Organizations

Multi-user secrets vaults
with role-based access.

SikkerKey organization member roster showing usernames, vault roles, access roles, joined dates, and per-member action controls

Vault roles

A vault role sets what a member can do across the vault: manage machines and AI agents, read the audit log, configure alerts, manage the IP allowlist, invite teammates, and manage billing. Four built-in roles cover the common cases, Owner, Admin, Developer, and Collaborator. On enterprise plans you can author custom roles cell by cell. Every member holds one vault role.

SikkerKey vault role editor showing the management capability matrix with categories like Machines, AI agents, Audit log, Alerts, IP allowlist, Members, and Billing, each with checkable cells
Read the roles docs

Access roles

An access role sets which applications and projects a member can open, and what they can do in each: manage secrets by type, attach and remove machines, and author access policies. Scope it to everything, to whole applications, or to specific projects, with per-environment overrides. When a project is in scope, every capability is on by default; turn off the ones you don't need. Every member holds one access role, or none.

SikkerKey access role editor showing application and project scoping with per-project capability toggles for secrets, machines, and policies
Read the access roles docs

Switching vaults

Members sign in with their own SikkerKey credentials and pick which vault to act inside for the session, whether that's their personal vault or any organization they're a member of. Switching vaults is two clicks. Owners never see members' passwords or 2FA factors, and members never share credentials to act on your vault.

SikkerKey post-login vault picker showing a member's personal vault alongside the organization vaults they belong to, with vault names and roles
Read the vault switching docs

Audit attribution

When a member reads a secret, edits a policy, or invites a teammate, the audit log records it with their username. Members with Audit log: View see their own actions only. Audit log: View others expands the view to every actor in the vault, including other members, machines, and AI agents, so an owner gets a single trail of who did what across the org.

SikkerKey audit log filtered to show member-attributed actions with usernames, source IPs, severity badges, and timestamps
Read the members docs

Managing members

Invite teammates by email. The recipient must already have a SikkerKey account, and the response never reveals whether they do, so your dashboard can't be used to enumerate customers. Suspension cuts the member's session immediately and bars them from the vault until you unsuspend; their audit entries stay intact. Removal drops the membership. A member who wants to leave on their own opens Settings → Leave organization from inside your vault.

SikkerKey member roster row with action menu showing change vault role, change access role, suspend, and remove options
Read the lifecycle docs

More for organizations

Other features for teams sharing a vault.

Email invitations

Invite teammates by email and pre-assign a vault role. Their access role is set after they join. Invites expire after seven days.

Delegated administration

Admins can manage members and assign roles below their own. An access role can only grant access its author already holds.

Self-service leave

Members can end their own membership from Settings → Leave organization inside your vault. Their personal vault and SikkerKey account remain in place; your roster updates in real time.

Plan-based member limits

Plans cap the number of members per organization. The cap is enforced at invite-send time with a clear error pointing at your billing page.

Real-time propagation

Role changes resolve on the next request. Suspensions and removals take effect immediately.

Trust separation

Dashboard membership decides what humans can do in the editor. Machine identity decides what workloads can read at runtime. The two planes are deliberately independent.

Convert your vault to an organization

Invite your team, assign roles, and attribute every action by username. No credit card required.

Start for Free