Quickstart

Register a machine and fetch a secret in under 5 minutes.

This guide walks you through creating a vault, storing a secret, registering a machine, and fetching the secret programmatically.

1. Create an Account

Sign up at app.sikkerkey.com/register with email or GitHub. Verify your email to unlock full dashboard access.

2. Create a Project

Projects group your secrets by environment or service. In the dashboard sidebar, click New Project, give it a name (e.g. "production"), and optionally a description.

Once created, the project appears in your sidebar and you're taken to the secrets page.

3. Create a Secret

Click + New Secret in the top right and select the type:

  • Secret: a single value (API key, password, token)
  • Structured Secret: multiple named fields (host, username, password)
  • Managed Secret: database credentials that auto-rotate and sync to your database
  • TTL Secret: a one-time self-destructing secret for sharing credentials securely

For this quickstart, select Secret. Enter a name (e.g. "API_KEY") and a value. Click Create Secret.

4. Register a Machine

Go to the Machines page and click + Validate. A modal appears with a bootstrap command. Select your OS and copy the command.

Linux / macOS:

curl -sSL https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN | sh

Windows (PowerShell):

irm https://api.sikkerkey.com/v1/bootstrap/YOUR_TOKEN/ps | iex

This generates an Ed25519 keypair on your machine, sends only the public key to SikkerKey, and stores the private key locally at ~/.sikkerkey/vaults/{vaultId}/.

The token expires in 10 minutes and can only be used once.

5. Approve the Machine

The newly registered machine appears in the dashboard as Pending. Click Approve to enable it.

6. Add Machine to Project

Go to your project's page and open the Machines tab. Click + Add Machine To Project and select the machine you just approved.

7. Grant Secret Access

After adding the machine to the project, click Configure next to the machine. This opens the access panel where you select which specific secrets the machine can read.

Move the secrets you want from Available to Granted and save.

8. Fetch the Secret

Install the SDK for your language and fetch the secret:

Kotlin:

val sk = SikkerKey("vault_abc123")
val apiKey = sk.getSecret("sk_a1b2c3d4e5")

Go:

sk, _ := sikkerkey.New("vault_abc123")
apiKey, _ := sk.GetSecret("sk_a1b2c3d4e5")

Python:

from sikkerkey import SikkerKey

sk = SikkerKey("vault_abc123")
api_key = sk.get_secret("sk_a1b2c3d4e5")

Node.js:

import { SikkerKey } from '@sikkerkey/sdk'

const sk = SikkerKey.create('vault_abc123')
const apiKey = await sk.getSecret('sk_a1b2c3d4e5')

C# (.NET):

var sk = SikkerKeyClient.Create("vault_abc123");
var apiKey = await sk.GetSecretAsync("sk_a1b2c3d4e5");

If you only have one vault registered on the machine, you can omit the vault ID and the SDK auto-detects it:

val sk = SikkerKey()
val apiKey = sk.getSecret("sk_a1b2c3d4e5")

9. Using the CLI

The CLI can also read secrets. After bootstrap, set up the CLI:

# Select the vault (skip if only one vault is registered)
sikkerkey connect vault_abc123

# Unlock a project (verifies machine access)
sikkerkey unlock proj_abc123

Then read secrets:

# Read a secret
sikkerkey get sk_a1b2c3d4e5

# Read a specific field from a structured secret
sikkerkey get sk_db_prod password

# List all accessible secrets
sikkerkey list secrets

# Export all secrets as environment variables
sikkerkey export

# Inject secrets into a command's environment
sikkerkey run -- ./my-app

10. Structured Secrets

If you created a structured secret with fields, read individual fields via the SDK:

val creds = sk.getFields("sk_db_prod")
val host = creds["host"]
val password = creds["password"]

Or fetch a single field:

password = sk.get_field("sk_db_prod", "password")

Or via the CLI:

sikkerkey get sk_db_prod password

Next Steps