Skip to main content
The CLI is designed for a variety of secret management applications ranging from local development to CI/CD and production scenarios.
  • Local development
  • Staging, production & all other use cases
In the following steps, we explore how to use the Infisical CLI to fetch back environment variables from Infisical and inject them into your local development process.
If you prefer learning by watching, you can follow along our step-by-step video tutorial here.
1

Log in with the CLI

Start by running the infisical login command to authenticate with Infisical.
infisical login
If you are in a containerized environment such as WSL 2 or Codespaces, run infisical login -i to avoid browser based login
2

Initialize Infisical for your project

Next, navigate to your project and initialize Infisical.
# navigate to your project
cd /path/to/project

# initialize infisical
infisical init
The infisical init command creates a .infisical.json file, containing local project settings, at the location where the command is executed.
The .infisical.json file does not contain any sensitive data, so you may commit it to your git repository.
3

Inject environment variables

Finally, pass environment variables from Infisical into your application.
  • Feed secrets to your application
  • Feed secrets via custom aliases (advanced)
infisical run --env=dev --path=/apps/firefly -- [your application start command] # e.g. npm run dev

# example with node (nodemon)
infisical run --env=staging --path=/apps/spotify -- nodemon index.js

# example with flask
infisical run --env=prod --path=/apps/backend -- flask run

# example with spring boot - maven
infisical run --env=dev --path=/apps/ -- ./mvnw spring-boot:run --quiet
View all available options for run command here
Starting with CLI version v0.4.0, you can now choose to log in via Infisical Cloud (US/EU) or your own self-hosted instance by simply running infisical login and following the on-screen instructions — no need to manually set the INFISICAL_API_URL environment variable.For versions prior to v0.4.0, the CLI defaults to US Cloud. To connect to EU Cloud or a self-hosted instance, set the INFISICAL_API_URL environment variable to https://eu.infisical.com or your custom URL.

Domain Configuration

Important: If you’re not using interactive login, you must configure the domain for all CLI commands.The CLI defaults to US Cloud (https://app.infisical.com). To connect to EU Cloud (https://eu.infisical.com) or a self-hosted instance, you must configure the domain in one of the following ways:
  • Use the INFISICAL_API_URL environment variable
  • Use the --domain flag on every command

Custom Request Headers

The Infisical CLI supports custom HTTP headers for requests to servers protected by authentication services such as Cloudflare Access. Configure these headers using the INFISICAL_CUSTOM_HEADERS environment variable:
# Syntax: headername1=headervalue1 headername2=headervalue2
export INFISICAL_CUSTOM_HEADERS="Access-Client-Id=your-client-id Access-Client-Secret=your-client-secret"

# Execute Infisical commands after setting the environment variable
infisical secrets
This functionality enables secure interaction with Infisical instances that require specific authentication headers.

History

Your terminal keeps a history with the commands you run. When you create Infisical secrets directly from your terminal, they’ll stay there for a while. For security and privacy concerns, we recommend you to configure your terminal to ignore those specific Infisical commands.
  • Unix/Linux
  • Windows
$HOME/.profile is pretty common but, you could place it under $HOME/.profile.d/infisical.sh or any profile file run at login
cat <<EOF >> $HOME/.profile && source $HOME/.profile

# Ignoring specific Infisical CLI commands
DEFAULT_HISTIGNORE=$HISTIGNORE
export HISTIGNORE="*infisical secrets set*:$DEFAULT_HISTIGNORE"
EOF

FAQ

Yes. The CLI is set to connect to Infisical US Cloud by default, but if you’re using EU Cloud or a self-hosted instance you can configure the domain for all CLI commands.

Method 1: Use the updated CLI (v0.4.0+)

Beginning with CLI version V0.4.0, you can choose between logging in through Infisical US Cloud, EU Cloud, or your own self-hosted instance. Simply execute the infisical login command and follow the on-screen instructions.

Method 2: Export environment variable

You can point the CLI to the self-hosted Infisical instance by exporting the environment variable INFISICAL_API_URL in your terminal.
  • Linux/MacOs
  • Windows Powershell
# Set the API URL
export INFISICAL_API_URL="https://your-self-hosted-infisical.com"

# For EU Cloud
export INFISICAL_API_URL="https://eu.infisical.com"

# Remove the setting
unset INFISICAL_API_URL

Method 3: Set manually on every command

If you prefer not to use an environment variable, you must include the --domain flag on every CLI command you run:
# Login with domain
infisical login --domain="https://your-domain.infisical.com" --method=oidc-auth --jwt $JWT

# All subsequent commands must also include --domain
infisical secrets --domain="https://your-self-hosted-infisical.com" --projectId <id> --env dev
infisical export --domain="https://your-self-hosted-infisical.com" --format=dotenv-export
Best Practice: Use INFISICAL_API_URL environment variable (Method 2) to avoid having to remember the --domain flag on every command. This is especially important in CI/CD pipelines and automation scripts.
To use Infisical for non local development scenarios, please create a service token. The service token will allow you to authenticate and interact with Infisical. Once you have created a service token with the required permissions, you’ll need to feed the token to the CLI.
  infisical export --token=<service-token>
  infisical secrets --token=<service-token>
  infisical run --token=<service-token> -- npm run dev

Pass via shell environment variable

The CLI is configured to look for an environment variable named INFISICAL_TOKEN. If set, it’ll attempt to use it for authentication.
  export INFISICAL_TOKEN=<service-token>