Organizations can now route dashboard sign-in through their own identity provider with SAML 2.0 single sign-on (SSO). Your members sign in with Okta, Microsoft Entra ID, Google Workspace, or any SAML provider, the way they sign in to everything else.
Connect your identity provider
Open the Single sign-on page in the dashboard. Upload your provider's SAML metadata and SikkerKey reads the entity ID, sign-in URL, and signing certificate out of it, or paste those three by hand if you'd rather. SikkerKey gives you back the service provider (SP) details to drop into your provider's side.
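To check a metadata file before you upload it, here is an added example (not SikkerKey's code) that pulls the same three values out of IdP metadata and prints the signing certificate's SHA-256 fingerprint, which you can compare with the one your provider's admin console shows. The sample metadata is constructed, its certificate bodies are placeholder bytes, and the binding preference is an assumption.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted files, defusedxml is the safer parser

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample. Certificate bodies are placeholder bytes, not real DER.
SAMPLE_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    ZW5jcnlwdGlvbi1jZXJ0</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    c2lnbmluZy1j
    ZXJ0</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Location="https://idp.example.com/sso/post"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  <md:SingleSignOnService Location="https://idp.example.com/sso/redirect"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def read_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("expected one EntityDescriptor with an IDPSSODescriptor")
    # Assumption: prefer HTTP-Redirect, else HTTP-POST; the page names no binding.
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    url = sso.get(BIND + "HTTP-Redirect") or sso.get(BIND + "HTTP-POST") or ""
    if not url.startswith("https://"):
        raise ValueError("no HTTPS sign-in URL in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": root.get("entityID"), "sign_in_url": url,
            "signing_sha256": [fingerprint(d) for d in certs]}

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE_METADATA))
```

More than one fingerprint in the output usually means the provider is mid-rotation and publishes both the old and new signing certificates.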
Verify the domains you own
Add your email domains and publish the DNS record SikkerKey shows you. Once a domain is verified, anyone in it who can authenticate at your provider becomes a member on their first sign-in. Nothing to create up front. New members land on a default template you choose, so they arrive with the access you meant them to have and nothing more.
Offer SSO, or enforce it
Two switches. Leave SSO enabled and members can use it next to their existing password or passkey. Turn on enforcement and SSO becomes the only way in for anyone in your verified domains. You always keep your own way in, so a provider misconfiguration can lock out a member but never you.
Machines are untouched
SSO is about how people reach the dashboard. The machines and agents that read secrets at runtime keep authenticating with their own keys, exactly as before. Enabling or enforcing SSO changes nothing about your integrations.
Availability
Single sign-on is available to organizations, depending on plan. If your vault isn't an organization yet, convert it first.
Docs
Full setup walkthrough: Single sign-on.