Passkey sign-in for the dashboard

Passwords are the weakest link in any authentication system. Phishing pages, credential stuffing, password reuse, and keyloggers all rely on the password being something a human knows and types. Passkeys remove the password from the picture.

Today we're rolling out passkey sign-in for the dashboard. From your Settings page, you can register a passkey on every device you sign in from: Face ID and Touch ID on Apple devices, Windows Hello on PCs, hardware security keys (YubiKey, Titan), and any other FIDO2 authenticator your browser supports.

How it works

Once you've registered at least one passkey, the sign-in page offers Sign in with passkey as an alternative to typing your password. The browser challenges your authenticator, you approve with biometrics or a tap, and the dashboard signs you in.

Behind the scenes, every passkey assertion is verified against a credential public key stored in your account, with a per-credential signature counter that detects cloning attempts. The private key never leaves your authenticator. SikkerKey never sees it.

Passkeys are phishing-resistant by construction. The browser binds the credential to the origin where it was registered, so a look-alike domain imitating sikkerkey.com (no matter how convincing) can't trick the authenticator into signing for the real one.

Passwordless mode

Customers using passkeys plus an OAuth provider (GitHub or Google) can opt out of passwords entirely. Toggle passwordless mode in Settings and your password is removed. Sign-in then goes through your passkey or your OAuth provider.

At first passkey enrollment we generate eight single-use recovery codes, hashed at rest with Argon2id. Save them somewhere safe. If you lose your authenticator and your OAuth provider is unreachable, recovery codes are how you regain access to your vault.

What it covers

What it doesn't cover

Machine authentication still uses Ed25519 keypairs and is unchanged. Passkeys are designed for human-in-the-browser flows; machine-to-API authentication has its own protocol (HTTP signatures with strict replay protection) that isn't going anywhere.

Try it

Head to Settings → Security and click Add a passkey.