Integrations

If it runs code, it's already integrated.

SikkerKey doesn't push copies of your secrets into other vendors' stores. Every machine reads from one vault at runtime, by signing the request. So the list of things you can integrate is just the list of things that run code.

Command line

sikkerkey run --all -- ./app

Inject secrets as env vars into any process. --watch restarts it when a value rotates.

SDK

client.getSecret("db-url")

Six languages, each signs locally and auto-detects the machine's identity.

Signed HTTP

GET /v1/secret/:id

No SDK for your language? Sign the request yourself. The wire format is the whole API.

Anywhere your code runs

None of these are connectors we maintain. Each one is just a machine that authenticates and reads. That's why the list can be this long.

CI / CDA fresh machine enrolls each run and expires after.

GitHub Actions

GitLab CI/CD

Bitbucket Pipelines

Jenkins

CircleCIAzure DevOps

Travis CI

Argo Workflows

DroneWoodpecker

TeamCity

Buildkite

Containers & orchestrationFetch at startup, or wrap the entrypoint with the CLI.

Docker

Kubernetes

Docker ComposeAmazon ECS

Nomad

Podman

Helm

OpenShift

App platformsYour container is the machine; it enrolls at boot and reads like any host.

Google Cloud Run

Fly.io

Railway

RenderHeroku

DigitalOcean Apps

Serverless functionsNo disk needed: a fresh identity is minted in memory per cold start.

AWS Lambda

Vercel

NetlifyGoogle Cloud FunctionsAzure Functions

Servers, VMs & jobsPersistent identity on the host; read on demand.

Amazon EC2Google Compute EngineAny VPSBare metalsystemd servicesCron jobsOn-prem racks

Edge & localIf it can make an HTTPS request, it qualifies.

Edge nodesIoT devices

Raspberry PiDev containersYour laptopMakefiles

Native SDKsDrop-in clients that handle the signing for you.

Kotlin / JVM

Node.js

Python

.NET / C#

PHP

There's nothing to request.

Old secrets managers end this page with “don't see your platform? request an integration.” SikkerKey doesn't have that button, because there's no connector to build. The one thing a machine needs is its own identity: a private key it holds, written to disk at enrollment or minted in memory at runtime. With that in place, anything that can run sikkerkey run, import an SDK, or sign an HTTPS request works today.

Point your next machine at one vault.

Free to start. No connector backlog, no second copy of your secrets.

Start for free Read the docs