How Mintlify Solved Secrets Before They Became a Problem

Secrets management is just like any other infrastructure: the longer you rely on your old method, the more painful the eventual migration. Secrets migrations often take months. During these, the engineering team simultaneously maintains the old, error-prone infrastructure and implements a new solution.

To avoid future issues, Mintlify adopted Infisical early. Hahnbee Lee’s (Mintlify’s co-founder) team briefly shared environment variables between founders and early hires through links and shared files. But she had seen where that leads.

“I wouldn’t want to do a secret migration later, when the stakes are a lot higher,” she said. During her time in large companies’ engineering organizations, Hahnbee had seen the inefficiency of secrets scattered across different places and the painful migrations once better management was required.

As Mintlify grew, security became a more pressing concern across the whole industry. “So many organizations are suffering attacks now,” Hahnbee said. “Employees are a frequent attack vector. One team member gets targeted, and suddenly a lot of infrastructure is compromised.” Any team using .env files or slacking secrets to one another can see a single leaked set of environment variables snowball into a major breach.

Mintlify made a deliberate choice as a startup: get secrets management right the first time, when there are few credentials and you still have an overview.

When Mintlify adopted Infisical Cloud, the lack of friction stood out.

“It was just too easy,” Hahnbee said. “Especially for startups, it’s a just-do-it kind of thing.” The developer-friendly UI and CLI made both adopting and using Infisical easy. Mintlify evaluated alternatives like Doppler, but preferred Infisical’s developer experience. Infisical worked for the fast-moving startup because it accelerated every part of the secrets workflow.

Mintlify chose Infisical Cloud to not burden their own team with maintaining infrastructure, which was especially important as a startup. “It’s not worth our time to self-host it,” Hahnbee noted. The team could focus on building their product instead of dedicating engineering resources to run secrets management.

Infisical was simple enough to adopt on day one and flexible enough to grow with them. Multiple years and funding rounds later, Infisical is still a core part of every engineering workflow. “You literally can’t run dev without it, or prod,” Hahnbee said. It sits inside their Docker build, installing Infisical and injecting secrets at build time, and it runs through the Infisical SDK in their ECS-based infrastructure.

Infisical powers every single build, but secrets management isn’t a hot topic at Mintlify. Quite the opposite. “You know a security tool is doing its job well when no one’s really talking about it,” Hahnbee said. When they do bring it up, it’s usually positive: “But people actually talk about Infisical positively. Every single engineer loves it, even the ones who are kind of curmudgeons and have lots of opinions about their tools. We’re divided between Cursor and Codex, but I don’t know a single person who hates Infisical.”

This often starts with onboarding. While engineers at many companies spend their first day filling out access requests, a new Mintlify engineer needs exactly two things to get the codebase running on day one: GitHub and Infisical. They don’t have to hunt down .env files or wait for a senior engineer two timezones over to share an access token.

Since adopting Infisical, Mintlify has grown from three people to a Series B company with a team of about 60. Infisical has remained the backbone of their engineering org. “It’s a core part of our engineering team and our tech stack. Very, very critical.” Ownership matured naturally: a security-focused engineer now stewards the setup, while every engineer adds the secrets they need, and Hahnbee retains admin access.

Infisical also let Mintlify extend secure access beyond their own team. Using role-based access controls, they built a dev-only role without production access. Non-engineers and outside vendors use this role to get revocable, tightly scoped access and avoid potential compromises of highly privileged tokens.

Mintlify achieved a variety of outcomes by adopting Infisical as early as they did:

The best security infrastructure is the kind you set up once and stop thinking about. If security is a constant nuisance, people will optimize for convenience and compromise security. If it’s an effortless process that fades into the background, you’ll have better security and your engineering org will move faster. Mintlify got that by adopting Infisical early. The same system that was simple enough for two founders now powers a Series B engineering team that serves 20,000 companies with 100 million end users.