We've shipped AI agents as a new identity class in SikkerKey, and a small MCP server that wires them up to Claude Code, Codex, Cursor, and any other client that speaks the Model Context Protocol.
An AI agent authenticates with the same Ed25519 signed-request scheme machines use, but it lives in a separate identity table and holds management scopes (audit.read, projects.secrets.write, alerts.write, etc.) instead of per-secret grants. The MCP server runs locally as a child process of your AI client and does the signing on every call. The agent does not read the plaintext content of stored secrets. Write actions take plaintext as input, encrypt it server-side, and return only metadata.
Provisioning
From the dashboard's Machines → AI Agents tab, click Bootstrap AI agent. Pick the scopes the agent should hold and an optional project allowlist, then copy the one-time bootstrap token.
On the machine that runs your AI client:
npm install -g sikkerkey-mcp
sikkerkey-mcp install <token>
sikkerkey-mcp config claude-code # or codex, cursor, claude-desktop
Paste the printed config block into your client's MCP config file, restart the client, and the SikkerKey tools appear.
What the agent can do
Sixteen tools across the management surface:
- Identity. List, approve, rename, and revoke machines. Manage peer AI agents (lifecycle only). Issue and revoke enrollment tokens for ephemeral CI machines.
- Projects and secrets. Create projects. Create, rotate, version, rollback, and delete secrets. Manage dynamic-rotation schedules. Generate one-shot self-destructing share links via temporary secrets. Restore or purge from trash.
- Security controls. Author and bind access policies (time window, IP allowlist, rate cap, co-sign, TTL, rotate-after-N). Plant and configure canary trip-wires. Manage the machine-auth IP allowlist.
- Observability. Query the audit log with severity and time filters. Export CSV. View vault stats and recent activity. Configure which actions trigger alerts. Manage outbound webhook endpoints.
- Self-introspection. whoami returns the agent's identity, scope set, project allowlist, and recent self-attributed audit entries. Always callable.
Useful for
- Letting an AI assistant audit recent vault activity and highlight things that need attention before a deploy.
- Asking an AI to plant a canary or set up an alert webhook in the same conversation where you're already debugging an incident.
- Drafting access policies from natural language ("only allow reads from our CI subnet on weekdays during business hours") and binding them to specific secrets.
- Spinning up a new project with secrets, machine grants, and a rotation schedule end to end without leaving the editor.
- Scoped automation: an agent restricted to a staging project can drive its rotation schedules and webhooks without ever being able to touch production.
Compatibility
The MCP server speaks protocol version 2025-11-25 and runs over stdio. Tested clients:
- Claude Code
- Claude Desktop
- Codex CLI
- Cursor
Other MCP-over-stdio clients should also work. Point them at sikkerkey-mcp serve with SIKKERKEY_AGENT_ID in the env. The binary ships as a single statically-linked Go executable on Linux (x64, arm64), macOS (x64, arm64), and Windows (x64), distributed via npm.
Audit and revocation
Every tool call is signed with the agent's private key and recorded in the audit log with the agent's id attached. The dashboard's Audit page filters and renders AI-agent activity with a distinct badge. Disable or revoke an agent from the dashboard at any time. The next signed request is refused.
Try it
The AI Agents solutions page walks through the setup with terminal demos. Reference docs: overview, setup, tools reference, security model.