Applications

Group a service's Prod, Staging, and Dev projects under one named application.

An application is a named set of projects for one service: a Prod, a Staging, and a Dev project, created together. It sits one layer above projects, which is where the secrets, machines, and grants live; the application keeps that service's three projects together in the dashboard and the CLI.

Applications are optional. Projects can still exist on their own (standalone), and an application is never required to use SikkerKey.

What an Application Is

An application is a vault-scoped container for projects. A typical application represents one service and groups three projects, named Prod, Staging, and Dev.

Creating an application provisions those three projects in one step. Each is an ordinary project with its own encryption key, machines, secrets, and grants. The application itself stores no secrets; it exists purely to organize its projects.

An application's projects are created together with it. Existing standalone projects cannot be moved into an application, and its projects cannot be detached from it.

Every application gets a unique ID in the format app_ followed by 10 random alphanumeric characters (e.g. app_x9y8z7w6v5).

Creating an Application

From the Overview page, click the + on the Projects card and choose New application. The same menu offers New project for a standalone project, and the sidebar exposes both actions at the top of the Projects section.

Name the application (up to 100 characters), optionally add a description, and create. SikkerKey creates the application together with its Prod, Staging, and Dev projects, and drops you into Prod.

How Applications Appear

In the sidebar and on the Overview Projects card, projects are grouped under their application, which you can collapse and expand. Projects that belong to no application are listed under Standalone. The application row shows how many projects it contains, and the Overview card adds its rolled-up secret and machine totals.

Working Inside an Application

The projects inside an application behave like any other project. You add machines to Prod, Staging, or Dev individually, grant secrets per machine, bind access policies, and scope organization members, all exactly as described in Projects. The application is only how those projects are organized.

Because an application's projects are managed as a set, the individual projects cannot be renamed or deleted on their own. You manage the application as a whole.

Renaming

Rename an application or edit its description from its row in the sidebar (hover to reveal the edit action). This is a metadata-only change and does not affect the child projects, their secrets, machines, or grants.

Deleting

Deleting an application is destructive: it removes the application and every project inside it. Each project is torn down exactly as a single-project deletion is, so deleting an application permanently removes, across all of its projects:

  • All secrets, including full version history
  • All rotation schedules and managed secret agent configurations
  • All TTL secrets
  • All access policies and the bindings that referenced them
  • All machine-to-project memberships and machine-to-secret grants
  • Any organization-member capabilities scoped to those projects

Deletion requires you to type the application name exactly as confirmation, the same gravity as deleting a project. Machines and members stay in your vault and lose only their relationships to the deleted projects. This cannot be undone.

Individual projects inside an application cannot be deleted on their own; to remove one, delete the whole application.