Temporary machines for scoped, time-bounded access

We've shipped temporary machines, a new way to provision a single time-bounded identity with an opt-in stack of per-machine guardrails. From the Machines page, click + and pick Temp Machine.

A temp machine is a normal machine identity (Ed25519 keypair, signed requests, per-secret grants) with two extras: a fixed expiration timestamp that runs from one hour to twelve months, and a per-machine guardrail stack that enforces on every signed request.

Useful for

How it works

From the Machines page, click the + dropdown and pick Temp Machine to open the configuration modal. Set a name, an optional description, a lifetime in months, days, and hours, and toggle on any guardrails you want enforced. On save, the dashboard displays, once only, a single-use bootstrap command for Linux, macOS, and Windows.

curl -sSL https://api.sikkerkey.com/v1/{vaultId}/temp-bootstrap/{token} | sh

The script generates an Ed25519 keypair locally, registers the machine in pending state, and writes the identity files under ~/.sikkerkey/vaults/{vaultId}/. You approve the registration from the dashboard, then add it to projects and grant the secrets it needs, the same way you would for any other machine. The name you set at token issuance is what the machine is called once it registers.

Guardrails

Three opt-in axes, enforced on every signed request:

The axes compose: a request is rejected if any enabled axis fails. Guardrails run on top of the standard machine-auth checks and any access policy bound to the secret being read.

Extending and reverting

If a workload runs longer than you planned, open the machine and click Extend. The new expiry cannot sit more than twelve months out from now. The cap rolls with the clock, so total remaining runway stays at most a year regardless of how many extensions you stack. The most recent un-reverted extension can be rolled back in a single click if you change your mind.
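The lifetime, rolling extension cap and one-step revert described above, modelled as an added Python example (not SikkerKey's own code); "twelve months" is approximated as 365 days here, which is an assumption about the product's month arithmetic.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical model of the temp-machine expiry rules; assumed constants.
MIN_LIFETIME = timedelta(hours=1)    # shortest lifetime at issuance
MAX_RUNWAY = timedelta(days=365)     # "twelve months", approximated


@dataclass
class TempMachine:
    name: str
    expires_at: datetime
    # Stack of (previous_expiry, new_expiry) for un-reverted extensions.
    extensions: list = field(default_factory=list)


def issue(name: str, lifetime: timedelta, now: datetime) -> TempMachine:
    """Lifetime must lie between one hour and twelve months at issuance."""
    if not MIN_LIFETIME <= lifetime <= MAX_RUNWAY:
        raise ValueError("lifetime must be between 1 hour and 12 months")
    return TempMachine(name, now + lifetime)


def extend(m: TempMachine, new_expiry: datetime, now: datetime) -> None:
    """The cap is measured from *now*, not from issuance, so remaining
    runway can never exceed a year however many extensions are stacked."""
    if new_expiry <= m.expires_at:
        raise ValueError("extension must move the expiry forward")
    if new_expiry > now + MAX_RUNWAY:
        raise ValueError("expiry would sit more than 12 months out from now")
    m.extensions.append((m.expires_at, new_expiry))
    m.expires_at = new_expiry


def revert(m: TempMachine) -> None:
    """Roll back only the most recent un-reverted extension."""
    if not m.extensions:
        raise ValueError("no un-reverted extension to roll back")
    previous, _ = m.extensions.pop()
    m.expires_at = previous


def demo() -> tuple:
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    m = issue("ci-runner", MAX_RUNWAY, t0)          # expires at t0 + 365 days
    later = t0 + timedelta(days=182)                # six months into the run
    extend(m, later + MAX_RUNWAY, later)            # allowed: exactly 12 months out
    try:
        extend(m, later + MAX_RUNWAY + timedelta(days=1), later)  # one day over the cap
    except ValueError:
        pass
    remaining_days = (m.expires_at - later).days    # 365: runway capped, not summed
    revert(m)                                       # back to the original expiry
    return remaining_days, m.expires_at == t0 + MAX_RUNWAY
```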

Audit

Every guardrail block fires a temp_machine_blocked audit entry naming the failing axis. A series of these is the canonical signal that an out-of-scope party has gotten hold of the identity. The full action set (issue, register, extend, revert, expire, purge, block) is in the audit log reference, and each action can be wired to an email or webhook alert from Settings → Alerts.

Try it

Open the Machines page, hit the + button, and pick Temp Machine. Reference docs: Temporary Machines.