Secure secrets vault and manager
Secure machine authentication

Securely store and manage secrets for every application, machine, and service in your stack. Experience the relief of gating your secrets behind asymmetric, cryptographically signed requests, with a world-class, easy-to-use user interface and developer experience. Allow your AI agents to work within your SecretOps without ever exposing them to a plaintext credential. Try SikkerKey today, for free.

The same machine identity SSH has used since the 90s, brought all the way through your secrets layer.

Start for Free

Static · server

web-prod-01

priv key on diskheld

Ephemeral · CI

ci-7f2a8b9d

priv key on diskheld

Ephemeral · pod

pod-app-x9k2m

priv key on diskheld

AI agent

agt_71c4ee

priv key on diskheld

SikkerKey · public key registry?

4 / 4

mch_8f3a··c7e1

web-prod-01

mch_7f2a··9d31

ci-7f2a8b9d

mch_b1c3··e5f6

pod-app-x9k2m

agt_71c4··a8b9

agt_71c4ee · metadata-only surface

Ed25519 · sha-256 fingerprintverify · decrypt

Ed25519 · asymmetric signing

The keypair

Ed25519 is an elliptic-curve signature scheme. Every machine generates its own keypair on enrollment: a private key that can sign, and a 32-byte public key that can only verify.

What this registry holds

Public keys only — the rows here, displayed as SHA-256 fingerprints. The private key never leaves the machine, so nothing stored on SikkerKey's side can produce a signature or impersonate a machine.

Every request

sign( method:path:timestamp:nonce:bodyHash )

The machine signs this string with its private key; SikkerKey verifies it against the registered public key. Timestamps expire after 5 minutes and every nonce is single-use, so a captured request can never be replayed.

Anywhere code runs.

Native SDKs, a single-binary CLI, and a signed HTTPS API for everything else.
The read path never changes: sign, verify, decrypt.

Native SDKNode.js

Native SDKPython

Native SDKGo

Native SDKKotlin / JVM

Native SDK.NET

Native SDKPHP

ContainerDocker

ContainerPodman

OrchestrationKubernetes

OrchestrationHelm

OrchestrationNomad

OrchestrationOpenShift

Edge deviceRaspberry Pi

CI / CDGitHub Actions

CI / CDGitLab CI

CI / CDBitbucket

CI / CDJenkins

CI / CDCircleCI

CI / CDBuildkite

CI / CDTeamCity

CI / CDTravis CI

CI / CDDrone

GitOpsArgo

PaaSVercel

PaaSNetlify

PaaSRailway

PaaSRender

PaaSFly.io

CloudDigitalOcean

Secrets Management.

Store every credential your applications need in one encrypted vault. Give each machine only the secrets it actually uses, and plant a canary that locks the project the instant it's read.

Read the secrets management docs Try it now

Secrets //productionproj_ch9k82pkcl8 secrets

All Secrets

Search by name, ID, or note...

Name	Note	ID	Fields	Ver	Machines	Policy	Updated	Last Read
db-password	Postgres production credentials	sk_p1q2··f5	—	v3	2	prod-strict▾	2h ago	2m ago	▾
stripe-key	Live key · acct_3aB…	sk_r3s4··g8	—	v1	1	prod-strict▾	3d ago	24m ago	▾
redis-url	Cache cluster · structured	sk_t5u6··h2	3 fields	v2	2	prod-strict▾	1h ago	2m ago	▾
canary-prod-dbArmed	Decoy · trips on read	sk_v7w8··j9	—	v1	3	prod-strict▾	1d ago	2m ago	▾
aws-access-key	S3 + SES · auto-rotates	sk_a4b5··m7	2 fields	v8	1	prod-strict▾	6h ago	7h ago	▾
ssh-bastion	Jump host private key	sk_x9y0··k3	—	v1	1	No policy▾	5d ago	2h ago	▾
github-app-pem	Deploy bot · pkcs8	sk_q2w3··e4	—	v1	1	prod-strict▾	1w ago	Never	▾

Access // Policiesproj_ch9k82pkcl5 policies

Access Policies

Search by name, description, or ID...

Name	Constraints	Bound	Updated
prod-strictProduction secrets, business hours, IP-lockedpol_a8f3e2d1	time-windowip(2)rate-capco-sign	12	5/7/2026
ci-pipelineCI workers, ephemeral access burstspol_4c91b27e	ip(1)ttl-timettl-reads	4	5/6/2026
dev-tempDeveloper machines, expires fastpol_d2e4f6a8	rate-capttl-reads	7	5/3/2026
canary-onlyTripwire — burns project on readpol_f9c3a14d	rotate-after	2	4/29/2026
openpol_e5b8c027	none	0	4/22/2026

Access Policies.

Lock each secret behind the rules you choose: business hours, allowed networks, rate caps, and multi-party approval. Stack as many as you need into one policy and bind it to any secret in the project.

Read the access policy docs Try it now

AI Agents.

Let AI agents manage your vault: rotate secrets, configure policies, audit reads. Reading the actual values stays off limits, because that capability was never built for agents.

Read the AI agents docs Try it now

New AI Agent

> name(optional)release-bot

Scopes(5 of 25)

Every capability is off by default. Tick the ones the agent actually needs.

Vault

machines.readList machines

machines.writeApprove / revoke / rename

aiagents.readList AI agents

aiagents.writeApprove / disable / revoke / rename

audit.readRead audit log

alerts.readView alert prefs

alerts.writeEdit alert prefs

ipallowlist.readView IP allowlist

ipallowlist.writeEdit IP allowlist

Project access(1 selected)

RestrictedSpecific projects only

UnrestrictedEvery project, including future ones

5 scopes, 1 project

Secure secrets vault and managerSecure machine authentication

Anywhere code runs.

Secrets Management.

Access Policies.

AI Agents.

Secure secrets vault and manager
Secure machine authentication