AI Agents

Hand the management plane to an AI that can’t read your secrets.

Run a small local MCP server next to Claude Code, Codex, or Cursor. The AI gets a scope-restricted, Ed25519-bound identity that can manage projects, plant canaries, configure policies, audit recent activity, and set up alerts — but never authenticate as a machine and never see the plaintext content of a stored secret.

It does the forensics work for you.

The agent has audit.read, so it can pull the critical-severity slice of the audit log, cross-check current state with manage_ipallowlist, manage_machines, and manage_projects, convert epoch timestamps to local time, and present a triage summary. No plaintext leaves the vault. The whole investigation is signed and itself recorded in the audit log.

It writes the integration. The runtime reads the secret.

The agent has projects.secrets.read, so it can see that "SMTP Credentials" is a structured secret with server, username, and password fields — but never the values. It uses that schema to write a script that fetches the credentials at runtime through the SDK, on a machine that’s actually authorized to read them. The agent stays plaintext-blind end to end.

How it works

The MCP server is a single Go binary running locally as a child of your AI client. It authenticates to SikkerKey on every call with the agent’s Ed25519 private key.

1. Provision an agent

In the dashboard, name the agent and pick its scope set. SikkerKey issues a one-time bootstrap token that expires in minutes.

2. Install the MCP server

Run sikkerkey-mcp install <token> on the host that runs your AI client. The binary generates the Ed25519 keypair locally; the private key never leaves the machine.

3. Wire up the AI client

sikkerkey-mcp config claude-code prints a ready-to-paste JSON block. Restart the client. Tools appear immediately.

4. Sign every call

Every tool invocation becomes an Ed25519-signed request to /v1/ai/… with timestamp + nonce replay protection. Every call is recorded in the audit log.

5. Revoke instantly

Disable or revoke the agent from the dashboard. The next signed request is refused. No cache to wait on, no token to expire.

6. Edit scopes any time

Tighten or expand the agent’s scope set from the dashboard. The agent cannot grant itself or peers more than the vault owner authorized.
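
Steps 4 and 5 describe Ed25519-signed calls with timestamp and nonce replay protection, and revocation that takes effect on the next signed request. The Go program below is an added example of a server-side check with those properties; it is not SikkerKey's code, and the Request fields, the canonical encoding, the 30-second skew window, the agent ID and the path placeholder are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

type Request struct {
	AgentID, Path, Nonce string
	Timestamp            int64 // Unix seconds
	Body, Sig            []byte
}

type Verifier struct {
	Keys map[string]ed25519.PublicKey // agent ID -> registered public key
	Seen map[[2]string]bool           // {agent ID, nonce} pairs already accepted
	Skew int64                        // accepted clock skew, seconds
}

// canonical is an assumed encoding (not SikkerKey's wire format); %q stops delimiter smuggling.
func canonical(r Request) []byte {
	return []byte(fmt.Sprintf("%q %q %d %q %x", r.AgentID, r.Path, r.Timestamp, r.Nonce, r.Body))
}

func (v *Verifier) Check(r Request, now int64) error {
	id := [2]string{r.AgentID, r.Nonce}
	switch pub, known := v.Keys[r.AgentID]; {
	case !known: // revocation deletes the key, so it applies on the very next call
		return errors.New("unknown or revoked agent")
	case now-r.Timestamp > v.Skew || r.Timestamp-now > v.Skew:
		return errors.New("timestamp outside window")
	case !ed25519.Verify(pub, canonical(r), r.Sig):
		return errors.New("bad signature")
	case v.Seen[id]: // checked after Verify so only authenticated nonces are stored
		return errors.New("replayed nonce")
	}
	v.Seen[id] = true // in production, expire entries after 2*Skew
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key
	v := &Verifier{Keys: map[string]ed25519.PublicKey{"agent-1": pub}, Seen: map[[2]string]bool{}, Skew: 30}
	r := Request{AgentID: "agent-1", Path: "/v1/ai/PLACEHOLDER", Nonce: "n1", Timestamp: 1000}
	r.Sig = ed25519.Sign(priv, canonical(r))
	fmt.Println(v.Check(r, 1005), v.Check(r, 1006)) // <nil> replayed nonce
	delete(v.Keys, "agent-1")                       // revoke the agent
	fmt.Println(v.Check(r, 1007))                   // unknown or revoked agent
}
```

Because the timestamp and nonce are inside the signed bytes, a captured request cannot be replayed with a fresh nonce or a shifted timestamp without the agent's private key.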

Bring your AI to the management plane.

Free to start. No credit card required.