Email notifications
seekrit sends transactional emails for security-significant events — a new service token, an access grant, an expiring credential. They keep you aware of who can reach your secrets without opening the dashboard.
Notification emails carry only metadata already in your audit log — names, roles, timestamps, organization and environment names, and links. They never contain secret values, ciphertext, private keys, passphrases, or token strings.
What seekrit sends
| When | Who receives it | |
|---|---|---|
| Service token created | A service token is minted in an organization | Owners & admins |
| Service token revoked | A service token is revoked | Owners & admins |
| Environment access granted | You're granted a key for an environment | The person granted access |
| Environment access revoked | Your access to an environment is removed | The person affected |
| Denied-access alerts | A principal is denied when resolving secrets | Owners & admins (throttled to one per environment per hour) |
| Welcome & key setup | You join or create an organization | You |
| Service token expiring | A token expires within 7 days | Owners & admins (sent once per token) |
| Temporary credential expired | A lease reaches its expiry and is revoked | The lease owner & admins |
Managing your preferences
Each type has its own on/off switch. In the dashboard, open the account menu (top right) →
notification settings, or go to /account/notifications. Toggling a switch saves
immediately. Preferences are per-user and apply across every organization you belong to. All
types are on by default.
Every email also includes a Manage which emails you receive link in its footer that leads to the same page.
Setup (self-hosted)
Sending uses Cloudflare Email Sending. The
sender domain must be onboarded once (wrangler email sending enable <domain>), and the API
worker configures EMAIL_FROM, EMAIL_FROM_NAME, and APP_BASE_URL. When the email binding is
absent (for example in local development), notifications are simply skipped.