Convert to Organization

Promote a personal vault to an organization vault so other SikkerKey users can join.

A personal vault becomes an organization through a one-way conversion from Settings. Conversion is irreversible: an organization vault cannot be downgraded back to personal. Everything in the vault stays in place; only the trust shape around it changes.

What you need first

Either a password set on your account, or a registered passkey, or both. SikkerKey requires fresh proof of presence before flipping a vault's shape, and one of those two factors is the proof. If you registered a passkey, you'll be prompted to step up with it. If you only have a password, you'll be asked for your password and your 2FA code if 2FA is on.

Walking through it

Open Settings, find the Organization card, and pick a name for your organization. The name is what invited members see on their post-login picker and what shows up in their dashboard chrome, so it should be the name of your team or company rather than an internal codename.

Click Convert to organization. SikkerKey re-prompts you for the strongest factor on your account. On success, the vault is promoted and the dashboard reloads.

What changes after conversion

  • The dashboard sidebar grows an Organization category with member roster and template editor pages.
  • Your Settings page exposes the invite flow under the Organization card.
  • Other SikkerKey users you invite can pick your vault from their post-login picker.
  • A small chrome badge in the top-left shows your organization name, distinguishing the org vault from members' personal vaults.

What does not change

  • The vault ID. Machines and SDK calls keep working with the same vault_... identifier they already had.
  • Existing projects, secrets, machines, AI agents, audit log entries, alert configurations, integrations, webhooks, IP allowlist, plan, and billing.
  • Machine authentication. Every machine continues to authenticate with its existing Ed25519 keypair; conversion has no effect on the machine plane.
  • Your role. You stay the owner of the vault. Owners hold every capability unconditionally; templates and capability gates apply only to invited members.

Picking the organization name

The name is customer-visible in three places:

  • The vault chooser when an invited member logs in.
  • The invite email and the invitee's pending-invitations panel.
  • The dashboard chrome banner while you or a member is acting inside the vault.

You can rename the organization later from the same Settings card. The vault ID never changes.

Re-authentication budget

Like every other destructive or shape-changing action, conversion is gated by the per-action attempt tracker. Repeatedly failing the password or 2FA check on this action will invalidate your current dashboard session and force you to sign in again before retrying. This protects against an attacker on a stolen session attempting to brute-force the gate at API speed.

After conversion

Head to Members to send your first invites, or Templates to author the capability bundles you'll assign to members. You don't have to do these in any particular order; an invited member with no template has no capabilities until you assign one.