# SikkerKey

> EU-native secrets manager and vault that authenticates machines via Ed25519 signed requests instead of bearer tokens, with support for AI agents, access policies, and multi-cloud workloads.

SikkerKey is a secrets manager and vault built and hosted in the European Union by a Danish team. It stores credentials — database URLs, API keys, signing keys — and authenticates every machine that reads them using Ed25519 signed requests rather than bearer tokens, so there is no transferable credential sitting on a workload's filesystem to leak. The product grew out of SikkerAPI, a threat-intelligence service that ran a global honeypot network using the same signed-request machine authentication model.

## What It Is

SikkerKey is a SaaS secrets management platform in the same category as Doppler, AWS Secrets Manager, Akeyless, and Infisical. Its core job is to store encrypted credentials and deliver them securely to the applications and infrastructure that need them. What distinguishes it from most competitors is the authentication primitive: instead of issuing a bearer token that a workload presents on each API call, SikkerKey registers each machine's Ed25519 public key and requires every request to carry a fresh signature computed from the private key that never leaves the host. The signature commits to the method, path, body, timestamp, and a one-time nonce, making captured requests non-replayable. Timestamps expire after five minutes and every nonce is single-use.
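The sign-and-verify flow this paragraph describes, as an added illustration written for this page in Go with only the standard library (it is not SikkerKey's code or wire format): the workload signs a canonical string binding method, path, a SHA-256 of the body, a Unix timestamp and a random nonce; the vault side rejects requests outside the five-minute window, any reuse of a nonce, and anything that does not verify under the machine's registered public key. The canonical layout, the 16-byte hex nonce and Unix-second timestamps are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SignedRequest carries the fields the signature commits to.
type SignedRequest struct {
	Method, Path, Body, Nonce string
	Timestamp                 int64 // Unix seconds (assumed encoding)
	Signature                 []byte
}

// canonical binds method, path, body hash, timestamp and nonce; altering any field breaks the signature (layout assumed).
func canonical(r SignedRequest) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%x\n%d\n%s",
		r.Method, r.Path, sha256.Sum256([]byte(r.Body)), r.Timestamp, r.Nonce))
}

// Sign is the workload side: the private key never leaves the host.
func Sign(priv ed25519.PrivateKey, method, path, body string, now time.Time) (SignedRequest, error) {
	nonce := make([]byte, 16) // single-use random nonce (size assumed)
	if _, err := rand.Read(nonce); err != nil {
		return SignedRequest{}, err
	}
	r := SignedRequest{Method: method, Path: path, Body: body,
		Nonce: fmt.Sprintf("%x", nonce), Timestamp: now.Unix()}
	r.Signature = ed25519.Sign(priv, canonical(r))
	return r, nil
}

// Verify is the vault side for one machine key; seen is its used-nonce set, recorded only after the signature checks out.
func Verify(pub ed25519.PublicKey, seen map[string]bool, r SignedRequest, now time.Time) error {
	if d := now.Unix() - r.Timestamp; d > 300 || d < -300 { // five-minute window
		return errors.New("timestamp outside window")
	}
	if seen[r.Nonce] {
		return errors.New("nonce already used")
	}
	if !ed25519.Verify(pub, canonical(r), r.Signature) {
		return errors.New("invalid signature")
	}
	seen[r.Nonce] = true
	return nil
}
```

Because stale timestamps are rejected before the nonce lookup, the seen set only has to retain nonces for the five-minute window, which keeps replay protection bounded in memory.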

## Encryption and Secret Storage Architecture

Secrets are protected with three-layer envelope encryption. Each secret is encrypted with its own AES-256-GCM data key; that data key is encrypted with a per-project master key; the master key is encrypted with a root key held on separate, isolated infrastructure — not in a third-party KMS and not on the systems that store the data. Each version of a secret has its own data key, so rollback to a prior version decrypts independently without sharing keys with newer versions.

Key storage features include:
- Single-value, structured (multi-field), managed, TTL-bounded, and canary secret types
- Version history and rollback
- Manual and automatic rotation (whole-secret or per-field) for PostgreSQL, MySQL, Redis, and MongoDB
- Canary secrets that lock the entire project in the same database transaction as the first read, optionally extending the lockdown to every other project the same machine can access
- Trash and restore

## Machine Identity and Access Policies

SikkerKey models four distinct identity classes: long-lived machines (servers, services), ephemeral machines (CI runners, autoscaled pods), temporary machines (contractors, incidents, migrations), and AI agents. Each class has its own enrollment path and capability surface.

Access policies stack multiple constraints onto a single policy object that can be bound to any secret:
- Time-of-day windows and business-hours locks
- IP allowlists and country (ISO-3166) allowlists
- Rate caps and TTL-bounded read counts
- Co-sign (multi-party approval)
- Rotate-after-read (canary trigger)

Ephemeral machine enrollment tokens can enforce hostname regex matching, source CIDR ranges, and name templates, and auto-expire machines after a configurable lifetime.

## AI Agent Integration

SikkerKey treats AI agents as a structurally separate identity class stored in a distinct database table with its own scope catalog. The routes that return decrypted secret values look up the machine table and do not accept an agent identity as a caller — the separation is enforced at the data layer, not by a policy check. An agent granted every management scope (rotate secrets, configure policies, audit reads, manage machines) still cannot fetch a stored secret value. The product ships a plaintext-blind MCP server compatible with Claude Code, Codex, and Cursor.

## Platform and Integration Coverage

SikkerKey is cloud-agnostic by design. The same bootstrap script runs on EC2, GKE, AKS, Hetzner, Vercel, Fly.io, on-prem racks, and developer laptops without requiring IAM federation, OIDC bridges, or cloud-specific trust anchors.

Native SDKs are available for Node.js, Python, Go, Kotlin/JVM, .NET, and PHP. Container and orchestration integrations cover Docker, Podman, Kubernetes, Helm, Nomad, and OpenShift. CI/CD integrations include GitHub Actions, GitLab CI, Bitbucket, Jenkins, CircleCI, Buildkite, TeamCity, Travis CI, and Drone. PaaS integrations include Vercel, Netlify, Railway, Render, and Fly.io. A single-binary CLI and a signed HTTPS API cover everything else.

## EU Jurisdiction and Origin

The vault, dashboard, API, audit log, and rotation worker run on SikkerKey's infrastructure inside the European Union, under EU law, operated from Denmark. The product is positioned as the European alternative for teams whose compliance or data-residency requirements preclude storing sensitive credentials on platforms governed outside the EU. SikkerKey is SaaS-only; running the vault in a customer's own data center is explicitly not supported.

## Features
- Ed25519 signed request machine authentication
- Three-layer envelope encryption (AES-256-GCM)
- Canary secrets with project lockdown on first read
- Structured multi-field secrets with per-field grants
- Secret version history and rollback
- Manual and automatic secret rotation (PostgreSQL, MySQL, Redis, MongoDB)
- Access policies with time windows, IP allowlists, rate caps, co-sign, and TTL
- Long-lived, ephemeral, and temporary machine identity classes
- AI agent identity class structurally read-blind on secret values
- Plaintext-blind MCP server for Claude Code, Codex, and Cursor
- Single-binary CLI and sync agent
- Native SDKs for Node.js, Python, Go, Kotlin/JVM, .NET, and PHP
- Audit log with CSV export and severity-tagged alerts
- HMAC-signed webhooks with SSRF protection
- SSO (SAML 2.0)
- Passkeys (WebAuthn) and two-factor authentication
- EU-hosted infrastructure under EU jurisdiction
- Cloud-agnostic bootstrap (no IAM federation required)
- Trash and restore for secrets
- CI template builder for ephemeral machine enrollment

## Integrations
Node.js, Python, Go, Kotlin / JVM, .NET, PHP, Docker, Podman, Kubernetes, Helm, Nomad, OpenShift, Raspberry Pi, GitHub Actions, GitLab CI, Bitbucket, Jenkins, CircleCI, Buildkite, TeamCity, Travis CI, Drone, Argo, Vercel, Netlify, Railway, Render, Fly.io, DigitalOcean, Claude Code, Codex, Cursor, PostgreSQL, MySQL, Redis, MongoDB, Supabase

## Platforms
Web, API, CLI, developer SDK

## Pricing
Freemium — Free tier available with paid upgrades

## Links
- Website: https://sikkerkey.com
- Documentation: https://docs.sikkerkey.com/
- Repository: https://github.com/SikkerKeyOfficial
- EveryDev.ai: https://www.everydev.ai/tools/sikkerkey
