Projects

How projects group secrets, machines, and access in SikkerKey.

Projects are the organizational unit inside your vault. Every secret belongs to exactly one project. Machines are added to specific projects. Organization members are scoped to specific projects. Nothing crosses a project boundary without an explicit grant.

Creating a Project

From the Overview page, click the + icon on the Projects card to open the new project dialog. The sidebar also has a + next to the Projects label that opens the same dialog.

Name the project (up to 100 characters), optionally add a description, and create it. It appears in the sidebar under Projects.

Project IDs

Every project gets a unique ID in the format proj_ followed by 10 random alphanumeric characters (e.g. proj_x9y8z7w6v5). The ID is what you pass to the SDK and CLI. You can copy it from the project header on the secrets page.

What a Project Groups

  • Secrets you create inside it (single-value, structured, managed, or TTL)
  • Machines you have added to it
  • Organization members scoped to it
  • Access policies scoped to it (see Access Policies)

Adding any of these to a project never implies access by itself. Each relationship is a separate explicit grant.

The project sidebar surfaces three sub-pages for each project: Secrets, Policies, and Machines. Policies are project-scoped, reusable bundles of access constraints (time windows, IP allowlists, rate caps, co-sign, lifecycle triggers). They are opt-in: a policy applies to a secret only once you bind it. Read the dedicated Access Policies page for the full model.

Machines in a Project

A machine registered with your vault is not automatically in any project. From the project's Machines tab, click the + icon (hover tooltip: "Add machine to project") and pick the machine.

Adding a machine only makes it eligible to receive secret grants in the project. It cannot read anything until you configure the grants.

Granting Secret Access

Click Configure next to the machine to open the access panel. Move secrets from Available to Granted and save. The machine can now read the granted secrets and nothing else.

There is no wildcard, no "grant all", no inheritance. A machine in a project with access to the database password cannot read the Stripe key in the same project unless you grant it explicitly.

To revoke access, move secrets back to Available and save. The revocation takes effect on the machine's next request.

Removing a Machine from a Project

Removing a machine from a project revokes all its secret grants within the project immediately. The machine itself stays registered in your vault and can be added to other projects without re-bootstrapping.

Organization Members

If you convert your vault to an organization, other people can act inside it. A member's access to a project is governed by their permission template: the capabilities it grants intersected with their project scope, which is either every project or a specific list. A member sees and acts on only the projects in their scope.

Secret management in the dashboard never exposes plaintext. Even a member with full secret-management capability works on metadata and configuration; reading a raw value always requires an authenticated machine with its own per-secret grant.

The project-scoped capabilities that apply here are Secrets: Create / Manage / Delete, Policies: View / Manage, and Project machines: View / Manage. They are assigned through templates rather than toggled per project, so the full model lives in the Organizations docs: see Templates for authoring and assigning them and the Capabilities reference for what each one gates.
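
The machine grant rules and the member scope rule described above, modelled in Python as an added example. This is not SikkerKey code or its SDK: the class, the function, the machine and secret names, and the "all" scope marker are hypothetical, and accepting both upper- and lower-case letters in the ID is an assumption.

```python
import re
from dataclasses import dataclass, field

# Format stated on this page: "proj_" + 10 alphanumeric characters (case is assumed).
PROJECT_ID = re.compile(r"proj_[A-Za-z0-9]{10}")

@dataclass
class Project:
    project_id: str
    secrets: set = field(default_factory=set)
    machines: set = field(default_factory=set)
    grants: set = field(default_factory=set)  # explicit (machine, secret) pairs

    def __post_init__(self):
        if not PROJECT_ID.fullmatch(self.project_id):
            raise ValueError("malformed project ID")

    def add_machine(self, machine):
        # Membership only makes the machine eligible; it grants nothing.
        self.machines.add(machine)

    def grant(self, machine, secret):
        if machine not in self.machines or secret not in self.secrets:
            raise PermissionError("machine and secret must both be in this project")
        self.grants.add((machine, secret))

    def revoke(self, machine, secret):
        self.grants.discard((machine, secret))

    def remove_machine(self, machine):
        # Removal drops every grant the machine held in this project.
        self.machines.discard(machine)
        self.grants = {g for g in self.grants if g[0] != machine}

    def can_read(self, machine, secret):
        # Deny by default: an exact (machine, secret) grant, no wildcard or inheritance.
        return machine in self.machines and (machine, secret) in self.grants


def member_can(template_caps, scope, project_id, capability):
    # Member rule: template capabilities intersected with project scope.
    # scope is the string "all" or a set of project IDs.
    in_scope = scope == "all" or project_id in scope
    return in_scope and capability in template_caps
```

In this model, re-adding a removed machine does not bring back its earlier grants; each one has to be granted again.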

Renaming or Editing

In the sidebar, hover over a project to reveal the edit icon. Click it to open the edit dialog and update the name or description. This is a metadata-only change: encryption, machines, secrets, and grants are unaffected.

Deleting

Hover over a project in the sidebar to reveal the delete icon. Deletion requires you to type the project name exactly as confirmation.

Deleting a project permanently removes:

  • All secrets in the project, including full version history
  • All rotation schedules and managed secret agent configurations
  • All TTL secrets created in the project
  • All access policies scoped to the project, and the bindings that referenced them
  • All machine-to-project memberships for this project
  • All machine-to-secret grants for the project's secrets
  • Any organization-member capabilities scoped to this project

Machines and members remain in your vault. They lose only their relationships to the deleted project.

This cannot be undone.