SikkerKey

official

A MCP server to allow your AI agent to manage your SikkerKey secrets vault.

What can you do with Sikker Key MCP?

  • Manage secret metadata and rotation — Create, update, rotate, or rollback secrets and configure dynamic-rotation schedules with manage_secrets.
  • Query the audit log — Search activity, export CSV, and view stats or recent events using read_audit.
  • Provision and revoke machines — List, approve, rename, or revoke machines and manage their project attachments via manage_machines and manage_project_machines.
  • Configure alerts and webhooks — Set up audit-event alert rules with manage_alerts and manage outbound webhook delivery channels with manage_webhooks.
  • Issue temporary share links — Create one-shot self-destructing secret shares through manage_temporary_secrets.
  • Manage canaries and policies — Plant defensive canary secrets with manage_canaries and create access policies bound to secrets via manage_policies.

Documentation

MCP Server Overview

Manage your SikkerKey vault from Claude Code, Codex, Cursor, and other MCP-compatible AI clients.

The SikkerKey MCP server is a local binary that lets an AI client manage your vault through structured tool calls. It speaks the Model Context Protocol over stdio and exposes 17 tools for everything an AI agent should be allowed to touch: applications and projects, secret metadata, rotation schedules, access policies, canaries, machines, AI agents, enrollment tokens, audit log, alerts, webhooks, IP allowlist, SDK reference, support, and trash.

The MCP server runs locally next to the AI client. It authenticates to SikkerKey using an Ed25519 keypair bound to a per-vault AI agent identity, the same signed-request scheme the SDK and CLI use for machine identities.

An AI agent is provisioned like an organization member: it holds a set of management scopes and an access role, and its authority is bounded live by the vault role and access role of the user who created it. It can never do more than that user can do right now.

When to use it

Use the MCP server when you want an AI client (Claude Code, Codex, Cursor, etc.) to act as an operator on your vault: provision machines, plant canaries, configure policies, audit recent activity, set up alerts, draft support tickets. It is the management plane.

Use the SDKs or CLI when an application or human needs to read plaintext secret values at runtime. The MCP server cannot read plaintext. Those flows are bound to machine identities, which are a separate identity class.

What it can do

ToolPurpose
manage_projectsBrowse the applications and projects the agent can reach. Read-only; applications and projects are created by the vault owner.
manage_secretsCreate / update / rotate / rollback secrets. List metadata. Manage dynamic-rotation schedules.
manage_temporary_secretsCreate one-shot self-destructing share links.
manage_policiesCreate access policies and bind them to secrets.
manage_canariesPlant defensive canary secrets that freeze a project on unauthorized read.
manage_machinesList, approve, rename, revoke machines. View name history.
manage_ai_agentsManage other AI agents on the vault (lifecycle only; scope and access-role changes are dashboard-only).
manage_project_machinesAttach machines to projects, set per-secret grants.
manage_enrollmentIssue and revoke enrollment tokens for ephemeral machines.
manage_trashList, restore, or purge soft-deleted secrets.
manage_alertsConfigure which audit actions trigger alert dispatch.
manage_webhooksManage outbound webhook delivery channels.
manage_ipallowlistConfigure machine-auth IP allowlist.
read_auditQuery the audit log, export CSV, view stats and recent activity.
supportOpen and reply to support tickets, manage attachments.
manage_sdksLook up SikkerKey's runtime SDKs: install commands, runtime requirements, quick-start snippets.
whoamiDescribe the calling agent: its management scopes, access role, and recent activity.

What it cannot do

The MCP surface is read-blind on stored secret values. None of these are reachable through any tool:

  • Read the plaintext of an existing secret.
  • Authenticate as a machine identity to read secrets via the SDK/CLI surface.
  • Modify another AI agent's management scopes or access role (dashboard-only, to prevent privilege escalation between agents).
  • Provision new machines via the keypair-bundle download flow (token issuance is exposed; bundle download is a higher trust class and remains dashboard-only).
  • Issue new AI-agent bootstrap tokens (also dashboard-only).
  • Destroy a vault, manage billing, change account auth, or accept invitations on someone else's vault.

Write actions like manage_secrets.create and update_value accept a plaintext input from the AI, encrypt it server-side with envelope encryption, and never round-trip the value back. The response carries only an id and a version. See Security Model for the full plaintext contract.

Compatibility

The MCP server speaks protocol version 2025-11-25 and works with any client that implements MCP over stdio. Tested clients:

  • Claude Code (Anthropic CLI)
  • Codex CLI (OpenAI)
  • Cursor
  • Continue

The binary ships as a single statically-linked Go executable, no runtime dependencies. See Setup to install it and register it with your client.

Source

The MCP server is open source. The full Go source is on GitHub, released under the MIT license.

How an AI agent differs from a machine

A SikkerKey vault has two identity classes that authenticate with Ed25519 signed requests:

  • Machines consume secrets. They live in the machines table, are added to projects, granted access to specific secrets, and authenticate against the SDK / CLI surface to read plaintext at runtime.
  • AI agents manage the vault. They live in a separate AI-agents table, are provisioned like an organization member (a set of management scopes plus an access role that scopes their project reach), and authenticate against /v1/ai/... routes which never return plaintext.

The two tables are physically distinct in the database. There is no path through the MCP surface to authenticate as a machine, and the machine-auth lookups don't see AI agents. Compromising an AI agent's identity gives the attacker the agent's management capabilities, and only those. It gives no path to read stored secret values, and the capabilities themselves are bounded live by what the user who created the agent can currently do (see Security Model).

Next steps

  • Setup: install the binary, provision an AI agent, register with your AI client.
  • Tools Reference: every tool, action, and scope.
  • Security Model: authentication, authorization, plaintext contract, audit.