Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link
Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link

Glossary

Plain-English definitions for the terms that show up when you're securing credentials at runtime — secrets management, machine identity, and the cryptography around them.

12 terms
Filter
A1

Audit log

An append-only record of privileged actions, capturing who did what, when, and from where, so that operators and compliance reviewers can answer questions about historical behavior after the fact.

Read more
B1

Bearer token

A credential where possession alone proves identity. Anyone who holds the token can use it. API keys, OAuth access tokens, session cookies, and most personal access tokens are all bearer tokens.

Read more
E2

Ed25519

A modern elliptic-curve digital signature scheme. Fast, deterministic, and with small keys (32 bytes) and signatures (64 bytes), it's the default for modern SSH, TLS 1.3, and machine-to-machine authentication.

Read more

Envelope encryption

A pattern where each data value is encrypted with its own data key, which is itself wrapped by a master key, so the master key never directly touches the ciphertext and rotating it is cheap.

Read more
H1

Honey token

A fake credential planted alongside real ones, configured to trigger an alert (and often automated containment) the moment anyone tries to use it. Also called canary token, decoy credential, or in SikkerKey, a canary secret.

Read more
M1

Machines

A non-human actor with its own cryptographic identity and access grants: a server, container, CI runner, or AI agent that needs to read secrets without a human signing in. Also called non-human identity (NHI) or workload identity.

Read more
S5

Secret rotation

The practice of replacing a credential's value on a schedule (or after suspected compromise) so a leaked value stops being useful within a bounded time window. Sometimes called credential rotation or key rotation.

Read more

Secret sprawl

What happens when credentials end up scattered across env files, config maps, source code, chat threads, password managers, and forgotten clouds. The default state of any team without a secrets manager.

Read more

Secrets

A credential, key, or token used to authenticate or encrypt, where unauthorized knowledge of the value causes material harm. Passwords, API keys, private keys, and OAuth tokens are the common kinds.

Read more

Secrets manager

A system that stores, encrypts, and serves credentials to applications and machines at runtime, with centralized access control and audit logging, so secrets don't live in env files, source code, or shared password managers.

Read more

Signed requests

An authentication pattern where the client proves identity by signing each request with its private key, so the credential never travels with the request and an intercepted signature is bound to a single specific request.

Read more
#1

.env files

A plain-text file at the root of a project that defines environment variables as KEY=value lines, loaded by the application at startup so the same code can run against different configurations.

Read more