Tokens leak. Machines don't.
API keys can be stolen. A private key can't leave the machine. No tokens. No rotation. No leakage surface. No request, no decryption. Ever.
Nobody copies SSH private keys between servers.
Nobody should copy API tokens either.
The token problem
- API keys get committed to repositories
- Service account credentials get shared over chat
- Tokens need rotation schedules and monitoring
- IAM policies grow into unreadable permission mazes
- A leaked token compromises every secret it can access
The SikkerKey approach
- Every request is signed with a private key that never leaves the machine
- Nothing to copy, nothing to paste, nothing to share
- No tokens, sessions, or API keys anywhere in the system
- Per-secret access grants, not broad IAM policies
- Compromise one machine, learn nothing about any other
One bootstrap. Cryptographic identity forever.
A single command registers your machine and generates its keypair. From that point on, every request is signed. No credentials to rotate, no tokens to expire.
Bootstrap
Generate a one-time registration code from the dashboard. Run one curl command. The machine generates an Ed25519 keypair and registers its public key.
Approve & grant
Review and approve the machine. Add it to a project and grant access to specific secrets. No wildcards, no inheritance.
Authenticate
Every request is signed with the machine's private key. SikkerKey verifies the signature, checks all five access requirements, and returns the secret.
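The bootstrap, grant and authenticate steps above, sketched as an added Go example; it is not SikkerKey's code or wire format. The `Request` layout, the timestamp-plus-nonce replay defence, the grant map and every name here are assumptions, and the checks shown are not a list of the five access requirements the page mentions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Request is a hypothetical signed request (assumed layout, not SikkerKey's wire format).
type Request struct {
	MachineID, SecretID, Nonce string
	Timestamp                  int64
	Sig                        []byte
}

// message is the byte string the signature covers; %q keeps field boundaries unambiguous.
func (r Request) message() []byte { return []byte(fmt.Sprintf("%q|%q|%q|%d", r.MachineID, r.SecretID, r.Nonce, r.Timestamp)) }

type Server struct {
	Keys         map[string]ed25519.PublicKey // public keys only, one per registered machine
	Grants, Seen map[string]bool              // keyed "machine/secret" and "machine/nonce"
	MaxAge       time.Duration                // how far a timestamp may differ from server time
}

// Verify checks signature, freshness, nonce reuse and the per-secret grant, in that order.
func (s *Server) Verify(r Request, now time.Time) error {
	pub, ok := s.Keys[r.MachineID]
	age := now.Sub(time.Unix(r.Timestamp, 0))
	switch {
	case !ok || !ed25519.Verify(pub, r.message(), r.Sig):
		return errors.New("bad signature")
	case age < -s.MaxAge || age > s.MaxAge:
		return errors.New("stale request")
	case s.Seen[r.MachineID+"/"+r.Nonce]:
		return errors.New("replayed request")
	case !s.Grants[r.MachineID+"/"+r.SecretID]:
		return errors.New("no grant for secret")
	}
	s.Seen[r.MachineID+"/"+r.Nonce] = true // entries older than MaxAge can be evicted
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo keypair; priv stays on the machine
	s := &Server{Keys: map[string]ed25519.PublicKey{"m1": pub}, Grants: map[string]bool{"m1/db": true}, Seen: map[string]bool{}, MaxAge: time.Minute}
	req := Request{MachineID: "m1", SecretID: "db", Nonce: "n-001", Timestamp: time.Now().Unix()}
	req.Sig = ed25519.Sign(priv, req.message()) // runs on the machine; only the signature is sent
	fmt.Println(s.Verify(req, time.Now()), s.Verify(req, time.Now())) // first accepted, identical replay rejected
}
```

Because the signature covers the secret ID, nonce and timestamp, a captured request cannot be re-sent or redirected at another secret without failing one of the checks.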
How SikkerKey compares
SikkerKey takes a fundamentally different approach to machine authentication and secrets access control.
| Capability | SikkerKey | Token-based managers |
|---|---|---|
| No credentials to leak | ✓ | ✗ |
| Per-secret access grants | ✓ | Per-path or per-project |
| Replay attack protection | Cryptographically prevented | Depends on TLS |
| Machine identity verification | Cryptographic proof | Bearer token |
| Credential rotation needed | Never | Periodically |
| Envelope encryption at rest | ✓ AES-256-GCM | Varies |
| Immutable audit trail | ✓ | ✓ |
Everything you need. Nothing you don't.
Built for teams that want strong security without the operational overhead.
Three-layer envelope encryption
Every secret has its own AES-256 data key, wrapped by a project master key, protected by a server key that exists only in memory. A database breach reveals nothing.
Every access logged, every denial traced
Every read, write, and denied access is logged with machine identity, source IP, and timestamp. Exportable, filterable, alertable.
Machine-level access control for teams
Invite team members with granular permissions. Control who can view machines, manage projects, or configure per-secret access grants.
Automatic secret rotation without client changes
Configure secrets to rotate on a schedule. SikkerKey generates new values automatically. Machines always retrieve the current value, no redeployment needed.
Native SDKs, zero-dependency CLI
SDKs for Go, Python, Node.js, Kotlin, and .NET. A single-binary CLI that injects secrets as environment variables. All use Ed25519 machine auth.
Signed webhook alerts with delivery guarantees
HMAC-signed HTTP callbacks when secrets are accessed, machines register, or permissions change. Retries with backoff, unique delivery IDs for deduplication.
Simple, transparent pricing
Free tier includes machine authentication, encrypted vaults, and audit logging. Scale as your team grows.
Ready to try a different approach?
Create a vault, bootstrap a machine, and retrieve your first secret in under five minutes. No credit card required.