Quickstart
From signup to a machine reading a secret in five steps.
You will create a project, store an encrypted secret, register a machine via bootstrap, grant that machine access to the secret, and fetch the value with the SDK. The whole flow takes about five minutes once you have an account.
Sign up at app.sikkerkey.com/register with email or GitHub, verify your email, and continue.
1. Create a project
After login you land on the Overview page. On the Projects card in the right column, click the + icon to open the new project dialog. Give it a name (e.g. "production") and create. The project appears in the sidebar under Projects.
(The sidebar also has a + next to the Projects label that opens the same dialog.)
2. Create a secret
Open the project from the sidebar to land on its secrets page. Click the + icon in the top right to open the type menu, and pick Secret. Enter a name like API_KEY, paste a value, and click Create Secret.
The value is encrypted before it is stored. The dashboard never displays the plaintext again. Only authenticated machines can read secret values.
Other secret types are available (structured, managed, TTL). For this guide stick with the single-value type.
3. Bootstrap a machine
Go to the Machines page from the sidebar and click the + icon (hover tooltip: "Validate machine"). A modal appears with a one-time bootstrap command. Select your OS and run the command on the machine that needs the secret.
Linux / macOS:
curl -sSL https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN | sh
Windows (PowerShell):
irm https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN/ps | iex
The script generates an Ed25519 keypair on the machine, sends only the public key to SikkerKey, and writes the private key to ~/.sikkerkey/vaults/{vaultId}/private.pem with owner-only permissions. The token is single-use and expires after 10 minutes.
The machine appears in your dashboard as Pending.
For CI/CD pipelines and Docker containers, skip this step and use the Integrations page instead.
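To confirm on the machine that the key written in this step is readable only by its owner, the following check can be run after bootstrap. It is an added example, not part of the SikkerKey tooling: the function name `audit_sikkerkey_keys` and its exit codes are assumptions of this example, and only the path layout is taken from the description above.

```shell
#!/bin/sh
# Added example: audit the private keys written by the bootstrap step.
# Layout taken from the page: <base>/vaults/<vaultId>/private.pem
# The function name and return codes are this example's own.

audit_sikkerkey_keys() {
    base=${1:-"$HOME/.sikkerkey"}
    vaults=0
    loose=0

    for key in "$base"/vaults/*/private.pem; do
        # An unmatched glob stays literal; skip it.
        [ -e "$key" ] || continue
        vaults=$((vaults + 1))

        # First 10 characters of ls -l output: file type + permission bits.
        mode=$(ls -ld "$key" | cut -c1-10)
        case "$mode" in
            -???------)
                # Regular file, no group or other access.
                echo "ok     $mode  $key" ;;
            *)
                # Group/other bits set, or not a regular file (e.g. symlink).
                echo "CHECK  $mode  $key  (expected a regular file, mode 600)"
                loose=$((loose + 1)) ;;
        esac
    done

    if [ "$vaults" -eq 0 ]; then
        echo "no registered vaults under $base"
        return 2
    fi

    # A count of 1 is the case where the SDK can auto-detect the vault.
    echo "vaults: $vaults, keys not owner-only: $loose"
    [ "$loose" -eq 0 ]
}
```

Call it as `audit_sikkerkey_keys` (defaults to `~/.sikkerkey`) or pass another base directory. It returns 0 when every key is owner-only, 1 when any key needs attention, and 2 when no vault is registered.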
4. Approve, add, and grant access
Three quick dashboard actions, each required before the machine can read anything:
- On the Machines page, click Approve on the new machine.
- Open your project and go to its Machines tab. Click the + icon (hover tooltip: "Add machine to project") and select the machine.
- Click Configure next to the machine. Move the secret from Available to Granted and save.
The machine can now authenticate and read that one specific secret. Adding the machine to the project alone is not enough: every secret requires its own grant.
5. Fetch the secret
Install the SDK for your language and call getSecret:
val sk = SikkerKey("vault_a1b2c3d4e5")
val apiKey = sk.getSecret("sk_a1b2c3d4e5")
The SDK reads the local private key, signs the request with Ed25519, and returns the decrypted value.
If only one vault is registered on the machine, the SDK auto-detects it:
val sk = SikkerKey()
val apiKey = sk.getSecret("sk_a1b2c3d4e5")
Equivalent clients exist for Go, Python, Node.js, and .NET. See the SDK overview for language-specific install instructions. The CLI provides the same access from shells, scripts, and CI jobs:
sikkerkey get sk_a1b2c3d4e5
Next Steps
- Introduction: the full model and security properties
- Concepts: deeper coverage of access control and encryption
- Dashboard secrets: secret types, rotation, versioning
- Managed secrets: automated database credential rotation
- TTL secrets: one-time self-destructing secrets
- Integrations: GitHub, GitLab, Bitbucket, Docker, Kubernetes
- Organizations: invite collaborators under capability templates you author