Skip to main content
When Infisical manages and rotates an account’s credentials, it becomes the source of truth for the current password. You can reveal the current password or private key from the account details page. Common use cases include:
  • Retrieving the current password managed by Infisical as the source of truth, e.g. after a rotation.
  • Entering credentials directly into systems or tooling that don’t connect through the Gateway.
On the account details page, public fields like username are always visible. To reveal sensitive fields like password or private key, click the View Credentials button. View Credentials Button View Credentials Revealed
The button only appears for account types that have sensitive fields. Accounts like SSH (certificate auth) and AWS IAM don’t have hidden credentials beyond what is already shown.

Access Controls

Revealing credentials is gated by a dedicated permission and optionally by MFA:
  • Permission: Requires the Read Credentials permission on PAM accounts. Without this permission, users with Read can still view account details and users with Access can still connect to resources through Infisical, but neither can see the raw password or private key. Add Read Credentials to the appropriate role in your project’s role settings.
  • MFA: Accounts with MFA enabled require users to complete MFA verification before credentials are revealed.
  • Audit Log: Every reveal is recorded as a pam-account-read-credentials event with the account ID, account name, resource ID, and resource type.