Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Description

Relay-related commands for Infisical. Relays are organization-deployed servers that route encrypted traffic between Infisical and your gateways. Relays are created via the Infisical dashboard (Networking → Relays → Create Relay) and then deployed using the CLI commands below.

Subcommands & flags

infisical relay start

Run the Infisical relay component. The relay handles network traffic routing between Infisical and your gateways.

Authentication

Relays support two enrollment methods. The enrollment method is set when creating the relay in the dashboard.
Token auth uses a one-time enrollment token (1 hour expiry) generated from the relay detail page. The token is exchanged for a long-lived access token on first start and stored on disk for subsequent restarts.The --host flag is not required — the host is stored server-side when the relay is created.
infisical relay start \
  --name=<name> \
  --enroll-method=token \
  --token=<enrollment-token> \
  --domain=<your-infisical-domain>
On subsequent starts with the same enrollment token, the relay skips enrollment and uses the stored access token.Token-method enrollment tokens are single-use and expire after 1 hour. If the token expires before deployment, click Show deploy command on the relay detail page to generate a new one.
AWS auth uses the host’s AWS credentials (instance role, env vars, or shared profile) to authenticate via STS GetCallerIdentity. A fresh token is minted on every start — no on-disk persistence needed.
infisical relay start \
  --name=<name> \
  --enroll-method=aws \
  --relay-id=<relay-id> \
  --domain=<your-infisical-domain>
The --relay-id is the relay’s UUID, visible on the relay detail page. The relay ID is persisted after first use so subsequent starts don’t need --relay-id again.

Flags

The name of the relay. Must match the name used when creating the relay in the dashboard.
The enrollment method to use. Supported values: token, aws.
The one-time enrollment token (required when --enroll-method=token). Generated from the relay detail page via Show deploy command.
The relay UUID (required when --enroll-method=aws). Visible on the relay detail page.
Domain of your Infisical instance. Required for self-hosted deployments.
Manage systemd service for the Infisical relay on Linux systems.

Requirements

  • Operating System: Linux only
  • Privileges: Root/sudo privileges required
  • Systemd: The system must be running systemd

Subcommands

Install and enable systemd service for the relay. See the authentication section above for install commands.After installation, start the service:
sudo systemctl start infisical-relay
sudo systemctl enable infisical-relay
To check status and logs:
sudo systemctl status infisical-relay
sudo journalctl -u infisical-relay -f
Uninstall and remove systemd service for the relay.
sudo infisical relay systemd uninstall