Infisical Agent is a client daemon that simplifies the adoption of Infisical by providing a more scalable and user-friendly approach for applications to interact with Infisical. It eliminates the need to modify application logic by enabling clients to decide how they want their secrets rendered through the use of templates.

Key features:

  • Token renewal: Automatically authenticates with Infisical and deposits renewed access tokens at specified path for applications to consume
  • Templating: Renders secrets via user provided templates to desired formats for applications to consume

Token renewal

The Infisical agent can help manage the life cycle of access tokens. The token renewal process is split into two main components: a Method, which is the authentication process suitable for your current setup, and Sinks, which are the places where the agent deposits the new access token whenever it receives updates.

When the Infisical Agent is started, it will attempt to obtain a valid access token using the authentication method you have configured. If the agent is unable to fetch a valid token, the agent will keep trying, increasing the time between each attempt.

Once a access token is successfully fetched, the agent will make sure the access token stays valid, continuing to renew it before it expires.

Every time the agent successfully retrieves a new access token, it writes the new token to the Sinks you’ve configured.

Access tokens can be utilized with Infisical SDKs or directly in API requests to retrieve secrets from Infisical


The Infisical agent can help deliver formatted secrets to your application in a variety of environments. To achieve this, the agent will retrieve secrets from Infisical, format them using a specified template, and then save these formatted secrets to a designated file path.

Templating process is done through the use of Go language’s text/template feature. Multiple template definitions can be set in the agent configuration file to generate a variety of formatted secret files.

When the agent is started and templates are defined in the agent configuration file, the agent will attempt to acquire a valid access token using the set authentication method outlined in the agent’s configuration. If this initial attempt is unsuccessful, the agent will momentarily pauses before continuing to make more attempts.

Once the agent successfully obtains a valid access token, the agent proceeds to fetch the secrets from Infisical using it. It then formats these secrets using the user provided templates and writes the formatted data to configured file paths.

Agent configuration file

To set up the authentication method for token renewal and to define secret templates, the Infisical agent requires a YAML configuration file containing properties defined below. While specifying an authentication method is mandatory to start the agent, configuring sinks and secret templates are optional.

infisical.addressThe URL of the Infisical service. Default: "".
auth.typeThe type of authentication method used. Only "universal-auth" type is currently available
auth.config.client-idThe file path where the universal-auth client id is stored.
auth.config.client-secretThe file path where the universal-auth client secret is stored.
auth.config.remove_client_secret_on_readThis will instruct the agent to remove the client secret from disk.
sinks[].typeThe type of sink in a list of sinks. Each item specifies a sink type. Currently, only "file" type is available.
sinks[].config.pathThe file path where the access token should be stored for each sink in the list.
templates[].source-pathThe path to the template file that should be used to render secrets.
templates[].destination-pathThe path where the rendered secrets from the source template will be saved to.

Quick start Infisical Agent

To install the Infisical agent, you must first install the Infisical CLI in the desired environment where you’d like the agent to run. This is because the Infisical agent is a sub-command of the Infisical CLI.

Once you have the CLI installed, you will need to provision programmatic access for the agent via Universal Auth. To obtain a Client ID and a Client Secret, follow the step by step guide outlined here.

Next, create agent config file as shown below.

  address: ""
  type: "universal-auth"
    client-id: "./client-id"
    client-secret: "./client-secret"
    remove_client_secret_on_read: false
  - type: "file"
      path: "/some/path/to/store/access-token/file-name"
  - source-path: my-dot-ev-secret-template
    destination-path: /some/path/.env

Above is an example agent configuration file that defines the token authentication method, one sink location (where to deposit access tokens after renewal) and a secret template.

{{- with secret "6553ccb2b7da580d7f6e7260" "dev" "/" }}
{{- range . }}
{{ .Key }}={{ .Value }}
{{- end }}
{{- end }}

The secret template above will be used to render the secrets where the key and the value are separated by = sign. You’ll notice that a custom function named secret is used to fetch the secrets. This function takes the following arguments: secret "<project-id>" "<environment-slug>" "<secret-path>".

infisical agent --config example-agent-config-file.yaml

After defining the agent configuration file, run the command above pointing to the path where the agent configuration is located.

Was this page helpful?