Built for the team that owns the AWS root.
Shared TOTP and SMS that works the way DevOps does — from the CLI, from CI, with audit trails the security team will accept.
Three patterns we keep hearing.
Somebody owns the SIM. Production goes down at 3am. They're on a flight.
Your deploy pipeline needs a 2FA code. Disable 2FA (no), share the seed in env vars (also no), or build something custom (you have better things to do).
Every time someone leaves, you should rotate every shared TOTP. You don't, because it's manual hell.
One platform, three concrete answers.
Provision a shared SMS number in your region. Inbound codes stream live to every authorized engineer. Mobile app pushes the code to whoever's on call.
Bind an API key to your GitHub Actions IP range. Scope it to tokens:code on a single token. Set it to expire after 24h. The CI run can no longer steal more than the one code it needed.
# .github/workflows/deploy.yml
- name: Get AWS root TOTP
  run: |
    # -f makes a rejected request fail the step instead of feeding "null" downstream
    CODE=$(curl -sf https://api.kaito.io/v1/tokens/aws-prod/code \
      -H "Authorization: Bearer ${{ secrets.KAITO_KEY }}" \
      | jq -r .code)
    echo "::add-mask::$CODE"   # keep the code out of the job log
    aws ... --token "$CODE"

Mark a token 'rotate after this user leaves.' When you remove the user, every flagged token shows up in a single rotation queue. One-click rotate; old seed kept encrypted for 30 days as fallback.
Use the REST API or webhooks.
Native integrations (Slack, PagerDuty, Datadog/Splunk) are on the roadmap. Today the API is the integration surface — scoped keys, IP allow-list, webhooks, JSON responses.
GET /api/v1/tokens/:id/code with a scoped key. JSON in, JSON out.
Inbound SMS POSTs to your endpoint, signed for verification.
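Checking the signature on an inbound SMS delivery before trusting the code it carries, as an added example that is not Kaito's own code and does not reflect its documented signing scheme. It assumes HMAC-SHA256 over the raw request body with a shared secret, a header named X-Kaito-Signature, and a JSON payload with a "text" field; all three are assumptions, not taken from the page.

```python
import hashlib
import hmac
import json
import re

# Assumed scheme (the page only says deliveries are signed): HMAC-SHA256 over
# the raw body with a per-endpoint shared secret, hex-encoded in this header.
SIGNATURE_HEADER = "X-Kaito-Signature"  # assumed header name
CODE_PATTERN = re.compile(r"\b(\d{6,8})\b")  # 6-8 digit one-time codes


def sign(body: bytes, secret: bytes) -> str:
    """Compute the hex HMAC-SHA256 tag the sender is assumed to attach."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes, secret: bytes):
    """Return the parsed payload if the signature is valid, else None.

    Verify over the raw bytes before parsing: re-serialised JSON may differ
    from what was signed, and a missing header must fail, not be skipped.
    """
    provided = headers.get(SIGNATURE_HEADER, "")
    expected = sign(body, secret)
    # Constant-time comparison; a plain == leaks how many bytes matched.
    if not hmac.compare_digest(provided, expected):
        return None
    return json.loads(body)


def extract_code(payload: dict):
    """Pull the numeric one-time code out of the SMS text, if present."""
    if payload is None:
        return None
    match = CODE_PATTERN.search(payload.get("text", ""))
    return match.group(1) if match else None


# Constructed sample delivery (not real traffic or a real secret).
SECRET = b"constructed-webhook-secret"
BODY = json.dumps({
    "from": "+15550100",
    "to": "+15550199",
    "text": "Your AWS verification code is 482913",
}).encode()
HEADERS = {SIGNATURE_HEADER: sign(BODY, SECRET)}
FORGED_HEADERS = {SIGNATURE_HEADER: "00" * 32}  # attacker-supplied garbage tag
```

A delivery with a wrong, missing, or stale-for-a-modified-body tag yields no payload, so nothing downstream ever sees a code it cannot trust.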