json   ← AES-256-GCM encrypted, keyed by INFERSHIELD_MASTER_KEY
```
To revoke and delete all stored tokens:
```bash
infershield auth logout --all
```
```bash
# Start the proxy in multi-user mode
docker run -p 8000:8000 \
  -e INFERSHIELD_MODE=multi-user \
  -e INFERSHIELD_MASTER_KEY= \
  -v /opt/infershield:/data \
  infershield/proxy:latest
# Create a user, then log that user in to a provider
infershield admin create-user alex@example.com
infershield auth login openai --user alex@example.com
```
```bash
echo "INFERSHIELD_MASTER_KEY=$(openssl rand -hex 32)" >> .env
```
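
A pre-flight check for the key written by the command above, as an added example that is not part of the InferShield project: it confirms that `.env` holds exactly one `INFERSHIELD_MASTER_KEY` line and that its value is 64 hex characters (32 bytes). The function name `check_master_key` and the owner-only file permission requirement are assumptions of this example, not documented InferShield behaviour.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not an InferShield command).
# check_master_key FILE -> prints a verdict; returns 0 only if the key line is usable.
check_master_key() {
    local file=$1 count value mode
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Appending with >> to a .env that still has the placeholder line
    # leaves two definitions; which one wins depends on the loader.
    count=$(grep -c '^INFERSHIELD_MASTER_KEY=' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 INFERSHIELD_MASTER_KEY line, found $count"
        return 1
    fi

    # 32 bytes in hex is exactly 64 hex characters (`openssl rand -hex 32`).
    value=$(grep '^INFERSHIELD_MASTER_KEY=' "$file" | cut -d= -f2-)
    if ! printf '%s' "$value" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        echo "key is not 64 hex characters (placeholder or truncated value?)"
        return 1
    fi

    # Assumption of this example: the file holding the key that decrypts
    # every stored token should be readable by its owner only.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "permissions are $mode; run: chmod 600 $file"; return 1 ;;
    esac
    echo "ok"
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_master_key "$1"; fi
```

Save it as a script and run it with `.env` as the argument before `docker-compose up -d`; any verdict other than `ok` names the line or permission to fix.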
Device codes expire in ~15 minutes. Re-run `infershield auth login openai`.
Your refresh token may have been revoked by the provider. Re-authenticate:
```bash
infershield auth logout openai && infershield auth login openai
```
```bash
infershield auth status
```
If status is active but requests fail, enable debug logging: `LOG_LEVEL=debug docker-compose up`.
Set `INFERSHIELD_PORT=8001` in `.env` and update your IDE's base URL.
Ensure the IDE is pointing to `http://localhost:8000/v1`. Check port mapping:
```bash
docker ps | grep infershield
```
- IDE Integration Guide — Configure Cursor, Copilot, VS Code, and more
- Token Security Model — Storage, encryption, rotation, blast radius
- OAuth Architecture — Internal design and flow diagrams