Sealrepo
Sign inStart free
Collaborate

Hand someone a key that expires

You need this page the first time someone other than you has to read your sealed code. An access code is a one-time string a contractor or teammate types into the CLI to unlock the vault (your encrypted repo) for a window of time you choose. Revoke any time, and Strict Mode means it never even hits their disk in plaintext.

What an access code actually is
A 12-character code (like BX72-PQ4M-LQ9T) that authorizes one specific person to unlock one specific project until a deadline. It is not a copy of your master key. Revoking it on the dashboard kills it for everyone, instantly.
New in 1.0 — no more passphrase swap
From the CLI, run sealrepo share --email [email protected]and the CLI wraps the project master key to that user's published pubkey. When they run sealrepo redeem <code> on their laptop, the CLI unwraps the key locally, auto-unlocks the project, and starts a watcher daemon — all in one step, with no passphrase ever changing hands. Use Strict Mode to make killing the watcher (or going offline) immediately re-lock their plaintext, and to opt into exfiltration alerts when suspicious file activity is detected.

  1. Create the code on the dashboard

    On your project page, click Create access code. You set:

    sealrepo.dev/app/projects/acme-billing

    Create temporary access

    Give a contractor a code they redeem in their CLI.

    For (label)
    alex — freelance audit
    Expires in
    7 days
    Auto-lock after
    2 hours of inactivity
    Mode
    Strict (RAM only)
    Generate code

    The dashboard returns a code like BX72-PQ4M-LQ9T. Copy it, send it to the contractor over whatever channel you trust (Signal, 1Password, email). Whoever has the code + has been added to the project can unlock for the window you specified.

  2. The contractor redeems it

    On their machine, after they've installed and signed in with their own free account (sign-in is how revocation knows whose access to cut):

    Their terminal
    $git clone [email protected]:acme/billing.git
    $cd billing
    $sealrepo unlock --code BX72-PQ4M-LQ9T
    Validating code with sealrepo.dev ⠋
    Code accepted — granted by [email protected]
    expires: 2026-05-26T01:00:00Z (in 7 days)
    auto-lock: 2h of inactivity
    mode: Strict — no plaintext written to disk
    decrypting (137) vendor/_01/_8a3f9c1e2d4b ⠋
    unlocked 137 files (in-memory overlay mounted at .sealrepo/run/)
    Use './.sealrepo/run/' as your working copy.
    Run 'sealrepo lock' or close the shell to wipe.
    Strict Mode in human terms
    With Strict Mode on, decrypted files live in a temp filesystem (tmpfs on Linux, in-memory volume on macOS / Windows). When the shell closes, the auto-lock timer fires, or they Ctrl-C — the files are gone. Nothing ever hits permanent disk in plaintext.

  3. Revoke instantly when the job's done

    Back on the dashboard, every active access code shows up on the project page. Click Revoke:

    sealrepo.dev/app/projects/acme-billing
    Active access codes
    alex — freelance audit
    expires in 6d 13hStrict

    The next time the contractor's CLI checks in (which it does silently every few minutes, and immediately on any sealrepo unlock), it will:

    What the contractor sees, post-revoke
    $sealrepo unlock
    Access revoked by project owner.
    All decrypted files in this session have been wiped.

  4. Panic-lock (revoke everyone, right now)

    If a laptop is lost or a contractor goes rogue, you don't need to think about which codes are active. Click Lock down on the project page (or run sealrepo lockdown):

    Lockdown revokes every active access code for this project in one transaction. Every connected watcher re-locks its plaintext within about a second. (To revoke a paired CLI device, use Settings → CLI devices; to kill a CI token, the CI tokens page.)
Next
Invite real team members (not just contractors)