Structured Secrets
Multi-field secrets in SikkerKey. Store related credentials as named key-value pairs with per-field rotation.
A structured secret stores multiple named fields as a single encrypted unit. Use this when a secret has several related values that belong together, like database credentials (host, username, password) or an OAuth config (client ID, client secret, redirect URL).
The fields are serialized to JSON and encrypted as a single blob with the same envelope encryption as regular secrets. The field names are stored as unencrypted metadata so the dashboard can display them; only the field values are encrypted. Because field names are not encrypted, keep sensitive information out of them.
Creating a Structured Secret
From the Secrets page, click + New Secret and select Structured Secret.
Add field name/value pairs:
| Field | Value |
|---|---|
| host | db.example.com |
| username | admin |
| password | hunter2 |
Field names must be unique within the secret. Leave a field's value blank to have SikkerKey auto-generate it on save.
All create, replace, and rotate operations happen from the dashboard. The CLI and SDKs are read-only and cannot create or modify secrets.
Reading Fields
Machines read structured secrets through the SDK or the CLI.
SDK
```python
# Python
db = sk.get_fields("sk_db_prod")
host = db["host"]  # "db.example.com"
password = sk.get_field("sk_db_prod", "password")
```

```kotlin
// Kotlin
val db = sk.getFields("sk_db_prod")
val host = db["host"]
val password = sk.getField("sk_db_prod", "password")
```

```go
// Go
db, _ := sk.GetFields("sk_db_prod")
host := db["host"]
password, _ := sk.GetField("sk_db_prod", "password")
```
Calling getSecret() on a structured secret returns the raw JSON string.
CLI
```bash
# Get all fields (prints JSON)
sikkerkey get sk_db_prod

# Get a single field
sikkerkey get sk_db_prod password
```
sikkerkey list marks structured secrets with a [structured] tag so you can tell them apart from single-value secrets.
Replacing Values
Click a secret to expand it. You get labeled inputs for each field. Change the values you need and confirm.
Replacing updates all fields at once, encrypts with a new data key, and creates a new version. Done from the dashboard only.
Rotating Fields
Click Rotate on a structured secret. Pick which fields to rotate. Unselected fields keep their current values. Each rotation creates a new version. Done from the dashboard only.
Available charsets: symbols (default), alphanumeric, numbers, uuid.
Automatic Rotation
When creating a structured secret, you can check Enable automatic rotation. When enabled:
- You mark which fields should rotate and which stay static
- Fields marked for rotation have their values auto-generated (you do not provide values for them)
- Static fields require values upfront
- You configure the rotation interval (minimum 5 minutes), generated length, and charset
- Only the marked fields change on each rotation
- Manual replace and rotate are disabled while rotation is active
Example: a database credential where host and username are static, and password rotates every 6 hours.
Expanding a rotating structured secret on the Secrets page shows the schedule editor where you can pause, resume, change the interval, or modify which fields rotate.
Exporting
Structured secrets are flattened when exported: each field becomes its own variable. Field names are uppercased and joined with underscores.

```bash
sikkerkey export --format env
```
Output:
```
DB_CREDS_HOST=db.example.com
DB_CREDS_USERNAME=admin
DB_CREDS_PASSWORD=hunter2
```
The same flattening applies to sikkerkey run, which injects secrets as environment variables:
```bash
sikkerkey run --all -- ./my-app
# my-app sees DB_CREDS_HOST, DB_CREDS_USERNAME, DB_CREDS_PASSWORD in its environment
```
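The flattening described above can produce two variables with the same name, or a name that is not a valid environment variable, and a consumer that injects the result into a process should reject both rather than overwrite silently. The following is an added example, not SikkerKey's own code: `flatten_structured` and `merge_env` are hypothetical helpers, the `DB_CREDS` prefix is taken from the export output above, and the exact naming rule (uppercase, joined with `_`) is assumed from that output.

```python
import json
import re

# Environment variable name: letters, digits, underscore; no leading digit.
_ENV_NAME = re.compile(r"^[A-Z_][A-Z0-9_]*$")


def flatten_structured(prefix: str, raw_json: str) -> dict:
    """Flatten one structured secret (raw JSON object) into PREFIX_FIELD pairs.

    Assumption: names are uppercased and joined with "_", as in the page's
    export output. Illustration only, not SikkerKey's implementation.
    """
    fields = json.loads(raw_json)
    if not isinstance(fields, dict):
        raise ValueError("structured secret must be a JSON object")
    env = {}
    for field, value in fields.items():
        if not isinstance(value, str):
            raise ValueError(f"field {field!r} is not a string")
        name = f"{prefix}_{field}".upper()
        if not _ENV_NAME.match(name):
            raise ValueError(f"{name!r} is not a valid environment variable name")
        if name in env:
            # e.g. fields "Host" and "host" both flatten to PREFIX_HOST
            raise ValueError(f"fields collide on {name!r}")
        env[name] = value
    return env


def merge_env(*flattened: dict) -> dict:
    """Merge several flattened secrets, refusing silent overwrites."""
    merged = {}
    for env in flattened:
        clash = merged.keys() & env.keys()
        if clash:
            # e.g. secret DB + field creds_host vs secret DB_CREDS + field host
            raise ValueError(f"variable defined by two secrets: {sorted(clash)}")
        merged.update(env)
    return merged


# Constructed sample: the field values from the example table on this page.
SAMPLE = '{"host": "db.example.com", "username": "admin", "password": "hunter2"}'

if __name__ == "__main__":
    for key in flatten_structured("DB_CREDS", SAMPLE):
        print(key)  # print names only; values stay out of the terminal
```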
Everything Else
Version history, deletion, machine access, and dashboard display work identically to single-value secrets. The only differences are the multi-field UI and the per-field rotation options.