Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link
Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link

Bearer token

A credential where possession alone proves identity. Anyone who holds the token can use it. API keys, OAuth access tokens, session cookies, and most personal access tokens are all bearer tokens.

What it is

A bearer token is a credential where possession alone proves identity. Anyone who holds the token can use it to authenticate. The receiving server has no way to distinguish the legitimate holder from someone who copied the token off a laptop, intercepted it in transit, or grepped it out of a log file.

The name comes from RFC 6750, which defines OAuth 2.0 bearer tokens: "Any party in possession of a bearer token (a 'bearer') can use it to get access to the associated resources." The same model predates the RFC by decades; it's how cookies, API keys, and most session credentials have always worked.

Common kinds

The category is broader than the name suggests:

A short-lived bearer token is still a bearer token. Reducing the lifetime narrows the abuse window but doesn't change the model.

Why they work

Bearer tokens are the dominant auth pattern on the internet for three reasons:

If credentials never leaked, bearer tokens would be the right answer. They're simple, fast, and universally supported.

How they fail

Bearer tokens fail through leakage. The structural problem is that the server only sees the token, so it can't tell the legitimate client from anyone else holding the same string.

Common leak paths:

When any of these leak, the attacker uses the token exactly the same as the legitimate client, and there's no way for the receiving server to tell them apart. Detection and rotation are the only mitigations.

Various patterns try to harden the model: short expiry windows, IP allowlists tied to the token, refresh tokens that require a second credential to issue new access tokens, audience restrictions in JWTs. Each helps but doesn't change the fundamental property that the credential is the proof.

What replaces them

The structural alternative is signed requests. The client holds a private key, and each request carries a signature proving that key was used to sign that specific request. The credential never travels with the request, so capturing the request is useless. SSH, AWS Signature v4, modern HTTP Message Signatures (RFC 9421), and most machine-to-machine systems built in the last decade use this pattern.

Bearer tokens still make sense at the user-experience layer (a browser holding a session cookie can't reasonably do per-request signing). For machine-to-machine auth, signed requests are the better default.

How SikkerKey treats them

In SikkerKey, machine reads aren't authenticated with a bearer token. Each machine carries an Ed25519 private key generated locally during bootstrap and signs each request with method:path:timestamp:nonce:body_hash. SikkerKey verifies the signature against the public key on file. A captured request is useless five minutes later (timestamp window) and useless on any other request (signature is bound to the contents). Copying credentials off a laptop or grepping logs for tokens turns up nothing that reads your secrets.

Bearer tokens still exist in SikkerKey at the user layer (dashboard sessions use them, like any web app), but the path your secrets traverse is signature-only.

See also

Signed requestsAn authentication pattern where the client proves identity by signing each request with its private key, so the credential never travels with the request and an intercepted signature is bound to a single specific request.
Ed25519A modern elliptic-curve digital signature scheme. Fast, deterministic, and with small keys (32 bytes) and signatures (64 bytes), it's the default for modern SSH, TLS 1.3, and machine-to-machine authentication.
MachinesA non-human actor with its own cryptographic identity and access grants: a server, container, CI runner, or AI agent that needs to read secrets without a human signing in. Also called non-human identity (NHI) or workload identity.
SecretsA credential, key, or token used to authenticate or encrypt, where unauthorized knowledge of the value causes material harm. Passwords, API keys, private keys, and OAuth tokens are the common kinds.

SikkerKey is the secrets manager built around the patterns in this glossary. Encrypted vault, machine identity over signed requests, dynamic secrets — set up in minutes.

Start for Free