ShrouDB Engine
Sigil
Issue and rotate every kind of credential.
Stop building yet another JWT service. Sigil issues and rotates JWTs, API keys, HMAC secrets, refresh tokens, and passwords from one envelope-encrypted store — with lifecycle hooks and pub/sub baked in.
ISSUE · VERIFY · REVOKE · ROTATE · JWKS
Features
- Multiple credential types: JWTs, API keys, HMAC, refresh tokens, passwords
- Automatic rotation with configurable cadence
- JWKS endpoint for JWT verification
- Argon2id password hashing with pepper
- WAL-encrypted storage with per-keyspace HKDF
- Suspend and reinstate credentials without revoking
- Subscribe to lifecycle events via pub/sub
Quickstart (standalone)
sigil.toml
bind = ":7001"
[keyspaces.jwt]
type = "jwt"
algorithm = "ES256"
default_ttl = "1h"
rotation_days = 30
[keyspaces.api_key]
type = "api_key"
prefix = "sk_"
rotation_days = 90
terminal
$ shroudb-sigil --config sigil.toml
Command reference
| Command | Args | Description |
|---|---|---|
| ISSUE | <keyspace> [--ttl DUR] | Issue a new credential |
| VERIFY | <keyspace> <credential> | Verify a credential is active |
| REVOKE | <keyspace> <id> | Revoke a credential immediately |
| REFRESH | <refresh_token> | Exchange a refresh token |
| ROTATE | <keyspace> | Rotate signing keys |
| JWKS | <keyspace> | Expose JWKS for a keyspace |
| SUSPEND | <id> | Temporarily disable a credential |
| UNSUSPEND | <id> | Re-enable a suspended credential |
| PASSWORD_SET | <user> <password> | Argon2id hash and store |
| PASSWORD_VERIFY | <user> <password> | Constant-time verify |
Bundle into Moat
Drop Sigil into a unified Moat process and it inherits the shared auth layer, storage, and telemetry — no extra wiring.
moat.toml
[engines.sigil]
enabled = true
[engines.sigil.keyspaces.jwt]
type = "jwt"
algorithm = "ES256"
default_ttl = "1h"
Run Sigil in production today
Free on ShrouDB Cloud up to 10k ops/month — no card required.