Quickstart
From signup to a machine reading a secret in five steps.
You will create a project, store an encrypted secret, register a machine via bootstrap, grant that machine access to the secret, and fetch the value with the SDK. The whole flow takes about five minutes once you have an account.
Sign up at app.sikkerkey.com/register with your email, GitHub or Google account.
1. Create a project
After login you land on the Overview page. On the Projects card in the right column, click the + icon and choose New project. Give it a name (e.g. "production") and create. The project appears in the sidebar under Projects.
(The sidebar offers the same action at the top of the Projects section. The menu also offers New application, which creates a service's Prod, Staging, and Dev projects in one step; see Applications.)
2. Create a secret
Open the project from the sidebar to land on its secrets page. Click the + icon in the top right to open the type menu, and pick Secret. Enter a name like API_KEY, paste a value, and click Create Secret.
The value is encrypted before it is stored. The dashboard never displays the plaintext again. Only authenticated machines can read secret values.
Other secret types are available (structured, managed, TTL). For this guide stick with the single-value type.
3. Bootstrap a machine
Go to the Machines page from the sidebar and click the + icon (hover tooltip: "Validate machine"). A modal appears with a one-time bootstrap command. Select your OS and run the command on the machine that needs the secret.
Linux / macOS:
curl -sSL https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN | sh
Windows (PowerShell):
irm https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN/ps | iex
The script generates an Ed25519 keypair on the machine, sends only the public key to SikkerKey, and writes the private key to ~/.sikkerkey/vaults/{vaultId}/private.pem with owner-only permissions. The token is single-use and expires after 10 minutes.
The machine appears in your dashboard as Pending.
For CI/CD pipelines and Docker containers, skip this step and see CI/CD and Docker instead.
4. Approve, add, and grant access
Three quick dashboard actions, each required before the machine can read anything:
- On the Machines page, click Approve on the new machine.
- Open your project and go to its Machines tab. Click the + icon (hover tooltip: "Add machine to project") and select the machine.
- Click Configure next to the machine. Move the secret from Available to Granted and save.
The machine can now authenticate and read that one specific secret. Adding the machine to the project alone is not enough: every secret requires its own grant.
5. Fetch the secret
Install the SDK for your language and call getSecret:
val sk = SikkerKey("vault_a1b2c3d4e5")
val apiKey = sk.getSecret("sk_a1b2c3d4e5")
The SDK reads the local private key, signs the request with Ed25519, and returns the decrypted value.
If only one vault is registered on the machine, the SDK auto-detects it:
val sk = SikkerKey()
val apiKey = sk.getSecret("sk_a1b2c3d4e5")
Equivalent clients exist for Go, Python, Node.js, and .NET. See the SDK overview for language-specific install instructions. The CLI provides the same access from shells, scripts, and CI jobs:
sikkerkey get sk_a1b2c3d4e5
Next Steps
- Introduction: the full model and security properties
- Concepts: deeper coverage of access control and encryption
- Dashboard secrets: secret types, rotation, versioning
- Managed secrets: automated database credential rotation
- TTL secrets: one-time self-destructing secrets
- Integrations: CI/CD pipelines (GitHub, GitLab, Bitbucket) and Docker
- Organizations: invite collaborators and scope them with vault and access roles