diff --git a/package-lock.json b/package-lock.json
index 2268f80..8520a0e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -452,7 +452,8 @@
     "deep-equal": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/deep-equal/-/deep-equal-1.0.1.tgz",
-      "integrity": "sha1-9dJgKStmDghO/0zbyfCK0yR0SLU="
+      "integrity": "sha1-9dJgKStmDghO/0zbyfCK0yR0SLU=",
+      "dev": true
     },
     "deep-is": {
       "version": "0.1.3",
@@ -2331,12 +2332,11 @@
       "dev": true
     },
     "secret-handshake": {
-      "version": "1.1.16",
-      "resolved": "https://registry.npmjs.org/secret-handshake/-/secret-handshake-1.1.16.tgz",
-      "integrity": "sha512-iJgGEykTXa8772vmYMGM20jYifTV7lg96bFeitGjly99aIEkIKHkiJWb+3KZ98dg4gwtF/6L+XhL/76iBgKhpA==",
+      "version": "1.1.20",
+      "resolved": "https://registry.npmjs.org/secret-handshake/-/secret-handshake-1.1.20.tgz",
+      "integrity": "sha512-sDtmZDpibGH2ixj3FOmsC3Z/b08eaB2/KAvy2oSp4qvcGdhatBSfb1RdVpwjQl5c3J83WbBo1HSZ7DBtMu43lA==",
       "requires": {
-        "chloride": "^2.2.7",
-        "deep-equal": "~1.0.0",
+        "chloride": "^2.2.8",
         "explain-error": "^1.0.4",
         "pull-box-stream": "^1.0.13",
         "pull-handshake": "^1.1.1",
diff --git a/src/plugins/shs.ts b/src/plugins/shs.ts
index fd935c2..451c512 100644
--- a/src/plugins/shs.ts
+++ b/src/plugins/shs.ts
@@ -22,6 +22,10 @@ export = {
   name: 'multiserver-shs',
   version: '1.0.0',
   init (api: any, config: Config) {
+    if (!config.keys && !config.seed) {
+      throw new Error('Config object should contains SHS keys or a seed')
+    }
+
     let timeoutHandshake: number | undefined
     if (!isNaN(config.timers?.handshake as any)) {
       timeoutHandshake = config.timers?.handshake!
diff --git a/src/types.ts b/src/types.ts
index b773911..e9ea6df 100644
--- a/src/types.ts
+++ b/src/types.ts
@@ -24,21 +24,13 @@ export type Transform = {
   create: () => unknown;
 };
 
-export type Config = {
+export interface BaseConfig {
   // Cryptographic capability key
   caps?: {
     shs?: Buffer | string;
   };
   appKey?: Buffer | string;
 
-  // Cryptographic keys
-  keys?: {
-    public?: string;
-    private?: string;
-    id?: string;
-  };
-  seed?: unknown;
-
   // Multiserver
   connections?: {
     incoming?: {
@@ -59,4 +51,21 @@ export type Config = {
   // Legacy but still supported
   host?: string;
   port?: number;
-};
\ No newline at end of file
+};
+
+export interface SeedConfig extends BaseConfig {
+  seed: unknown;
+  keys: never;
+};
+
+export interface KeysConfig extends BaseConfig {
+  seed: never;
+  // Cryptographic keys
+  keys: {
+    public: string;
+    private: string;
+    id: string;
+  };
+};
+
+export type Config = KeysConfig | SeedConfig;
\ No newline at end of file
diff --git a/test/server.js b/test/server.js
index efecee0..63b04d3 100644
--- a/test/server.js
+++ b/test/server.js
@@ -31,6 +31,26 @@ var create = SecretStack({
 var alice = create({ seed: seeds.alice })
 var bob = create({ seed: seeds.bob })
 
+tape('throw error when no seed or keys are supplied', function (t) {
+  var noop = () => {}
+  var shsPlugin = require('../lib/plugins/shs')
+  var api = {
+    multiserver: {
+      transform: noop
+    }
+  }
+  var config = {
+    caps: {shs: appkey}
+  }
+
+  t.throws(
+    () => shsPlugin.init(api, config),
+    /Config object should contains SHS keys/,
+    'SHS plugin throws without seed or keys'
+  )
+  t.end()
+})
+
 tape('alice connects to bob', function (t) {
   alice.connect(bob.address(), function (err, rpc) {
     if (err) throw err