seekrit

Email notifications

seekrit sends transactional emails for security-significant events — a new service token, an access grant, an expiring credential. They keep you aware of who can reach your secrets without opening the dashboard.

note

Notification emails carry only metadata already in your audit log — names, roles, timestamps, organization and environment names, and links. They never contain secret values, ciphertext, private keys, passphrases, or token strings.

What seekrit sends

EmailWhenWho receives it
Service token createdA service token is minted in an organizationOwners & admins
Service token revokedA service token is revokedOwners & admins
Environment access grantedYou're granted a key for an environmentThe person granted access
Environment access revokedYour access to an environment is removedThe person affected
Denied-access alertsA principal is denied when resolving secretsOwners & admins (throttled to one per environment per hour)
Welcome & key setupYou join or create an organizationYou
Service token expiringA token expires within 7 daysOwners & admins (sent once per token)
Temporary credential expiredA lease reaches its expiry and is revokedThe lease owner & admins

Managing your preferences

Each type has its own on/off switch. In the dashboard, open the account menu (top right) → notification settings, or go to /account/notifications. Toggling a switch saves immediately. Preferences are per-user and apply across every organization you belong to. All types are on by default.

Every email also includes a Manage which emails you receive link in its footer that leads to the same page.

Setup (self-hosted)

Sending uses Cloudflare Email Sending. The sender domain must be onboarded once (wrangler email sending enable <domain>), and the API worker configures EMAIL_FROM, EMAIL_FROM_NAME, and APP_BASE_URL. When the email binding is absent (for example in local development), notifications are simply skipped.