SikkerKey Python SDK — read secrets with Ed25519 machine authentication

SikkerKey Python SDK

The official Python SDK for SikkerKey. Read-only access to secrets using Ed25519 machine authentication.

Installation

pip install sikkerkey

Requires Python 3.10+. Single dependency: cryptography (for Ed25519 signing).

Quick Start

from sikkerkey import SikkerKey

sk = SikkerKey("vault_abc123")
api_key = sk.get_secret("sk_stripe_key")

The SDK reads the machine identity from ~/.sikkerkey/vaults/<vault-id>/identity.json, signs every request with the machine's Ed25519 private key, and returns the decrypted value.

Client Creation

# Explicit vault ID
sk = SikkerKey("vault_abc123")

# Direct path to identity file
sk = SikkerKey("/etc/sikkerkey/vaults/vault_abc123/identity.json")

# Auto-detect from SIKKERKEY_IDENTITY env or single vault on disk
sk = SikkerKey()

Raises ConfigurationError if the identity is missing, the key can't be loaded, or multiple vaults exist without a specified vault ID.

Reading Secrets

Single Value

api_key = sk.get_secret("sk_stripe_prod")

Structured (Multiple Fields)

fields = sk.get_fields("sk_db_prod")
host = fields["host"]       # "db.example.com"
password = fields["password"]  # "hunter2"

Raises SecretStructureError if the secret value is not a JSON object.

Single Field

password = sk.get_field("sk_db_prod", "password")

Raises FieldNotFoundError if the field doesn't exist. The error message includes available field names.

Listing Secrets

# All secrets this machine can access
secrets = sk.list_secrets()
for s in secrets:
    print(f"{s.id}: {s.name}")

# Secrets in a specific project
secrets = sk.list_secrets_by_project("proj_production")

Each SecretListItem has id, name, field_names (None for single-value), and project_id.

Export

# All secrets as a flat dict
env = sk.export()
# {"API_KEY": "sk-live-...", "DB_CREDS_HOST": "db.example.com", "DB_CREDS_PASSWORD": "s3cret"}

# Scoped to a project
env = sk.export("proj_production")

# Inject into environment
import os
os.environ.update(sk.export())

Structured secrets are flattened to one key per field, named SECRET_NAME_FIELD_NAME.
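The flattening rule has two edge cases worth checking before injecting an export into a process environment: two secrets can flatten to the same variable name, and an exported name can replace a variable that already exists. The sketch below is an added example, not the SDK's code; the upper-casing and "_" join are assumed from the sample output above, and `flatten` and `merge_without_override` are hypothetical helper names.

```python
import json


def flatten(secrets):
    """Map {secret_name: raw_value} to environment-style keys.

    A value that parses as a JSON object is treated as a structured secret.
    Upper-casing and the "_" join are assumed from the sample output.
    """
    env, origin = {}, {}
    for name, raw in secrets.items():
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = None
        if isinstance(parsed, dict):
            pairs = [(f"{name}_{field}", str(value)) for field, value in parsed.items()]
        else:
            pairs = [(name, raw)]
        for key, value in pairs:
            key = key.upper()
            if key in env:
                # Two different secrets flattened to the same variable name.
                raise ValueError(f"{key} comes from both {origin[key]!r} and {name!r}")
            env[key], origin[key] = value, name
    return env


def merge_without_override(environ, exported):
    """Return a new environment; refuse to replace variables that already exist."""
    clash = sorted(set(environ) & set(exported))
    if clash:
        raise ValueError(f"export would overwrite: {', '.join(clash)}")
    return {**environ, **exported}
```

Passing the merged dict as `env=` to a single child process keeps the secrets out of the parent's own environment.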

Multi-Vault

prod = SikkerKey("vault_a1b2c3")
staging = SikkerKey("vault_x9y8z7")

prod_key = prod.get_secret("sk_api_key")
staging_key = staging.get_secret("sk_api_key")

List Registered Vaults

vaults = SikkerKey.list_vaults()
# ["vault_a1b2c3", "vault_x9y8z7"]

Machine Info

sk.machine_id    # "550e8400-e29b-41d4-a716-446655440000"
sk.machine_name  # "api-server-1"
sk.vault_id      # "vault_abc123"
sk.api_url       # "https://api.sikkerkey.com"

Error Handling

from sikkerkey import SikkerKey, NotFoundError, AccessDeniedError, AuthenticationError

sk = SikkerKey("vault_abc123")

try:
    secret = sk.get_secret("sk_nonexistent")
except NotFoundError:
    # Secret doesn't exist
    secret = None
except AccessDeniedError:
    # Machine not approved or no grant
    raise
except AuthenticationError:
    # Invalid signature or unknown machine
    raise

Exception Hierarchy

SikkerKeyError
├── ConfigurationError      — identity file missing, bad key, invalid config
├── SecretStructureError    — secret is not a JSON object (get_fields)
├── FieldNotFoundError      — field not in structured secret (get_field)
└── ApiError                — HTTP error (has http_status attribute)
    ├── AuthenticationError — 401
    ├── AccessDeniedError   — 403
    ├── NotFoundError       — 404
    ├── ConflictError       — 409
    ├── RateLimitedError    — 429
    └── ServerSealedError   — 503

Identity Resolution

  1. Explicit path — starts with / or contains identity.json
  2. Vault ID — looks up ~/.sikkerkey/vaults/{vault_id}/identity.json
  3. SIKKERKEY_IDENTITY env — path to identity file
  4. Auto-detect — single vault on disk

The vault_ prefix is added automatically if not present.
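When auditing which machine identity a process will actually use, it helps to know which of the four rules matched. The function below is an added example that follows the documented order and is not the SDK's own code; `resolve_identity` and `ResolutionError` are hypothetical names, and the handling of SIKKERKEY_HOME is taken from the environment variable table.

```python
import os
from pathlib import Path


class ResolutionError(Exception):
    """Raised when no single identity file can be chosen."""


def resolve_identity(arg=None, env=None, home=None):
    """Return (path, rule) for the identity file the documented order selects."""
    env = os.environ if env is None else env
    base = Path(home or env.get("SIKKERKEY_HOME") or Path.home() / ".sikkerkey")
    vaults = base / "vaults"
    if arg and (arg.startswith("/") or "identity.json" in arg):
        path, rule = Path(arg), "explicit path"
    elif arg:
        # The vault_ prefix is added when the caller leaves it out.
        vault = arg if arg.startswith("vault_") else f"vault_{arg}"
        path, rule = vaults / vault / "identity.json", "vault ID"
    elif env.get("SIKKERKEY_IDENTITY"):
        path, rule = Path(env["SIKKERKEY_IDENTITY"]), "SIKKERKEY_IDENTITY"
    else:
        found = sorted(vaults.glob("*/identity.json"))
        if len(found) != 1:
            # Zero or several vaults: refuse to guess which identity to use.
            raise ResolutionError(f"expected exactly one vault, found {len(found)}")
        path, rule = found[0], "auto-detect"
    if not path.is_file():
        raise ResolutionError(f"no identity file at {path} (rule: {rule})")
    return path, rule
```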

Environment Variables

| Variable | Description |
| --- | --- |
| SIKKERKEY_IDENTITY | Path to identity.json — overrides vault lookup |
| SIKKERKEY_HOME | Base config directory (default: ~/.sikkerkey) |

Retry Behavior

429 and 503 responses are retried up to 3 times with exponential backoff (1s, 2s, 4s). Each retry uses a fresh timestamp and nonce. Network errors are also retried.

Authentication

Every request includes Ed25519-signed headers: X-Machine-Id, X-Timestamp, X-Nonce, X-Signature. HTTPS is enforced for non-localhost API URLs, and requests time out after 15 seconds.
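The sketch below shows how a signed-header scheme of this shape works on both sides, and why each retry needs a fresh timestamp and nonce: a verifier that tracks nonces rejects a resent request. It is an added example, not the SDK's or the server's code; the canonical string, the base64 signature encoding, the 300-second window and the request path are all assumptions, since this page does not document them.

```python
import base64
import secrets
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

MAX_SKEW = 300  # seconds; assumed acceptance window, not documented on this page


def canonical(method, path, machine_id, ts, nonce):
    # Assumed signing input; the real canonical string is not documented here.
    return "\n".join([method, path, machine_id, ts, nonce]).encode()


def sign_request(key, machine_id, method, path, now=None):
    """Client side: a new timestamp and nonce for every attempt, retries included."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)
    sig = key.sign(canonical(method, path, machine_id, ts, nonce))
    return {
        "X-Machine-Id": machine_id,
        "X-Timestamp": ts,
        "X-Nonce": nonce,
        "X-Signature": base64.b64encode(sig).decode(),  # encoding is assumed
    }


def verify_request(public_key, seen_nonces, method, path, headers, now=None):
    """Server side: returns "ok" or the reason the request is rejected."""
    now = time.time() if now is None else now
    ts, nonce = headers["X-Timestamp"], headers["X-Nonce"]
    if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW:
        return "stale timestamp"
    message = canonical(method, path, headers["X-Machine-Id"], ts, nonce)
    try:
        public_key.verify(base64.b64decode(headers["X-Signature"]), message)
    except (InvalidSignature, ValueError):
        return "bad signature"
    # Record the nonce only after the signature checks out, so unauthenticated
    # traffic cannot fill the cache or burn nonces a real client is about to use.
    if (headers["X-Machine-Id"], nonce) in seen_nonces:
        return "replayed nonce"
    seen_nonces.add((headers["X-Machine-Id"], nonce))
    return "ok"
```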

Method Reference

| Method | Returns | Description |
| --- | --- | --- |
| SikkerKey(vault_or_path?) | SikkerKey | Create client |
| SikkerKey.list_vaults() | list[str] | List registered vault IDs (static) |
| get_secret(secret_id) | str | Read a secret value |
| get_fields(secret_id) | dict[str, str] | Read structured secret |
| get_field(secret_id, field) | str | Read single field |
| list_secrets() | list[SecretListItem] | List all accessible secrets |
| list_secrets_by_project(project_id) | list[SecretListItem] | List secrets in a project |
| export(project_id?) | dict[str, str] | Export as env map |

Dependencies

  • cryptography>=41.0 — Ed25519 key loading and signing

All other functionality uses Python stdlib: urllib, json, hashlib, os, pathlib.

License

Proprietary. See sikkerkey.com/terms for details.

Download files

Source Distribution

sikkerkey-1.0.0.tar.gz (9.4 kB)

Built Distribution

sikkerkey-1.0.0-py3-none-any.whl (8.4 kB)

File details

Details for the file sikkerkey-1.0.0.tar.gz.

File metadata

  • Download URL: sikkerkey-1.0.0.tar.gz
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sikkerkey-1.0.0.tar.gz
Algorithm Hash digest
SHA256 4403a6d5d83a60dfa66c74c734942b9f065cdbec2842d62c44c88da8f84c1d66
MD5 33bff483886596c47013d72e97a435cb
BLAKE2b-256 3eedd243023c8d671e607348a5c7d2ac52c7572afad8d0ef961e407b992d62fc

Provenance

The following attestation bundles were made for sikkerkey-1.0.0.tar.gz:

Publisher: publish.yml on SikkerKeyOfficial/sikkerkey-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sikkerkey-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: sikkerkey-1.0.0-py3-none-any.whl
  • Size: 8.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sikkerkey-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 2feb6c91e241637c96e0e526c725cbaa6f10ea681369b85f248883af1707f2c4
MD5 ff6c9fb61fd18a76ac8196ceb9510e9b
BLAKE2b-256 df38c2a3579fc5deea4d5e7ccf01196f637e6ae8f66d9c42399dd1f90adc8a62

Provenance

The following attestation bundles were made for sikkerkey-1.0.0-py3-none-any.whl:

Publisher: publish.yml on SikkerKeyOfficial/sikkerkey-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
