
Multi-user secrets management with Organizations

A personal vault can now host more than one person. Convert from Settings → Organization, invite people by email, and assign each one a permission template that bundles capabilities and project scope. Every action they take is attributed to them in the audit log. Existing projects, secrets, machines, billing, and integrations stay exactly where they are.

How the conversion works

The owner re-authenticates (password and 2FA, or a passkey step-up), picks a name for the organization, and confirms. The vault flips to organization mode and the dashboard sidebar grows an Organization category with a member roster and a template editor.

Conversion is one-way; an organization vault can't be downgraded back to personal.

Inviting members

Invite by email from Organization → Members. The invitee must already have a SikkerKey account, because membership joins an existing user identity to your vault rather than creating a new one. If they don't have an account, they sign up first, and you invite the email they signed up with.

The invitee accepts or declines from a panel in their own sidebar. Invites expire after seven days. Once accepted, your vault appears in their post-login picker alongside their personal vault. They sign in as themselves and choose which vault to act inside for the session.

Permission templates

The owner assigns each member a template: a named bundle of capability checks authored in the dashboard. A template has three parts:

  1. A name and description.
  2. Capabilities across the matrix (Machines, Audit log, Alerts, IP allowlist, Integrations, Trash, Projects, Secrets, Policies, Templates, Organization, Support).
  3. A project scope, either global (every project in the vault) or a specific list.

Capabilities are checkable cells in that matrix. Some are vault-wide: a member with a checked Machines cell sees every machine in the vault, whatever their project scope. Others are project-scoped: a member can manage secrets only in the projects their template scopes them to. A change to a template takes effect on the next request from every member who holds it, with no re-login or publish step; that applies equally when you uncheck a cell, so revocation is as immediate as a grant.

The machine plane is untouched

The vault ID is unchanged. Machines and SDK calls keep working with the same vault_... identifier they already had. Every machine continues to authenticate with its existing Ed25519 keypair. Membership in an organization is a human-side concept and has no effect on the runtime trust between machines and the vault.

The separation is deliberate. Dashboard membership decides what humans can do in the editor. Machine identity decides what workloads can read at runtime. Inviting someone doesn't add any runtime access, and registering a machine doesn't add any dashboard access. The two cross only when the owner (or a member with the right capability) explicitly attaches a machine to a project or grants it a secret.
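To make the two planes concrete, here is an added example in Go that models the template checks from the Permission templates section and the dashboard/runtime separation described here. It is not SikkerKey code and not its API: the capability names follow the matrix above, but which of them are vault-wide, the challenge-signing exchange used for machine authentication, the vault_example ID, and the alice, api-worker, billing, payments and DB_URL names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Capability names follow the page's matrix; the vault-wide/project-scoped split is an assumption.
const MachinesView = "Machines: View"
const SecretsRead = "Secrets: Read"

var vaultWide = map[string]bool{MachinesView: true}

// Template: a capability bundle plus a project scope (nil = global).
type Template struct {
	Caps  map[string]bool
	Scope map[string]bool
}

// A member points at its template, so an edit is seen by the next check with no re-login.
type Member struct {
	Template  *Template
	Suspended bool
}

// A machine lives on the runtime plane: an Ed25519 public key plus explicit per-project grants.
type Machine struct {
	PubKey ed25519.PublicKey
	Grants map[string]map[string]bool // project -> secret name -> granted
}

type Vault struct {
	ID       string
	Members  map[string]*Member  // keyed by username
	Machines map[string]*Machine // keyed by machine ID
}

// Authorize is the dashboard-plane check. It never consults Machines.
func (v *Vault) Authorize(username, capability, project string) bool {
	m, ok := v.Members[username]
	if !ok || m.Suspended || m.Template == nil || !m.Template.Caps[capability] {
		return false
	}
	if vaultWide[capability] || m.Template.Scope == nil {
		return true
	}
	return m.Template.Scope[project]
}

// ChallengeMessage binds the signed bytes to vault and machine identity so a signature
// cannot be replayed against another record. Nonce freshness and expiry are out of scope.
func ChallengeMessage(vaultID, machineID string, challenge []byte) []byte {
	return append([]byte(vaultID+"|"+machineID+"|"), challenge...)
}

// AuthenticateMachine is runtime-plane step one: proof of key possession.
func (v *Vault) AuthenticateMachine(machineID string, challenge, sig []byte) bool {
	mc, ok := v.Machines[machineID]
	return ok && ed25519.Verify(mc.PubKey, ChallengeMessage(v.ID, machineID, challenge), sig)
}

// MachineCanRead is runtime-plane step two: explicit grants only. It never consults Members.
func (v *Vault) MachineCanRead(machineID, project, secret string) bool {
	mc, ok := v.Machines[machineID]
	return ok && mc.Grants[project][secret]
}

// Demo walks the page's scenarios and returns each outcome by name.
func Demo() map[string]bool {
	out := map[string]bool{}
	v := &Vault{ID: "vault_example", Members: map[string]*Member{}, Machines: map[string]*Machine{}}
	// Invite alice with a template scoped to the "billing" project only.
	tpl := &Template{Caps: map[string]bool{MachinesView: true, SecretsRead: true}, Scope: map[string]bool{"billing": true}}
	v.Members["alice"] = &Member{Template: tpl}
	out["vault_wide_cap_ignores_scope"] = v.Authorize("alice", MachinesView, "payments")
	out["scoped_cap_outside_scope"] = v.Authorize("alice", SecretsRead, "payments")
	out["scoped_cap_inside_scope"] = v.Authorize("alice", SecretsRead, "billing")
	out["invite_grants_runtime_access"] = v.MachineCanRead("alice", "billing", "DB_URL")
	// Register a machine with a fresh Ed25519 keypair; the challenge bytes are constructed.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v.Machines["api-worker"] = &Machine{PubKey: pub, Grants: map[string]map[string]bool{}}
	challenge := []byte("constructed-challenge-0001")
	msg := ChallengeMessage(v.ID, "api-worker", challenge)
	out["machine_auth_with_own_key"] = v.AuthenticateMachine("api-worker", challenge, ed25519.Sign(priv, msg))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	out["machine_auth_with_other_key"] = v.AuthenticateMachine("api-worker", challenge, ed25519.Sign(otherPriv, msg))
	out["machine_reads_before_grant"] = v.MachineCanRead("api-worker", "billing", "DB_URL")
	v.Machines["api-worker"].Grants["billing"] = map[string]bool{"DB_URL": true}
	out["machine_reads_after_grant"] = v.MachineCanRead("api-worker", "billing", "DB_URL")
	out["registration_grants_dashboard_access"] = v.Authorize("api-worker", SecretsRead, "billing")
	tpl.Scope = nil // widen the template in place: the next check already sees it
	out["template_edit_applies_next_check"] = v.Authorize("alice", SecretsRead, "payments")
	v.Members["alice"].Suspended = true // suspension blocks the next request immediately
	out["suspended_member_denied"] = v.Authorize("alice", MachinesView, "")
	return out
}

func main() { fmt.Println(Demo()) }
```

The point of the two checks sharing a Vault but never reading each other's map is the property the page describes: a new member shows up only in Members, a new machine only in Machines, and a secret read is decided by the grant the owner attaches, not by anyone's dashboard membership.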

Member lifecycle

Invite, accept, decline, suspend, unsuspend, remove. Suspension cuts the member's session immediately and blocks them from the vault until you unsuspend them; their audit entries stay. Removal drops the membership. A member who wants to end their own membership opens Settings → Leave organization inside your vault. Whichever path triggers it, the action lands in your audit log attributed to the member's username.

Audit attribution

Every action a member takes is attributed to that member by username in your audit log. A member with Audit log: View sees their own actions; Audit log: View others expands that to every actor in the vault, including other members, machines, and AI agents.

Plan limits

Plans cap the number of members per organization. The cap is enforced when you send an invite; an invite that would push you over the cap is rejected with a link to your billing page. The current plan, used count, and cap are visible on the Members page.

Teams is deprecated

Organizations replaces the Teams feature.

Teams let you grant another SikkerKey user access to specific projects in your vault. They stayed inside their own dashboard and saw your shared projects under a sidebar group named after you. Per-project permissions were configured through a modal with toggles for machine, provision, and policy actions.

Organizations is a different shape. The invitee becomes a member of your vault, picks your vault from their post-login picker, and acts inside it directly. Permissions are configured through templates the owner authors once and assigns to members. Project scope is either every project in the vault or a specific list.

The Teams docs page now carries a deprecation banner pointing to the Organizations overview.
