Configuration
A slug (lowercase letters, numbers, hyphens) that identifies the service, such as
stripe-api. Names are unique within a folder.One or more comma-separated patterns describing which hosts this service applies to. See Host Patterns below.
Toggle a service off without deleting it. A disabled service is skipped entirely: its placeholder environment variables are not set, no credentials are applied, and traffic to its hosts falls back to the unmatched host policy.
Host Patterns
A host pattern routes requests to the right service. Each pattern is ahost[:port][/path], and multiple patterns can be combined with commas:
- A
*.wildcard matches exactly one label:*.github.commatchesapi.github.combut nota.b.github.comor baregithub.com. - Host matching is case-insensitive. A pattern without a port matches any port.
- Do not include a scheme (
https://); patterns are hosts, not URLs.
- Exact host beats wildcard host.
- A pattern with a specific port beats one that matches any port.
- The longest matching path prefix wins.
- If still tied, the service whose name sorts first alphabetically wins.
Host patterns are for routing only. Proxied services are also scoped to their folder: an agent connected with
--env=prod --path=/ai-agents only ever matches services defined in that folder, so the same hostname can be configured differently in different folders, environments, or projects.Header Rewriting
Header rewriting adds or replaces an HTTP header on the outbound request. The agent does not need to send any credential; if it sends a made-up one, the header is overwritten with the real value. This covers most APIs:| Auth style | Configuration | Resulting header |
|---|---|---|
| Bearer token | Header name Authorization, prefix Bearer, one secret | Authorization: Bearer <secret> |
| API key header | Header name x-api-key, no prefix, one secret | x-api-key: <secret> |
| Basic auth | Two secrets, one as Username and one as Password | Authorization: Basic base64(username:password) |
| Custom | Any header name and optional prefix | <name>: <prefix> <secret> |
Credential Substitution
With credential substitution, the agent is handed a dummy placeholder value and the agent proxy swaps it for the real credential wherever it appears in the request. It is useful in two situations:- The API carries the credential somewhere other than a header. Telegram, for example, puts the bot token in the URL path:
api.telegram.org/bot<token>/sendMessage. - The agent has to see a value before it will make the call at all, headers included. Some HTTP clients validate that a credential is set, and agents often refuse to attempt a request without a real-looking key. The placeholder satisfies them, and the proxy swaps in the real value on the way out.
The environment variable name the agent receives, such as
TELEGRAM_BOT_TOKEN. When an agent connects, infisical secrets agent-proxy connect sets this variable to the placeholder, so the agent uses it like a normal credential.The dummy value that appears on the wire. A distinctive random string is generated for you, but you can override it, for example when the agent’s HTTP client validates the credential’s format.
The request surfaces the agent proxy scans for the placeholder:
path, query, header, and/or body. Scoping is the security boundary: the proxy only substitutes in the surfaces you list.The secret (from the same folder) whose real value replaces the placeholder.
- Replacement is a literal string swap of every occurrence of the placeholder in the selected surfaces.
- Request bodies are scanned up to 10 MiB; larger bodies, and bodies with a
Content-Encoding(compressed payloads), are forwarded unchanged without substitution. - WebSocket traffic is not supported; substitution applies to regular HTTP(S) requests.
If a placeholder environment variable has the same name as a regular secret the agent can read, the real secret value wins and the CLI logs a warning. Rename one of the two to avoid the ambiguity.
Using Secrets
A proxied service uses secrets by key name, from its own folder. This keeps the relationship self-healing:- At creation time, Infisical validates that each secret exists and that you can read its value, so typos are caught the moment you save.
- If a secret is later renamed or deleted, the proxied service skips it (the agent proxy logs a warning and the request still goes through, just without that value). Recreating the secret with the same key restores it automatically.
- Deleting the folder deletes the proxied services in it.
Creating or updating a proxied service requires Read Value permission on each secret it uses. This prevents someone with edit access to proxied services from wiring in a secret they are not allowed to read and exfiltrating it through the proxy.
Reusing secrets from other folders and environments
You cannot point a proxied service at another folder directly, but you can bring an outside value into its folder so the service can use it. There are two ways, both using features that already exist in Infisical:| Approach | What you do | Example |
|---|---|---|
| Imported secret | Import another folder into the service’s folder, then use the imported key by name | Import /shared-creds, then use its SHARED_API_KEY from the service’s folder |
| Composed with references | Create a secret whose value is one or more secret references, then use that secret. Lets you combine several secrets, including ones from different environments | A secret set to ${dev.gateway.KEY}.${staging.gateway.KEY}.${prod.gateway.KEY} resolves to the three values joined together |
Example: API Request
Proxied services can also be managed via the API. For example, creating the Telegram service described above:"role": "header-rewrite" with headerName and an optional headerPrefix, or headerPurpose (username/password) for basic auth.