Alt text The Infisical Gateway provides secure access to private resources within your network without needing direct inbound connections to your environment. This method keeps your resources fully protected from external access while enabling Infisical to securely interact with resources like databases. Common use cases include generating dynamic credentials or rotating credentials for private databases.
Note: Gateway is a paid feature. - Infisical Cloud users: Gateway is available under the Enterprise Tier. - Self-Hosted Infisical: Please contact [email protected] to purchase an enterprise license.

How It Works

The Gateway serves as a secure intermediary that facilitates direct communication between the Infisical server and your private network. It’s a lightweight daemon packaged within the Infisical CLI, making it easy to deploy and manage. Once set up, the Gateway establishes a connection with a relay server, ensuring that all communication between Infisical and your Gateway is fully end-to-end encrypted. This setup guarantees that only the platform and your Gateway can decrypt the transmitted information, keeping communication with your resources secure, private and isolated.

Deployment

The Infisical Gateway is seamlessly integrated into the Infisical CLI under the gateway command, making it simple to deploy and manage. You can install the Gateway in all the same ways you install the Infisical CLI—whether via npm, Docker, or a binary. For detailed installation instructions, refer to the Infisical CLI Installation instructions. To function, the Gateway must authenticate with Infisical. This requires a machine identity configured with the appropriate permissions to create and manage a Gateway. Once authenticated, the Gateway establishes a secure connection with Infisical to allow your private resources to be reachable.

Get started

1

Create a Gateway Identity

  1. Navigate to Organization Access Control in your Infisical dashboard.
  2. Create a dedicated machine identity for your Gateway.
  3. Best Practice: Assign a unique identity to each Gateway for better security and management. Create Gateway Identity
2

Configure Authentication Method

You’ll need to choose an authentication method to initiate communication with Infisical. View the available machine identity authentication methods here.
3

Deploy the Gateway

Use the Infisical CLI to deploy the Gateway. You can run it directly or install it as a systemd service for production:
For production deployments on Linux, install the Gateway as a systemd service:
sudo infisical gateway install --token <your-machine-identity-token> --domain <your-infisical-domain>
sudo systemctl start infisical-gateway
This will install and start the Gateway as a secure systemd service that:
  • Runs with restricted privileges:
    • Runs as root user (required for secure token management)
    • Restricted access to home directories
    • Private temporary directory
  • Automatically restarts on failure
  • Starts on system boot
  • Manages token and domain configuration securely in /etc/infisical/gateway.conf
The install command requires:
  • Linux operating system
  • Root/sudo privileges
  • Systemd
For detailed information about the gateway command and its options, see the gateway command documentation.
Ensure the deployed Gateway has network access to the private resources you intend to connect with Infisical.
4

Verify Gateway Deployment

To confirm your Gateway is working, check the deployment status by looking for the message “Gateway started successfully” in the Gateway logs. This indicates the Gateway is running properly. Next, verify its registration by opening your Infisical dashboard, navigating to Organization Access Control, and selecting the Gateways tab. Your newly deployed Gateway should appear in the list. Gateway List