Updated: May 15, 2017


An SmartKey account is the top level container for security objects managed by the SmartKey. An account is generally associated with an organization, rather than an individual. Security objects, groups, and applications belong to exactly one account. Different accounts are fully isolated from each other.

When planning accounts, be aware that it is not possible to move security objects, groups, or applications between accounts. Therefore, create multiple accounts only when you are sure that there will not be a need to move objects between them.


Users are associated with an email address. A user can be a member of one or more accounts. For example, an employee might belong to an account for the corporate production environment, an account for the corporate test environment, and an account used for personal testing and development purposes.

Depending on permissions, users can:

  • perform management operations like adding or modifying users or groups
  • create security objects
  • change properties of security objects
  • review logs of SmartKey activity

Users are not able to perform cryptographic operations. Only applications can perform cryptographic operations.

Security Objects

A security object is any datum stored in SmartKey (e.g. a key, a certificate, a password, etc.). For asymmetric key pairs, both the private and public keys are stored in a single security object. It is also possible for a security object to hold a public key without the associated private key.

Each security object is assigned to exactly one group. Users and applications assigned to the group have permission to see the security object and to perform operations on it. See Authorization for more detail about the SmartKey authorization model.

Users and applications not assigned to a security object’s group cannot view or operate on that security object.


A group is a collection of related security objects. Access policies are set at the group level, so all security objects in a group share the same access policy. Any number of users and/or applications can be assigned to a group. Some examples of usage of groups are given in Authorization.


An application is a daemon, service, or other non-human client that uses SmartKey. Applications can authenticate to SmartKey using an API key (a secret token) or a TLS client certificate.

Depending on permissions, applications can:

  • create security objects
  • change properties of security objects
  • perform cryptographic operations using security objects

Applications cannot perform management operations like adding or modifying users and groups.

An application can be assigned to one or more groups. An application that is assigned to a group has permission to operate on all of the security objects in that group.