Using short-term tokens
Using short-term tokens
If you're integrating the Shen AI Web SDK, one of the first security decisions you'll make is how your application authenticates with the SDK. During development, it's common to use an SDK key directly. For production deployments, however, we recommend using short-term tokens instead.
Anything that runs in a web browser should be treated as publicly accessible. A permanent SDK key embedded in frontend code can be discovered and reused by others. Short-term tokens help reduce that risk by keeping your permanent credentials securely on your backend.
How short-term tokens work
Instead of sending your SDK key to the browser, your backend generates a temporary token whenever a user starts a measurement. The frontend uses that token to initialize the Web SDK, while the permanent SDK key never leaves your server.
Because these tokens are temporary, you can configure them to match your use case - for example, allowing a single measurement or limiting them to a specific period of time.
When should you use them?
We recommend short-term tokens for all production Web SDK deployments. They're particularly useful when users start measurements through:
- web applications,
- patient or customer portals,
- chatbots,
- WhatsApp or SMS links,
- one-time health assessments or invitation links.
In these scenarios, each measurement session can be authorized individually without exposing long-lived credentials.
Using short-term tokens helps you:
- keep permanent SDK credentials on your backend,
- reduce the risk of unauthorized or unintended use,
- control how long a token remains valid,
- limit access to a single scan or another predefined scope,
- better control scan usage in publicly accessible applications.
Learn more
For implementation details, API endpoints, and configuration examples, see the Short-term tokens section of the developer documentation.

