Glossary

Plain-English definitions for the terms that show up when you're securing credentials at runtime — secrets management, machine identity, and the cryptography around them.

16 terms

Filter

Audit log

An append-only record of privileged actions, capturing who did what, when, and from where, so that operators and compliance reviewers can answer questions about historical behavior after the fact.

Bearer token

A credential where possession alone proves identity. Anyone who holds the token can use it. API keys, OAuth access tokens, session cookies, and most personal access tokens are all bearer tokens.

A modern elliptic-curve digital signature scheme. Fast, deterministic, and with small keys (32 bytes) and signatures (64 bytes), it's the default for modern SSH, TLS 1.3, and machine-to-machine authentication.

Envelope encryption

A pattern where each data value is encrypted with its own data key, which is itself wrapped by a master key, so the master key never directly touches the ciphertext and rotating it is cheap.

Ephemeral machines

Short-lived SikkerKey machines created by enrollment tokens, auto-approved with preconfigured project and secret access, then disabled automatically when their lifetime expires.

Honey token

A fake credential planted alongside real ones, configured to trigger an alert (and often automated containment) the moment anyone tries to use it. Also called canary token, decoy credential, or in SikkerKey, a canary secret.

Long-lived machines

A SikkerKey machine identity with no built-in expiration date, used for servers, VMs, containers, and processes that should keep reading secrets until disabled or revoked.

Machines

A non-human actor with its own cryptographic identity and access grants: a server, container, CI runner, or AI agent that needs to read secrets without a human signing in. Also called non-human identity (NHI) or workload identity.

Secret rotation

The practice of replacing a credential's value on a schedule (or after suspected compromise) so a leaked value stops being useful within a bounded time window. Sometimes called credential rotation or key rotation.

Secret sprawl

What happens when credentials end up scattered across env files, config maps, source code, chat threads, password managers, and forgotten clouds. The default state of any team without a secrets manager.

Secrets

A credential, key, or token used to authenticate or encrypt, where unauthorized knowledge of the value causes material harm. Passwords, API keys, private keys, and OAuth tokens are the common kinds.

Secrets manager

A system that stores, encrypts, and serves credentials to applications and machines at runtime, with centralized access control and audit logging, so secrets don't live in env files, source code, or shared password managers.

Signed requests

An authentication pattern where the client proves identity by signing each request with its private key, so the credential never travels with the request and an intercepted signature is bound to a single specific request.

Structured secrets

A multi-field secret that stores related values, such as host, username, and password, as named fields inside one encrypted, versioned secret object.

Temporary machines

Time-bounded SikkerKey machines created from single-use temp bootstrap tokens, with manual approval, normal secret grants, and optional per-machine IP, geo, and time-window guardrails.

.env files

A plain-text file at the root of a project that defines environment variables as KEY=value lines, loaded by the application at startup so the same code can run against different configurations.