Temporary Machines

Time-boxed machines for work with an end date.

SikkerKey new temporary machine wizard on the identity and lifetime step, with a name, an optional description, and a months / days / hours lifetime that expires on its own

One machine, one command, a built-in expiry

A temporary machine is a single identity you stand up for a scoped piece of work: a contractor engagement, an incident response, a one-off migration, or a live demo. You choose its lifetime when you create it, from one hour to twelve months, and it carries that expiry from its very first request.

curl -sSL https://api.sikkerkey.com/v1/<vault>/temp-bootstrap/<token> | sh

Run the one-time bootstrap command on the host (Linux, macOS, or Windows). It generates an Ed25519 keypair locally, registers only the public key, and the machine shows up pending in your dashboard. Approve it, add it to the projects it needs, and grant it the secrets it should read, the same way you would any other machine.

SikkerKey temporary machine bootstrap step showing the Linux, macOS, and Windows platform picker and the ready-to-run install command
Read the temporary machines docs

Expires on its own, extends when work runs long

When a temporary machine reaches its expiry, authentication is refused and a background sweep disables it within a minute. There is no revocation step to remember, no cleanup script to run, and no stale identity left in your dashboard after the work is done.

If the engagement runs longer than planned, push the expiry forward, up to twelve months from now, with a reason that lands in the audit log. Every extension is reversible, and the machine keeps its full history either way.

Machine Lifecycle
Active: from creation until expiresAt
Expired: authentication refused, machine auto-disabled within a minute
Retained: machine and audit trail kept on record
Read the machine lifecycle docs

Guardrails scoped to this one machine

A temporary machine often runs somewhere you do not fully control, such as a contractor's laptop or a vendor's network. Pin it to guardrails that are checked on every secret read, on top of the standard access checks: a time window of specific hours and days in a timezone you choose, an IP allowlist of the CIDRs it must connect from, and a restriction on the countries it can connect from.

Each guardrail is opt-in and fails closed. An unparseable rule, or a source location that cannot be resolved, denies the read instead of letting it through. The guardrails stack with your vault-wide IP allowlist and any per-secret access policy.

SikkerKey temporary machine guardrails step showing time window, IP allowlist, and geo toggles, with the IP allowlist and country restriction enabled
Read the guardrails docs

Still a first-class machine on every request

A temporary machine is not a lesser credential. Every request it makes is Ed25519-signed, protected against replay with a single-use nonce, checked against your IP allowlist, and recorded in the audit log against that specific machine. There is no bearer token to leak and nothing to rotate.

Per-machine attribution means every secret read is logged against the temporary identity that made it. When the engagement ends, you have a complete record of exactly which secrets it touched and when.

Request Headers
X-Machine-Id: a3f8c1e2-...
X-Timestamp: 1712170800
X-Nonce: k9x2m4p7...
X-Signature: base64(ed25519(...))
Read the signed request docs

Built for short engagements

Everything a scoped, time-boxed identity needs.

Set the lifetime

From one hour to twelve months, chosen when you create the machine. It carries the expiry from its first request.

Automatic expiry

At its deadline, authentication is refused and a background sweep disables the machine within a minute. No cleanup required.

Extend and revert

Push the expiry forward, up to twelve months out, with an audited reason. Every extension can be reverted.

Per-machine guardrails

A time window, an IP allowlist, and a country restriction, each enforced on every secret read and stacked on the standard checks.

Fail-closed by design

An unparseable guardrail, or an unresolved source location, denies the read rather than allowing it.

Per-machine audit

Every read is attributed to the individual temporary machine, leaving a complete and traceable record of the engagement.

Scoped work deserves a scoped machine.

Create a temporary machine in under a minute.
