Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
Organizations

Multi-user secrets vaults
with permission templates.

Start for FreeRead the Docs
SikkerKey organization member roster showing usernames, assigned templates, project scopes, joined dates, and per-member action controls

Permission templates, authored once and assigned to many

Author capability templates in the dashboard and assign them to members. A template bundles a name, a set of capabilities across the matrix (Machines, Audit log, Alerts, IP allowlist, Integrations, Templates, Support, Projects), and a project scope. The same template can be assigned to many members, keeping their permissions in sync. Adjust a template once and every member who holds it picks up the change on their next request, with no re-login or publish step.

SikkerKey template editor showing the capability matrix with categories like Machines, Audit log, Alerts, IP allowlist, Projects, and Secrets, each with checkable cells
Read the templates docs

Global access or a specific project list

Project-scoped capabilities apply only to projects in the member's scope. Choose global access (every project in the vault) or a specific list, on a per-member basis without touching their template. Scope changes are recorded in the audit log alongside the assignment that triggered them.

SikkerKey member project scope editor with toggle between global access and a specific project list, plus per-project checkboxes
Read the capabilities reference

One identity, multiple vaults

Members sign in with their own SikkerKey credentials and pick which vault to act inside for the session, whether that's their personal vault or any organization they're a member of. Switching vaults is two clicks. Owners never see members' passwords or 2FA factors, and members never share credentials to act on your vault.

SikkerKey post-login vault picker showing a member's personal vault alongside the organization vaults they belong to, with vault names and roles
Read the vault switching docs

Every action attributed by username

When a member reads a secret, edits a policy, or invites a teammate, the audit log records it with their username. Members with Audit log: View see their own actions only. Audit log: View others expands the view to every actor in the vault, including other members, machines, and AI agents, so an owner gets a single trail of who did what across the org.

SikkerKey audit log filtered to show member-attributed actions with usernames, source IPs, severity badges, and timestamps
Read the members docs

Invite, suspend, remove, leave

Invite teammates by email. The recipient must already have a SikkerKey account, and the response never reveals whether they do, so your dashboard can't be used to enumerate customers. Suspension cuts the member's session immediately and bars them from the vault until you unsuspend; their audit entries stay intact. Removal drops the membership. A member who wants to leave on their own opens Settings → Leave organization from inside your vault.

SikkerKey member roster row with action menu showing change template, change scope, suspend, and remove options
Read the lifecycle docs

Built for teams that share a vault

The details that make multi-user vaults workable.

Email invitations

Pre-assign a template and project scope at invite time. Invites expire after seven days and never disclose whether the recipient is a SikkerKey customer.

Owner-only template editing

Three cells stay locked to the owner: editing templates, assigning templates to members, and changing member project scope. Closes off the privilege-escalation path that delegated admins would otherwise have.

Self-service leave

Members can end their own membership from Settings → Leave organization inside your vault. Their personal vault and SikkerKey account remain in place; your roster updates in real time.

Plan-based member limits

Plans cap the number of members per organization. The cap is enforced at invite-send time with a clear error pointing at your billing page.

Real-time propagation

Template edits propagate on the next request from every member who holds the template. Suspensions and removals take effect immediately on the next request.

Trust separation

Dashboard membership decides what humans can do in the editor. Machine identity decides what workloads can read at runtime. The two planes are deliberately independent.

Stop sharing one set of credentials.

Convert your vault to an organization in two clicks. No credit card required.

Start for Free