SikkerKey Python SDK — read secrets with Ed25519 machine authentication

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for sikkerkey from gravatar.com sikkerkey

Unverified details

These details have not been verified by PyPI
Project links
Meta
Report project as malware

Project description

SikkerKey Python SDK

License: MIT PyPI Python

The official Python SDK for SikkerKey. Read-only access to secrets using Ed25519 machine authentication.

Installation

pip install sikkerkey

Requires Python 3.10+. Single dependency: cryptography (for Ed25519 signing).

Quick Start

from sikkerkey import SikkerKey

sk = SikkerKey("vault_abc123")
api_key = sk.get_secret("sk_stripe_key")

The SDK reads the machine identity from ~/.sikkerkey/vaults/<vault-id>/identity.json, signs every request with the machine's Ed25519 private key, and returns the decrypted value.

Client Creation

# Explicit vault ID
sk = SikkerKey("vault_abc123")

# Direct path to identity file
sk = SikkerKey("/etc/sikkerkey/vaults/vault_abc123/identity.json")

# Auto-detect from SIKKERKEY_IDENTITY env or single vault on disk
sk = SikkerKey()

Raises ConfigurationError if the identity is missing, the key can't be loaded, or multiple vaults exist without a specified vault ID.

Reading Secrets

Single Value

api_key = sk.get_secret("sk_stripe_prod")

Structured (Multiple Fields)

fields = sk.get_fields("sk_db_prod")
host = fields["host"]       # "db.example.com"
password = fields["password"]  # "hunter2"

Raises SecretStructureError if the secret value is not a JSON object.

Single Field

password = sk.get_field("sk_db_prod", "password")

Raises FieldNotFoundError if the field doesn't exist. The error message includes available field names.

Listing Secrets

# All secrets this machine can access
secrets = sk.list_secrets()
for s in secrets:
    print(f"{s.id}: {s.name}")

# Secrets in a specific project
secrets = sk.list_secrets_by_project("proj_production")

Each SecretListItem has id, name, field_names (None for single-value), and project_id.

Export

# All secrets as a flat dict
env = sk.export()
# {"API_KEY": "sk-live-...", "DB_CREDS_HOST": "db.example.com", "DB_CREDS_PASSWORD": "s3cret"}

# Scoped to a project
env = sk.export("proj_production")

# Inject into environment
import os
os.environ.update(sk.export())

Structured secrets are flattened: SECRET_NAME_FIELD_NAME.

Watching for Changes

Watch secrets for real-time updates. When a secret is rotated, updated, or deleted, the callback fires with the new value. Polling happens on a background daemon thread - your application is never blocked.

from sikkerkey import WatchStatus

def on_change(event):
    if event.status == WatchStatus.CHANGED:
        print(f"New value: {event.value}")
        # Structured secrets include parsed fields
        print(f"Fields: {event.fields}")
    elif event.status == WatchStatus.DELETED:
        print("Secret was deleted")
    elif event.status == WatchStatus.ACCESS_DENIED:
        print("Access revoked")
    elif event.status == WatchStatus.ERROR:
        print(f"Error: {event.error}")

sk.watch("sk_db_password", on_change)

Practical Example

# Auto-rotate database credentials
def rotate_db(event):
    if event.status == WatchStatus.CHANGED:
        db.configure_credentials(
            username=event.fields["username"],
            password=event.fields["password"],
        )

sk.watch("sk_db_credentials", rotate_db)

Poll Interval

The default poll interval is 15 seconds. The server enforces a minimum of 10 seconds.

sk.set_poll_interval(30)  # seconds

Stop Watching

# Stop watching a specific secret
sk.unwatch("sk_db_password")

# Stop all watches and shut down polling
sk.close()

SikkerKey can be used as a context manager:

with SikkerKey("vault_abc123") as sk:
    sk.watch("sk_api_key", on_change)
    # ... application logic ...
# Automatically closed on exit

Multi-Vault

prod = SikkerKey("vault_a1b2c3")
staging = SikkerKey("vault_x9y8z7")

prod_key = prod.get_secret("sk_api_key")
staging_key = staging.get_secret("sk_api_key")

List Registered Vaults

vaults = SikkerKey.list_vaults()
# ["vault_a1b2c3", "vault_x9y8z7"]

Machine Info

sk.machine_id    # "550e8400-e29b-41d4-a716-446655440000"
sk.machine_name  # "api-server-1"
sk.vault_id      # "vault_abc123"
sk.api_url       # "https://api.sikkerkey.com"

Error Handling

from sikkerkey import SikkerKey, NotFoundError, AccessDeniedError, AuthenticationError

try:
    secret = sk.get_secret("sk_nonexistent")
except NotFoundError:
    # Secret doesn't exist
except AccessDeniedError:
    # Machine not approved or no grant
except AuthenticationError:
    # Invalid signature or unknown machine

Exception Hierarchy

SikkerKeyError
├── ConfigurationError      — identity file missing, bad key, invalid config
├── SecretStructureError    — secret is not a JSON object (get_fields)
├── FieldNotFoundError      — field not in structured secret (get_field)
└── ApiError                — HTTP error (has http_status attribute)
    ├── AuthenticationError — 401
    ├── AccessDeniedError   — 403
    ├── NotFoundError       — 404
    ├── ConflictError       — 409
    ├── RateLimitedError    — 429
    └── ServerSealedError   — 503

Identity Resolution

  1. Explicit path — starts with / or contains identity.json
  2. Vault ID — looks up ~/.sikkerkey/vaults/{vault_id}/identity.json
  3. SIKKERKEY_IDENTITY env — path to identity file
  4. Auto-detect — single vault on disk

The vault_ prefix is added automatically if not present.

Environment Variables

Variable Description
SIKKERKEY_IDENTITY Path to identity.json — overrides vault lookup
SIKKERKEY_HOME Base config directory (default: ~/.sikkerkey)

Retry Behavior

429 and 503 responses are retried up to 3 times with exponential backoff (1s, 2s, 4s). Each retry uses a fresh timestamp and nonce. Network errors are also retried.

Authentication

Every request includes Ed25519-signed headers: X-Machine-Id, X-Timestamp, X-Nonce, X-Signature. HTTPS enforced for non-localhost. 15-second timeout.

Method Reference

Method Returns Description
SikkerKey(vault_or_path?) SikkerKey Create client
SikkerKey.list_vaults() list[str] List registered vault IDs (static)
get_secret(secret_id) str Read a secret value
get_fields(secret_id) dict[str, str] Read structured secret
get_field(secret_id, field) str Read single field
list_secrets() list[SecretListItem] List all accessible secrets
list_secrets_by_project(project_id) list[SecretListItem] List secrets in a project
export(project_id?) dict[str, str] Export as env map
watch(secret_id, callback) None Watch a secret for changes
unwatch(secret_id) None Stop watching a secret
set_poll_interval(seconds) None Set poll interval (min 10s)
close() None Stop all watches, shut down polling

Dependencies

  • cryptography>=41.0 — Ed25519 key loading and signing

All other functionality uses Python stdlib: urllib, json, hashlib, os, pathlib.

Documentation

License

MIT — see LICENSE for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for sikkerkey from gravatar.com sikkerkey

Unverified details

These details have not been verified by PyPI
Project links
Meta

Release history Release notifications | RSS feed

1.2.2

1.2.1

1.2.0

This version

1.1.0

1.0.1

1.0.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sikkerkey-1.1.0.tar.gz (12.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sikkerkey-1.1.0-py3-none-any.whl (11.3 kB view details)

Uploaded Python 3

File details

Details for the file sikkerkey-1.1.0.tar.gz.

File metadata

  • Download URL: sikkerkey-1.1.0.tar.gz
  • Upload date:
  • Size: 12.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sikkerkey-1.1.0.tar.gz
Algorithm Hash digest
SHA256 b692be8c13029d92b590572a8487d529b3bc861b5c9cfc59762798433aab515e
MD5 39b0ae799b4f7229f0cd752d9decc9bb
BLAKE2b-256 486bd6ceea7f4845e6e6d499845a2dcc8d7af9f3ebedfde21767b37d7f42b596

See more details on using hashes here.

Provenance

The following attestation bundles were made for sikkerkey-1.1.0.tar.gz:

Publisher: publish.yml on SikkerKeyOfficial/sikkerkey-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sikkerkey-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: sikkerkey-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 11.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sikkerkey-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6d8708087676565898066cb04c3c490485978855d613113f75dd963ad831fe31
MD5 3e844949fafc34e9d75ce65a41432c1a
BLAKE2b-256 03c15d42e7f29fdc388ea5b640029d4bbdc669a80c55d099d58c9027ad649a22

See more details on using hashes here.

Provenance

The following attestation bundles were made for sikkerkey-1.1.0-py3-none-any.whl:

Publisher: publish.yml on SikkerKeyOfficial/sikkerkey-python

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page