infisical login


The CLI uses authentication to verify your identity. When you enter the correct email and password for your account, a token is generated and saved in your system keyring so that later CLI commands can authenticate with it.

To change where the login credentials are stored, see the vaults command.

If you have added multiple users, you can switch between the users by using the user command.

When you authenticate with any method other than user, an access token is printed to the console upon successful login. This token can be used to authenticate with the Infisical API, and with the CLI by passing it in the --token flag where applicable.

Use the --plain flag together with --silent to print only the token in plain text when using a machine identity auth method.


The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.

Authentication Methods

The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.

Machine Identity Authentication Quick Start

In this example we'll use the universal-auth method to log in and obtain an Infisical access token, which we will then use to fetch secrets.


Obtain an access token

  # --silent and --plain are important: they ensure only the token itself is printed, so it can be set directly as an environment variable.
  export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret> --silent --plain)

Now that we’ve set the INFISICAL_TOKEN environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the INFISICAL_TOKEN environment variable and use it for authentication.

Alternatively, if you would rather use the --token flag to pass the token directly, you can do so by running the following command:

  infisical [command] --token=<your-access-token> # The token output from the login command.

Fetch all secrets from an environment

  infisical secrets --projectId=<your-project-id> --env=dev --recursive

This command will fetch all secrets from the dev environment in your project, including all secrets in subfolders.

The --recursive and --env flags are optional. --recursive fetches all secrets in subfolders. The default environment is dev if no --env flag is provided.

And that’s it! Now you’re ready to start using the Infisical CLI to interact with your secrets, with the use of Machine Identities.
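
The token step from the quick start, wrapped so that a failed login cannot go unnoticed in a script or CI job (an added example, not part of the Infisical documentation). `export VAR=$(cmd)` returns the status of `export`, not of `cmd`, so the wrapper captures and checks the output first. The function names and the `CLIENT_ID` / `CLIENT_SECRET` variables are assumptions made for this example.

```shell
# Added example. Assumes CLIENT_ID and CLIENT_SECRET (hypothetical names)
# already hold the machine identity credentials.

# Print the access token on stdout, or return non-zero without printing.
get_infisical_token() {
    # Capture first: the `||` sees the exit status of `infisical login` itself.
    token=$(infisical login --method=universal-auth \
        --client-id="$CLIENT_ID" --client-secret="$CLIENT_SECRET" \
        --silent --plain) || {
        echo "infisical login failed" >&2
        return 1
    }
    # With --silent --plain the output should be the token alone. Empty output
    # or anything containing whitespace (a banner, an error text) is rejected.
    case $token in
        '' | *[[:space:]]*)
            echo "unexpected output from infisical login" >&2
            return 1
            ;;
    esac
    printf '%s' "$token"
}

# Export INFISICAL_TOKEN only when a token was obtained; on failure the
# variable is left untouched, so later commands never run with garbage in it.
load_infisical_token() {
    _tok=$(get_infisical_token) || return 1
    INFISICAL_TOKEN=$_tok
    export INFISICAL_TOKEN
    unset _tok
}
```

Call `load_infisical_token || exit 1` before the `infisical secrets` command so the job stops when authentication fails.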