Description
The CLI uses authentication to verify your identity. You can authenticate using:- Browser Login (default): Opens a browser for authentication
- Direct Login: Provide email and password via flags or environment variables for non-interactive workflows
- Interactive CLI Login: Use the
--interactiveflag to enter credentials via CLI prompts
- For user authentication with the
--plain --silentflags: outputs only the JWT access token (useful for scripting) - For machine identity authentication: an access token is always printed to the console
--plain flag to print only the token in plain text and the --silent flag to disable update alerts.Both flags are ideal for capturing the token in environment variables or CI/CD pipelines.Authentication Methods
The Infisical CLI supports two main categories of authentication: User Authentication and Machine Identity Authentication.User Authentication
User authentication is designed for individual developers and supports multiple login flows.User
User
- Browser Login (default): Opens a browser for authentication
- Direct Login: Provide credentials via flags or environment variables for CI/CD
- Interactive CLI Login: Enter credentials via CLI prompts using
--interactive
Browser Login (Default)
Browser Login (Default)
Direct Login (CI/CD)
Direct Login (CI/CD)
Interactive CLI Login
Interactive CLI Login
Plain Token Output (Useful for scripting and CI/CD)
Plain Token Output (Useful for scripting and CI/CD)
Machine Identity Authentication
Machine identity authentication methods are designed for automated systems, services, and CI/CD pipelines.Universal Auth
Universal Auth
Create a universal auth machine identity
Obtain an access token
login command with the following flags to obtain an access token:Native Kubernetes
Native Kubernetes
Create a Kubernetes machine identity
Obtain access an token
login command with the following flags to obtain an access token:Native Azure
Native Azure
Create an Azure machine identity
Obtain an access token
login command with the following flags to obtain an access token:Native GCP ID Token
Native GCP ID Token
Create a GCP machine identity
Obtain an access token
login command with the following flags to obtain an access token:GCP IAM
GCP IAM
Native AWS IAM
Native AWS IAM
Create an AWS machine identity
Obtain an access token
login command with the following flags to obtain an access token:OIDC Auth
OIDC Auth
Create an OIDC machine identity
Obtain an access token
login command with the following flags to obtain an access token:JWT Auth
JWT Auth
Obtain an access token
login command with the following flags to obtain an access token:Flags
The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.--method
--method
Valid values for the method flag are:
user: Login using email and password. (default)universal-auth: Login using a universal auth client ID and client secret.kubernetes: Login using a Kubernetes native auth.azure: Login using an Azure native auth.gcp-id-token: Login using a GCP ID token native auth.gcp-iam: Login using a GCP IAM.aws-iam: Login using an AWS IAM native auth.oidc-auth: Login using OIDC auth.jwt-auth: Login using a plain JWT token.
--organization-slug
--organization-slug
Description
This authenticates the machine identity against the specified sub-organization.--client-id
--client-id
Description
The client ID of the universal auth machine identity. This is required if the--method flag is set to universal-auth.--client-secret
--client-secret
Description
The client secret of the universal auth machine identity. This is required if the--method flag is set to universal-auth.--machine-identity-id
--machine-identity-id
Description
The ID of the machine identity. This is required if the--method flag is set to kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.--service-account-token-path
--service-account-token-path
Description
The path to the Kubernetes service account token to use for authentication. This is optional and will default to/var/run/secrets/kubernetes.io/serviceaccount/token.--service-account-key-file-path
--service-account-key-file-path
Description
The path to your GCP service account key file. This is required if the--method flag is set to gcp-iam.--email
Description
User email address. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the--password and --organization-id flag.--password
--password
Description
User password. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the--email and --organization-id flag.--organization-id
--organization-id
Description
User organization id. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the--email and --password flag.--interactive
--interactive
Description
Forces interactive CLI login where you’ll be prompted to enter your email, password, and select your organization in the terminal, instead of opening a browser.--plain
--plain
Description
When used with direct user login or machine identity authentication, outputs only the JWT access token without any additional formatting. This is useful for scripting and CI/CD pipelines where you need to capture the token.--jwt
--jwt
Description
The JWT provided by an identity provider for OIDC or plain JWT authentication. This is required if the--method flag is set to oidc-auth or jwt-auth.--domain
--domain
Description
Specifies the Infisical API URL for non-US Cloud instances. This flag is required when connecting to any instance other than US Cloud (e.g. EU Cloud or self-hosted).User Authentication Examples
The following examples demonstrate different ways to authenticate as a user with the Infisical CLI.Browser Login (Default)
Browser Login (Default)
infisical login without any flags opens your browser for authentication.Direct Login (Non-Interactive)
Direct Login (Non-Interactive)
Interactive CLI Login
Interactive CLI Login
- Email address
- Password
Sub-commands
infisical login status
infisical login status
--token flag.status calls the Infisical backend to verify that each credential is still valid — so revoked or rejected tokens are surfaced even when they look fine locally.Sources checked
- User session: the active login stored in your system keyring (or the configured vault).
- Machine identity environment variable:
INFISICAL_TOKEN. --tokenflag: a specific machine identity access token passed explicitly.
Exit codes
0: at least one session was reported and none are expired or rejected.1: no active session was found, or a reported session is expired or rejected by the backend.
Flags
--json
--json
--token
--token
--domain (or the INFISICAL_API_URL environment variable) must also be provided so the status reflects the correct Infisical instance.Examples
Check the active user session
Check the active user session
Check a machine identity token from the environment
Check a machine identity token from the environment
Inspect a specific token without changing the active session
Inspect a specific token without changing the active session
JSON output for scripts
JSON output for scripts
Machine Identity Authentication Quick Start
In this example we’ll be using theuniversal-auth method to login to obtain an Infisical access token, which we will then use to fetch secrets with.
Obtain an access token
INFISICAL_TOKEN environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the INFISICAL_TOKEN environment variable and use it for authentication.Alternatively, if you would rather use the --token flag to pass the token directly, you can do so by running the following command:Fetch all secrets from an environment
dev environment in your project, including all secrets in subfolders.--recursive, and --env flag is optional and will fetch all secrets in subfolders. The default environment is dev if no --env flag is provided.