Introduction
Infisical’s Public (REST) API provides users an alternative way to programmatically access and manage secrets via HTTPS requests. This can be useful for automating tasks, such as rotating credentials, or for integrating secret management into a larger system.
With the Public API, users can create, read, update, and delete secrets, as well as manage access control, query audit logs, and more.
We highly recommend using one of the available SDKs when working with the Infisical API.
If you decide to make your own requests using the API reference instead, be prepared for a steeper learning curve and more manual work.
In April 2023, we added the capability for users to query for secrets by name to improve the user experience of Infisical. If your project was created prior to April 2023, please read and follow the section on blind indices and how to enable them for better usage of Infisical.
Concepts
Using Infisical’s API to manage secrets requires a basic understanding of the system and its underlying cryptography detailed here. A few key points:
- Each user has a public/private key pair that is stored with the platform; private keys are encrypted locally by protected keys that are encrypted by keys derived from Argon2id applied to the user’s password before being sent off to the server during the account signup process.
- Each (encrypted) secret belongs to a project and environment.
- Each project has an (encrypted) project key used to encrypt the secrets within that project; Infisical stores copies of the project key, for each member of that project, encrypted under each member’s public key.
- Secrets are encrypted symmetrically by your copy of the project key belonging to the project containing.
- Infisical Tokens contain a symmetric key that can be used to decrypt a copy of a project key from the call to get the Infisical Token data.
- Infisical uses AES256-GCM and TweetNaCl.js for symmetric and asymmetric encryption/decryption operations.
Infisical’s system requires that secrets be encrypted/decrypted on the client-side to maintain E2EE. We strongly recommend you read up on the system prior to using the Infisical API. The (opt-in) ability to retrieve secrets back in decrypted format if you choose to share secrets with Infisical is on our roadmap.