```
## Uninstall Operator
The managed secret created by the operator will not be deleted when the operator is uninstalled.
Uninstall Infisical Helm repository
```bash theme={"dark"}
helm uninstall
```
# PM2
Source: https://infisical.com/docs/integrations/platforms/pm2
How to use Infisical to inject environment variables and secrets with PM2 into a Node.js app
Prerequisites:
* Set up and add envars to [Infisical Cloud](https://app.infisical.com)
* [Install the CLI](/cli/overview)
## Initialize Infisical for your Node.js app
```bash theme={"dark"}
# navigate to the root of your project
cd /path/to/project
# then initialize infisical
infisical init
```
## Create a bash or js script
```bash infisical-run.sh theme={"dark"}
infisical run -- npm start
```
```js infisical-run.js theme={"dark"}
const spawn = require("child_process").spawn;
const infisical = spawn("infisical", ["run", "--", "npm", "start"]);
infisical.stdout.on("data", (data) => console.log(`${data}`));
infisical.stderr.on("data", (data) => console.error(`${data}`));
```
## Start your application as usual but with the script
```bash infisical-run.sh theme={"dark"}
pm2 start infisical-run.sh
```
```bash infisical-run.js theme={"dark"}
pm2 start infisical-run.js
```
# Secret rotations
Source: https://infisical.com/docs/integrations/secret-rotations
Browse and search through all available secret rotations for Infisical.
# Secret syncs
Source: https://infisical.com/docs/integrations/secret-syncs
Browse and search through all available secret syncs for Infisical.
# 1Password Sync
Source: https://infisical.com/docs/integrations/secret-syncs/1password
Learn how to configure a 1Password Sync for Infisical.
**Prerequisites:**
* Create a [1Password Connection](/integrations/app-connections/1password)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **1Password Connection**: The 1Password Connection to authenticate with.
* **Vault**: The 1Password vault to sync secrets to.
* **Value Label**: The label of the 1Password item field that will hold your secret value.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over 1Password when keys conflict.
* **Import Secrets (Prioritize 1Password)**: Imports secrets from the destination endpoint before syncing, prioritizing values from 1Password over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your 1Password Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your 1Password Sync configuration, then click **Create Sync**.
If enabled, your 1Password Sync will begin syncing your secrets to the destination endpoint.
To create a **1Password Sync**, make an API request to the [Create 1Password Sync](/api-reference/endpoints/secret-syncs/1password/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/1password \
--header 'Content-Type: application/json' \
--data '{
"name": "my-1password-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"vaultId": "...",
"valueLabel": "value"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-1password-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "1password",
"name": "my-1password-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "1password",
"destinationConfig": {
"vaultId": "...",
"valueLabel": "value"
}
}
}
```
## FAQ
Infisical can only perform CRUD operations on the following item types:
* API Credentials
The **Value Label** is the label of the 1Password item field that holds your secret value. For example, if you sync the Infisical secret 'foo: bar', the equivalent 1Password item has the title 'foo' and a field 'value: bar' on that item. The field label 'value' is what this option changes.
# AWS Parameter Store Sync
Source: https://infisical.com/docs/integrations/secret-syncs/aws-parameter-store
Learn how to configure an AWS Parameter Store Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Sync** permissions
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
For workflows involving large amounts of secrets or frequent syncs, we recommend increasing your [AWS Parameter Store throughput quota](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-throughput.html) to avoid rate limiting.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **AWS Parameter Store** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **AWS Connection**: The AWS Connection to authenticate with.
* **Region**: The AWS region to deploy secrets to.
* **Path**: The AWS Parameter Store path to deploy secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Parameter Store when keys conflict.
* **Import Secrets (Prioritize AWS Parameter Store)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Parameter Store over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **KMS Key**: The AWS KMS key ID or alias to encrypt parameters with.
* **Tags**: Optional resource tags to add to parameters synced by Infisical.
* **Sync Secret Metadata as Resource Tags**: If enabled, metadata attached to secrets will be added as resource tags to parameters synced by Infisical.
Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Parameter Store Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Parameter Store Sync configuration, then click **Create Sync**.
8. If enabled, your Parameter Store Sync will begin syncing your secrets to the destination endpoint.
To create an **AWS Parameter Store Sync**, make an API request to the [Create AWS Parameter Store Sync](/api-reference/endpoints/secret-syncs/aws-parameter-store/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/aws-parameter-store \
--header 'Content-Type: application/json' \
--data '{
"name": "my-parameter-store-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"region": "us-east-1",
"path": "/my-aws/path/"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-parameter-store-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "aws",
"name": "my-aws-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "aws-parameter-store",
"destinationConfig": {
"region": "us-east-1",
"path": "/my-aws/path/"
}
}
}
```
## FAQ
The path is required and will be prepended to the key schema. For example, if you have a path of `/demo/path/` and a key schema of `INFISICAL_{{secretKey}}`, then the result will be `/demo/path/INFISICAL_{{secretKey}}`.
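A dry-run of the naming and deletion rules described above, useful before enabling **Overwrite Destination Secrets** on a shared Parameter Store path. This is an added example, not Infisical's code: the function names and sample data are constructed, and scoping deletions to names that match the key schema is an assumption drawn from the Key Schema recommendation on this page.

```python
import re

SECRET_KEY = "{{secretKey}}"
ENVIRONMENT = "{{environment}}"


def render_key(schema, secret_key, environment, path=""):
    """Destination name for one secret: the path is prepended to the rendered key schema."""
    if SECRET_KEY not in schema:
        # Without the placeholder every secret would render to the same name.
        raise ValueError("key schema must contain {{secretKey}}")
    return path + schema.replace(SECRET_KEY, secret_key).replace(ENVIRONMENT, environment)


def managed_pattern(schema, environment, path=""):
    """Regex matching only names this path + key schema could have produced.

    Assumption: parameters sit directly under the path, so a rendered key
    never contains '/'.
    """
    if SECRET_KEY not in schema:
        raise ValueError("key schema must contain {{secretKey}}")
    parts = re.split(r"(\{\{secretKey\}\})", schema.replace(ENVIRONMENT, environment))
    body = "".join("[^/]+" if p == SECRET_KEY else re.escape(p) for p in parts)
    return re.compile(re.escape(path) + body)


def plan_overwrite(source, destination, schema, environment, path="",
                   disable_deletion=False):
    """Classify destination names for an overwrite-style sync without touching anything."""
    desired = {render_key(schema, k, environment, path): v for k, v in source.items()}
    pattern = managed_pattern(schema, environment, path)
    plan = {"create": [], "update": [], "delete": [], "untouched": []}
    for name, value in desired.items():
        if name not in destination:
            plan["create"].append(name)
        elif destination[name] != value:
            plan["update"].append(name)
    for name in destination:
        if name in desired:
            continue
        # Only names inside the schema's namespace are candidates for removal,
        # and "Disable Secret Deletion" suppresses removal entirely.
        if pattern.fullmatch(name) and not disable_deletion:
            plan["delete"].append(name)
        else:
            plan["untouched"].append(name)
    return {action: sorted(names) for action, names in plan.items()}


# Constructed sample data: two Infisical secrets and an existing Parameter Store tree.
SOURCE = {"DB_PASSWORD": "new-value", "API_KEY": "abc123"}
DESTINATION = {
    "/demo/path/INFISICAL_DB_PASSWORD": "old-value",
    "/demo/path/INFISICAL_STALE": "x",
    "/demo/path/TERRAFORM_MANAGED": "y",
    "/other/app/TOKEN": "z",
}

if __name__ == "__main__":
    for schema in ("INFISICAL_{{secretKey}}", "{{secretKey}}"):
        print(schema)
        plan = plan_overwrite(SOURCE, DESTINATION, schema, "dev", "/demo/path/")
        for action, names in plan.items():
            print(f"  {action}: {names}")  # names only, never values
```

With the prefixed schema only `INFISICAL_STALE` is removed; with a bare `{{secretKey}}` schema every parameter directly under `/demo/path/` that Infisical does not hold, including `TERRAFORM_MANAGED`, lands in the delete list.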
# AWS Secrets Manager Sync
Source: https://infisical.com/docs/integrations/secret-syncs/aws-secrets-manager
Learn how to configure an AWS Secrets Manager Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create an [AWS Connection](/integrations/app-connections/aws) with the required **Secret Sync** permissions
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **AWS Secrets Manager** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **AWS Connection**: The AWS Connection to authenticate with.
* **Region**: The AWS region to deploy secrets to.
* **Mapping Behavior**: Specify how Infisical should map secrets to AWS Secrets Manager:
* **One-To-One**: Each Infisical secret will be mapped to a separate AWS Secrets Manager secret.
* **Many-To-One**: All Infisical secrets will be mapped to a single AWS Secrets Manager secret.
* **Secret Name**: Specifies the name of the AWS Secret to map secrets to if **Many-To-One** mapping behavior is selected.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
* **Import Secrets (Prioritize AWS Secrets Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **KMS Key**: The AWS KMS key ID or alias to encrypt secrets with.
* **Tags**: Optional tags to add to secrets synced by Infisical.
* **Sync Secret Metadata as Tags**: If enabled, metadata attached to secrets will be added as tags to secrets synced by Infisical.
Manually configured tags from the **Tags** field will take precedence over secret metadata when tag keys conflict.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Secrets Manager Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Secrets Manager Sync configuration, then click **Create Sync**.
8. If enabled, your Secrets Manager Sync will begin syncing your secrets to the destination endpoint.
To create an **AWS Secrets Manager Sync**, make an API request to the [Create AWS Secrets Manager Sync](/api-reference/endpoints/secret-syncs/aws-secrets-manager/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/aws-secrets-manager \
--header 'Content-Type: application/json' \
--data '{
"name": "my-secrets-manager-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"region": "us-east-1",
"mappingBehavior": "one-to-one"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-secrets-manager-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "aws",
"name": "my-aws-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "aws-secrets-manager",
"destinationConfig": {
"region": "us-east-1",
"mappingBehavior": "one-to-one"
}
}
}
```
# Azure App Configuration Sync
Source: https://infisical.com/docs/integrations/secret-syncs/azure-app-configuration
Learn how to configure an Azure App Configuration Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create an [Azure App Configuration Connection](/integrations/app-connections/azure-app-configuration)
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
The Azure App Configuration Secret Sync requires the following permissions to be set on the user / service principal
for Infisical to sync secrets to Azure App Configuration: `Read Key-Value`, `Write Key-Value`, `Delete Key-Value`.
Any role with these permissions would work such as the **App Configuration Data Owner** role. Alternatively, you can use the **App Configuration Data Contributor** role for read/write access.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Azure App Configuration** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Azure Connection**: The Azure Connection to authenticate with.
* **Configuration URL**: The URL of your Azure App Configuration.
* **Label**: An optional label to attach to all secrets created by Infisical inside your Azure App Configuration.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Azure App Configuration when keys conflict.
* **Import Secrets (Prioritize Azure App Configuration)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Azure App Configuration over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Azure App Configuration Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Azure App Configuration Sync configuration, then click **Create Sync**.
8. If enabled, your Azure App Configuration Sync will begin syncing your secrets to the destination endpoint.
To create an **Azure App Configuration Sync**, make an API request to the [Create Azure App Configuration Sync](/api-reference/endpoints/secret-syncs/azure-app-configuration/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/azure-app-configuration \
--header 'Content-Type: application/json' \
--data '{
"name": "my-azure-app-configuration-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"configurationUrl": "https://my-azure-app-configuration.azconfig.io",
"label": "my-label"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-azure-app-configuration-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "azure",
"name": "my-azure-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "azure-app-configuration",
"destinationConfig": {
"configurationUrl": "https://my-azure-app-configuration.azconfig.io",
"label": "my-label"
}
}
}
```
# Azure DevOps Sync
Source: https://infisical.com/docs/integrations/secret-syncs/azure-devops
Learn how to configure an Azure DevOps Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create an [Azure DevOps Connection](/integrations/app-connections/azure-devops)
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Azure DevOps** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Azure DevOps Connection**: The Azure DevOps Connection to authenticate with.
* **Project**: The Azure DevOps project to deploy secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Azure DevOps does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Azure DevOps Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Azure DevOps Sync configuration, then click **Create Sync**.
8. If enabled, your Azure DevOps Sync will begin syncing your secrets to the destination endpoint.
To create an **Azure DevOps Sync**, make an API request to the [Create Azure DevOps Sync](/api-reference/endpoints/secret-syncs/azure-devops/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/azure-devops \
--header 'Content-Type: application/json' \
--data '{
"name": "my-devops-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": true
},
"destinationConfig": {
"devopsProjectId": "12345678-90ab-cdef-1234-567890abcdef",
"devopsProjectName": "example-project"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-devops-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"keySchema": "PIPELINE_${secretKey}",
"disableSecretDeletion": true
},
"connection": {
"app": "azure-devops",
"name": "Production DevOps Organization",
"id": "8b92f5cc-3g77-5e80-6666-6ff57069385d"
},
"environment": {
"slug": "production",
"name": "Production Environment",
"id": "4f16j9gg-7k11-9i23-2222-2jj91403729h"
},
"folder": {
"id": "5a71e8dd-2f66-4d70-7777-7cc46958274c",
"path": "/devops/pipeline-secrets"
},
"destination": "azure-devops",
"destinationConfig": {
"devopsProjectId": "12345678-90ab-cdef-1234-567890abcdef",
"devopsProjectName": "example-project"
}
}
}
```
# Azure Key Vault Sync
Source: https://infisical.com/docs/integrations/secret-syncs/azure-key-vault
Learn how to configure an Azure Key Vault Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create an [Azure Key Vault Connection](/integrations/app-connections/azure-key-vault)
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
The Azure Key Vault Secret Sync requires the following secrets permissions to be set on the user / service principal
for Infisical to sync secrets to Azure Key Vault: `secrets/list`, `secrets/get`, `secrets/set`, `secrets/recover`.
Any role with these permissions would work such as the **Key Vault Secrets Officer** role.
Secrets in Infisical that contain an underscore (`_`) will be converted to a hyphen (`-`) when synced to Azure Key Vault.
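Because the underscore-to-hyphen conversion is lossy, two distinct Infisical names can land on the same Key Vault secret. The pre-flight check below is an added example, not Infisical's code; the function names and sample keys are constructed, and the name rule it applies is Azure Key Vault's own limit of 1 to 127 letters, digits and hyphens.

```python
import re
from collections import defaultdict

# Azure Key Vault secret names: 1-127 characters, letters, digits and hyphens only.
KEY_VAULT_NAME = re.compile(r"[0-9A-Za-z-]{1,127}")


def to_key_vault_name(infisical_key):
    """Apply the documented conversion: every underscore becomes a hyphen."""
    return infisical_key.replace("_", "-")


def preflight(infisical_keys):
    """Return (collisions, invalid) for a list of Infisical secret names.

    collisions: Key Vault name -> the Infisical names that all map to it.
    invalid:    converted names Key Vault would still reject.
    """
    by_destination = defaultdict(list)
    for key in infisical_keys:
        by_destination[to_key_vault_name(key)].append(key)
    collisions = {
        dest: sorted(sources)
        for dest, sources in by_destination.items()
        if len(sources) > 1
    }
    invalid = sorted(
        dest for dest in by_destination if not KEY_VAULT_NAME.fullmatch(dest)
    )
    return collisions, invalid


# Constructed sample: names as they might exist in one Infisical folder.
SAMPLE_KEYS = ["DB_PASSWORD", "DB-PASSWORD", "API_KEY", "stripe.webhook_secret"]

if __name__ == "__main__":
    collisions, invalid = preflight(SAMPLE_KEYS)
    for dest, sources in collisions.items():
        print(f"collision: {sources} -> {dest}")
    for dest in invalid:
        print(f"rejected by Key Vault naming rules: {dest}")
```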
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Azure Key Vault** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Azure Connection**: The Azure Connection to authenticate with.
* **Vault Base URL**: The URL of your Azure Key Vault.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Azure Key Vault when keys conflict.
* **Import Secrets (Prioritize Azure Key Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Azure Key Vault over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Azure Key Vault Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Azure Key Vault Sync configuration, then click **Create Sync**.
8. If enabled, your Azure Key Vault Sync will begin syncing your secrets to the destination endpoint.
To create an **Azure Key Vault Sync**, make an API request to the [Create Key Vault Sync](/api-reference/endpoints/secret-syncs/azure-key-vault/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/azure-key-vault \
--header 'Content-Type: application/json' \
--data '{
"name": "my-key-vault-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"vaultBaseUrl": "https://my-key-vault.vault.azure.net"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-key-vault-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "azure",
"name": "my-azure-key-vault-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "azure-key-vault",
"destinationConfig": {
"vaultBaseUrl": "https://my-key-vault.vault.azure.net"
}
}
}
```
# Bitbucket Sync
Source: https://infisical.com/docs/integrations/secret-syncs/bitbucket
Learn how to configure a Bitbucket Sync for Infisical.
**Prerequisites:**
* Create a [Bitbucket Connection](/integrations/app-connections/bitbucket)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Bitbucket Connection**: The Bitbucket Connection to authenticate with.
* **Workspace**: The Bitbucket workspace to sync secrets to.
* **Repository**: The Bitbucket repository to sync secrets to.
* **Deployment Environment (Optional)**: The Bitbucket deployment environment to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Bitbucket does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Bitbucket Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Bitbucket Sync configuration, then click **Create Sync**.
If enabled, your Bitbucket Sync will begin syncing your secrets to the destination endpoint.
To create a **Bitbucket Sync**, make an API request to the [Create Bitbucket Sync](/api-reference/endpoints/secret-syncs/bitbucket/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/bitbucket \
--header 'Content-Type: application/json' \
--data '{
"name": "my-bitbucket-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"workspaceSlug": "my-bitbucket-workspace",
"repositorySlug": "my-bitbucket-repository"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-bitbucket-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "bitbucket",
"name": "my-bitbucket-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "bitbucket",
"destinationConfig": {
"workspaceSlug": "my-bitbucket-workspace",
"repositorySlug": "my-bitbucket-repository"
}
}
}
```
# Camunda Sync
Source: https://infisical.com/docs/integrations/secret-syncs/camunda
Learn how to configure a Camunda Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Camunda Connection](/integrations/app-connections/camunda)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Camunda** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Camunda Connection**: The Camunda Connection to authenticate with.
* **Cluster**: The Camunda cluster to sync connector secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Camunda when keys conflict.
* **Import Secrets (Prioritize Camunda)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Camunda over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Camunda Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Camunda Sync configuration, then click **Create Sync**.
8. If enabled, your Camunda Sync will begin syncing your secrets to the destination endpoint.
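The Sync Options above interact: the Key Schema decides which destination keys an overwrite sync may delete, and the import priority decides which side wins a conflict. The following Python sketch is an added example, not Infisical's code; it models the documented options on constructed data and assumes a destination key counts as managed only when it fits the schema's fixed text around `{{secretKey}}`. The behavior labels and function names are local to the sketch.

```python
import re

KEY = "{{secretKey}}"
ENV = "{{environment}}"
BEHAVIORS = ("overwrite", "import-prefer-infisical", "import-prefer-destination")

# Constructed sample data: no real secrets or key names.
SCHEMA = "INFISICAL_{{environment}}_{{secretKey}}"
SOURCE = {"DB_PASSWORD": "new-pw", "API_KEY": "k-123"}  # Infisical side
DESTINATION = {                                          # destination side
    "INFISICAL_dev_DB_PASSWORD": "old-pw",
    "INFISICAL_dev_LEGACY_TOKEN": "t-old",
    "MANUAL_TLS_KEY": "pem",  # created by hand, outside Infisical
}


def render_key(schema, secret_key, environment):
    """Destination name for one Infisical secret under a Key Schema."""
    if not schema:
        return secret_key
    return schema.replace(KEY, secret_key).replace(ENV, environment)


def schema_matcher(schema, environment):
    """Regex recognising destination keys the schema could have produced.

    Assumption of this sketch: a key is "managed" only if it fits the
    schema's fixed prefix/suffix around {{secretKey}}.
    """
    if not schema:
        return re.compile(r"(.+)", re.S)  # no schema: every key is in scope
    if schema.count(KEY) != 1:
        raise ValueError("schema must contain {{secretKey}} exactly once")
    prefix, _, suffix = schema.replace(ENV, environment).partition(KEY)
    return re.compile(re.escape(prefix) + r"(.+)" + re.escape(suffix), re.S)


def plan_sync(source, destination, environment, schema=None,
              behavior="overwrite", disable_deletion=False):
    """Plan the initial sync: what is written, deleted, imported, left alone."""
    if behavior not in BEHAVIORS:
        raise ValueError(f"unknown behavior: {behavior}")
    matcher = schema_matcher(schema, environment)
    managed, untouched = {}, []  # managed: destination key -> Infisical name
    for dest_key in destination:
        match = matcher.fullmatch(dest_key)
        if match:
            managed[dest_key] = match.group(1)
        else:
            untouched.append(dest_key)

    merged, imported = dict(source), {}
    if behavior != "overwrite":
        for dest_key, name in managed.items():
            conflict = name in source
            if not conflict or behavior == "import-prefer-destination":
                if merged.get(name) != destination[dest_key]:
                    imported[name] = destination[dest_key]
                merged[name] = destination[dest_key]

    desired = {render_key(schema, k, environment): v for k, v in merged.items()}
    write = {k: v for k, v in desired.items() if destination.get(k) != v}
    extra = [k for k in managed if k not in desired]
    if behavior == "overwrite" and not disable_deletion:
        delete = extra
    else:
        delete = []
        untouched += extra  # kept because deletion is disabled
    return {"write": write, "delete": sorted(delete),
            "imported": imported, "untouched": sorted(untouched)}


if __name__ == "__main__":
    for label, kwargs in [
        ("overwrite, no schema", {}),
        ("overwrite, schema", {"schema": SCHEMA}),
        ("overwrite, schema, deletion disabled",
         {"schema": SCHEMA, "disable_deletion": True}),
        ("import, prefer destination",
         {"schema": SCHEMA, "behavior": "import-prefer-destination"}),
    ]:
        print(label, plan_sync(SOURCE, DESTINATION, "dev", **kwargs))
```

Without a schema the overwrite plan deletes the hand-made `MANUAL_TLS_KEY`; with the schema it is left alone. Importing with destination priority carries the destination's older `DB_PASSWORD` value back into Infisical, which matters if that secret was just rotated.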
To create a **Camunda Sync**, make an API request to the [Create Camunda Sync](/api-reference/endpoints/secret-syncs/camunda/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/camunda \
--header 'Content-Type: application/json' \
--data '{
"name": "my-camunda-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "cluster",
"clusterUUID": "cc4c8dae-dce9-4f4c-9882-132b2bd65fa5"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-camunda-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "camunda",
"name": "my-camunda-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "camunda",
"destinationConfig": {
"scope": "cluster",
"clusterUUID": "cc4c8dae-dce9-4f4c-9882-132b2bd65fa5"
}
}
}
```
# Checkly Sync
Source: https://infisical.com/docs/integrations/secret-syncs/checkly
Learn how to configure a Checkly Sync for Infisical.
**Prerequisites:**
* Create a [Checkly Connection](/integrations/app-connections/checkly)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Checkly Connection**: The Checkly Connection to authenticate with.
* **Account**: The Checkly account to sync secrets to.
* **Group**: The Checkly check group to sync secrets to (Optional).
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Checkly does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Checkly Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Checkly Sync configuration, then click **Create Sync**.
If enabled, your Checkly Sync will begin syncing your secrets to the destination endpoint.
To create a **Checkly Sync**, make an API request to the [Create Checkly Sync](/api-reference/endpoints/secret-syncs/checkly/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/checkly \
--header 'Content-Type: application/json' \
--data '{
"name": "my-checkly-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"accountId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"accountName": "Example Company"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-checkly-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination",
      "autoSyncEnabled": true,
      "disableSecretDeletion": false
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "checkly",
      "name": "my-checkly-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "checkly",
    "destinationConfig": {
      "accountId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "accountName": "Example Company"
    }
  }
}
```
# Chef Sync
Source: https://infisical.com/docs/integrations/secret-syncs/chef
Learn how to configure a Chef Sync for Infisical.
Chef Sync is a paid feature.
If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
then you should contact [team@infisical.com](mailto:team@infisical.com) to purchase an enterprise license to use it.
**Prerequisites:**
* Create a [Chef Connection](/integrations/app-connections/chef)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Chef Connection**: The Chef Connection to authenticate with.
* **Data Bag**: The Data Bag to sync secrets to.
* **Data Bag Item**: The Data Bag Item to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Chef when keys conflict.
* **Import Secrets (Prioritize Chef)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Chef over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Chef Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Chef Sync configuration, then click **Create Sync**.
If enabled, your Chef Sync will begin syncing your secrets to the destination endpoint.
To create a **Chef Sync**, make an API request to the [Create Chef Sync](/api-reference/endpoints/secret-syncs/chef/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/chef \
--header 'Content-Type: application/json' \
--data '{
"name": "my-chef-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "sync to chef site",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/",
"isEnabled": true,
"isAutoSyncEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"destinationConfig": {
"dataBagName": "my-data-bag",
"dataBagItemName": "my-data-bag-item"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-chef-sync",
"description": "sync to chef site",
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2025-07-19T12:00:00Z",
"updatedAt": "2025-07-19T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "job-1234",
"lastSyncMessage": null,
"lastSyncedAt": "2025-07-19T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "chef",
"name": "my-chef-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/"
},
"destination": "chef",
"destinationConfig": {
"dataBagName": "my-data-bag",
"dataBagItemName": "my-data-bag-item"
}
}
}
```
# CircleCI Sync
Source: https://infisical.com/docs/integrations/secret-syncs/circleci
Learn how to configure a CircleCI Sync for Infisical.
**Prerequisites:**
* Create a [CircleCI Connection](/integrations/app-connections/circleci)
Secrets with empty values will not be synced to CircleCI. This is due to CircleCI not supporting environment variables with empty values.
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **CircleCI Connection**: The CircleCI Connection to authenticate with.
* **Organization**: The CircleCI organization to sync secrets to.
* **Project**: The CircleCI project to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
CircleCI does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your CircleCI Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your CircleCI Sync configuration, then click **Create Sync**.
If enabled, your CircleCI Sync will begin syncing your secrets to the destination endpoint.
To create a **CircleCI Sync**, make an API request to the [Create CircleCI Sync](/api-reference/endpoints/secret-syncs/circleci/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/circleci \
--header 'Content-Type: application/json' \
--data '{
"name": "my-circleci-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"orgName": "my-circleci-org",
"projectId": "",
"projectName": ""
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-circleci-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "circleci",
"name": "my-circleci-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "circleci",
"destinationConfig": {
"orgName": "my-circleci-org",
"projectName": "",
"projectId": ""
}
}
}
```
# Cloudflare Pages Sync
Source: https://infisical.com/docs/integrations/secret-syncs/cloudflare-pages
Learn how to configure a Cloudflare Pages Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Cloudflare Connection](/integrations/app-connections/cloudflare)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Cloudflare Pages** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Cloudflare Connection**: The Cloudflare Connection to authenticate with.
* **Cloudflare Pages Project**: Choose the Cloudflare Pages project you want to sync secrets to.
* **Environment**: Select the deployment environment (preview or production).
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Cloudflare Pages Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Cloudflare Pages Sync configuration, then click **Create Sync**.
8. If enabled, your Cloudflare Pages Sync will begin syncing your secrets to the destination endpoint.
To create a **Cloudflare Pages Sync**, make an API request to the [Create Cloudflare Pages Sync](/api-reference/endpoints/secret-syncs/cloudflare-pages/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/cloudflare-pages \
--header 'Content-Type: application/json' \
--data '{
"name": "my-cloudflare-pages-sync",
"projectId": "your-project-id",
"description": "an example sync",
"connectionId": "your-cloudflare-connection-id",
"environment": "production",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"projectId": "your-cloudflare-pages-project-id",
"projectName": "my-pages-project",
"environment": "production"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "your-sync-id",
"name": "my-cloudflare-pages-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "your-folder-id",
"connectionId": "your-cloudflare-connection-id",
"createdAt": "2024-05-01T12:00:00Z",
"updatedAt": "2024-05-01T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2024-05-01T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "your-project-id",
"connection": {
"app": "cloudflare",
"name": "my-cloudflare-connection",
"id": "your-cloudflare-connection-id"
},
"environment": {
"slug": "production",
"name": "Production",
"id": "your-env-id"
},
"folder": {
"id": "your-folder-id",
"path": "/my-secrets"
},
"destination": "cloudflare-pages",
"destinationConfig": {
"projectId": "your-cloudflare-pages-project-id",
"projectName": "my-pages-project",
"environment": "production"
}
}
}
```
# Cloudflare Workers Sync
Source: https://infisical.com/docs/integrations/secret-syncs/cloudflare-workers
Learn how to configure a Cloudflare Workers Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Cloudflare Connection](/integrations/app-connections/cloudflare)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Cloudflare Workers** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Cloudflare Connection**: The Cloudflare Connection to authenticate with.
* **Cloudflare Workers Script**: Choose the Cloudflare Workers script you want to sync secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Cloudflare Workers Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Cloudflare Workers Sync configuration, then click **Create Sync**.
8. If enabled, your Cloudflare Workers Sync will begin syncing your secrets to the destination endpoint.
To create a **Cloudflare Workers Sync**, make an API request to the [Create Cloudflare Workers Sync](/api-reference/endpoints/secret-syncs/cloudflare-workers/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/cloudflare-workers \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-cloudflare-workers-sync",
"projectId": "your-project-id",
"description": "an example sync",
"connectionId": "your-cloudflare-connection-id",
"environment": "production",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scriptId": "my-workers-script"
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "your-sync-id",
"name": "my-cloudflare-workers-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "your-folder-id",
"connectionId": "your-cloudflare-connection-id",
"createdAt": "2024-05-01T12:00:00Z",
"updatedAt": "2024-05-01T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2024-05-01T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "your-project-id",
"connection": {
"app": "cloudflare",
"name": "my-cloudflare-connection",
"id": "your-cloudflare-connection-id"
},
"environment": {
"slug": "production",
"name": "Production",
"id": "your-env-id"
},
"folder": {
"id": "your-folder-id",
"path": "/my-secrets"
},
"destination": "cloudflare-workers",
"destinationConfig": {
"scriptId": "my-workers-script"
}
}
}
```
# Databricks Sync
Source: https://infisical.com/docs/integrations/secret-syncs/databricks
Learn how to configure a Databricks Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Databricks Connection](/integrations/app-connections/databricks)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Databricks** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Databricks Connection**: The Databricks Connection to authenticate with.
* **Scope**: The Databricks secret scope to sync secrets to.
You must create a secret scope in your Databricks workspace prior to configuration. Ensure your service principal has [Write permissions](https://docs.databricks.com/en/security/auth/access-control/index.html#secret-acls) for the specified secret scope.
Infisical recommends creating a designated Databricks secret scope for your sync to prevent removal of secrets not managed by Infisical.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Databricks does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Databricks Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Databricks Sync configuration, then click **Create Sync**.
8. If enabled, your Databricks Sync will begin syncing your secrets to the destination endpoint.
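The way **Overwrite Destination Secrets**, **Key Schema** and **Disable Secret Deletion** interact in step 5 can be checked before a sync is enabled. This dry-run model is an added example, not Infisical's code. It assumes that destination keys matching the Key Schema are the ones Infisical treats as managed; `plan_sync`, its parameter names and the sample key names are hypothetical and constructed for illustration.

```python
import re

SECRET_KEY = "{{secretKey}}"
ENVIRONMENT = "{{environment}}"


def render_key(key_schema, secret_key, environment):
    """Destination name for one Infisical secret under the given Key Schema."""
    if key_schema is None:
        return secret_key
    return key_schema.replace(ENVIRONMENT, environment).replace(SECRET_KEY, secret_key)


def managed_pattern(key_schema, environment):
    """Regex recognising destination keys that this Key Schema could have produced.

    Assumption of this model: without a schema, every destination key is
    considered managed by the sync.
    """
    if key_schema is None:
        return re.compile(r".+")
    if SECRET_KEY not in key_schema:
        # A schema without {{secretKey}} would map every secret to the same name.
        raise ValueError("Key Schema must contain {{secretKey}}")
    literal_parts = key_schema.replace(ENVIRONMENT, environment).split(SECRET_KEY)
    return re.compile("(.+)".join(re.escape(part) for part in literal_parts))


def plan_sync(source_keys, destination_keys, environment,
              key_schema=None, disable_secret_deletion=False):
    """Dry run of an overwrite-destination sync.

    Only key names are compared, because destinations such as Databricks do
    not support importing (reading back) secret values.
    Returns a dict with sorted lists: 'upsert', 'delete', 'untouched'.
    """
    pattern = managed_pattern(key_schema, environment)
    desired = {render_key(key_schema, key, environment) for key in source_keys}
    plan = {"upsert": sorted(desired), "delete": [], "untouched": []}
    for key in sorted(destination_keys):
        if key in desired:
            continue  # will be overwritten by the upsert
        if disable_secret_deletion or not pattern.fullmatch(key):
            plan["untouched"].append(key)
        else:
            plan["delete"].append(key)
    return plan


# Constructed sample data: two secrets in Infisical, four keys already present
# in the destination scope (two of them created by hand, outside Infisical).
SOURCE = ["DB_PASSWORD", "API_TOKEN"]
DESTINATION = {
    "INFISICAL_dev_DB_PASSWORD",
    "INFISICAL_dev_OLD_KEY",
    "DEPLOY_SSH_KEY",
    "SENTRY_DSN",
}
SCHEMA = "INFISICAL_{{environment}}_{{secretKey}}"

if __name__ == "__main__":
    cases = {
        "no schema, deletion allowed": plan_sync(SOURCE, DESTINATION, "dev"),
        "with schema, deletion allowed": plan_sync(SOURCE, DESTINATION, "dev", SCHEMA),
        "no schema, deletion disabled": plan_sync(
            SOURCE, DESTINATION, "dev", disable_secret_deletion=True),
    }
    for label, plan in cases.items():
        print(label)
        for action, keys in plan.items():
            print(f"  {action}: {keys}")
```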
To create a **Databricks Sync**, make an API request to the [Create Databricks Sync](/api-reference/endpoints/secret-syncs/databricks/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/databricks \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-databricks-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "my-scope"
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-databricks-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "databricks",
"name": "my-databricks-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "databricks",
"destinationConfig": {
"scope": "my-scope"
}
}
}
```
# DigitalOcean App Platform Sync
Source: https://infisical.com/docs/integrations/secret-syncs/digital-ocean-app-platform
Learn how to configure a DigitalOcean App Platform Sync for Infisical.
**Prerequisites:**
* Create a [DigitalOcean Connection](/integrations/app-connections/digital-ocean)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **DigitalOcean Connection**: The DigitalOcean Connection to authenticate with.
* **App**: The App Platform app to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
DigitalOcean App Platform does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your DigitalOcean Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your DigitalOcean Sync configuration, then click **Create Sync**.
If enabled, your DigitalOcean Sync will begin syncing your secrets to the destination endpoint.
To create a **DigitalOcean App Platform Sync**, make an API request to the [Create DigitalOcean Sync](/api-reference/endpoints/secret-syncs/digital-ocean-app-platform/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/digital-ocean-app-platform \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-digitalocean-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "sync to do app",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/app-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"appId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"appName": "do-todo-app"
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-digitalocean-sync",
"description": "sync to do app",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2025-07-19T12:00:00Z",
"updatedAt": "2025-07-19T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "job-5678",
"lastSyncMessage": null,
"lastSyncedAt": "2025-07-19T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "digital-ocean",
"name": "my-digitalocean-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/app-secrets"
},
"destination": "digital-ocean",
"destinationConfig": {
"appId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"appName": "do-todo-app"
}
}
}
```
# Fly.io Sync
Source: https://infisical.com/docs/integrations/secret-syncs/flyio
Learn how to configure a Fly.io Sync for Infisical.
**Prerequisites:**
* Create a [Fly.io Connection](/integrations/app-connections/flyio)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Fly.io Connection**: The Fly.io Connection to authenticate with.
* **App**: The Fly.io app to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Fly.io does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Auto Redeploy On Secret Change**: If enabled, Infisical will restart all app machines after syncing or removing secrets so they pick up the new values immediately.
Fly.io does not expose a way to mark secrets as "deployed". When using auto redeploy, the Fly.io dashboard may show secrets as **Staged** even though they are already applied to running machines (we force machine restarts to load the new secrets). To confirm deployment, check that your machines restarted after the sync (e.g. in the Fly.io Machines view or app logs).
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Fly.io Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Fly.io Sync configuration, then click **Create Sync**.
If enabled, your Fly.io Sync will begin syncing your secrets to the destination endpoint.
To create a **Fly.io Sync**, make an API request to the [Create Fly.io Sync](/api-reference/endpoints/secret-syncs/flyio/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/flyio \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-flyio-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoRedeploy": true
},
"destinationConfig": {
"appId": "..."
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-flyio-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoRedeploy": true
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "flyio",
"name": "my-flyio-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "flyio",
"destinationConfig": {
"appId": "..."
}
}
}
```
# GCP Secret Manager Sync
Source: https://infisical.com/docs/integrations/secret-syncs/gcp-secret-manager
Learn how to configure a GCP Secret Manager Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [GCP Connection](/integrations/app-connections/gcp) with the required **Secret Sync** permissions
* Enable **Cloud Resource Manager API**, **Secret Manager API**, and **Service Usage API** on your GCP project
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **GCP Secret Manager** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **GCP Connection**: The GCP Connection to authenticate with.
* **Project**: The GCP project to sync with.
* **Scope**: The GCP project scope that secrets should be synced to:
* **Global**: Secrets will be synced globally; available to all project regions.
* **Region**: Secrets will be synced to the specified region.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over GCP Secret Manager when keys conflict.
* **Import Secrets (Prioritize GCP Secret Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from GCP Secret Manager over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your GCP Secret Manager Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your GCP Secret Manager Sync configuration, then click **Create Sync**.
8. If enabled, your GCP Secret Manager Sync will begin syncing your secrets to the destination endpoint.
To create a **GCP Secret Manager Sync**, make an API request to the [Create GCP Secret Manager Sync](/api-reference/endpoints/secret-syncs/gcp-secret-manager/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/gcp-secret-manager \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"destinationConfig": {
"scope": "global",
"projectId": "infisical-test-playground"
},
"name": "my-gcp-sync",
"description": "this is an example secret sync",
"secretPath": "/",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"isAutoSyncEnabled": true,
"connectionId": "eec83609-5eb4-4d8d-9f6e-ded016984f0d",
"environment": "dev",
"projectId": "09eda1f8-85a3-47a9-8a6f-e27f133b2a36"
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "aee02c4a-4a5f-488c-82dd-0b3164772871",
"name": "my-gcp-sync",
"description": "this is an example secret sync",
"isAutoSyncEnabled": true,
"version": 1,
"projectId": "09eda1f8-85a3-47a9-8a6f-e27f133b2a36",
"folderId": "1447389e-16fb-49ba-96fd-361b5a2522af",
"connectionId": "eec83609-5eb4-4d8d-9f6e-ded016984f0d",
"createdAt": "2025-01-27T12:28:59.408Z",
"updatedAt": "2025-01-27T12:28:59.408Z",
"syncStatus": "pending",
"lastSyncJobId": null,
"lastSyncMessage": null,
"lastSyncedAt": null,
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"connection": {
"app": "gcp",
"name": "my-gcp-connection",
"id": "eec83609-5eb4-4d8d-9f6e-ded016984f0d"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "124e0392-4070-4b1c-900e-ced30cd55bf3"
},
"folder": {
"id": "1447389e-16fb-49ba-96fd-361b5a2522af",
"path": "/"
},
"destination": "gcp-secret-manager",
"destinationConfig": {
"projectId": "infisical-test-playground"
}
}
}
```
# GitHub Sync
Source: https://infisical.com/docs/integrations/secret-syncs/github
Learn how to configure a GitHub Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [GitHub Connection](/integrations/app-connections/github)
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **GitHub** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **GitHub Connection**: The GitHub Connection to authenticate with.
* **Scope**: The GitHub secret scope to sync secrets to.
* **Organization**: Sync secrets to a specific organization.
* **Repository**: Sync secrets to a specific repository.
* **Repository Environment**: Sync secrets to a specific repository's environment.
The remaining fields are determined by the selected **Scope**:
* **Organization**: The organization to deploy secrets to.
* **Visibility**: Determines which organization repositories can access deployed secrets.
* **All Repositories**: All repositories of the organization. (Public repositories if not a Pro/Team account)
* **Private Repositories**: All private repositories of the organization. (Requires Pro/Team account)
* **Selected Repositories**: Only the selected Repositories.
* **Selected Repositories**: The selected repositories if **Visibility** is set to **Selected Repositories**.
* **Repository**: The repository to deploy secrets to.
* **Repository**: The repository to deploy secrets to.
* **Environment**: The repository's environment to deploy secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
GitHub does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your GitHub Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your GitHub Sync configuration, then click **Create Sync**.
8. If enabled, your GitHub Sync will begin syncing your secrets to the destination endpoint.
To create a **GitHub Sync**, make an API request to the [Create GitHub Sync](/api-reference/endpoints/secret-syncs/github/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/github \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-github-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "repository",
"owner": "my-github",
"repo": "my-repository"
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-github-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "github",
"name": "my-github-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "github",
"destinationConfig": {
"scope": "repository",
"owner": "my-github",
"repo": "my-repository"
}
}
}
```
# GitLab Sync
Source: https://infisical.com/docs/integrations/secret-syncs/gitlab
Learn how to configure a GitLab Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [GitLab Connection](/integrations/app-connections/gitlab)
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **GitLab** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **GitLab Connection**: The GitLab Connection to authenticate with.
* **Scope**: The GitLab scope to sync secrets to.
* **Project**: Sync secrets to a GitLab project.
* **Group**: Sync secrets to a GitLab group.
The remaining fields are determined by the selected **Scope**:
* **GitLab Project**: The project to deploy secrets to.
* **GitLab Environment Scope**: The environment scope to deploy secrets to (optional, defaults to "\*" for all environments).
* **Mark secrets as Protected**: If enabled, synced secrets will be marked as protected in GitLab.
* **Mark secrets as Masked**: If enabled, synced secrets will be masked in GitLab CI/CD logs.
* **Mark secrets as Hidden**: If enabled, synced secrets will be hidden from the GitLab UI.
* **GitLab Group**: The group to deploy secrets to.
* **GitLab Environment Scope**: The environment scope to deploy secrets to (optional, defaults to "\*" for all environments).
* **Mark secrets as Protected**: If enabled, synced secrets will be marked as protected in GitLab.
* **Mark secrets as Masked**: If enabled, synced secrets will be masked in GitLab CI/CD logs.
* **Mark secrets as Hidden**: If enabled, synced secrets will be hidden from the GitLab UI.
Be aware that GitLab only allows secrets to be marked as hidden when they are first created. Trying to mark an existing secret as hidden produces an error.
If you enable **Mark secrets as Hidden**, Infisical will not be able to unhide/unmask secrets at the sync destination if you later disable the option, because GitLab does not allow existing secrets to be unhidden or unmasked.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
GitLab does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your GitLab Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your GitLab Sync configuration, then click **Create Sync**.
8. If enabled, your GitLab Sync will begin syncing your secrets to the destination endpoint.
To create a **GitLab Sync**, make an API request to the [Create GitLab Sync](/api-reference/endpoints/secret-syncs/gitlab/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/gitlab \
--header 'Authorization: Bearer <your-access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "my-gitlab-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "project",
"projectId": "70998370",
"projectName": "test",
"targetEnvironment": "*",
"shouldProtectSecrets": true,
"shouldMaskSecrets": true,
"shouldHideSecrets": false
}
}'
```
### Sample response
```bash Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-gitlab-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "gitlab",
"name": "my-gitlab-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "gitlab",
"destinationConfig": {
"scope": "project",
"projectId": "70998370",
"projectName": "test",
"targetEnvironment": "*",
"shouldProtectSecrets": true,
"shouldMaskSecrets": true,
"shouldHideSecrets": false
}
}
}
```
# Hashicorp Vault Sync
Source: https://infisical.com/docs/integrations/secret-syncs/hashicorp-vault
Learn how to configure a Hashicorp Vault Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Hashicorp Vault Connection](/integrations/app-connections/hashicorp-vault)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed.
* **Hashicorp Vault Connection**: The Vault Connection to authenticate with.
* **Secrets Engine Mount**: The secrets engine to sync secrets with (e.g., 'secret', 'kv').
* **Path**: The specific path within the secrets engine where secrets will be stored.
After configuring these parameters, click the **Next** button to continue to the Sync Options step.
If the **path** you provide does not exist in Vault, it will be created.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Hashicorp Vault when keys conflict.
* **Import Secrets (Prioritize Hashicorp Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Hashicorp Vault over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Hashicorp Vault Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Hashicorp Vault Sync configuration, then click **Create Sync**.
If enabled, your Hashicorp Vault Sync will begin syncing your secrets to the destination endpoint.
To create a **Hashicorp Vault Sync**, make an API request to the [Create Hashicorp Vault Sync](/api-reference/endpoints/secret-syncs/hashicorp-vault/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/hashicorp-vault \
--header 'Content-Type: application/json' \
--data '{
"name": "my-vault-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"mount": "secret",
"path": "dev/nested"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-vault-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "hashicorp-vault",
"name": "my-vault-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/"
},
"destination": "hashicorp-vault",
"destinationConfig": {
"mount": "secret",
"path": "dev/nested"
}
}
}
```
# Heroku Sync
Source: https://infisical.com/docs/integrations/secret-syncs/heroku
Learn how to configure a Heroku Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Heroku Connection](/integrations/app-connections/heroku)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Heroku** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Heroku Connection**: The Heroku Connection to authenticate with.
* **Heroku App**: The Heroku application to sync secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Import - Prefer values from Infisical**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, do nothing. Afterwards, sync secrets to Heroku.
* **Import - Prefer values from Heroku**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, replace its value with the one from Heroku. Afterwards, sync secrets to Heroku.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Heroku Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Heroku Sync configuration, then click **Create Sync**.
8. If enabled, your Heroku Sync will begin syncing your secrets to the destination endpoint.
To create a **Heroku Sync**, make an API request to the [Create Heroku Sync](/api-reference/endpoints/secret-syncs/heroku/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/heroku \
--header 'Content-Type: application/json' \
--data '{
"name": "my-heroku-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": true
},
"destinationConfig": {
"app": "8dd25736052a4b50",
"appName": "my-app"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-heroku-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": true
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "heroku",
"name": "my-heroku-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "heroku",
"destinationConfig": {
"app": "8dd25736052a4b50",
"appName": "my-app"
}
}
}
```
# Humanitec Sync
Source: https://infisical.com/docs/integrations/secret-syncs/humanitec
Learn how to configure a Humanitec Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Humanitec Connection](/integrations/app-connections/humanitec)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Humanitec** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Humanitec Connection**: The Humanitec Connection to authenticate with.
* **Scope**: The Humanitec secret scope to sync secrets to.
  * **Application**: Sync secrets to a specific application.
  * **Environment**: Sync secrets to a specific environment of an application.

The remaining fields are determined by the selected **Scope**:
* **Application** scope:
  * **Organization**: The organization to deploy secrets to.
  * **App**: The application to deploy secrets to.
* **Environment** scope:
  * **Organization**: The organization to deploy secrets to.
  * **App**: The application to deploy secrets to.
  * **Environment**: The environment to deploy secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Humanitec does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Humanitec Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Humanitec Sync configuration, then click **Create Sync**.
8. If enabled, your Humanitec Sync will begin syncing your secrets to the destination endpoint.
To create a **Humanitec Sync**, make an API request to the [Create Humanitec Sync](/api-reference/endpoints/secret-syncs/humanitec/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/humanitec \
--header 'Content-Type: application/json' \
--data '{
"name": "my-humanitec-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "application",
"app": "my-app",
"environment": "development"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-humanitec-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "humanitec",
"name": "my-humanitec-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "humanitec",
"destinationConfig": {
"scope": "application",
"org": "my-organization",
"app": "my-app",
"env": "development"
}
}
}
```
# Laravel Forge Sync
Source: https://infisical.com/docs/integrations/secret-syncs/laravel-forge
Learn how to configure a Laravel Forge Sync for Infisical.
**Prerequisites:**
* Create a [Laravel Forge Connection](/integrations/app-connections/laravel-forge)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Laravel Forge Connection**: The Laravel Forge Connection to authenticate with.
* **Organization**: The Organization in which the server and site reside.
* **Server**: The Server on which the site resides.
* **Site**: The Site for which secrets should be synced.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Laravel Forge when keys conflict.
* **Import Secrets (Prioritize Laravel Forge)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Laravel Forge over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Laravel Forge Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Laravel Forge Sync configuration, then click **Create Sync**.
If enabled, your Laravel Forge Sync will begin syncing your secrets to the destination endpoint.
To create a **Laravel Forge Sync**, make an API request to the [Create Laravel Forge Sync](/api-reference/endpoints/secret-syncs/laravel-forge/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/laravel-forge \
--header 'Content-Type: application/json' \
--data '{
"name": "my-laravel-forge-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "sync to laravel forge site",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/",
"isEnabled": true,
"isAutoSyncEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"destinationConfig": {
"orgSlug": "org-abc123",
"serverId": "123",
"siteId": "site-abc123"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-laravel-forge-sync",
"description": "sync to laravel forge site",
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2025-07-19T12:00:00Z",
"updatedAt": "2025-07-19T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "job-1234",
"lastSyncMessage": null,
"lastSyncedAt": "2025-07-19T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "laravel-forge",
"name": "my-laravel-forge-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/"
},
"destination": "laravel-forge",
"destinationConfig": {
"orgSlug": "org-abc123",
"serverId": "123",
"siteId": "site-abc123"
}
}
}
```
# Netlify Sync
Source: https://infisical.com/docs/integrations/secret-syncs/netlify
Learn how to configure a Netlify Sync for Infisical.
**Prerequisites:**
* Create a [Netlify Connection](/integrations/app-connections/netlify)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Netlify Connection**: The Netlify Connection to authenticate with.
* **Account**: The Netlify Account to be used.
* **Site**: The Netlify site where secrets should be synced.
* **Context**: The Netlify deployment context in which secrets should be created.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Netlify when keys conflict.
* **Import Secrets (Prioritize Netlify)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Netlify over Infisical when keys conflict.
Netlify only supports importing non-secret values.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Netlify Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Netlify Sync configuration, then click **Create Sync**.
If enabled, your Netlify Sync will begin syncing your secrets to the destination endpoint.
To create a **Netlify Sync**, make an API request to the [Create Netlify Sync](/api-reference/endpoints/secret-syncs/netlify/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/netlify \
--header 'Content-Type: application/json' \
--data '{
"name": "my-netlify-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "sync to netlify site",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "production",
"secretPath": "/site-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"siteId": "site-abc123",
"accountId": "account-abc123",
"context": "dev"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-netlify-sync",
"description": "sync to netlify site",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2025-07-19T12:00:00Z",
"updatedAt": "2025-07-19T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "job-1234",
"lastSyncMessage": null,
"lastSyncedAt": "2025-07-19T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "netlify",
"name": "my-netlify-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "production",
"name": "Production",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/site-secrets"
},
"destination": "netlify",
"destinationConfig": {
"siteId": "site-abc123",
"accountId": "account-abc123",
"context": "dev"
}
}
}
```
# Northflank Sync
Source: https://infisical.com/docs/integrations/secret-syncs/northflank
Learn how to configure a Northflank Sync for Infisical.
**Prerequisites:**
* Create a [Northflank Connection](/integrations/app-connections/northflank)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Northflank Connection**: The Northflank Connection to authenticate with.
* **Project**: The Northflank project to sync secrets to.
* **Secret Group**: The Northflank secret group to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Destination Secrets - Prioritize Infisical Values**: Imports any secrets present in the Northflank destination prior to syncing, prioritizing values from Infisical over Northflank when keys conflict.
* **Import Destination Secrets - Prioritize Northflank Values**: Imports any secrets present in the Northflank destination prior to syncing, prioritizing values from Northflank over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Northflank Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Northflank Sync configuration, then click **Create Sync**.
If enabled, your Northflank Sync will begin syncing your secrets to the destination endpoint.
To create a **Northflank Sync**, make an API request to the [Create Northflank Sync](/api-reference/endpoints/secret-syncs/northflank/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/northflank \
--header 'Content-Type: application/json' \
--data '{
"name": "my-northflank-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isAutoSyncEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"keySchema": "INFISICAL_{{secretKey}}"
},
"destinationConfig": {
"projectId": "my-project-id",
"secretGroupId": "my-secret-group-id"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-northflank-sync",
"description": "an example sync",
"isAutoSyncEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"keySchema": "INFISICAL_{{secretKey}}",
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "northflank",
"name": "my-northflank-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "northflank",
"destinationConfig": {
"projectId": "my-project-id",
"secretGroupId": "my-secret-group-id"
}
}
}
```
# OCI Vault Sync
Source: https://infisical.com/docs/integrations/secret-syncs/oci-vault
Learn how to configure an Oracle Cloud Infrastructure Vault Sync for Infisical.
OCI Vault Sync is a paid feature.
If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
then you should contact [team@infisical.com](mailto:team@infisical.com) to purchase an enterprise license to use it.
**Prerequisites:**
* Create an [OCI Connection](/integrations/app-connections/oci) with the required **Secret Sync** permissions
* [Create](https://docs.oracle.com/en-us/iaas/Content/Identity/compartments/To_create_a_compartment.htm) or use an existing OCI Compartment (which the OCI Connection is authorized to access)
* [Create](https://docs.oracle.com/en-us/iaas/Content/KeyManagement/Tasks/managingvaults_topic-To_create_a_new_vault.htm#createnewvault) or use an existing OCI Vault
* Ensure your network security policies allow incoming requests from Infisical to this secret sync provider, if network restrictions apply.
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **OCI Connection**: The OCI Connection to authenticate with.
* **Compartment**: The compartment where the vault is located.
* **Vault**: The vault to sync secrets to.
* **Encryption Key**: The encryption key to use when creating secrets in the vault.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over OCI Vault when keys conflict.
* **Import Secrets (Prioritize OCI Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from OCI Vault over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your OCI Vault Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your OCI Vault Sync configuration, then click **Create Sync**.
If enabled, your OCI Vault Sync will begin syncing your secrets to the destination endpoint.
To create an **OCI Vault Sync**, make an API request to the [Create OCI Vault Sync](/api-reference/endpoints/secret-syncs/oci-vault/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/oci-vault \
--header 'Content-Type: application/json' \
--data '{
"name": "my-oci-vault-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"compartmentOcid": "...",
"vaultOcid": "...",
"keyOcid": "..."
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-oci-vault-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "oci",
"name": "my-oci-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "oci-vault",
"destinationConfig": {
"compartmentOcid": "...",
"vaultOcid": "...",
"keyOcid": "..."
}
}
}
```
## FAQ
When Infisical attempts to sync secrets, the sync will fail and attempt to re-sync if **any secret** has one of the following lifecycle states:
* SchedulingDeletion
* CancellingDeletion
* Deleting
* Creating
* Updating
We do this to prevent any desync issues.
In the case that a variable is created or updated while it's scheduled for deletion in OCI Vault, we cancel the deletion and update the variable. This action may take up to a minute since Infisical must wait for OCI to completely cancel the deletion and then update the variable.
# Octopus Deploy Sync
Source: https://infisical.com/docs/integrations/secret-syncs/octopus-deploy
Learn how to configure an Octopus Deploy Sync for Infisical.
**Prerequisites:**
* Create an [Octopus Deploy Connection](/integrations/app-connections/octopus-deploy)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
The destination configuration is organized into two tabs:
**General Tab:**
* **Octopus Deploy Connection**: The Octopus Deploy Connection to authenticate with.
* **Space**: The Octopus Deploy Space to sync secrets to.
* **Project**: The Octopus Deploy Project within the Space to sync secrets to.
**Advanced Tab:**
The Advanced tab allows you to specify optional scope values to restrict where the synced variables are available within your Octopus Deploy project:
* **Environments**: Restrict variables to specific environments (e.g., Development, Staging, Production).
* **Target Tags**: Restrict variables to specific target tags (e.g., web-server, database).
* **Targets**: Restrict variables to specific deployment targets.
* **Processes**: Restrict variables to specific deployment processes.
* **Deployment Steps**: Restrict variables to specific deployment steps.
* **Channels**: Restrict variables to specific release channels.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Octopus Deploy does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Octopus Deploy Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Octopus Deploy Sync configuration, then click **Create Sync**.
If enabled, your Octopus Deploy Sync will begin syncing your secrets to the destination endpoint.
To create an **Octopus Deploy Sync**, make an API request to the [Create Octopus Deploy Sync](/api-reference/endpoints/secret-syncs/octopus-deploy/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/octopus-deploy \
--header 'Content-Type: application/json' \
--data '{
"name": "my-octopus-deploy-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "sync to octopus deploy project",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/",
"isEnabled": true,
"isAutoSyncEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"destinationConfig": {
"spaceId": "Spaces-1",
"scope": "project",
"projectId": "Projects-123",
"scopeValues": {
"environments": ["Environments-1", "Environments-2"],
"roles": ["web-server"],
"channels": ["Channels-1"]
}
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-octopus-deploy-secret-sync",
"description": null,
"isAutoSyncEnabled": true,
"version": 1,
"projectId": "1e812ad3-e5df-4f1b-839d-13b4ef201840",
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2025-12-12T09:44:59.023Z",
"updatedAt": "2025-12-12T09:44:59.023Z",
"syncStatus": "succeeded",
"lastSyncJobId": null,
"lastSyncMessage": null,
"lastSyncedAt": null,
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"disableSecretDeletion": false
},
"connection": {
"app": "octopus-deploy",
"name": "my-octopus-deploy-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "ad9c26ed-a7ee-41f4-b883-8dd25736052a",
"path": "/"
},
"destination": "octopus-deploy",
"destinationConfig": {
"spaceId": "Spaces-1",
"scope": "project",
"projectId": "Projects-1",
"scopeValues": {
"environments": [
"Environments-1",
"Environments-2"
],
"roles": [
"sample-app-server"
],
"machines": [
"Machines-1",
"Machines-2"
],
"processes": [
"Runbooks-1",
"Runbooks-2"
],
"actions": [
"3c90c3cc-0d44-4b50-8888-8dd25736052a",
"3c90c3cc-0d44-4b50-8888-8dd25736052a"
],
"channels": [
"Channels-2",
"Channels-1"
]
}
}
}
```
# Overview
Source: https://infisical.com/docs/integrations/secret-syncs/overview
Learn how to sync secrets to third-party services with Infisical.
Secret Syncs enable you to sync secrets from Infisical to third-party services using [App Connections](/integrations/app-connections/overview).
## Concept
Secret Syncs are a project-level resource used to sync secrets, via an [App Connection](/integrations/app-connections/overview), from a particular project environment and folder path (source)
to a third-party service (destination). Changes to the source will automatically be propagated to the destination, ensuring
your secrets are always up-to-date.
```mermaid theme={"dark"}
%%{init: {'flowchart': {'curve': 'linear'} } }%%
graph LR
A[App Connection]
B[Secret Sync]
C[Secret 1]
D[Secret 2]
E[Secret 3]
F[Third-Party Service]
G[Secret 1]
H[Secret 2]
I[Secret 3]
J[Project Source]
B --> A
C --> J
D --> J
E --> J
A --> F
F --> G
F --> H
F --> I
J --> B
classDef default fill:#ffffff,stroke:#666,stroke-width:2px,rx:10px,color:black
classDef connection fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:15px
classDef secret fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
classDef sync fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
classDef service fill:#E6E6FF,stroke:#6B4E96,stroke-width:2px,color:black,rx:15px
classDef project fill:#FFE6E6,stroke:#D63F3F,stroke-width:2px,color:black,rx:15px
class A connection
class B sync
class C,D,E,G,H,I secret
class F project
class J service
```
## Workflow
Configuring a Secret Sync requires three components: a source location to retrieve secrets from,
a destination endpoint to deploy secrets to, and configuration options to determine how your secrets
should be synced. Follow these steps to start syncing:
For step-by-step guides on syncing to a particular third-party service, refer to the Secret Syncs section in the Navigation Bar.
1. Create App Connection: If you have not already done so, create an [App Connection](/integrations/app-connections/overview)
via the UI or API for the third-party service you intend to sync secrets to.
2. Create Secret Sync: Configure a Secret Sync in the desired project by specifying the following parameters via the UI or API:
* Source: The project environment and folder path you wish to retrieve secrets from.
* Destination: The App Connection to utilize and the destination endpoint to deploy secrets to. These can vary between services.
* Options: Customize how secrets should be synced, such as whether or not secrets should be imported from the destination on the initial sync.
Secret Syncs are the source of truth for connected third-party services. Any secret,
including associated data, not present or imported in Infisical before syncing will be
overwritten, and changes made directly in the connected service outside of Infisical may also
be overwritten by future syncs.
Some third-party services do not support importing secrets.
3. Utilize Sync: Any changes to the source location will now automatically be propagated to the destination endpoint.
Infisical is continuously expanding its Secret Sync third-party service support. If the service you need isn't available,
you can contact us at [team@infisical.com](mailto:team@infisical.com) to make a request.
## Key Schemas
Key Schemas transform your secret keys by applying a prefix, suffix, or format pattern during sync to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.
Any destination secrets which do not match the schema will not get deleted or updated by Infisical.
Key Schemas use handlebars syntax to define dynamic values. Here's a full list of available variables:
* `{{secretKey}}` - The key of the secret
* `{{environment}}` - The environment which the secret is in (e.g. dev, staging, prod)
**Example:**
* Infisical key: `SECRET_1`
* Schema: `INFISICAL_{{secretKey}}`
* Synced key: `INFISICAL_SECRET_1`
```mermaid theme={"dark"}
graph LR
A[Infisical: **SECRET_1**] -->|Apply Schema| B[Destination: **INFISICAL_SECRET_1**]
style B fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
style A fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
```
When importing secrets from the destination into Infisical, the schema is stripped from imported secret keys.
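The Key Schema rules above and the Sync Options described on the per-service pages (Initial Sync Behavior, Disable Secret Deletion) can be modelled together. The following is an added example, not Infisical's code: a simplified planner that shows which destination keys a sync would write, remove, or leave untouched. The function names, the sample data, and the two import mode strings are assumptions of this example; only `overwrite-destination` appears on this page.

```javascript
// Added example: a simplified model of the sync rules described on this page.
// It is not Infisical's implementation; all names below are hypothetical.

const PLACEHOLDER = /\{\{(secretKey|environment)\}\}/g;
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Key Schema -> destination key, e.g. "INFISICAL_{{secretKey}}" + "SECRET_1".
function applySchema(schema, secretKey, environment) {
  if (!schema) return secretKey;
  const vars = { secretKey, environment };
  return schema.replace(PLACEHOLDER, (_, name) => vars[name]);
}

// Destination key -> original key, or null when the key does not match the
// schema (such keys are outside the sync's control). No schema: every key matches.
function stripSchema(schema, destKey, environment) {
  if (!schema) return destKey;
  let captured = false;
  const pattern = schema
    .split(/(\{\{(?:secretKey|environment)\}\})/)
    .map((part) => {
      if (part === "{{environment}}") return escapeRe(environment);
      if (part !== "{{secretKey}}") return escapeRe(part);
      if (captured) return "\\1"; // repeated placeholder must repeat the same key
      captured = true;
      return "(.+)";
    })
    .join("");
  const match = new RegExp(`^${pattern}$`).exec(destKey);
  return match ? match[1] : null;
}

// behavior: "overwrite-destination" (from the page), or this example's labels
// "import-prioritize-source" / "import-prioritize-destination" for the import modes.
function planSync({ infisical, destination, environment, schema, behavior, disableSecretDeletion }) {
  if (schema && !schema.includes("{{secretKey}}")) {
    throw new Error("this model requires {{secretKey}} in the Key Schema");
  }
  const source = { ...infisical }; // never mutate the caller's data
  const imported = {};

  // Import modes: pull in destination keys that match the schema, schema stripped.
  if (behavior !== "overwrite-destination") {
    for (const [destKey, value] of Object.entries(destination)) {
      const key = stripSchema(schema, destKey, environment);
      if (key === null) continue; // unmanaged key, never imported
      const conflict = Object.hasOwn(source, key);
      if (!conflict || behavior === "import-prioritize-destination") {
        if (source[key] !== value) imported[key] = value;
        source[key] = value;
      }
    }
  }

  // Writes: every source secret whose destination value is missing or different.
  const upsert = {};
  const wanted = new Set();
  for (const [key, value] of Object.entries(source)) {
    const destKey = applySchema(schema, key, environment);
    wanted.add(destKey);
    if (destination[destKey] !== value) upsert[destKey] = value;
  }

  // Removals: destination keys inside the schema that the source no longer has.
  const remove = [];
  const untouched = [];
  for (const destKey of Object.keys(destination)) {
    if (wanted.has(destKey)) continue;
    const managed = stripSchema(schema, destKey, environment) !== null;
    (managed && !disableSecretDeletion ? remove : untouched).push(destKey);
  }
  return { imported, upsert, remove: remove.sort(), untouched: untouched.sort() };
}

// Constructed sample data (placeholder values, not real secrets).
const SAMPLE_INFISICAL = { DB_URL: "constructed-new", API_KEY: "constructed-a" };
const SAMPLE_DESTINATION = {
  INFISICAL_DB_URL: "constructed-old",
  INFISICAL_API_KEY: "constructed-b",
  INFISICAL_STALE: "constructed-c",
  LEGACY_TOKEN: "constructed-manual", // created by hand at the destination
};

function demo(overrides) {
  return planSync({
    infisical: SAMPLE_INFISICAL,
    destination: SAMPLE_DESTINATION,
    environment: "dev",
    schema: "INFISICAL_{{secretKey}}",
    behavior: "overwrite-destination",
    disableSecretDeletion: false,
    ...overrides,
  });
}

console.log("with schema:", demo({}));
console.log("without schema:", demo({ schema: undefined }));
```

With the schema, only `INFISICAL_STALE` is removed and `LEGACY_TOKEN` is left alone; without a schema, the same overwrite removes every destination key that is absent from Infisical, including the hand-managed one.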
# Railway Sync
Source: https://infisical.com/docs/integrations/secret-syncs/railway
Learn how to configure a Railway Sync for Infisical.
**Prerequisites:**
* Create a [Railway Connection](/integrations/app-connections/railway)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Railway Connection**: The Railway Connection to authenticate with.
* **Project**: The Railway project to sync secrets to.
* **Environment**: The Railway environment to sync secrets to.
* **Service**: The Service to sync secrets to.
* **If not provided**: Secrets will be synced as [shared variables](https://docs.railway.com/guides/variables#shared-variables) on Railway.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Railway when keys conflict.
* **Import Secrets (Prioritize Railway)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Railway over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Railway Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Railway Sync configuration, then click **Create Sync**.
If enabled, your Railway Sync will begin syncing your secrets to the destination endpoint.
To create a **Railway Sync**, make an API request to the [Create Railway Sync](/api-reference/endpoints/secret-syncs/railway/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/railway \
--header 'Content-Type: application/json' \
--data '{
"name": "my-railway-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"projectId": "dev-project-id",
"projectName": "Development Project",
"environmentId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environmentName": "Development",
"serviceId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"serviceName": "my-railway-service"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-railway-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "railway",
"name": "my-railway-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "railway",
"destinationConfig": {
"projectId": "dev-project-id",
"projectName": "Development Project",
"environmentId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environmentName": "Development",
"serviceId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"serviceName": "my-railway-service"
}
}
}
```
# Render Sync
Source: https://infisical.com/docs/integrations/secret-syncs/render
Learn how to configure a Render Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Render Connection](/integrations/app-connections/render)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Render** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Render Connection**: The Render Connection to authenticate with.
* **Scope**: Select **Service** or **Environment Group**.
* **Service**: Choose the Render service you want to sync secrets to.
* **Environment Group**: Choose the Render environment group you want to sync secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the Render service before syncing, prioritizing values from Infisical over Render when keys conflict.
* **Import Secrets (Prioritize Render)**: Imports secrets from the Render service before syncing, prioritizing values from Render over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Render Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Render Sync configuration, then click **Create Sync**.
8. If enabled, your Render Sync will begin syncing your secrets to the destination endpoint.
To create a **Render Sync**, make an API request to the [Create Render Sync](/api-reference/endpoints/secret-syncs/render/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/render \
--header 'Content-Type: application/json' \
--data '{
"name": "my-render-sync",
"projectId": "your-project-id",
"description": "an example sync",
"connectionId": "your-render-connection-id",
"environment": "production",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"scope": "service",
"serviceId": "your-render-service-id",
"type": "env"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "your-sync-id",
"name": "my-render-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "your-folder-id",
"connectionId": "your-render-connection-id",
"createdAt": "2024-05-01T12:00:00Z",
"updatedAt": "2024-05-01T12:00:00Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2024-05-01T12:00:00Z",
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"projectId": "your-project-id",
"connection": {
"app": "render",
"name": "my-render-connection",
"id": "your-render-connection-id"
},
"environment": {
"slug": "production",
"name": "Production",
"id": "your-env-id"
},
"folder": {
"id": "your-folder-id",
"path": "/my-secrets"
},
"destination": "render",
"destinationConfig": {
"scope": "service",
"serviceId": "your-render-service-id",
"type": "env"
}
}
}
```
# Supabase Sync
Source: https://infisical.com/docs/integrations/secret-syncs/supabase
Learn how to configure a Supabase Sync for Infisical.
**Prerequisites:**
* Create a [Supabase Connection](/integrations/app-connections/supabase)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Supabase Connection**: The Supabase Connection to authenticate with.
* **Project**: The Supabase project to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Supabase does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Supabase Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Supabase Sync configuration, then click **Create Sync**.
If enabled, your Supabase Sync will begin syncing your secrets to the destination endpoint.
To create a **Supabase Sync**, make an API request to the [Create Supabase Sync](/api-reference/endpoints/secret-syncs/supabase/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/supabase \
--header 'Content-Type: application/json' \
--data '{
"name": "my-supabase-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"destinationConfig": {
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"projectName": "Example Project"
}
}'
```
### Sample response
```json Response theme={"dark"}
{
"secretSync": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"name": "my-supabase-sync",
"description": "an example sync",
"isEnabled": true,
"version": 1,
"folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"createdAt": "2023-11-07T05:31:56Z",
"updatedAt": "2023-11-07T05:31:56Z",
"syncStatus": "succeeded",
"lastSyncJobId": "123",
"lastSyncMessage": null,
"lastSyncedAt": "2023-11-07T05:31:56Z",
"importStatus": null,
"lastImportJobId": null,
"lastImportMessage": null,
"lastImportedAt": null,
"removeStatus": null,
"lastRemoveJobId": null,
"lastRemoveMessage": null,
"lastRemovedAt": null,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination",
"autoSyncEnabled": true,
"disableSecretDeletion": false
},
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"connection": {
"app": "supabase",
"name": "my-supabase-connection",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"environment": {
"slug": "dev",
"name": "Development",
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
},
"folder": {
"id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"path": "/my-secrets"
},
"destination": "supabase",
"destinationConfig": {
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"projectName": "Example Project"
}
}
}
```
# TeamCity Sync
Source: https://infisical.com/docs/integrations/secret-syncs/teamcity
Learn how to configure a TeamCity Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [TeamCity Connection](/integrations/app-connections/teamcity) with the required **Secret Sync** permissions
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **TeamCity** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **TeamCity Connection**: The TeamCity Connection to authenticate with.
* **Project**: The TeamCity project to sync secrets to.
* **Build Configuration**: The build configuration to sync secrets to.
Not including a Build Configuration will sync secrets to the project.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over TeamCity when keys conflict.
* **Import Secrets (Prioritize TeamCity)**: Imports secrets from the destination endpoint before syncing, prioritizing values from TeamCity over Infisical when keys conflict.
Infisical only syncs secrets from within the target scope; inherited secrets will not be imported.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your TeamCity Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your TeamCity Sync configuration, then click **Create Sync**.
8. If enabled, your TeamCity Sync will begin syncing your secrets to the destination endpoint.
To create a **TeamCity Sync**, make an API request to the [Create TeamCity Sync](/api-reference/endpoints/secret-syncs/teamcity/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
--url https://app.infisical.com/api/v1/secret-syncs/teamcity \
--header 'Content-Type: application/json' \
--data '{
"name": "my-teamcity-sync",
"projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"description": "an example sync",
"connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
"environment": "dev",
"secretPath": "/my-secrets",
"isEnabled": true,
"syncOptions": {
"initialSyncBehavior": "overwrite-destination"
},
"destinationConfig": {
"project": "TestProject",
"buildConfig": "TestBuildConfig"
}
}'
```
The **Project** and **Build Config** parameters must use project and build configuration IDs, not their names.
### Sample response
```json Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-teamcity-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "teamcity",
      "name": "my-teamcity-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "teamcity",
    "destinationConfig": {
      "project": "TestProject",
      "buildConfig": "TestBuildConfig"
    }
  }
}
```
# Terraform Cloud Sync
Source: https://infisical.com/docs/integrations/secret-syncs/terraform-cloud
Learn how to configure a Terraform Cloud Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Terraform Cloud Connection](/integrations/app-connections/terraform-cloud)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Terraform Cloud** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Terraform Cloud Connection**: The Terraform Cloud Connection to authenticate with.
* **Organization**: The Terraform Cloud organization to deploy secrets to.
* **Category**: The Terraform Cloud variable category to assign to synced secrets. Choose from:
* **Environment**: Sync secrets as environment variables.
* **Terraform**: Sync secrets as Terraform variables.
* **Scope**: The Terraform Cloud secret scope to sync secrets to.
* **Variable Set**: Sync secrets to a specific variable set.
* **Workspace**: Sync secrets to a specific workspace.
The remaining fields are determined by the selected **Scope**:
* **Variable Set**: The variable set to deploy secrets to.
* **Workspace**: The workspace to deploy secrets to.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
Terraform Cloud does not support importing secrets.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Terraform Cloud Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Terraform Cloud Sync configuration, then click **Create Sync**.
8. If enabled, your Terraform Cloud Sync will begin syncing your secrets to the destination endpoint.
To create a **Terraform Cloud Sync**, make an API request to the [Create Terraform Cloud Sync](/api-reference/endpoints/secret-syncs/terraform-cloud/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/secret-syncs/terraform-cloud \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-terraform-cloud-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "environment": "dev",
    "secretPath": "/my-secrets",
    "isEnabled": true,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "destinationConfig": {
      "scope": "variable-set",
      "variableSetId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "variableSetName": "my-variable-set",
      "org": "my-organization-id",
      "category": "env"
    }
  }'
```
### Sample response
```bash Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-terraform-cloud-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "terraform-cloud",
      "name": "my-terraform-cloud-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "terraform-cloud",
    "destinationConfig": {
      "scope": "workspace",
      "workspaceId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "workspaceName": "my-workspace",
      "org": "my-organization-id",
      "category": "terraform"
    }
  }
}
```
# Vercel Sync
Source: https://infisical.com/docs/integrations/secret-syncs/vercel
Learn how to configure a Vercel Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Vercel Connection](/integrations/app-connections/vercel)
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Vercel** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Vercel Connection**: The Vercel Connection to authenticate with.
* **Vercel App**: The application to deploy secrets to.
* **Vercel App Environment**: The environment to deploy secrets to.
* **Vercel Preview Branch (Optional)**: Specify a branch for preview deployments if needed.
After configuring these parameters, click the **Next** button to continue to the Sync Options step.
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Vercel when keys conflict.
* **Import Secrets (Prioritize Vercel)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Vercel over Infisical when keys conflict.
Vercel does not expose the values of [sensitive environment variables](https://vercel.com/docs/environment-variables/sensitive-environment-variables), so Infisical cannot import them during the initial sync. As a result, these secrets are created in Infisical with empty values. After the first sync, you'll need to manually re-enter their values in Infisical to ensure both platforms stay aligned.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Vercel Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Vercel Sync configuration, then click **Create Sync**.
8. If enabled, your Vercel Sync will begin syncing your secrets to the destination endpoint.
To create a **Vercel Sync**, make an API request to the [Create Vercel Sync](/api-reference/endpoints/secret-syncs/vercel/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/secret-syncs/vercel \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-vercel-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "environment": "dev",
    "secretPath": "/my-secrets",
    "isEnabled": true,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "destinationConfig": {
      "app": "prj_bz7zgHvQETPvJWc5tmIr0tGRH9kE",
      "env": "preview",
      "branch": "test",
      "appName": "nextjs-boilerplate",
      "teamId": "team_0d444b5088888dd257"
    }
  }'
```
### Sample response
```bash Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-vercel-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "vercel",
      "name": "my-vercel-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "vercel",
    "destinationConfig": {
      "app": "prj_bz7zgHvQETPvJWc5tmIr0tGRH9kE",
      "env": "preview",
      "branch": "test",
      "appName": "nextjs-boilerplate",
      "teamId": "team_0d444b5088888dd257"
    }
  }
}
```
# Windmill Sync
Source: https://infisical.com/docs/integrations/secret-syncs/windmill
Learn how to configure a Windmill Sync for Infisical.
**Prerequisites:**
* Set up and add secrets to [Infisical Cloud](https://app.infisical.com)
* Create a [Windmill Connection](/integrations/app-connections/windmill) with the required **Secret Sync** permissions
1. Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
2. Select the **Windmill** option.
3. Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
4. Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Windmill Connection**: The Windmill Connection to authenticate with.
* **Workspace**: The Windmill workspace to sync secrets to.
* **Path**: The workspace path to sync secrets to.
Workspace path must conform to Windmill's [owner path convention](https://www.windmill.dev/docs/core_concepts/roles_and_permissions#path).
5. Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Windmill when keys conflict.
* **Import Secrets (Prioritize Windmill)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Windmill over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
6. Configure the **Details** of your Windmill Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
7. Review your Windmill Sync configuration, then click **Create Sync**.
8. If enabled, your Windmill Sync will begin syncing your secrets to the destination endpoint.
To create a **Windmill Sync**, make an API request to the [Create Windmill Sync](/api-reference/endpoints/secret-syncs/windmill/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/secret-syncs/windmill \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-windmill-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "environment": "dev",
    "secretPath": "/my-secrets",
    "isEnabled": true,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "destinationConfig": {
      "workspace": "my-workspace",
      "path": "f/folder/path/"
    }
  }'
```
Workspace path must conform to Windmill's [owner path convention](https://www.windmill.dev/docs/core_concepts/roles_and_permissions#path).
### Sample response
```bash Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-windmill-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination"
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "windmill",
      "name": "my-windmill-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "windmill",
    "destinationConfig": {
      "workspace": "my-workspace",
      "path": "f/folder/path/"
    }
  }
}
```
# Zabbix Sync
Source: https://infisical.com/docs/integrations/secret-syncs/zabbix
Learn how to configure a Zabbix Sync for Infisical.
**Prerequisites:**
* Create a [Zabbix Connection](/integrations/app-connections/zabbix)
Navigate to **Project** > **Integrations** and select the **Secret Syncs** tab. Click on the **Add Sync** button.
Configure the **Source** from where secrets should be retrieved, then click **Next**.
* **Environment**: The project environment to retrieve secrets from.
* **Secret Path**: The folder path to retrieve secrets from.
If you need to sync secrets from multiple folder locations, check out [secret imports](/documentation/platform/secret-reference#secret-imports).
Configure the **Destination** to where secrets should be deployed, then click **Next**.
* **Zabbix Connection**: The Zabbix Connection to authenticate with.
* **Scope**: The Zabbix scope to sync secrets to.
* **Global**: Secrets will be synced globally.
* **Host**: Secrets will be synced to the specified host.
* **Macro Type**: The type of macro to use when syncing secrets to Zabbix. Currently only **Text** and **Secret** macros are supported.
The remaining fields are determined by the selected **Scope**:
* **Host**: The host to sync secrets to.
Configure the **Sync Options** to specify how secrets should be synced, then click **Next**.
* **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
* **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
* **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Zabbix when keys conflict.
* **Import Secrets (Prioritize Zabbix)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Zabbix over Infisical when keys conflict.
* **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name and `{{environment}}` for the environment.
We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
* **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
* **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
Configure the **Details** of your Zabbix Sync, then click **Next**.
* **Name**: The name of your sync. Must be slug-friendly.
* **Description**: An optional description for your sync.
Review your Zabbix Sync configuration, then click **Create Sync**.
If enabled, your Zabbix Sync will begin syncing your secrets to the destination endpoint.
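The **Overwrite Destination Secrets**, **Key Schema** and **Disable Secret Deletion** options described in the sync guides above interact, and a dry run shows which destination keys an overwrite sync would delete before the sync is enabled. The following is an added example, not Infisical's code: a simplified model of those option descriptions, in which the function names, the regex-based schema matching, the `{{secretKey}}` default when no schema is set, and the sample keys are all assumptions.

```typescript
// Added example: a simplified dry-run model of the sync options documented above.
// It is not Infisical's implementation; names and matching logic are assumptions.

interface SyncOptions {
  environment: string;             // environment slug, e.g. "dev"
  keySchema?: string;              // e.g. "INFISICAL_{{secretKey}}"
  disableSecretDeletion?: boolean; // the "Disable Secret Deletion" option
}

interface SyncPlan {
  upsert: string[];    // destination keys the sync would write
  remove: string[];    // destination keys an overwrite sync would delete
  untouched: string[]; // destination keys left alone
}

// Splits a schema into literal text and the two documented placeholders.
const PLACEHOLDERS = /(\{\{secretKey\}\}|\{\{environment\}\})/;

function escapeRegex(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Apply the Key Schema template to one Infisical secret name.
function renderKey(schema: string, secretKey: string, environment: string): string {
  return schema
    .split(PLACEHOLDERS)
    .map((part: string): string =>
      part === "{{secretKey}}" ? secretKey : part === "{{environment}}" ? environment : part)
    .join("");
}

// Build a matcher for destination keys that fall under the schema (assumed semantics).
function schemaMatcher(schema: string, environment: string): RegExp {
  const source = schema
    .split(PLACEHOLDERS)
    .map((part: string): string =>
      part === "{{secretKey}}"
        ? "(.+)"
        : escapeRegex(part === "{{environment}}" ? environment : part))
    .join("");
  return new RegExp("^" + source + "$");
}

// Preview an "overwrite-destination" sync without touching the destination.
function planOverwriteSync(
  infisicalKeys: string[],
  destinationKeys: string[],
  options: SyncOptions
): SyncPlan {
  // Assumption: with no Key Schema, every destination key counts as managed.
  const schema = options.keySchema || "{{secretKey}}";
  const managed = schemaMatcher(schema, options.environment);
  const upsert = infisicalKeys.map((key: string): string =>
    renderKey(schema, key, options.environment));
  const remove: string[] = [];
  const untouched: string[] = [];

  for (const key of destinationKeys) {
    if (upsert.indexOf(key) !== -1) continue; // overwritten with Infisical's value
    if (managed.test(key) && !options.disableSecretDeletion) {
      remove.push(key); // managed, but not present in Infisical
    } else {
      untouched.push(key);
    }
  }
  return { upsert: upsert, remove: remove, untouched: untouched };
}

// Constructed sample data: secret names in Infisical and keys already at the destination.
const SAMPLE_INFISICAL_KEYS: string[] = ["DATABASE_URL", "API_KEY"];
const SAMPLE_DESTINATION_KEYS: string[] = [
  "API_KEY",
  "TF_VAR_region",
  "LEGACY_TOKEN",
  "INFISICAL_OLD_KEY",
];
```

With the sample data, an overwrite sync without a Key Schema would delete three pre-existing destination keys, while the schema `INFISICAL_{{secretKey}}` limits deletion to `INFISICAL_OLD_KEY`.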
To create a **Zabbix Sync**, make an API request to the [Create Zabbix Sync](/api-reference/endpoints/secret-syncs/zabbix/create) API endpoint.
### Sample request
```bash Request theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/secret-syncs/zabbix \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-zabbix-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "environment": "dev",
    "secretPath": "/my-secrets",
    "isEnabled": true,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination",
      "autoSyncEnabled": true,
      "disableSecretDeletion": false
    },
    "destinationConfig": {
      "scope": "host",
      "hostId": "my-zabbix-host",
      "hostName": "my-zabbix-host",
      "macroType": 0
    }
  }'
```
### Sample response
```bash Response theme={"dark"}
{
  "secretSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-zabbix-sync",
    "description": "an example sync",
    "isEnabled": true,
    "version": 1,
    "folderId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-11-07T05:31:56Z",
    "updatedAt": "2023-11-07T05:31:56Z",
    "syncStatus": "succeeded",
    "lastSyncJobId": "123",
    "lastSyncMessage": null,
    "lastSyncedAt": "2023-11-07T05:31:56Z",
    "importStatus": null,
    "lastImportJobId": null,
    "lastImportMessage": null,
    "lastImportedAt": null,
    "removeStatus": null,
    "lastRemoveJobId": null,
    "lastRemoveMessage": null,
    "lastRemovedAt": null,
    "syncOptions": {
      "initialSyncBehavior": "overwrite-destination",
      "autoSyncEnabled": true,
      "disableSecretDeletion": false
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connection": {
      "app": "zabbix",
      "name": "my-zabbix-connection",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "environment": {
      "slug": "dev",
      "name": "Development",
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a"
    },
    "folder": {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "path": "/my-secrets"
    },
    "destination": "zabbix",
    "destinationConfig": {
      "scope": "host",
      "hostId": "my-zabbix-host",
      "hostName": "my-zabbix-host",
      "macroType": 0
    }
  }
}
```
# User Authentication
Source: https://infisical.com/docs/integrations/user-authentication
Browse and search through all available user authentication methods for Infisical.
# Infisical Cloud
Source: https://infisical.com/docs/internals/architecture/cloud
Architecture overview of Infisical's US and EU cloud deployments
This document provides an overview of Infisical's cloud architecture for our US and EU deployments, detailing the core components and how they interact to provide security and infrastructure services.
## Overview
Infisical Cloud operates on AWS infrastructure using containerized services deployed via Amazon ECS (Elastic Container Service). Our US and EU deployments use identical architectural patterns to ensure consistency and reliability across regions.
## Components
A typical Infisical Cloud deployment consists of the following components:
### Application Services
* **Infisical Core**: Main application server running the Infisical backend API
* **License API**: Dedicated API service for license management with separate RDS instance (shared between US/EU)
* **Application Load Balancer**: Routes incoming traffic to application containers with SSL termination and host-based routing
### Data Layer
* **Amazon RDS (PostgreSQL)**:
* **Main RDS Instance**: Primary database for secrets, users, and metadata (Multi-AZ, encryption enabled)
* **License API RDS Instance**: Dedicated database for license management services
* **Amazon ElastiCache (Redis)**:
* **Main Redis Cluster**: Multi-AZ replication group for core application caching and queuing
* **License API Redis**: Dedicated cache for license services
* Redis 7 engine with CloudWatch logging and snapshot backups
### Infrastructure
* **ECS Fargate**: Serverless container platform running application services
* **AWS Global Accelerator**: Global traffic routing and performance optimization
* **Cloudflare**: DNS management and routing
* **AWS SSM Parameter Store**: Stores application configuration and secrets
* **CloudWatch**: Centralized logging and monitoring
## System Layout
### Service Architecture
The Infisical application runs as multiple containerized services on ECS:
* **Main Server**: Auto-scaling containerized application services
* **License API**: Dedicated service with separate infrastructure (shared globally)
* **Monitoring**: AWS OTel Collector and Datadog Agent sidecars
Container images are pulled from Docker Hub and managed via GitHub Actions for deployments.
### Network Configuration
Services are deployed in private subnets with the following connectivity:
* External traffic → Application Load Balancer → ECS Services
* Main server exposes port 8080
* License API exposes port 4000 (portal.infisical.com, license.infisical.com)
* Service-to-service communication via AWS Service Connect
### Data Flow
1. **DNS resolution** via Cloudflare routes traffic to AWS Global Accelerator
2. **Global Accelerator** optimizes routing to the nearest AWS region
3. **Client requests** are routed through the Application Load Balancer to ECS containers
4. **Application logic** processes requests in the Infisical Core service
5. **Data persistence** occurs via encrypted connections to RDS
6. **Caching** utilizes ElastiCache for performance optimization
7. **Configuration** is retrieved from AWS SSM Parameter Store
## Regional Deployments
Each region operates in a separate AWS account, providing strong isolation boundaries for security, compliance, and operational independence.
### US Cloud (us.infisical.com or app.infisical.com)
* **AWS Account**: Dedicated US AWS account
* **Infrastructure**: ECS-based containerized deployment
* **Monitoring**: Integrated with Datadog for observability and security monitoring
### EU Cloud (eu.infisical.com)
* **AWS Account**: Dedicated EU AWS account
* **Infrastructure**: ECS-based containerized deployment
* **Monitoring**: Integrated with Datadog for observability and security monitoring
## Configuration Management
Application configuration and secrets are managed through AWS SSM Parameter Store, with deployment automation handled via GitHub Actions.
## Monitoring and Observability
### Logging
* **CloudWatch**: 365-day retention for application logs
* **Health Checks**: HTTP endpoint monitoring for service health
### Metrics
* **AWS OTel Collector**: Prometheus metrics collection
* **Datadog Agent**: Application performance monitoring and infrastructure metrics
## Container Management
* **Images**: `infisical/staging_infisical` and `infisical/license-api` from Docker Hub
* **Deployment**: Automated via GitHub Actions updating SSM parameter for image tags
* **Registry Access**: Docker Hub credentials stored in AWS Secrets Manager
* **Platform**: ECS Fargate serverless container platform
## Security Overview
### Data Protection
* **Encryption**: All secrets encrypted at rest and in transit
* **Network Isolation**: Services deployed in private subnets with controlled access
* **Authentication**: API tokens and service accounts for secure access
* **Audit Logging**: Comprehensive audit trails for all secret operations
### Network Architecture
* **VPC Design**: Dedicated VPC with public and private subnets across multiple Availability Zones
* **NAT Gateway**: Controlled outbound connectivity from private subnets
* **Load Balancing**: Application Load Balancer with SSL termination and health checks
* **Security Groups**: Restrictive firewall rules and controlled network access
* **High Availability**: Multi-AZ deployment with automatic failover
* **Network Monitoring**: VPC Flow Logs with 365-day retention for traffic analysis
# Components
Source: https://infisical.com/docs/internals/architecture/components
Understand Infisical's core architectural components and how they work together.
## Overview
Infisical is architected around several key components that work in concert to provide a secure and streamlined secret management experience. These components span the client, API, and storage layers, ensuring that secrets are protected at every stage of their lifecycle.
## 1. API (Backend)
Infisical exposes a well-documented [REST API](https://infisical.com/docs/api-reference/overview/introduction) that allows programmatic interaction with the platform and supports a wide range of use cases.
## 2. Storage Backend
Infisical relies on a robust storage backend to durably store secrets, users, and other platform data. Infisical's storage backend is [PostgreSQL](https://www.postgresql.org/).
## 3. Caching Layer
Infisical uses [Redis](https://redis.com) to enable more complex workflows, including a queuing system to manage long-running asynchronous tasks, cron jobs, and a reliable cache for frequently used resources.
## 4. Clients
Clients are interfaces through which users and applications interact with the Infisical API:
* **Web UI**: A browser-based portal providing a user-friendly interface for managing secrets, configurations, and performing administrative tasks.
* [**CLI**](https://infisical.com/docs/cli): A terminal-based tool for interacting with the Infisical API, enabling automation, scripting, and integration into CI/CD pipelines.
* **SDKs (Software Development Kits)**: Platform-specific libraries with method abstractions for working with secrets. Supported languages include [Node.js](https://infisical.com/docs/sdks/languages/node), [Python](https://infisical.com/docs/sdks/languages/python), [Java](https://infisical.com/docs/sdks/languages/java), [Golang](https://infisical.com/docs/sdks/languages/go), [Ruby](https://infisical.com/docs/sdks/languages/ruby) and [.NET](https://infisical.com/docs/sdks/languages/csharp).
* [**Kubernetes Operator**](https://infisical.com/docs/integrations/platforms/kubernetes): A Kubernetes-native component that facilitates the secure retrieval and management of secrets within a Kubernetes cluster. The operator supports multiple custom resource definitions (CRDs) for syncing secrets.
* [**Infisical Agent**](https://infisical.com/docs/integrations/platforms/infisical-agent): Daemon that automatically fetches and manages access tokens and secrets to be used in various client resources.
# Overview
Source: https://infisical.com/docs/internals/overview
Read how Infisical works under the hood.
This section covers the internals of Infisical including its technical underpinnings, architecture, and security properties.
Knowledge of this section is recommended but not required to use Infisical.
However, if you're operating Infisical, we recommend understanding the
internals.
## Learn More
Learn about the fundamental parts of Infisical.
Read about the most common security-related topics and questions.
Learn best practices for utilizing Infisical service tokens. Please note
that service tokens are now deprecated and will be removed entirely in the
future.
# Migration Guide
Source: https://infisical.com/docs/internals/permissions/migration
Guide for migrating permissions in Infisical
# Migrating from Permission V1 to Permission V2
This guide provides instructions for upgrading from the legacy V1 permissions system to the more powerful V2 permissions system in Infisical.
## Why Upgrade to V2?
The V2 permissions system offers several advantages over V1:
* **More granular control**: Separate permissions for different secret-related resources
* **Explicit deny rules**: Support for permission inversion
* **Conditional permissions**: Apply permissions based on specific criteria
* **Array-based actions**: Cleaner syntax for multiple actions
## Migration Steps
When upgrading to V2 permissions (i.e., when moving from using the `permissions` to `permissions_v2` field in your Terraform configurations, or upgrading to the V2 permission API), you'll need to update your permission structure as follows:
### 1. Expand Secret Permissions
Any permissions for `secrets` should be expanded to include equivalent permissions for:
* `secret-imports`
* `secret-folders` (except for read permissions)
* `dynamic-secrets`
### 2. Map Dynamic Secret Actions
For dynamic secrets, the actions need to be mapped differently:
| V1 Action | V2 Action |
| --------- | ----------------------------------------------------- |
| `read` | `read-root-credential` |
| `create` | `create-root-credential` |
| `edit` | `edit-root-credential` (also adds `lease` permission) |
| `delete` | `delete-root-credential` |
### 3. Update Configuration Format
V2 permissions use a different syntax, with actions stored in arrays and an optional `inverted` flag:
```typescript theme={"dark"}
// V1 format (single action)
{
  subject: "secrets",
  action: "read"
}
// V2 format (array of actions)
{
  subject: "secrets",
  action: ["read"],
  inverted: false // Optional, defaults to false
}
```
## Example Migration
Here's a complete example showing how to migrate a role from V1 to V2:
```hcl theme={"dark"}
# Old V1 configuration
resource "infisical_project_role" "example" {
  name = "example"
  permissions = [
    {
      subject = "secrets"
      action  = "read"
    },
    {
      subject = "secrets"
      action  = "edit"
    }
  ]
}
# New V2 configuration
resource "infisical_project_role" "example" {
  name = "example"
  permissions_v2 = [
    # Original secrets permission
    {
      subject  = "secrets"
      action   = ["read", "edit"]
      inverted = false
    },
    # Add equivalent secret-imports permission
    {
      subject  = "secret-imports"
      action   = ["read", "edit"]
      inverted = false
    },
    # Add secret-folders permission (without read)
    {
      subject  = "secret-folders"
      action   = ["edit"]
      inverted = false
    },
    # Add dynamic-secrets permission with mapped actions
    {
      subject  = "dynamic-secrets"
      action   = ["read-root-credential", "edit-root-credential", "lease"]
      inverted = false
    }
  ]
}
```
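The three migration steps can also be applied mechanically, which helps when auditing many roles for access that was dropped or widened during the move. The function below is an added example, not code from Infisical or its Terraform provider; `migrateV1ToV2`, the type names, and the choice to throw on an unmapped action are assumptions of this sketch.

```typescript
// Added example (hypothetical helper, not part of Infisical or its Terraform provider).
type V1Rule = { subject: string; action: string };
type V2Rule = { subject: string; action: string[]; inverted: boolean };

// Step 2: V1 -> V2 action names for `dynamic-secrets`, copied from the mapping table.
const DYNAMIC_SECRET_ACTIONS: { [v1Action: string]: string[] } = {
  read: ["read-root-credential"],
  create: ["create-root-credential"],
  edit: ["edit-root-credential", "lease"], // `edit` also adds `lease`
  delete: ["delete-root-credential"],
};

function migrateV1ToV2(v1Rules: V1Rule[]): V2Rule[] {
  const merged: V2Rule[] = [];

  // Step 3: keep one V2 rule per subject and collect its actions in an array.
  function add(subject: string, actions: string[]): void {
    let rule: V2Rule | undefined;
    for (const candidate of merged) {
      if (candidate.subject === subject) rule = candidate;
    }
    if (rule === undefined) {
      rule = { subject: subject, action: [], inverted: false };
      merged.push(rule);
    }
    for (const action of actions) {
      if (rule.action.indexOf(action) === -1) rule.action.push(action);
    }
  }

  for (const v1 of v1Rules) {
    add(v1.subject, [v1.action]);
    if (v1.subject !== "secrets") continue;

    if (!Object.prototype.hasOwnProperty.call(DYNAMIC_SECRET_ACTIONS, v1.action)) {
      // Fail loudly rather than silently dropping access the V1 role had.
      throw new Error("no dynamic-secrets mapping for V1 action: " + v1.action);
    }
    // Step 1: expand `secrets` to the related subjects.
    add("secret-imports", [v1.action]);
    add("secret-folders", v1.action === "read" ? [] : [v1.action]); // no read on folders
    add("dynamic-secrets", DYNAMIC_SECRET_ACTIONS[v1.action]);
  }

  // Subjects left with no actions (e.g. folders for a read-only role) are omitted.
  return merged.filter(function (rule) { return rule.action.length > 0; });
}
```

Run against the V1 role in the example above, it produces the same four `permissions_v2` entries in the same order.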
## Important Considerations
* When moving to V2 permissions, make sure to include all the necessary expanded permissions based on your original `secrets` permissions.
* V2 permissions give you the ability to use conditions and inversion, which are not available in V1.
* During migration, review your existing roles and consider if more granular permissions would better fit your security requirements.
* Test your migrated permissions thoroughly in a non-production environment before deploying to production.
# Organization Permissions
Source: https://infisical.com/docs/internals/permissions/organization-permissions
Comprehensive guide to Infisical's organization-level permissions
## Overview
Infisical's organization permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the organization level, these permissions determine what actions users/machines can perform on various resources across the entire organization.
Each permission consists of:
* **Subject**: The resource the permission applies to (e.g., project, members, billing)
* **Action**: The operation that can be performed (e.g., read, create, edit, delete)
Some organization-level resources—specifically `app-connections`—support conditional permissions and permission inversion for more granular access control.
## Available Organization Permissions
Below is a comprehensive list of all available organization-level subjects and their supported actions, organized by functional area.
### Project Management
#### Subject: `project` (formerly workspace)
| Action | Description |
| -------- | ------------------ |
| `create` | Create new project |
#### Subject: `sub-organization`
| Action | Description |
| --------------- | ----------------------------------------------------------------------------------------- |
| `create` | Create new sub-organizations under the root organization |
| `edit` | Modify existing sub-organizations (e.g., rename, change slug) |
| `delete` | Remove sub-organizations from the root organization |
| `direct-access` | Access and switch into sub-organizations the user has membership in |
| `link-group` | Link a root organization group to a sub-organization (and unlink it). Root org role only. |
### Role Management
#### Subject: `role`
| Action | Description |
| -------- | ------------------------------------------------------ |
| `read` | View organization roles and their assigned permissions |
| `create` | Create new organization roles |
| `edit` | Modify existing organization roles |
| `delete` | Remove organization roles |
### User Management
#### Subject: `member`
| Action | Description |
| -------- | ------------------------------------ |
| `read` | View organization members |
| `create` | Add new members to the organization |
| `edit` | Modify member details |
| `delete` | Remove members from the organization |
#### Subject: `groups`
| Action | Description |
| ------------------ | ------------------------------------------------ |
| `read` | View organization groups |
| `create` | Create new groups in the organization |
| `edit` | Modify existing groups |
| `delete` | Remove groups from the organization |
| `grant-privileges` | Change permission levels for organization groups |
| `add-members` | Add members to groups |
| `remove-members` | Remove members from groups |
#### Subject: `identity`
| Action | Description |
| ------------------ | --------------------------------------------------- |
| `read` | View organization identities |
| `create` | Add new identities to organization |
| `edit` | Modify organization identities |
| `delete` | Remove identities from organization |
| `grant-privileges` | Change permission levels of organization identities |
| `revoke-auth` | Revoke authentication for identities |
| `create-token` | Create new authentication tokens |
| `delete-token` | Delete authentication tokens |
| `get-token` | Retrieve authentication tokens |
### Security & Compliance
#### Subject: `secret-scanning`
| Action | Description |
| -------- | ----------------------------------------- |
| `read` | View secret scanning results and settings |
| `create` | Configure secret scanning |
| `edit` | Modify secret scanning settings |
| `delete` | Remove secret scanning configuration |
#### Subject: `settings`
| Action | Description |
| -------- | ----------------------------------------- |
| `read` | View organization settings |
| `create` | Setup and configure organization settings |
| `edit` | Modify organization settings |
| `delete` | Remove organization settings |
#### Subject: `incident-contact`
| Action | Description |
| -------- | -------------------------------- |
| `read` | View incident contacts |
| `create` | Set up new incident contacts |
| `edit` | Modify incident contact settings |
| `delete` | Remove incident contacts |
#### Subject: `audit-logs`
| Action | Description |
| ------ | ---------------------------- |
| `read` | View organization audit logs |
### Identity Provider Integration
#### Subject: `sso`
| Action | Description |
| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `read` | View Single Sign-On configurations |
| `create` | Set up new SSO integrations |
| `edit` | Modify existing SSO settings |
| `delete` | Remove SSO configurations |
| `bypass-sso-enforcement` | Bypass enforced SSO at login (break-glass) when the organization has "Allow admins to bypass SSO" enabled. Can be granted to custom roles to allow non-admin users to use break-glass access. |
#### Subject: `scim`
| Action | Description |
| -------- | ----------------------------- |
| `read` | View SCIM configurations |
| `create` | Set up new SCIM provisioning |
| `edit` | Modify existing SCIM settings |
| `delete` | Remove SCIM configurations |
#### Subject: `ldap`
| Action | Description |
| -------- | ----------------------------- |
| `read` | View LDAP configurations |
| `create` | Set up new LDAP integrations |
| `edit` | Modify existing LDAP settings |
| `delete` | Remove LDAP configurations |
### Billing & Subscriptions
#### Subject: `billing`
| Action | Description |
| ---------------- | ------------------------------------------------ |
| `read` | View billing information and subscription status |
| `manage-billing` | Manage billing details and subscription plans |
### Templates & Automation
#### Subject: `project-templates`
| Action | Description |
| -------- | --------------------------------- |
| `read` | View project templates |
| `create` | Create new project templates |
| `edit` | Modify existing project templates |
| `delete` | Remove project templates |
### Integrations
#### Subject: `app-connections`
Supports conditions and permission inversion.
| Action | Description |
| --------- | ---------------------------------- |
| `read` | View app connection configurations |
| `create` | Create new app connections |
| `edit` | Modify existing app connections |
| `delete` | Remove app connections |
| `connect` | Use app connections |
### Key Management
#### Subject: `kms`
| Action | Description |
| -------- | ------------------------------------ |
| `read` | View organization KMS configurations |
| `create` | Set up new KMS configurations |
| `edit` | Modify KMS settings |
| `delete` | Remove KMS configurations |
#### Subject: `kmip`
| Action | Description |
| ------- | ---------------------------------- |
| `setup` | Configure KMIP server settings |
| `proxy` | Act as a proxy for KMIP operations |
### Admin Tools
#### Subject: `organization-admin-console`
| Action | Description |
| --------------------- | ------------------------------------------- |
| `access-all-projects` | Access all projects within the organization |
### Secure Share
#### Subject: `secret-share`
| Action | Description |
| ----------------- | ---------------------------- |
| `manage-settings` | Manage secret share settings |
### Gateway Management
#### Subject: `gateway`
| Action | Description |
| ----------------- | --------------------------------- |
| `list-gateways` | View all organization gateways |
| `create-gateways` | Add new gateways to organization |
| `edit-gateways` | Modify existing gateway settings |
| `delete-gateways` | Remove gateways from organization |
| `attach-gateways` | Attach gateways to resources |
#### Subject: `relay`
| Action | Description |
| --------------- | ------------------------------- |
| `list-relays` | View all organization relays |
| `create-relays` | Add new relays to organization |
| `edit-relays` | Modify existing relay settings |
| `delete-relays` | Remove relays from organization |
#### Subject: `machine-identity-auth-template`
| Action | Description |
| ------------------ | ---------------------------------------------- |
| `list-templates` | View identity auth templates |
| `create-templates` | Create new identity auth templates |
| `edit-templates` | Modify existing identity auth templates |
| `delete-templates` | Remove identity auth templates |
| `unlink-templates` | Unlink identity auth templates from identities |
| `attach-templates` | Attach identity auth templates to identities |
# Overview
Source: https://infisical.com/docs/internals/permissions/overview
Infisical's permissions system provides granular access control.
## Overview
The Infisical permissions system is based on a role-based access control (RBAC) model. The system allows you to define roles and assign them to users and machines. Each role has a set of permissions that define what actions a user can perform.
Permissions are built on a subject-action-object model: the subject is the resource the permission applies to, and the action is what the permission allows.
An example of a subject/action combination would be `secrets/read`. This permission allows the holder of the role to read secrets.
## Permission Scope Levels
Infisical's permission system operates at two distinct levels, providing comprehensive and flexible access control across your entire security infrastructure:
### Project Permissions
Project permissions control access to resources within a specific project, including secrets management, PKI, KMS, and SSH certificate functionality.
For a comprehensive list of all project-level subjects, actions, and detailed descriptions, please refer to the [Project Permissions](/internals/permissions/project-permissions) documentation.
### Organization Permissions
Organization permissions control access to organization-wide resources and settings such as workspaces, billing, identity providers, and more.
For a comprehensive list of all organization-level subjects, actions, and detailed descriptions, please refer to the [Organization Permissions](/internals/permissions/organization-permissions) documentation.
## Inversion
Permission inversion allows you to explicitly deny actions instead of allowing them. This is supported for the following subjects:
* secrets
* secret-folders
* secret-imports
* dynamic-secrets
* mcp-endpoints
When a permission is inverted, it changes from an "allow" rule to a "deny" rule. For example:
```typescript theme={"dark"}
// Regular permission - allows reading secrets
{
  subject: "secrets",
  action: ["read"]
}
// Inverted permission - denies reading secrets
{
  subject: "secrets",
  action: ["read"],
  inverted: true
}
```
**Important:** The order of permissions matters when using inversion. For inverted (deny) permissions to be effective, there
typically needs to be a corresponding allow permission somewhere in the chain. Permissions are evaluated in sequence,
so the relative positioning of allow and deny rules determines the final access outcome.
## Conditions
Conditions allow you to create more granular permissions by specifying criteria that must be met for the permission to apply. This is supported for the following subjects:
* secrets
* secret-folders
* secret-imports
* dynamic-secrets
* mcp-endpoints
### Properties
Conditions can be applied to the following properties:
* `environment`: Control access based on environment slugs
* `secretPath`: Control access based on secret paths
* `secretName`: Control access based on secret names
* `secretTags`: Control access based on tags (only supports the `$in` operator)
### MCP Endpoint Properties
For `mcp-endpoints`, conditions can be applied to:
* `name`: Control access based on endpoint name (supports `$eq`, `$ne`, `$glob`, `$in`)
### Operators
The following operators are available for conditions:
| Operator | Description | Example |
| -------- | ---------------------------------- | ----------------------------------------------------- |
| `$eq` | Equal | `{ environment: { $eq: "production" } }` |
| `$ne` | Not equal | `{ environment: { $ne: "development" } }` |
| `$in` | Matches any value in array | `{ environment: { $in: ["staging", "production"] } }` |
| `$glob`  | Pattern matching using glob syntax | `{ secretPath: { $glob: "/app/*" } }`                 |
These details are especially useful if you're using the API to [create new project roles](/api-reference/endpoints/project-roles/create).
The rules outlined on this page also apply when using our Terraform Provider to manage your Infisical project roles, or any other of our clients that manage project roles.
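To see how rule order, inversion and the condition operators interact, the added example below evaluates a rule list against one resource. It is a simplified model for reasoning about role definitions, not Infisical's evaluator. Assumptions: the last matching rule decides and no match means deny; `*` in `$glob` stays within one path segment while `**` crosses `/`; a condition on a property the resource lacks does not match; all type and function names are hypothetical.

```typescript
// Added example: simplified model of ordered allow/deny rules with conditions.
type RuleConditions = { [property: string]: { [operator: string]: string | string[] } };
type PermissionRule = {
  subject: string;
  action: string[];
  inverted?: boolean;
  conditions?: RuleConditions;
};
type ResourceAttrs = { [property: string]: string };

// Assumed glob semantics: `*` matches inside one path segment, `**` matches across `/`.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+^${}()|[\]\\?]/g, "\\$&");
  const pattern = escaped
    .split("**")
    .map(function (part) { return part.replace(/\*/g, "[^/]*"); })
    .join(".*");
  return new RegExp("^" + pattern + "$");
}

function matchesOperator(op: string, expected: string | string[], actual: string | undefined): boolean {
  if (actual === undefined) return false; // assumption: missing property never matches
  switch (op) {
    case "$eq": return actual === expected;
    case "$ne": return actual !== expected;
    case "$in": return Array.isArray(expected) && expected.indexOf(actual) !== -1;
    case "$glob": return typeof expected === "string" && globToRegExp(expected).test(actual);
    default: throw new Error("unsupported operator: " + op);
  }
}

// A rule matches when subject and action match and every condition holds.
function ruleMatches(rule: PermissionRule, subject: string, action: string, resource: ResourceAttrs): boolean {
  if (rule.subject !== subject || rule.action.indexOf(action) === -1) return false;
  const conditions = rule.conditions || {};
  for (const property of Object.keys(conditions)) {
    const condition = conditions[property];
    for (const op of Object.keys(condition)) {
      if (!matchesOperator(op, condition[op], resource[property])) return false;
    }
  }
  return true;
}

// Assumed evaluation model: scan in order, the last matching rule wins, default deny.
function isAllowed(rules: PermissionRule[], subject: string, action: string, resource: ResourceAttrs): boolean {
  let allowed = false;
  for (const rule of rules) {
    if (ruleMatches(rule, subject, action, resource)) allowed = !rule.inverted;
  }
  return allowed;
}

// Constructed sample rules: allow reads in staging/production, deny reads under /app/ in production.
const allowRead: PermissionRule = {
  subject: "secrets",
  action: ["read"],
  conditions: { environment: { $in: ["staging", "production"] } },
};
const denyProdApp: PermissionRule = {
  subject: "secrets",
  action: ["read"],
  inverted: true,
  conditions: { environment: { $eq: "production" }, secretPath: { $glob: "/app/*" } },
};
```

Under these assumptions, `[allowRead, denyProdApp]` denies `/app/db` in production, the reversed order allows it, and `/app/nested/db` stays readable because `/app/*` covers only one path segment, so test deny globs against nested paths before relying on them.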
# Project Permissions
Source: https://infisical.com/docs/internals/permissions/project-permissions
Comprehensive guide to Infisical's project-level permissions
## Overview
Infisical's project permissions system follows a role-based access control (RBAC) model built on a subject-action-object framework. At the project level, these permissions determine what actions users/machines can perform on various resources within a specific project.
Each permission consists of:
* **Subject**: The resource the permission applies to (e.g., secrets, members, settings)
* **Action**: The operation that can be performed (e.g., read, create, edit, delete)
Some project-level resources—specifically `secrets`, `secret-folders`, `secret-imports`, `dynamic-secrets`, `secret-syncs`, `secret-rotation`, `identity`, `app-connections`, `mcp-endpoints`, and `pam-accounts`—support conditional permissions and permission inversion for more granular access control. Conditions allow you to specify criteria (like environment, secret path, tags, app connection ID, identity ID, resource name, or endpoint name) that must be met for the permission to apply.
## Available Project Permissions
Below is a comprehensive list of all available project-level subjects and their supported actions.
### Core Platform & Access Control
#### Subject: `role`
| Action | Description |
| -------- | ------------------------------------------------- |
| `read` | View project roles and their assigned permissions |
| `create` | Create new project roles |
| `edit` | Modify existing project roles |
| `delete` | Remove project roles |
#### Subject: `member`
Supports conditions for privilege delegation actions.
| Action | Description | Condition keys |
| ------------------------------ | --------------------------------------------------- | ---------------------------------------------------------------------- |
| `read` | View project members | |
| `create` | Add new members to the project | |
| `edit` | Modify member details | |
| `delete` | Remove members from the project | |
| `grant-privileges` | Legacy: Change permission levels of project members | `userEmail`, `assignableRole`, `assignableSubject`, `assignableAction` |
| `assign-role` | Assign or update roles for project members | `userEmail`, `assignableRole` |
| `assign-additional-privileges` | Grant additional privileges to project members | `userEmail`, `assignableSubject`, `assignableAction` |
| `assume-privileges` | Temporarily assume another user's privileges | |
#### Subject: `groups`
Supports conditions for privilege delegation actions.
| Action | Description | Condition keys |
| ------------------ | -------------------------------------------------- | ----------------------------- |
| `read` | View project groups | |
| `create` | Create new groups within the project | |
| `edit` | Modify existing groups | |
| `delete` | Remove groups from the project | |
| `grant-privileges` | Legacy: Change permission levels of project groups | `groupName`, `assignableRole` |
| `assign-role` | Assign or update roles for project groups | `groupName`, `assignableRole` |
#### Subject: `identity`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ------------------------------ | ------------------------------------------------------ | ----------------------------------------------------------------------- |
| `read` | View project identities | `identityId` |
| `create` | Add new identities to project | `identityId` |
| `edit` | Modify project identities | `identityId` |
| `delete` | Remove identities from project | `identityId` |
| `grant-privileges` | Legacy: Change permission levels of project identities | `identityId`, `assignableRole`, `assignableSubject`, `assignableAction` |
| `assign-role` | Assign or update roles for project identities | `identityId`, `assignableRole` |
| `assign-additional-privileges` | Grant additional privileges to project identities | `identityId`, `assignableSubject`, `assignableAction` |
#### Subject: `settings`
| Action | Description |
| -------- | -------------------------------------- |
| `read` | View project settings |
| `create` | Add new project configuration settings |
| `edit` | Modify project settings |
| `delete` | Remove project settings |
#### Subject: `environments`
| Action | Description |
| -------- | ------------------------------------ |
| `read` | View project environments |
| `create` | Add new environments to the project |
| `edit` | Modify existing environments |
| `delete` | Remove environments from the project |
#### Subject: `tags`
| Action | Description |
| -------- | ---------------------------------------- |
| `read` | View project tags |
| `create` | Create new tags for organizing resources |
| `edit` | Modify existing tags |
| `delete` | Remove tags from the project |
#### Subject: `project`
| Action | Description |
| -------- | ------------------------- |
| `edit` | Modify workspace settings |
| `delete` | Delete the workspace |
#### Subject: `ip-allowlist`
| Action | Description |
| -------- | -------------------------------------------- |
| `read` | View IP allowlists |
| `create` | Add new IP addresses or ranges to allowlists |
| `edit` | Modify existing IP allowlist entries |
| `delete` | Remove IP addresses from allowlists |
#### Subject: `audit-logs`
| Action | Description |
| ------ | ------------------------------------------------------- |
| `read` | View audit logs of actions performed within the project |
#### Subject: `integrations`
| Action | Description |
| -------- | -------------------------------- |
| `read` | View configured integrations |
| `create` | Add new third-party integrations |
| `edit` | Modify integration settings |
| `delete` | Remove integrations |
#### Subject: `webhooks`
| Action | Description |
| -------- | ------------------------------------ |
| `read` | View webhook configurations |
| `create` | Add new webhooks |
| `edit` | Modify webhook endpoints or triggers |
| `delete` | Remove webhooks |
#### Subject: `service-tokens`
| Action | Description |
| -------- | ---------------------------------------- |
| `read` | View service tokens |
| `create` | Create new service tokens for API access |
| `edit` | Modify token properties |
| `delete` | Revoke or remove service tokens |
#### Subject: `app-connections`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ------------------------- | ---------------------------------- | -------------- |
| `read-app-connections` | View app connection configurations | `connectionId` |
| `create-app-connections` | Create new app connections | `connectionId` |
| `edit-app-connections` | Modify existing app connections | `connectionId` |
| `delete-app-connections` | Remove app connections | `connectionId` |
| `connect-app-connections` | Use app connections | `connectionId` |
### Secrets Management
#### Subject: `secrets`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------- |
| `read` | View secrets and their values. This action is the equivalent of granting both `describeSecret` and `readValue`. The `read` action is considered **legacy**. You should use the `describeSecret` and/or `readValue` actions instead. | `environment`, `secretPath`, `secretName`, `secretTags` |
| `describeSecret` | View secret details such as key, path, metadata, tags, and more. If you are using the API, you can pass `viewSecretValue: false` to the API call to retrieve secrets without their values. | `environment`, `secretPath`, `secretName`, `secretTags` |
| `readValue` | View the value of a secret. In order to read secret values, the `describeSecret` action must also be granted. | `environment`, `secretPath`, `secretName`, `secretTags` |
| `create` | Add new secrets to the project | `environment`, `secretPath`, `secretName`, `secretTags` |
| `edit` | Modify existing secret values | `environment`, `secretPath`, `secretName`, `secretTags` |
| `delete` | Remove secrets from the project | `environment`, `secretPath`, `secretName`, `secretTags` |
#### Subject: `secret-folders`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| -------- | ------------------------ | --------------------------- |
| `read` | View secret folders | `environment`, `secretPath` |
| `create` | Create new folders | `environment`, `secretPath` |
| `edit` | Modify folder properties | `environment`, `secretPath` |
| `delete` | Remove secret folders | `environment`, `secretPath` |
#### Subject: `secret-imports`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| -------- | --------------------- | --------------------------- |
| `read` | View secret imports | `environment`, `secretPath` |
| `create` | Create secret imports | `environment`, `secretPath` |
| `edit` | Modify secret imports | `environment`, `secretPath` |
| `delete` | Remove secret imports | `environment`, `secretPath` |
#### Subject: `secret-event-subscriptions`
| Action | Description |
| ------------------------------------- | ------------------------------------------------------------- |
| `subscribe-to-creation-events` | Subscribe to events when secrets are created |
| `subscribe-to-update-events` | Subscribe to events when secrets are updated |
| `subscribe-to-deletion-events` | Subscribe to events when secrets are deleted |
| `subscribe-to-import-mutation-events` | Subscribe to events when secrets are modified through imports |
#### Subject: `secret-rollback`
| Action | Description |
| -------- | ---------------------------------- |
| `read` | View secret versions and snapshots |
| `create` | Roll back secrets to snapshots |
#### Subject: `commits`
| Action | Description |
| ------------------ | --------------------------------------------------------------- |
| `read` | View commits and changes across folders |
| `perform-rollback` | Roll back commit changes and restore folders to a previous state |
#### Subject: `secret-approval`
| Action | Description |
| --------------------- | ----------------------------------------------------------------------------------- |
| `read` | View approval policies and requests |
| `create` | Create new approval policies |
| `edit` | Modify approval policies |
| `delete` | Remove approval policies |
| `allow-change-bypass` | Allow request creators to merge changes without approval in break-glass situations |
| `allow-access-bypass` | Allow request creators to access secrets without approval in break-glass situations |
#### Subject: `secret-approval-request`
| Action | Description |
| ------ | --------------------------------------------------------- |
| `read` | List and view all secret approval requests in the project |
Project admins and users with **Secret Approval Requests** (`secret-approval-request`) **Read** can view all approval requests; others only see requests where they are committer or approver. Secret values in requests follow `secrets.readValue` for the secret's environment/path, or reviewer access.
#### Subject: `secret-rotation`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ---------------------------- | ---------------------------------------------- | ------------------------------------------- |
| `read` | View secret rotation configurations | `environment`, `secretPath`, `connectionId` |
| `read-generated-credentials` | View the generated credentials of a rotation | `environment`, `secretPath`, `connectionId` |
| `create` | Set up secret rotation configurations | `environment`, `secretPath`, `connectionId` |
| `edit` | Modify secret rotation configurations | `environment`, `secretPath`, `connectionId` |
| `rotate-secrets` | Rotate the generated credentials of a rotation | `environment`, `secretPath`, `connectionId` |
| `delete` | Remove secret rotation configurations | `environment`, `secretPath`, `connectionId` |
#### Subject: `secret-syncs`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ---------------- | -------------------------------------------------- | ------------------------------------------- |
| `read` | View secret synchronization configurations | `environment`, `secretPath`, `connectionId` |
| `create` | Create new sync configurations | `environment`, `secretPath`, `connectionId` |
| `edit` | Modify existing sync settings | `environment`, `secretPath`, `connectionId` |
| `delete` | Remove sync configurations | `environment`, `secretPath`, `connectionId` |
| `sync-secrets` | Execute synchronization of secrets between systems | `environment`, `secretPath`, `connectionId` |
| `import-secrets` | Import secrets from sync sources | `environment`, `secretPath`, `connectionId` |
| `remove-secrets` | Remove secrets from sync destinations | `environment`, `secretPath`, `connectionId` |
#### Subject: `dynamic-secrets`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| ------------------------ | ---------------------------------- | --------------------------------------- |
| `read-root-credential` | View dynamic secret configurations | `environment`, `secretPath`, `metadata` |
| `create-root-credential` | Create dynamic secrets | `environment`, `secretPath`, `metadata` |
| `edit-root-credential` | Edit dynamic secrets | `environment`, `secretPath`, `metadata` |
| `delete-root-credential` | Remove dynamic secrets | `environment`, `secretPath`, `metadata` |
| `lease` | Create dynamic secret leases | `environment`, `secretPath`, `metadata` |
### Key Management Service (KMS)
#### Subject: `kms`
| Action | Description |
| ------ | --------------------------- |
| `edit` | Modify project KMS settings |
#### Subject: `cmek`
| Action | Description |
| -------------------- | -------------------------------------------------------------------------- |
| `read` | View Customer-Managed Encryption Keys |
| `create` | Add new encryption keys |
| `edit` | Modify key properties |
| `delete` | Remove encryption keys |
| `encrypt` | Use keys for encryption operations |
| `decrypt` | Use keys for decryption operations |
| `sign` | Use keys for signing operations |
| `verify` | Use keys for signature verification operations |
| `export-private-key` | Export key material (private key for asymmetric, secret key for symmetric) |
### Public Key Infrastructure (PKI)
#### Subject: `certificate-authorities`
| Action | Description |
| -------- | ---------------------------------- |
| `read` | View certificate authorities |
| `create` | Create new certificate authorities |
| `edit` | Modify CA configurations |
| `delete` | Remove certificate authorities |
#### Subject: `certificates`
| Action | Description |
| ------------------ | ----------------------------- |
| `read` | View certificates |
| `read-private-key` | Read certificate private key |
| `create` | Issue new certificates |
| `delete` | Revoke or remove certificates |
#### Subject: `certificate-profiles`
| Action | Description |
| ------------ | ------------------------------- |
| `read` | View certificate profiles |
| `create` | Create new certificate profiles |
| `edit` | Modify profile configurations |
| `delete` | Remove certificate profiles |
| `issue-cert` | Issue new certificates |
#### Subject: `certificate-policies`
| Action | Description |
| -------- | ------------------------------- |
| `read` | View certificate policies |
| `create` | Create new certificate policies |
| `edit` | Modify policy configurations |
| `delete` | Remove certificate policies |
#### Subject: `pki-alerts`
| Action | Description |
| -------- | ------------------------------------------------------------ |
| `read` | View PKI alert configurations |
| `create` | Create new alerts for certificate expiry or other PKI events |
| `edit` | Modify alert settings |
| `delete` | Remove PKI alerts |
#### Subject: `pki-collections`
| Action | Description |
| -------- | --------------------------------------------------- |
| `read` | View PKI resource collections |
| `create` | Create new collections for organizing PKI resources |
| `edit` | Modify collection properties |
| `delete` | Remove PKI collections |
#### Subject: `pki-discovery`
| Action | Description |
| ---------- | ----------------------------------- |
| `read` | View PKI discovery configurations |
| `create` | Create new discovery jobs |
| `edit` | Modify discovery job configurations |
| `delete` | Remove discovery jobs |
| `run-scan` | Trigger discovery scans |
#### Subject: `pki-certificate-installations`
| Action | Description |
| -------- | -------------------------------- |
| `read` | View certificate installations |
| `edit` | Modify certificate installations |
| `delete` | Remove certificate installations |
### Secret Scanning
#### Subject: `secret-scanning-data-sources`
| Action | Description |
| ---------------------------- | -------------------------------- |
| `read-data-sources` | View Data Sources |
| `create-data-sources` | Create new Data Sources |
| `edit-data-sources` | Modify Data Sources |
| `delete-data-sources` | Remove Data Sources |
| `read-data-source-resources` | View Data Source Resources |
| `read-data-source-scans` | View Data Source Scans |
| `trigger-data-source-scans` | Trigger Data Source Secret Scans |
#### Subject: `secret-scanning-findings`
| Action | Description |
| ----------------- | ------------------------------- |
| `read-findings` | View Secret Scanning Findings |
| `update-findings` | Update Secret Scanning Findings |
#### Subject: `secret-scanning-configs`
| Action | Description |
| ---------------- | -------------------------------------------- |
| `read-configs` | View Secret Scanning Project Configuration |
| `update-configs` | Update Secret Scanning Project Configuration |
### Agent Sentinel
#### Subject: `mcp-endpoints`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| --------- | ----------------------------------- | -------------- |
| `read` | View MCP endpoints | `name` |
| `create` | Create new MCP endpoints | `name` |
| `edit` | Modify MCP endpoint configurations | `name` |
| `delete` | Remove MCP endpoints | `name` |
| `connect` | Connect AI clients to MCP endpoints | `name` |
### Privileged Access Management (PAM)
#### Subject: `pam-accounts`
Supports conditions and permission inversion.
| Action | Description | Condition keys |
| -------- | ------------------------------------------------ | ----------------------------- |
| `read` | View PAM accounts the identity is allowed to use | `resourceName`, `accountName` |
| `access` | Request or use access to PAM accounts | `resourceName`, `accountName` |
## Condition Operators
When defining conditions for permissions, you can use the following operators to match values:
| Operator | Description | Type |
| ------------ | ------------------------------------------------------ | ---------- |
| `$eq` | Equals (exact string match) | `string` |
| `$ne` | Not equals | `string` |
| `$in` | In array (matches any value in list) | `string[]` |
| `$glob` | Glob pattern matching (supports `*` and `?` wildcards) | `string` |
| `$elemMatch` | Element match for nested objects/arrays | `object` |
## Condition Keys Reference
The following condition keys can be used to restrict permissions. Each key is available only for specific subjects as indicated in the tables above.
| Condition key | Description | Type |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
| `environment` | The environment slug (e.g., dev, staging, prod) | `string` |
| `secretPath` | The path within an environment (e.g., /app/config) | `string` |
| `secretName` | The name of a specific secret | `string` |
| `secretTags` | Tags associated with secrets | `string[]` |
| `metadata` | Key-value metadata pairs (use with `$elemMatch`) | `object` |
| `connectionId` | Connection identifier for rotations/syncs | `string` |
| `identityId` | Machine identity identifier | `string` |
| `name` | Resource name | `string` |
| `resourceName` | PAM resource name | `string` |
| `accountName` | PAM account name | `string` |
| `userEmail` | User email - The email address of the user whose roles are being updated | `string` |
| `groupName` | Group name - The name of the group whose roles are being updated | `string` |
| `assignableRole` | Assignable roles - The roles that can be assigned to other members | `string` |
| `assignableSubject` | Assignable subjects - The permission subjects that can be granted in additional privileges | `string` |
| `assignableAction` | Assignable actions - The permission actions that can be granted in additional privileges. Format: `subject:action` (e.g., `secrets:read`) | `string` |
## Usage Examples
These permission objects are used when creating or updating [custom project roles](/api-reference/endpoints/project-roles/create) via the API. Each permission in the `permissions` array defines what actions a role can perform on which resources.
### Creating a role with production-only secret access
Create a custom role that can only read secrets in the production environment:
```bash theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "production-reader",
    "name": "Production Reader",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["describeSecret", "readValue"],
        "conditions": {
          "environment": { "$eq": "production" }
        }
      }
    ]
  }'
```
### Creating a role with path-scoped access
Create a role that can only manage secrets under `/app/config/`:
```bash theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "config-manager",
    "name": "Config Manager",
    "permissions": [
      {
        "subject": "secrets",
        "action": ["describeSecret", "readValue", "edit"],
        "conditions": {
          "secretPath": { "$glob": "/app/config/**" }
        }
      }
    ]
  }'
```
### Creating a role for PAM access to specific resources
Create a role that grants PAM access only to specific database resources:
```bash theme={"dark"}
curl --request POST \
  --url https://app.infisical.com/api/v1/projects/{projectId}/roles \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "slug": "db-readonly-access",
    "name": "Database Read-Only Access",
    "permissions": [
      {
        "subject": "pam-accounts",
        "action": ["read", "access"],
        "conditions": {
          "resourceName": { "$in": ["prod-db-1", "prod-db-2"] },
          "accountName": { "$glob": "readonly-*" }
        }
      }
    ]
  }'
```
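Before sending a role payload like the ones above, it can be linted offline against the tables on this page. The following is an added example, not Infisical's own code: `lintRole` and its tables are hypothetical helpers that model only the `pam-accounts` and `mcp-endpoints` subjects and the operator types listed under Condition Operators, and the "bad" payload is constructed for illustration.

```javascript
// Operator value types, copied from the "Condition Operators" table.
const OPERATOR_TYPES = {
  $eq: "string",
  $ne: "string",
  $in: "string[]",
  $glob: "string",
  $elemMatch: "object",
};

// Actions and condition keys for two subjects, copied from the tables above.
// Subjects not listed here are reported as unknown and skipped.
const SUBJECTS = {
  "pam-accounts": { actions: ["read", "access"], keys: ["resourceName", "accountName"] },
  "mcp-endpoints": { actions: ["read", "create", "edit", "delete", "connect"], keys: ["name"] },
};

function matchesType(value, type) {
  if (type === "string") return typeof value === "string";
  if (type === "string[]") return Array.isArray(value) && value.every((v) => typeof v === "string");
  return value !== null && typeof value === "object" && !Array.isArray(value); // "object"
}

// Returns a list of findings; an empty list means nothing was flagged.
function lintRole(role) {
  const findings = [];
  (role.permissions || []).forEach((perm, i) => {
    const where = `permissions[${i}] (${perm.subject})`;
    const spec = SUBJECTS[perm.subject];
    if (!spec) {
      findings.push(`${where}: unknown subject, not checked`);
      return;
    }
    for (const action of [].concat(perm.action || [])) {
      if (!spec.actions.includes(action)) findings.push(`${where}: action "${action}" is not defined for this subject`);
    }
    const conditions = perm.conditions || {};
    if (Object.keys(conditions).length === 0) {
      findings.push(`${where}: not scoped by any condition`);
    }
    for (const [key, ops] of Object.entries(conditions)) {
      if (!spec.keys.includes(key)) findings.push(`${where}: condition key "${key}" is not available for this subject`);
      if (ops === null || typeof ops !== "object" || Array.isArray(ops)) {
        findings.push(`${where}: "${key}" must map operators to values`);
        continue;
      }
      for (const [op, value] of Object.entries(ops)) {
        const type = OPERATOR_TYPES[op];
        if (!type) findings.push(`${where}: unknown operator "${op}" on "${key}"`);
        else if (!matchesType(value, type)) findings.push(`${where}: "${op}" on "${key}" expects ${type}`);
        else if (op === "$glob" && /^\*+$/.test(value)) findings.push(`${where}: "$glob" on "${key}" is a wildcard-only pattern`);
      }
    }
  });
  return findings;
}

// The PAM role from the usage example above.
const PAGE_ROLE = {
  slug: "db-readonly-access",
  permissions: [{
    subject: "pam-accounts",
    action: ["read", "access"],
    conditions: {
      resourceName: { $in: ["prod-db-1", "prod-db-2"] },
      accountName: { $glob: "readonly-*" },
    },
  }],
};

// Constructed payload with five deliberate mistakes.
const CONSTRUCTED_BAD_ROLE = {
  slug: "constructed-bad-role",
  permissions: [
    {
      subject: "pam-accounts",
      action: ["read", "delete"],                 // "delete" is not a pam-accounts action
      conditions: {
        resourceName: { $in: "prod-db-1" },       // $in needs an array
        secretPath: { $glob: "*" },               // wrong key for this subject, wildcard-only glob
      },
    },
    { subject: "mcp-endpoints", action: ["connect"] }, // no conditions at all
  ],
};

console.log(lintRole(PAGE_ROLE));
console.log(lintRole(CONSTRUCTED_BAD_ROLE).join("\n"));
```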
# Security
Source: https://infisical.com/docs/internals/security
Infisical's security model includes many considerations and initiatives.
As a security infrastructure platform dealing with highly-sensitive data, Infisical follows a robust security model with the goal of ensuring the security and integrity of all its managed data and associated components.
As part of the security model, data at rest and in transit must be secure from eavesdropping or tampering, clients must be authenticated and authorized to access data, and all operations in the platform are audited and can be traced back to their source.
This page documents security measures used by [Infisical](https://github.com/Infisical/infisical), the software, and [Infisical Cloud](https://infisical.com/), a separate managed service offering for the software.
## Threat model
Infisical’s (the software) threat model spans communication, storage, response mechanisms, and more.
* Eavesdropping on communications: Infisical secures client communication with the server and from the server to the storage backend.
* Tampering with data (at rest or in transit): Infisical implements data integrity checks to detect tampering. If inconsistencies are found, Infisical aborts transactions and raises alerts.
* Unauthorized access (lacking authentication/authorization): Infisical mandates rigorous authentication and authorization checks for all inbound requests; it also offers multi-factor authentication and role/attribute-based access controls.
* Actions without accountability: Infisical logs events, including policy updates, queries/mutations applied to secrets, certificates, and more. Every event is timestamped and information about actor, source (i.e. IP address, user-agent, etc.), and relevant metadata is included.
* Breach of data storage confidentiality: Infisical encrypts all stored secrets using proven cryptographic techniques for symmetric encryption.
* Unrecognized suspicious activities: Infisical monitors for any anomalous activities such as authentication attempts from previously unseen sources.
* Unidentified system vulnerabilities: Infisical undergoes penetration tests and vulnerability assessments twice a year; we act on findings to bolster the system’s defense mechanisms.
Infisical (the software) does not consider the following as part of its threat model:
* Uncontrolled access to the storage mechanism: An attacker with unfettered access to the storage system can manipulate data in unpredictable ways, including erasing or tampering with stored secrets. Furthermore, the attacker could potentially implement state rollbacks to favor their objectives.
* Disclosure of secret presence: If an adversary gains read access to the storage backend, they might discern the existence of certain secrets, even if the actual contents remain encrypted and concealed.
* Runtime memory intrusion: An attacker with capabilities to probe the memory state of a live instance of Infisical can potentially compromise data confidentiality.
* Vulnerabilities in affiliated systems: Some functionality may rely on third-party services and dependencies. Security lapses in these dependencies can indirectly jeopardize the confidentiality or integrity of the secrets.
* Breaches via compromised clients: If a system or application accessing Infisical is compromised, and its credentials to the platform are exposed, an attacker might gain access at the privilege level of that compromised entity.
* Configuration tampering by administrators: Any configuration data, whether supplied through admin interfaces or configuration files, needs scrutiny. If an attacker can manipulate these configurations, it poses risks to data confidentiality and integrity.
* Physical access to deployment infrastructure: An attacker with physical access to the servers or infrastructure where Infisical is deployed can potentially compromise the system in ways that are challenging to guard against, such as direct hardware tampering or booting from malicious media.
* Social engineering attacks on personnel: Attacks that target personnel, tricking them into divulging sensitive information or performing compromising actions, fall outside the platform’s direct defensive purview.
Note that while these points fall outside Infisical’s threat model, they remain considerations in the broader platform architecture.
## External threat overview
Infisical’s architecture consists of various systems which together we refer to as the Infisical platform:
* Server: The Infisical API that serves requests.
* Clients: The Web UI and other applications that send requests to the server.
* Storage backend: PostgreSQL used by the server to persist data.
* Redis: Used by Infisical for caching, queueing and cron job scheduling.
The server requires clients to be authenticated and authorized for every inbound request. If using [Infisical Cloud](https://infisical.com/), all traffic is routed through [Cloudflare](https://www.cloudflare.com/) which enforces TLS and requires a minimum of TLS 1.2.
The server mandates that each request includes a valid token (issued for a user or machine identity) used to identify the client before performing any actions on the platform. Clients without a valid token can only access login endpoints with the exception of a few intentionally unauthenticated endpoints. For tokens issued for machine identities, Infisical provides significant configuration, including support for native authentication methods (e.g. [AWS](https://infisical.com/docs/documentation/platform/identities/aws-auth), [Azure](https://infisical.com/docs/documentation/platform/identities/azure-auth), [Kubernetes](https://infisical.com/docs/documentation/platform/identities/kubernetes-auth), etc.); custom TTLs to restrict token lifespan; IP restrictions to enforce network-based access controls; and usage caps to limit the maximum number of times that a token can be used.
When accessing Infisical via web browser, JWT tokens are stored in browser memory and appended to outbound requests requiring authentication; refresh tokens are stored in HttpOnly cookies and included in requests as part of token renewal. Note also that Infisical utilizes the latest HTTP security headers and employs a strict Content-Security-Policy to mitigate XSS.
To mitigate abuse and enhance system stability, the server enforces configurable rate limiting on read, write, and secrets operations. This prevents excessive API requests from impacting system performance while ensuring fair usage across clients.
Once traffic enters the server, any sensitive data (e.g. secrets, certificates entering the server), where applicable, is encrypted using a 256-bit [Advanced Encryption Standard (AES)](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) cipher in the [Galois Counter Mode (GCM)](https://en.wikipedia.org/wiki/Galois/Counter_Mode) with 96-bit nonces prior to being persisted in the storage backend. Encryption is an integral part of Infisical’s platform-wide cryptographic architecture, which also supports seal-wrapping with external KMS and HSMs. Before responding to a client request, the server securely retrieves and decrypts requested data from the storage backend. Each decryption operation includes integrity verification to ensure data has not been altered or tampered with.
## Internal threat overview
Within Infisical, an internal threat and critical security concern is an attacker gaining access to sensitive data that they are not permitted to, especially if they are able to authenticate with some degree of access to the system.
Before a client can perform any actions on the platform, it must authenticate with the server using a supported authentication method such as username-password, SAML, SSO, LDAP, AWS/GCP/Azure, OIDC, or Kubernetes authentication. A successful authentication results in the issuance of a client (JWT) token containing a reference to the user or machine identity bound to it.
When a client uses the token to make authenticated requests against the server, Infisical validates the token and maps the bound-identity to access control policies that exist at the organization and project level, both types of namespaces within the platform. The access control policies are configured by operators of Infisical ahead of time and may involve role-based, attribute-based, and one-off “additional privilege” resource constraints. Given the robustness of the access control system, we recommend reading the full documentation for it.
For example, an operator of Infisical may define the following constraints to restrict client access to particular resources:
* Read and write access to a secret resource via an additional privilege attached to the bound-identity.
* Read-only access to a secret resource via one or multiple roles attached to the bound-identity.
* Read-only access to a secret resource via membership in a group that the bound-identity is part of; the group itself is assigned one or multiple roles with access to the secret resource.
## Cryptography
### Overview
All symmetric encryption operations in Infisical, with the exception of those proxied through [External KMS](/documentation/platform/kms-configuration/overview#external-kms) and [HSM](/documentation/platform/kms/hsm-integration) systems, use a software-backed 256-bit Advanced Encryption Standard (AES) cipher in Galois Counter Mode (GCM) with 96-bit nonces, **AES-256-GCM**. This authenticated encryption scheme provides both confidentiality and integrity guarantees for all encrypted data.
Infisical employs a multilayer encryption architecture where keys are organized hierarchically. Each layer encrypts the layer below it, ensuring that accessing any sensitive data requires both server configuration (the root encryption key) and data from the storage backend. This defense-in-depth approach means that compromising the database alone is insufficient to decrypt sensitive data.
### Key Hierarchy
The following diagram illustrates Infisical's key hierarchy, showing how encryption keys are organized and how they protect data at different levels of the platform.
```mermaid theme={"dark"}
%%{init: {
'theme': 'base',
'themeVariables': {
'primaryColor': '#ECF26D',
'primaryTextColor': '#000000',
'primaryBorderColor': '#000000',
'lineColor': '#000000',
'secondaryColor': '#F5F5F5',
'tertiaryColor': '#FFFFFF',
'background': '#FFFFFF',
'mainBkg': '#FFFFFF',
'nodeBorder': '#000000',
'clusterBkg': '#FAFAFA',
'clusterBorder': '#000000',
'titleColor': '#000000',
'edgeLabelBackground': '#FFFFFF'
}
}}%%
flowchart LR
subgraph INSTANCE["Infisical Instance"]
direction LR
subgraph LAYER1[" "]
ROOT["Root Encryption Key
256-bit AES
Environment Variable"]
end
subgraph LAYER2[" "]
INTERNAL["Internal KMS Root Key
Created on first startup"]
end
subgraph LAYER3["Tenant Keys"]
direction TB
ORG["Organization Data Key
One per organization"]
PROJ["Project Data Key
One per project"]
end
subgraph LAYER4["Encrypted Data"]
direction TB
ORGDATA["Organization Data
SSO, SCIM, Settings"]
PROJDATA["Project Data
Secrets, Certs, Creds"]
end
ROOT -->|"encrypts"| INTERNAL
INTERNAL -->|"encrypts"| ORG
INTERNAL -->|"encrypts"| PROJ
ORG -->|"encrypts"| ORGDATA
PROJ -->|"encrypts"| PROJDATA
end
classDef rootKey fill:#ECF26D,stroke:#000000,stroke-width:2px,color:#000000
classDef internalKey fill:#E2E89E,stroke:#000000,stroke-width:2px,color:#000000
classDef entityKey fill:#F0F4C3,stroke:#000000,stroke-width:1px,color:#000000
classDef data fill:#FAFAFA,stroke:#000000,stroke-width:1px,color:#000000
classDef invisible fill:none,stroke:none
class ROOT rootKey
class INTERNAL internalKey
class ORG,PROJ entityKey
class ORGDATA,PROJDATA data
class LAYER1,LAYER2 invisible
```
#### Root Encryption Key
The root encryption key is a 256-bit AES key provided by the operator as an environment variable. This key is the foundation of Infisical's encryption architecture and never leaves the server's memory during operation.
**Key characteristics:**
* **Size**: 256-bit AES key, provided as an environment variable
* **Source**: Operator-provided environment variable
* **Purpose**: Encrypts the Internal KMS Root Key
* **Storage**: Exists as an environment variable accessible by the Infisical runtime.
The root encryption key can alternatively be sourced from an external Hardware Security Module (HSM) such as [Thales Luna HSM](https://cpl.thalesgroup.com/encryption/data-protection-on-demand/services/luna-cloud-hsm) or [AWS CloudHSM](https://aws.amazon.com/cloudhsm/), providing additional security guarantees, and removing the need for the operator to store the root encryption key in an environment variable.
#### Internal KMS Root Key
The Internal KMS Root Key is automatically generated when an Infisical instance starts for the first time. This key serves as an intermediate layer between the operator-provided root key and tenant-specific data keys.
**Key characteristics:**
* **Size**: 256-bit AES
* **Generation**: Cryptographically secure random bytes via Node.js's core cryptographic library.
* **Purpose**: Encrypts all organization and project data keys
* **Storage**: Encrypted at rest using the Root Encryption Key and stored in the database
This separation ensures that the operator-provided root key is only used to protect a single key (the Internal KMS Root Key), limiting its exposure during cryptographic operations.
#### Organization & Project Data Keys
Data keys are the encryption keys that directly protect sensitive data within Infisical. Each organization and each project has its own dedicated data key, providing cryptographic isolation between tenants.
**Organization Data Keys** protect organization-level sensitive data, including:
* SSO and SAML configurations
* Machine Identities
* SCIM provisioning settings
* Organization-level integrations and credentials
**Project Data Keys** protect project-level sensitive data, including:
* Secrets and dynamic secret credentials
* Certificates and private keys
* Database credentials and connection strings
* API keys and authentication tokens
**Key characteristics:**
* **Size**: 256-bit AES
* **Generation**: Cryptographically secure random bytes via Node.js's core cryptographic library
* **Scope**: One key per organization, one key per project
* **Storage**: Encrypted at rest using the Internal KMS Root Key and stored in the database
Project data keys can optionally be managed by an external KMS instead of the Internal KMS Root Key, allowing organizations to maintain control over their encryption keys. See [External KMS Integration](#external-kms-integration) for more details.
### Encryption Operations
When sensitive data needs to be stored, Infisical performs the following operations:
1. **Key Retrieval**: The appropriate data key (organization or project) is retrieved from the database in its encrypted form.
2. **Key Decryption**: The encrypted data key is decrypted using the Internal KMS Root Key.
3. **Data Encryption**: The plaintext data is encrypted using the decrypted data key with AES-256-GCM and a randomly generated 96-bit nonce.
4. **Storage**: The ciphertext, along with the nonce and authentication tag, is stored in the database.
When sensitive data needs to be retrieved, Infisical performs the following operations:
1. **Key Retrieval**: The appropriate data key (organization or project) is retrieved from the database in its encrypted form.
2. **Key Decryption**: The encrypted data key is decrypted using the Internal KMS Root Key.
3. **Data Retrieval**: The ciphertext, nonce, and authentication tag are retrieved from the database.
4. **Data Decryption**: The ciphertext is decrypted using the decrypted data key with AES-256-GCM, the stored nonce, and the authentication tag. The GCM authentication tag ensures that any tampering with the ciphertext is detected during decryption.
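The store and retrieve flows above can be traced end to end with Node.js's `crypto` module. This is an added sketch, not Infisical's implementation: the function names, the in-memory `db` object and the way nonce, ciphertext and tag are held together are assumptions, and the root key is generated on the spot to stand in for the operator-provided environment variable.

```javascript
const nodeCrypto = require("node:crypto");

const KEY_BYTES = 32;   // 256-bit keys
const NONCE_BYTES = 12; // 96-bit nonce, as stated on this page

// Encrypt with AES-256-GCM and return the three values that get stored.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(NONCE_BYTES); // fresh random nonce per encryption
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Decrypt and verify; final() throws if ciphertext, nonce, tag or key do not match.
function unseal(key, { nonce, ciphertext, tag }) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// First startup: create the Internal KMS Root Key and one project data key.
// The returned "db" (assumed layout) holds only wrapped keys and ciphertext.
function bootstrap(rootKey) {
  const kmsRootKey = nodeCrypto.randomBytes(KEY_BYTES);
  const projectKey = nodeCrypto.randomBytes(KEY_BYTES);
  return {
    wrappedKmsRootKey: seal(rootKey, kmsRootKey),    // root key encrypts the KMS root key
    wrappedProjectKey: seal(kmsRootKey, projectKey), // KMS root key encrypts the data key
    secrets: {},
  };
}

// Steps 1-2 of both flows: fetch the encrypted data key and decrypt it.
function unwrapProjectKey(rootKey, db) {
  const kmsRootKey = unseal(rootKey, db.wrappedKmsRootKey);
  return unseal(kmsRootKey, db.wrappedProjectKey);
}

// Steps 3-4 of the store flow.
function storeSecret(rootKey, db, name, value) {
  db.secrets[name] = seal(unwrapProjectKey(rootKey, db), Buffer.from(value, "utf8"));
}

// Steps 3-4 of the retrieve flow.
function readSecret(rootKey, db, name) {
  return unseal(unwrapProjectKey(rootKey, db), db.secrets[name]).toString("utf8");
}

function demo() {
  const rootKey = nodeCrypto.randomBytes(KEY_BYTES); // stand-in for the env-provided root key
  const db = bootstrap(rootKey);
  storeSecret(rootKey, db, "DB_PASSWORD", "constructed-sample-value");
  const roundTrip = readSecret(rootKey, db, "DB_PASSWORD");

  // Flip one bit of the stored ciphertext: the GCM tag check must reject it.
  db.secrets.DB_PASSWORD.ciphertext[0] ^= 0x01;
  let tamperDetected = false;
  try { readSecret(rootKey, db, "DB_PASSWORD"); } catch { tamperDetected = true; }
  db.secrets.DB_PASSWORD.ciphertext[0] ^= 0x01; // restore the original byte

  // Database contents without the right root key: unwrapping fails at the first layer.
  let wrongRootRejected = false;
  try { readSecret(nodeCrypto.randomBytes(KEY_BYTES), db, "DB_PASSWORD"); } catch { wrongRootRejected = true; }

  return { roundTrip, tamperDetected, wrongRootRejected };
}

console.log(demo());
```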
When a project is configured to use an [External KMS](/documentation/platform/kms-configuration/overview), the encryption flow differs slightly:
Instead of the Internal KMS Root Key decrypting the project data key, the encrypted data key is sent to the external KMS provider (e.g., AWS KMS, GCP KMS) for decryption. The external KMS performs the key unwrapping operation and returns the plaintext data key, which is then used for the AES-256-GCM encryption/decryption of the actual data. This approach ensures that the project's root of trust lies with the external KMS, giving organizations full control over key access policies and audit logging at the KMS level.
### Key Generation
All cryptographic keys in Infisical are generated using Node.js's core cryptographic library, which provides cryptographically secure pseudo-random data. When FIPS mode is enabled, this library is guaranteed to use FIPS-validated cryptographic implementations.
### External KMS Integration
For organizations with specific compliance requirements or those who need to maintain control over their encryption keys, Infisical supports integration with external Key Management Systems. When configured, project data keys can be encrypted by an external KMS instead of the Internal KMS Root Key.
Supported external KMS providers include:
* [AWS KMS](/documentation/platform/kms-configuration/aws-kms)
* [AWS CloudHSM](/documentation/platform/kms-configuration/aws-hsm)
* [GCP KMS](/documentation/platform/kms-configuration/gcp-kms)
For detailed configuration instructions, see the [KMS Configuration documentation](/documentation/platform/kms-configuration/overview).
### FIPS Compliance
Infisical can be deployed in a FIPS-compliant configuration, using FIPS 140-3 validated cryptographic modules for all encryption operations within the FIPS boundary. When FIPS mode is enabled:
* All cryptographic operations within the FIPS boundary use FIPS-validated implementations
* Key generation uses FIPS-approved random number generators
* External HSM integration is available for root key protection
For detailed information on deploying Infisical in FIPS mode, see the [FIPS documentation](/self-hosting/guides/production-hardening#fips-140-3-compliance) *(Enterprise Only)*.
## Infrastructure & High availability (Infisical Cloud)
Infisical Cloud uses a number of strategies to keep services running smoothly and ensure data stays available, even during failures; we document these strategies below:
* Multi-AZ AWS RDS: Infisical Cloud runs AWS Relational Database Service (RDS) with Multi-AZ deployments to improve availability and durability. This setup keeps a standby replica in a different Availability Zone (AZ) and automatically fails over if the primary instance goes down. Continuous backups and replication help protect data and minimize interruptions.
* Multi-AZ ElastiCache (Redis): For caching, Infisical Cloud runs Amazon ElastiCache (Redis) in a Multi-AZ setup. This means data is replicated across different AZs, so if one goes down, the system can automatically fail over to a healthy node. This helps keep response times low and ensures caching stays reliable.
* Multi-AZ ECS for Container Orchestration: Infisical Cloud runs on Amazon Elastic Container Service (ECS) across multiple availability zones, making sure containers stay available even if an AZ fails. If one zone has an issue, traffic automatically shifts to healthy instances in other zones, keeping downtime to a minimum.
Infisical Cloud utilizes several strategies to ensure high availability, leveraging AWS services to maintain continuous operation and data integrity.
## Cross-Region Replication for Disaster Recovery (Infisical Cloud)
To handle regional failures, Infisical Cloud keeps backups, both within AWS and across cloud providers in GCP, updated and ready to take over when needed.
* ElastiCache (Redis): Data is replicated across regions using AWS Global Datastore, keeping cached data consistent and available even if a primary region goes down.
* RDS (PostgreSQL): Cross-region read replicas ensure database data is available in multiple AWS locations, with additional replication to GCP for multi-cloud disaster recovery, allowing for failover in case of a regional outage or cloud provider issues.
## Penetration testing
Infisical hires external third parties to perform regular security assessments and penetration testing of the platform.
Most recently, Infisical commissioned cybersecurity firm [Cure53](https://cure53.de/) to perform a full-coverage, gray box penetration test against the platform's entire attack surface to identify vulnerabilities according to industry standards (OWASP, ASVS, WSTG, TOP-10, etc.).
Please email [security@infisical.com](mailto:security@infisical.com) to request any reports including a letter of attestation for the conducted penetration test.
## Employee data access
Whether or not Infisical or your employees can access data in the Infisical instance and/or storage backend depends on many factors relating to how you use Infisical:
* Infisical Self-Hosted: Self-hosting Infisical is common amongst organizations that prefer to keep data on their own infrastructure, usually to adhere to strict regulatory and compliance requirements. In this option, organizations retain full control over their data and therefore govern the data access policy of their Infisical instance and storage backend.
* Infisical Cloud: Using Infisical's managed service, [Infisical Cloud](https://app.infisical.com), means delegating data oversight and management to Infisical. Under our policy controls, employees are only granted access to parts of infrastructure according to the principle of least privilege; this is especially relevant to customer data, which can currently be accessed only by executive management of Infisical. Moreover, any change to sensitive customer data is prohibited without explicit customer approval.
It should be noted that, even on Infisical Cloud, it is physically impossible for employees of Infisical to view the values of secrets if users have not explicitly granted Infisical access to their project (i.e. opted out of zero-knowledge).
Please email [security@infisical.com](mailto:security@infisical.com) if you have any specific inquiries about employee data and security policies.
# Service tokens
Source: https://infisical.com/docs/internals/service-tokens
Understanding service tokens and their best practices.
Many clients use service tokens to authenticate and read/write secrets from/to Infisical; they can be created in your project settings.
## Anatomy
A service token in Infisical consists of the token itself, a `string`, and a corresponding document in the storage backend containing its properties and metadata.
### Database model
The storage backend model for a token contains the following information:
* ID: The token identifier.
* Expiration: The date at which point the token is invalid.
* Project: The project that the token is part of.
* Scopes: The project environments and paths that the token has access to.
* Encrypted project key: An encrypted copy of the project key.
### Token
A service token itself consists of two parts used for authentication and decryption, separated by the delimiter `.`.
Consider the token `st.abc.def.ghi`. Here, `st.abc.def` can be used to authenticate with the API, by including it in the `Authorization` header under `Bearer st.abc.def`, and retrieve (encrypted) secrets as well as a project key back. Meanwhile, `ghi`, a hex-string, can be used to decrypt the project key used to decrypt the secrets.
Note that when using service tokens via select client methods like the SDK or CLI, cryptographic operations are abstracted for you; that is, the token is parsed and encryption/decryption operations are handled. If using service tokens with the REST API and end-to-end encryption enabled, then you will have to handle the encryption/decryption operations yourself.
## Recommendations
### Issuance
When creating a new service token, it’s important to consider the principle of least privilege (PoLP) when setting its scope and expiration date. For example, if the client using the token only requires access to a staging environment, then you should scope the token to that environment only; you can further scope tokens to path(s) within environment(s) if you happen to use path-based secret storage. Likewise, if the client does not intend to access secrets indefinitely, then you may consider setting a finite lifetime for the token such as 6 months or 1 year from now. Finally, you should consider carefully whether or not your client requires the ability to read and/or write secrets from/to Infisical.
### Network access
We recommend configuring the IP whitelist settings of each project to allow either single IP addresses or CIDR-notated ranges of addresses to read/write secrets to Infisical. With this feature, you can specify the IP range of your client servers to restrict access to your project in Infisical.
### Storage
Since service tokens grant access to your secrets, we recommend storing them securely across your development cycle whether it be in a .env file in local development or as an environment variable of your deployment platform.
### Rotation
We recommend periodically rotating the service token, even in the absence of compromise. Since service tokens are capable of decrypting project keys used to decrypt secrets, all of which use AES-256-GCM encryption, they should be rotated before approximately 2^32 encryptions have been performed; this follows the guidance set forth by [NIST publication 800-38D](https://csrc.nist.gov/pubs/sp/800/38/d/final).
Note that Infisical keeps track of the number of times that service tokens are used and will alert you when you have reached 90% of the recommended capacity.
# Infisical C++ SDK
Source: https://infisical.com/docs/sdks/languages/cpp
If you're working with C++, the official Infisical C++ SDK package is the easiest way to fetch and work with secrets for your application.
## Compatible with C++ 17 and later
The Infisical C++ SDK is compatible with C++ 17 capable compilers. This implies GCC 8 or newer, and clang 3.8 or newer. Earlier versions of C++ are unsupported.
## Dependencies
* `cURL`: Used internally for crafting HTTP requests.
## CMake Installation
```cmake theme={"dark"}
cmake_minimum_required(VERSION 3.14)
project(InfisicalTest)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
set(CMAKE_PREFIX_PATH ${CMAKE_BINARY_DIR})
find_package(OpenSSL REQUIRED)
include(FetchContent)
FetchContent_Declare(
infisical
GIT_REPOSITORY https://github.com/Infisical/infisical-cpp-sdk.git
GIT_TAG 1.0.0 # Replace with the desired version
)
FetchContent_MakeAvailable(infisical)
FetchContent_GetProperties(infisical)
# Example usage. This will differ based on your project structure.
add_executable(my_app src/main.cpp)
target_link_libraries(my_app PRIVATE infisical OpenSSL::SSL OpenSSL::Crypto)
target_include_directories(my_app PRIVATE ${infisical_SOURCE_DIR}/include)
```
## Manual Installation
If you're unable to use the recommended CMake installation approach, you can choose to manually build the library and use it in your project.
```bash theme={"dark"}
mkdir build
cd build
cmake ..
make
```
## Quick-Start Example
Below you'll find an example that uses the Infisical SDK to fetch a secret with the key `API_KEY` using [Machine Identity Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth).
More examples can be found in the [/examples](https://github.com/Infisical/infisical-cpp-sdk/tree/main/examples) folder.
```cpp theme={"dark"}
#include <cstdio>
#include <iostream>
#include <libinfisical/InfisicalClient.h>

int main() {
    try {
        Infisical::InfisicalClient client(
            Infisical::ConfigBuilder()
                .withHostUrl("https://app.infisical.com") // Optionally change this to your custom Infisical instance URL.
                .withAuthentication(
                    Infisical::AuthenticationBuilder()
                        .withUniversalAuth("", "") // Universal Auth client ID, client secret
                        .build())
                .build());

        const auto getSecretOptions = Infisical::Input::GetSecretOptionsBuilder()
            .withEnvironment("") // dev, staging, prod, etc
            .withProjectId("")
            .withSecretKey("API_KEY")
            .build();

        const auto apiKeySecret = client.secrets().getSecret(getSecretOptions);
        printf("Secret retrieved, [key=%s] [value=%s]\n", apiKeySecret.getSecretKey().c_str(), apiKeySecret.getSecretValue().c_str());
    } catch (const Infisical::InfisicalError &e) {
        std::cerr << "Error: " << e.what() << std::endl;
        return 1;
    }
    return 0;
}
```
## JSON Serialization
The SDK uses [nlohmann/json](https://github.com/nlohmann/json) internally to serialize/deserialize JSON data. This SDK makes no assumptions about which JSON library you use in your project, and you aren't constrained to `nlohmann/json` in any way. Data returned by the SDK is returned as a class, which exposes Getter methods for getting fields such as the secret value or secret key.
## Documentation
The Infisical C++ SDK follows a builder pattern for all types of input. Below is detailed documentation of the currently supported methods.
Everything related to the Infisical SDK lives inside the `Infisical` namespace.
### InfisicalClient Class
`InfisicalClient(Config &config)`
```cpp theme={"dark"}
Infisical::InfisicalClient client(
Infisical::ConfigBuilder()
.withHostUrl("https://app.infisical.com")
.withAuthentication(
Infisical::AuthenticationBuilder()
.withUniversalAuth(clientId, clientSecret)
.build())
.build());
```
`Config` is created through the `ConfigBuilder` class. See below for more details.
### Config Class
`Config` defines the configuration of the Infisical Client itself, such as authentication.
```cpp theme={"dark"}
Infisical::Config config = Infisical::ConfigBuilder()
.withHostUrl("https://app.infisical.com")
.withAuthentication(
Infisical::AuthenticationBuilder()
.withUniversalAuth(clientId, clientSecret)
.build())
.build();
Infisical::InfisicalClient client(config);
```
* `withHostUrl(string)` *(optional)*: Specify a custom Infisical host URL, pointing to your Infisical instance. Defaults to `https://app.infisical.com`
* `withAuthentication(Infisical::Authentication)`: Configure the authentication that will be used by the SDK. See [Authentication Class](#authentication-class) for more details.
* `build()`: Returns the `Config` object with the options you configured.
### Authentication Class
```cpp theme={"dark"}
Infisical::Authentication auth = Infisical::AuthenticationBuilder()
.withUniversalAuth(clientId, clientSecret)
.build();
Infisical::Config config = Infisical::ConfigBuilder()
.withAuthentication(std::move(auth)) // Or use inline declaration
.build();
```
* `withUniversalAuth(string, string)`: Specify the Universal Auth Client ID and Client Secret that will be used for authentication.
* `build()`: Returns the `Authentication` object with the options you specified.
### TSecret Class
The `TSecret` class is the class that's returned by all secret methods (get/list/delete/update/create). It can come in the form of a `std::vector<TSecret>` or a single instance.
**Available getter methods:**
* `getId(): std::string`: Returns the ID of the secret.
* `getWorkspace(): std::string`: Returns the project ID of the secret.
* `getEnvironment(): std::string`: Returns the environment slug of the secret.
* `getVersion(): unsigned int`: Gets the version of the secret. By default this will always be the latest version unless specified otherwise with `withVersion()`.
* `getType(): std::string`: Returns the type of the secret. Can only be `shared` or `personal`. Shared secrets are available to everyone with access to the secret. Personal secrets are personal overwrites of the secret, mainly intended for local development purposes.
* `getSecretKey(): std::string`: Returns the secret key.
* `getSecretValue(): std::string`: Returns the secret value.
* `getRotationId(): std::string`: If the secret is a rotation secret, this will return the rotation ID of the secret. If it's a regular secret, this will return an empty string.
* `getSecretPath(): std::string`: Returns the secret path of the secret.
* `getSkipMultilineEncoding(): bool`: Returns whether or not skip multiline encoding is enabled for the secret.
* `getIsRotatedSecret(): bool`: Returns whether or not the secret is a rotated secret. If `true`, then `getRotationId()` returns the ID of the rotation.
### Secrets
#### Create Secret
```cpp theme={"dark"}
const auto createSecretOptions = Infisical::Input::CreateSecretOptionsBuilder()
.withEnvironment("")
.withProjectId("")
.withSecretKey("SECRET_KEY_TO_CREATE")
.withSecretValue("VALUE_TO_CREATE")
.withSecretComment("Secret comment to attach") // Optional
.withSecretPath("/path/where/to/create/secret") // Optional, defaults to /
.withTagIds({"tag-id-1", "tag-id-2"}) // Optional
.build();
const auto secret = client.secrets().createSecret(createSecretOptions);
```
**Parameters**:
* `withEnvironment(string)`: Specify the slug of the environment to create the secret in.
* `withProjectId(string)`: Specify the ID of the project to create the secret in.
* `withSecretPath(string)`: Specify the secret path to create the secret in. Defaults to `/`
* `withSecretKey(string)`: The secret key to be created.
* `withSecretValue(string)`: The value of the secret to create.
* `withSecretComment(string)` *(optional)*: Optionally add a comment to the secret.
* `withTagIds(std::vector<std::string>)` *(optional)*: A list of IDs of tags to attach to the secret.
* `build()`: Returns the `CreateSecretOptions` class that can be passed into the `createSecret()` method.
**Returns**:
* Returns the created secret as a `TSecret` class. Read more in the [TSecret Class](#tsecret-class) documentation.
#### Update Secret
```cpp theme={"dark"}
const auto updateSecretOptions = Infisical::Input::UpdateSecretOptionsBuilder()
.withEnvironment("")
.withProjectId("")
.withSecretKey("")
.withNewSecretKey("") // Optional
.withSecretValue("") // Optional
.withSecretComment("Updated comment") // Optional
.withSecretReminderNote("Updated reminder note") // Optional
.withSecretReminderRepeatDays(1) // Optional
.withType("shared") // Optional
.withTagIds({"tag-id-3", "tag-id-4"}) // Optional
.build();
const auto updatedSecret = client.secrets().updateSecret(updateSecretOptions);
```
**Parameters**:
* `withEnvironment(string)`: Specify the slug of the environment where the secret lives in.
* `withProjectId(string)`: Specify the ID of the project where the secret to update lives in.
* `withSecretPath(string)`: Specify the secret path of the secret to update. Defaults to `/`.
* `withType("shared" | "personal")` *(optional)*: The type of secret to update. Defaults to `shared`.
* `withSecretKey(string)`: The key of the secret you wish to update.
* `withNewSecretKey(string)` *(optional)*: The new key of the secret you wish to update.
* `withSecretValue(string)` *(optional)*: The new value of the secret.
* `withSecretReminderNote(string)` *(optional)*: Update the secret reminder note attached to the secret.
* `withSecretReminderRepeatDays(unsigned int)` *(optional)*: Update the secret reminder repeat days attached to the secret.
* `withTagIds(std::vector<std::string>)` *(optional)*: A list of IDs of tags to attach to the secret.
* `build()`: Returns the `UpdateSecretOptions` class that can be passed into the `updateSecret()` method.
**Returns**:
* Returns the updated secret as a `TSecret` class. Read more in the [TSecret Class](#tsecret-class) documentation.
#### Get Secret
```cpp theme={"dark"}
const auto getSecretOptions = Infisical::Input::GetSecretOptionsBuilder()
.withEnvironment("")
.withProjectId("")
.withSecretKey("")
.withType("shared")
.withVersion(2)
.withExpandSecretReferences(true)
.build();
const auto secret = client.secrets().getSecret(getSecretOptions);
```
**Parameters**:
* `withEnvironment(string)`: Specify the slug of the environment where the secret lives in.
* `withProjectId(string)`: Specify the ID of the project where the secret lives in.
* `withSecretPath(string)`: Specify the secret path of the secret to get. Defaults to `/`
* `withType("shared" | "personal")` *(optional)*: The type of secret to get. Defaults to `shared`.
* `withSecretKey(string)`: The key of the secret to get.
* `withExpandSecretReferences(bool)` *(optional)*: Whether or not to expand secret references automatically. Defaults to `true`.
* `withVersion(unsigned int)` *(optional)*: Optionally fetch a specific version of the secret. If not defined, the latest version of the secret is returned.
* `build()`: Returns the `GetSecretOptions` class that can be passed into the `getSecret()` method.
**Returns**:
* Returns the secret as a `TSecret` class. Read more in the [TSecret Class](#tsecret-class) documentation.
#### Delete Secret
```cpp theme={"dark"}
const auto deleteSecretOptions = Infisical::Input::DeleteSecretOptionsBuilder()
.withEnvironment("")
.withProjectId("")
.withSecretKey("")
.withType("shared")
.withSecretPath("")
.build();
const auto deletedSecret = client.secrets().deleteSecret(deleteSecretOptions);
```
**Parameters**:
* `withEnvironment(string)`: Specify the slug of the environment where the secret to delete lives in.
* `withProjectId(string)`: Specify the ID of the project where the secret to delete lives in.
* `withSecretPath(string)`: Specify the secret path of the secret to delete. Defaults to `/`
* `withType("shared" | "personal")` *(optional)*: The type of secret to delete. Defaults to `shared`.
* `withSecretKey(string)`: The key of the secret to delete.
* `build()`: Returns the `DeleteSecretOptions` class that can be passed into the `deleteSecret()` method.
**Returns**:
* Returns the deleted secret as a `TSecret` class. Read more in the [TSecret Class](#tsecret-class) documentation.
#### List Secrets
```cpp theme={"dark"}
const auto listSecretsOptions = Infisical::Input::ListSecretOptionsBuilder()
.withProjectId(projectId)
.withEnvironment(environment)
.withSecretPath("/")
.withRecursive(false)
.withAddSecretsToEnvironmentVariables(false)
.build();
const auto secrets = client.secrets().listSecrets(listSecretsOptions);
```
**Parameters**:
* `withEnvironment(string)`: Specify the slug of the environment to list secrets from.
* `withProjectId(string)`: Specify the ID of the project to fetch secrets from.
* `withSecretPath(string)`: Specify the secret path to fetch secrets from. Defaults to `/`
* `withExpandSecretReferences(bool)` *(optional)*: Whether or not to expand secret references automatically. Defaults to `true`.
* `withRecursive(bool)` *(optional)*: Whether or not to recursively fetch secrets from sub-folders. If set to true, all secrets from the secret path specified with `withSecretPath()` and downwards will be fetched.
* `withAddSecretsToEnvironmentVariables(bool)` *(optional)*: If set to true, the fetched secrets will be automatically set as environment variables, making them accessible with `std::getenv` or equivalent by secret key.
* `build()`: Returns the `ListSecretsOptions` class that can be passed into the `listSecrets()` method.
**Returns**:
* Returns the listed secrets as `std::vector<TSecret>`. Read more in the [TSecret Class](#tsecret-class) documentation.
# Infisical .NET SDK
Source: https://infisical.com/docs/sdks/languages/dotnet
If you're working with .NET, the official Infisical .NET SDK package is the easiest way to fetch and work with secrets for your application.
## Installation
```bash theme={"dark"}
dotnet add package Infisical.Sdk
```
## Getting Started (.NET)
```csharp theme={"dark"}
namespace Example;

using Infisical.Sdk;
using Infisical.Sdk.Model;

public class Program {
    public static void Main(string[] args) {
        var settings = new InfisicalSdkSettingsBuilder()
            .WithHostUri("http://localhost:8080") // Optional. Will default to https://app.infisical.com
            .Build();

        var infisicalClient = new InfisicalClient(settings);

        var _ = infisicalClient.Auth().UniversalAuth().LoginAsync("", "").Result;

        var options = new ListSecretsOptions
        {
            SetSecretsAsEnvironmentVariables = true,
            EnvironmentSlug = "",
            SecretPath = "/",
            ProjectId = "",
        };

        var secrets = infisicalClient.Secrets().ListAsync(options).Result;

        if (secrets == null)
        {
            throw new Exception("Failed to fetch secrets, returned null response");
        }

        foreach (var secret in secrets)
        {
            Console.WriteLine($"{secret.SecretKey}: {secret.SecretValue}");
        }
    }
}
```
## Getting Started (Visual Basic)
```vb theme={"dark"}
Imports Infisical.Sdk
Imports Infisical.Sdk.Model

Module Program
    Sub Main(args As String())
        Dim settings = New InfisicalSdkSettingsBuilder() _
            .WithHostUri("https://app.infisical.com") _
            .Build()

        Dim infisicalClient As New InfisicalClient(settings)

        Dim authResult = infisicalClient.Auth().UniversalAuth() _
            .LoginAsync("", "machine-identity-universal-auth-client-secret").Result

        Dim options As New ListSecretsOptions With {
            .SetSecretsAsEnvironmentVariables = True,
            .EnvironmentSlug = "",
            .SecretPath = "/",
            .ProjectId = ""
        }

        Dim secrets = infisicalClient.Secrets().ListAsync(options).Result

        For Each secret In secrets
            Console.WriteLine(secret.SecretKey)
            If Environment.GetEnvironmentVariable(secret.SecretKey) IsNot Nothing Then
                Console.WriteLine("{0} found on environment variables", secret.SecretKey)
            End If
        Next
    End Sub
End Module
```
## Core Methods
The SDK methods are organized into the following high-level categories:
1. `Auth()`: Handles authentication methods.
2. `Secrets()`: Manages CRUD operations for secrets.
3. `Pki()`: Programmatically interact with the Infisical PKI.
   * `Subscribers()`: Manage PKI Subscribers.
### `Auth()`
The `Auth()` component provides methods for authentication:
### Universal Auth
#### Authenticating
```cs theme={"dark"}
var _ = await sdk.Auth().UniversalAuth().LoginAsync(
"CLIENT_ID",
"CLIENT_SECRET"
);
```
**Parameters:**
* `clientId` (string): The client ID of your Machine Identity.
* `clientSecret` (string): The client secret of your Machine Identity.
### LDAP Auth
#### Authenticating
```cs theme={"dark"}
var _ = await sdk.Auth().LdapAuth().LoginAsync(
"IDENTITY_ID",
"USERNAME",
"PASSWORD"
);
```
**Parameters:**
* `identityId` (string): The ID of your Machine Identity.
* `username` (string): The LDAP username for authentication.
* `password` (string): The LDAP password for authentication.
### `Secrets()`
The `Secrets()` sub-class handles operations related to the Infisical secrets management product.
#### List Secrets
```cs theme={"dark"}
// Throws InfisicalException
Task<Secret[]> ListAsync(ListSecretsOptions options);
```
```csharp theme={"dark"}
var options = new ListSecretsOptions
{
SetSecretsAsEnvironmentVariables = true,
EnvironmentSlug = "dev",
SecretPath = "/test",
Recursive = true,
ExpandSecretReferences = true,
ProjectId = projectId,
ViewSecretValue = true,
};
Secret[] secrets = await sdk.Secrets().ListAsync(options);
```
**ListSecretsOptions:**
* `ProjectId` (string): The ID of your project.
* `EnvironmentSlug` (string): The environment in which to list secrets (e.g., "dev").
* `SecretPath` (string): The path to the secrets.
* `ExpandSecretReferences` (boolean): Whether to expand secret references.
* `Recursive` (boolean): Whether to list secrets recursively.
* `SetSecretsAsEnvironmentVariables` (boolean): Set the retrieved secrets as environment variables.
**Returns:**
* `Task<Secret[]>`: The response containing the list of secrets.
#### Create Secret
```cs theme={"dark"}
// Throws InfisicalException
public Task<Secret> CreateAsync(CreateSecretOptions options);
```
```cs theme={"dark"}
var options = new CreateSecretOptions
{
SecretName = "SECRET_NAME",
SecretValue = "SECRET_VALUE",
EnvironmentSlug = "",
SecretPath = "/",
ProjectId = "",
Metadata = new SecretMetadata[] {
new SecretMetadata {
Key = "metadata-key",
Value = "metadata-value"
}
}
};
Secret newSecret = await sdk.Secrets().CreateAsync(options);
```
**Parameters:**
* `SecretName` (string): The name of the secret to create.
* `SecretValue` (string): The value of the secret.
* `ProjectId` (string): The ID of your project.
* `EnvironmentSlug` (string): The environment in which to create the secret.
* `SecretPath` (string, optional): The path to the secret.
* `Metadata` (object, optional): Attach metadata to the secret.
* `SecretComment` (string, optional): Attach a secret comment to the secret.
* `SecretReminderNote` (string, optional): Attach a secret reminder note to the secret.
* `SecretReminderRepeatDays` (int, optional): Set the reminder repeat days on the secret.
* `SkipMultilineEncoding` (bool, optional): Whether or not to skip multiline encoding for the secret's value. Defaults to `false`.
**Returns:**
* `Task<Secret>`: The created secret.
#### Update Secret
```cs theme={"dark"}
// Throws InfisicalException
public Task<Secret> UpdateAsync(UpdateSecretOptions options);
```
```cs theme={"dark"}
var updateSecretOptions = new UpdateSecretOptions
{
SecretName = "EXISTING_SECRET_NAME",
EnvironmentSlug = "",
SecretPath = "/",
NewSecretName = "NEW_SECRET_NAME",
NewSecretValue = "new-secret-value",
ProjectId = "",
};
Secret updatedSecret = await sdk.Secrets().UpdateAsync(updateSecretOptions);
```
**Parameters:**
* `SecretName` (string): The name of the secret to update.
* `ProjectId` (string): The ID of your project.
* `EnvironmentSlug` (string): The environment in which to update the secret.
* `SecretPath` (string): The path to the secret.
* `NewSecretValue` (string, optional): The new value of the secret.
* `NewSecretName` (string, optional): A new name for the secret.
* `NewMetadata` (object, optional): New metadata to attach to the secret.
**Returns:**
* `Task<Secret>`: The updated secret.
#### Get Secret by Name
```cs theme={"dark"}
// Throws InfisicalException
public Task<Secret> GetAsync(GetSecretOptions options);
```
```cs theme={"dark"}
var getSecretOptions = new GetSecretOptions
{
SecretName = "SECRET_NAME",
EnvironmentSlug = "",
SecretPath = "/",
ProjectId = "",
};
Secret secret = await sdk.Secrets().GetAsync(getSecretOptions);
```
**Parameters:**
* `SecretName` (string): The name of the secret to get.
* `ProjectId` (string): The ID of your project.
* `EnvironmentSlug` (string): The environment in which to retrieve the secret.
* `SecretPath` (string): The path to the secret.
* `ExpandSecretReferences` (boolean, optional): Whether to expand secret references.
* `Type` (SecretType, optional): The type of secret to fetch. Defaults to `Shared`.
**Returns:**
* `Task<Secret>`: The fetched secret.
#### Delete Secret by Name
```cs theme={"dark"}
// Throws InfisicalException
public Task<Secret> DeleteAsync(DeleteSecretOptions options);
```
```cs theme={"dark"}
var options = new DeleteSecretOptions
{
SecretName = "SECRET_TO_DELETE",
EnvironmentSlug = "",
SecretPath = "/",
ProjectId = "",
};
Secret deletedSecret = await sdk.Secrets().DeleteAsync(options);
```
**Parameters:**
* `SecretName` (string): The name of the secret to delete.
* `ProjectId` (string): The ID of your project.
* `EnvironmentSlug` (string): The environment in which to delete the secret.
* `SecretPath` (string, optional): The path to the secret.
**Returns:**
* `Task<Secret>`: The deleted secret.
### `Pki().Subscribers()`
The `Pki().Subscribers()` sub-class is used to programmatically interact with the Infisical PKI product line. Currently only issuing new certificates and retrieving the latest certificate bundle from a subscriber is supported. More widespread support for the PKI product is coming to the .NET SDK in the near future.
#### Issue a new certificate
```cs theme={"dark"}
// Throws InfisicalException
public async Task<SubscriberIssuedCertificate> IssueCertificateAsync(IssueCertificateOptions options);
```
```cs theme={"dark"}
var options = new IssueCertificateOptions
{
SubscriberName = "",
ProjectId = "",
};
SubscriberIssuedCertificate newCertificate = await sdk.Pki().Subscribers().IssueCertificateAsync(options);
```
**Parameters:**
* `SubscriberName` (string): The name of the subscriber to create a certificate for.
* `ProjectId` (string): The ID of the PKI project.
**Returns:**
* `Task<SubscriberIssuedCertificate>`: The newly issued certificate along with its credentials for the specified subscriber.
#### Retrieve latest certificate bundle
```cs theme={"dark"}
// Throws InfisicalException
public async Task<CertificateBundle> RetrieveLatestCertificateBundleAsync(RetrieveLatestCertificateBundleOptions options);
```
```cs theme={"dark"}
var options = new RetrieveLatestCertificateBundleOptions
{
SubscriberName = "",
ProjectId = "",
};
CertificateBundle latestCertificate = await sdk.Pki().Subscribers().RetrieveLatestCertificateBundleAsync(options);
```
**Parameters:**
* `SubscriberName` (string): The name of the subscriber to retrieve the latest certificate bundle for.
* `ProjectId` (string): The ID of the PKI project.
**Returns:**
* `Task<CertificateBundle>`: The latest certificate bundle for the specified subscriber.
# Infisical Go SDK
Source: https://infisical.com/docs/sdks/languages/go
If you're working with Go, the official Infisical Go SDK package is the easiest way to fetch and work with secrets for your application.
* [Package](https://pkg.go.dev/github.com/infisical/go-sdk)
* [Github Repository](https://github.com/infisical/go-sdk)
# Basic Usage
```go theme={"dark"}
package main

import (
	"fmt"
	"os"
	"context"
	infisical "github.com/infisical/go-sdk"
)

func main() {
	client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl:          "https://app.infisical.com", // Optional, default is https://app.infisical.com
		AutoTokenRefresh: true,                        // Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
	})

	_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
	if err != nil {
		fmt.Printf("Authentication failed: %v", err)
		os.Exit(1)
	}

	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
		SecretKey:   "API_KEY",
		Environment: "dev",
		ProjectID:   "YOUR_PROJECT_ID",
		SecretPath:  "/",
	})
	if err != nil {
		fmt.Printf("Error: %v", err)
		os.Exit(1)
	}

	fmt.Printf("API Key Secret: %v", apiKeySecret)
}
```
This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named `API_KEY` from the `dev` environment of the `YOUR_PROJECT_ID` project.
We do not recommend hardcoding your [Machine Identity
Tokens](/documentation/platform/identities/machine-identities). Setting it as
an environment variable would be best.
# Installation
```console theme={"dark"}
$ go get github.com/infisical/go-sdk
```
# Configuration
Import the SDK and create a client instance.
```go theme={"dark"}
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
	SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
})
```
### Configuration Options
* `SiteUrl`: The URL of the Infisical API.
* Optionally set the user agent that will be used for HTTP requests. *(Not recommended)*
* `AutoTokenRefresh`: Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
* Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.
* Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
* Allows you to pass custom headers to the HTTP requests made by the SDK. Expected format is a map of `Header1: Value1, Header2: Value 2`.
# Automatic token refreshing
The Infisical Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed.
This behavior is enabled by default, but you can opt-out by setting `AutoTokenRefresh` to `false` in the client settings.
```go theme={"dark"}
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
AutoTokenRefresh: false, // <- Disable automatic token refreshing
})
```
When using automatic token refreshing it's important to understand how your application uses the Infisical client. If you are instantiating new instances of the client often, it's important to cancel the context when the client is no longer needed to prevent the token refreshing process from running indefinitely.
```go theme={"dark"}
ctx, cancel := context.WithCancel(context.Background())
defer cancel() // Cancel the context when the client is no longer needed
client := infisical.NewInfisicalClient(ctx, infisical.Config{
AutoTokenRefresh: true,
})
// Use the client
```
This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle.
If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don't need to worry about this.
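The difference between the two cases above can be made visible by counting live background goroutines. This is an added example, not SDK code: `standInClient`, `refreshTracker`, `perRequestLeaky` and `perRequestScoped` are hypothetical stand-ins that model a client whose refresh loop stops only when its context is cancelled.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

// refreshTracker counts background refresh goroutines that are still running.
type refreshTracker struct{ live int64 }

func (t *refreshTracker) Live() int64 { return atomic.LoadInt64(&t.live) }

// standInClient is a hypothetical stand-in for a client with automatic
// token refresh; it is not the SDK's implementation.
type standInClient struct {
	done chan struct{} // closed when the refresh goroutine has exited
}

func newStandInClient(ctx context.Context, t *refreshTracker, every time.Duration) *standInClient {
	c := &standInClient{done: make(chan struct{})}
	atomic.AddInt64(&t.live, 1)
	go func() {
		defer close(c.done)                // runs last
		defer atomic.AddInt64(&t.live, -1) // runs before done is closed
		ticker := time.NewTicker(every)
		defer ticker.Stop()
		for {
			select {
			case <-ctx.Done():
				return
			case <-ticker.C:
				// A real client would renew its access token here.
			}
		}
	}()
	return c
}

// perRequestLeaky builds a client per request on the long-lived application
// context. Nothing cancels it, so every refresh goroutine keeps running.
func perRequestLeaky(appCtx context.Context, t *refreshTracker, requests int) []*standInClient {
	clients := make([]*standInClient, 0, requests)
	for i := 0; i < requests; i++ {
		clients = append(clients, newStandInClient(appCtx, t, time.Hour))
	}
	return clients
}

// perRequestScoped derives a cancellable context per request and cancels it
// when the request is finished, which stops that client's refresh goroutine.
func perRequestScoped(appCtx context.Context, t *refreshTracker, requests int) {
	for i := 0; i < requests; i++ {
		func() {
			ctx, cancel := context.WithCancel(appCtx)
			c := newStandInClient(ctx, t, time.Hour)
			defer func() {
				cancel()
				<-c.done // wait only so the count below is deterministic
			}()
			// ... use the client for this request ...
		}()
	}
}

func main() {
	appCtx, stop := context.WithCancel(context.Background())
	defer stop()
	t := &refreshTracker{}

	perRequestScoped(appCtx, t, 100)
	fmt.Println("live after scoped clients:", t.Live())

	clients := perRequestLeaky(appCtx, t, 100)
	fmt.Println("live after leaky clients: ", t.Live())

	// Only cancelling the shared context releases the leaked goroutines.
	stop()
	for _, c := range clients {
		<-c.done
	}
	fmt.Println("live after app shutdown:  ", t.Live())
}
```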
# Authentication
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
#### Universal Auth
**Using environment variables**
Call `.Auth().UniversalAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` - Your machine identity client ID.
* `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` - Your machine identity client secret.
**Using the SDK directly**
```go theme={"dark"}
_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### GCP ID Token Auth
Please note that this authentication method will only work if you're running
your application on Google Cloud Platform. Please [read
more](/documentation/platform/identities/gcp-auth) about this authentication
method.
**Using environment variables**
Call `.Auth().GcpIdTokenAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_GCP_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
**Using the SDK directly**
```go theme={"dark"}
_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### GCP IAM Auth
**Using environment variables**
Call `.Auth().GcpIamAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_GCP_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
* `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` - The path to your GCP service account key file.
**Using the SDK directly**
```go theme={"dark"}
_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### AWS IAM Auth
Please note that this authentication method will only work if you're running
your application on AWS. Please [read
more](/documentation/platform/identities/aws-auth) about this authentication
method.
**Using environment variables**
Call `.Auth().AwsIamAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_AWS_IAM_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
**Using the SDK directly**
```go theme={"dark"}
_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### Azure Auth
Please note that this authentication method will only work if you're running
your application on Azure. Please [read
more](/documentation/platform/identities/azure-auth) about this authentication
method.
**Using environment variables**
Call `.Auth().AzureAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_AZURE_AUTH_IDENTITY_ID` - Your Infisical Machine Identity ID.
**Using the SDK directly**
```go theme={"dark"}
_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### Kubernetes Auth
Please note that this authentication method will only work if you're running
your application on Kubernetes. Please [read
more](/documentation/platform/identities/kubernetes-auth) about this
authentication method.
**Using environment variables**
Call `.Auth().KubernetesAuthLogin()` with empty arguments to use the following environment variables:
* `INFISICAL_KUBERNETES_IDENTITY_ID` - Your Infisical Machine Identity ID.
* `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME` - The environment variable name that contains the path to the service account token. This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.
**Using the SDK directly**
```go theme={"dark"}
// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### JWT Auth
Please note that this authentication method requires a valid JWT token from
your JWT issuer. Please [read
more](/documentation/platform/identities/jwt-auth) about this authentication
method.
**Using the SDK**
```go theme={"dark"}
credential, err := client.Auth().JwtAuthLogin("MACHINE_IDENTITY_ID", "JWT_TOKEN")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### LDAP Auth
Please note that this authentication method requires LDAP credentials. Please
[read more](/documentation/platform/identities/ldap-auth/general) about this
authentication method.
**Using environment variables**
You can set the `INFISICAL_LDAP_AUTH_IDENTITY_ID` environment variable and pass empty string for the identity ID:
```go theme={"dark"}
credential, err := client.Auth().LdapAuthLogin("", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
**Using the SDK directly**
```go theme={"dark"}
credential, err := client.Auth().LdapAuthLogin("MACHINE_IDENTITY_ID", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
#### OCI Auth
Please note that this authentication method will only work if you're running
your application on Oracle Cloud Infrastructure. Please [read
more](/documentation/platform/identities/oci-auth) about this authentication
method.
**Using environment variables**
You can set the `INFISICAL_OCI_AUTH_IDENTITY_ID` environment variable and omit the `IdentityID` field:
```go theme={"dark"}
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
UserID: "USER_OCID",
TenancyID: "TENANCY_OCID",
Fingerprint: "FINGERPRINT",
PrivateKey: "PRIVATE_KEY",
Region: "REGION",
})
if err != nil {
fmt.Println(err)
os.Exit(1)
}
```
**Using the SDK directly**
```go theme={"dark"}
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
	IdentityID:  "MACHINE_IDENTITY_ID",
	UserID:      "USER_OCID",
	TenancyID:   "TENANCY_OCID",
	Fingerprint: "FINGERPRINT",
	PrivateKey:  "PRIVATE_KEY",
	Region:      "REGION",
	Passphrase:  nil, // Optional: pointer to string if your private key has a passphrase
})
if err != nil {
	fmt.Println(err)
	os.Exit(1)
}
```
**OciAuthLoginOptions fields:**
* `IdentityID` (string) - Your Infisical Machine Identity ID. Can be set via `INFISICAL_OCI_AUTH_IDENTITY_ID` environment variable.
* `UserID` (string) - Your OCI user OCID.
* `TenancyID` (string) - Your OCI tenancy OCID.
* `Fingerprint` (string) - Your OCI API key fingerprint.
* `PrivateKey` (string) - Your OCI private key (PEM format).
* `Region` (string) - Your OCI region (e.g., `us-ashburn-1`).
* `Passphrase` (\*string) - Optional: pointer to passphrase string if your private key is encrypted.
## Organization Authentication
All SDK authentication methods support logging into a sub-organization that your machine identity has access to. This is optional and only necessary when attempting to authenticate into a sub-organization using an identity created at the root organization.
Use the `.Auth().WithOrganizationSlug("")` method to specify which organization to authenticate against:
```go theme={"dark"}
_, err := client.Auth().WithOrganizationSlug("ORGANIZATION_SLUG").UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
	fmt.Println(err)
	os.Exit(1)
}
```
If no organization slug is provided, the authentication session defaults to
the organization where the machine identity was originally created.
## Secrets
### List Secrets
`client.Secrets().List(options)`
Retrieve all secrets within the Infisical project and environment that the client is connected to.
```go theme={"dark"}
secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
	ProjectID:          "PROJECT_ID",
	Environment:        "dev",
	SecretPath:         "/foo/bar",
	AttachToProcessEnv: false,
})
```
#### Parameters
The slug name (dev, prod, etc.) of the environment from which secrets should be fetched.
The ID of the project where the secret lives.
The path from which secrets should be fetched.
Whether or not to set the fetched secrets on the process environment. If true, you can access the secrets like so: `os.Getenv("SECRET_NAME")`.
Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference).
Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference).
### Retrieve Secret
`client.Secrets().Retrieve(options)`
Retrieve a secret from Infisical. By default `Secrets().Retrieve()` fetches and returns a shared secret.
```go theme={"dark"}
secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
	SecretKey:   "API_KEY",
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
})
```
#### Parameters
The key of the secret to retrieve.
The ID of the project where the secret lives.
The slug name (dev, prod, etc.) of the environment from which secrets
should be fetched.
The path from which the secret should be fetched.
The type of the secret. Valid options are "shared" or "personal". If not
specified, the default value is "shared".
The version of the secret to retrieve.
### Create Secret
`client.Secrets().Create(options)`
Create a new secret in Infisical.
```go theme={"dark"}
secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
	ProjectID:     "PROJECT_ID",
	Environment:   "dev",
	SecretKey:     "NEW_SECRET_KEY",
	SecretValue:   "NEW_SECRET_VALUE",
	SecretComment: "This is a new secret",
})
```
#### Parameters
The key of the secret to create.
The value of the secret.
A comment for the secret.
The ID of the project where the secret lives.
The slug name (dev, prod, etc.) of the environment from which secrets
should be fetched.
The path where the secret should be created.
The type of the secret. Valid options are "shared" or "personal". If not
specified, the default value is "shared".
### Update Secret
`client.Secrets().Update(options)`
Update an existing secret in Infisical.
```go theme={"dark"}
secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
	ProjectID:                "PROJECT_ID",
	Environment:              "dev",
	SecretKey:                "NEW_SECRET_KEY",
	NewSecretValue:           "NEW_SECRET_VALUE",
	NewSkipMultilineEncoding: false,
})
```
#### Parameters
The key of the secret to update.
The new value of the secret.
Whether or not to skip multiline encoding for the new secret value.
The ID of the project where the secret lives.
The slug name (dev, prod, etc.) of the environment from which secrets
should be fetched.
The path where the secret should be updated.
The type of the secret. Valid options are "shared" or "personal". If not
specified, the default value is "shared".
### Delete Secret
`client.Secrets().Delete(options)`
Delete a secret in Infisical.
```go theme={"dark"}
secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
	SecretKey:   "SECRET_KEY",
})
```
#### Parameters
The key of the secret to delete.
The ID of the project where the secret lives.
The slug name (dev, prod, etc.) of the environment from which secrets
should be fetched.
The path from which the secret should be deleted.
The type of the secret. Valid options are "shared" or "personal". If not
specified, the default value is "shared".
### Batch Create Secrets
`client.Secrets().Batch().Create(options)`
Create multiple secrets in Infisical.
```go theme={"dark"}
createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
	Environment: "",
	SecretPath:  "",
	ProjectID:   "",
	Secrets: []infisical.BatchCreateSecret{
		{
			SecretKey:   "SECRET-1",
			SecretValue: "test-value-1",
		},
		{
			SecretKey:   "SECRET-2",
			SecretValue: "test-value-2",
		},
	},
})
```
#### Parameters
The slug name (dev, prod, etc.) of the environment from which secrets should be fetched.
The ID of the project where the secret lives.
The path where the secret should be created.
The key of the secret to create.
The value of the secret.
The comment to add to the secret.
Whether or not to skip multiline encoding for the secret value.
The tag IDs to associate with the secret.
The key of the metadata.
The value of the metadata.
## Folders
### List Folders
`client.Folders().List(options)`
Retrieve all folders within the Infisical project and environment that the client is connected to.
```go theme={"dark"}
folders, err := client.Folders().List(infisical.ListFoldersOptions{
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
	Path:        "/",
})
```
#### Parameters
The slug name (dev, prod, etc.) of the environment from which folders should be fetched.
The ID of the project where the folder lives.
The path from which folders should be fetched.
### Create Folder
`client.Folders().Create(options)`
Create a new folder in Infisical.
```go theme={"dark"}
folder, err := client.Folders().Create(infisical.CreateFolderOptions{
	ProjectID:   "PROJECT_ID",
	Name:        "new-folder-name",
	Environment: "dev",
	Path:        "/",
})
```
#### Parameters
The ID of the project where the folder will be created.
The slug name (dev, prod, etc) of the environment where the folder will be
created.
The path to create the folder in. The root path is `/`.
The name of the folder to create.
### Update Folder
`client.Folders().Update(options)`
Update an existing folder in Infisical.
```go theme={"dark"}
folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
	Path:        "/",
	FolderID:    "FOLDER_ID_TO_UPDATE",
	NewName:     "new-folder-name",
})
```
#### Parameters
The ID of the project where the folder will be updated.
The slug name (dev, prod, etc.) of the environment where the folder
lives.
The path where the folder should be updated.
The ID of the folder to update.
The new name of the folder.
### Delete Folder
`client.Folders().Delete(options)`
Delete a folder in Infisical.
```go theme={"dark"}
deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
	// Either folder ID or folder name is required.
	FolderName:  "name-of-folder-to-delete",
	FolderID:    "folder-id-to-delete",
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
	Path:        "/",
})
```
#### Parameters
The name of the folder to delete. Note that either `FolderName` or `FolderID` is required.
The ID of the folder to delete. Note that either `FolderName` or `FolderID` is required.
The ID of the project where the folder lives.
The slug name (dev, prod, etc.) of the environment where the folder lives.
The path from which the folder should be deleted.
## KMS
### Create Key
`client.Kms().Keys().Create(options)`
Create a new key in Infisical.
```go theme={"dark"}
newKey, err := client.Kms().Keys().Create(infisical.KmsCreateKeyOptions{
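	KeyUsage:            "sign-verify", // or "encrypt-decrypt"
	Description:         "",
	Name:                "",
	EncryptionAlgorithm: "rsa-4096", // must be one of the options listed below for the chosen KeyUsage
	ProjectId:           "",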
})
```
#### Parameters
The usage of the key. Valid options are `sign-verify` or `encrypt-decrypt`.
The usage dictates what the key can be used for.
The description of the key.
The name of the key.
The encryption algorithm of the key.
Valid options for Signing/Verifying keys are:
* `rsa-4096`
* `ecc-nist-p256`
Valid options for Encryption/Decryption keys are:
* `aes-256-gcm`
* `aes-128-gcm`
The ID of the project where the key will be created.
#### Return (object)
The ID of the key that was created.
The name of the key that was created.
The description of the key that was created.
Whether or not the key is disabled.
The ID of the organization that the key belongs to.
The ID of the project that the key belongs to.
The intended usage of the key that was created.
The encryption algorithm of the key that was created.
The version of the key that was created.
### Delete Key
`client.Kms().Keys().Delete(options)`
Delete a key in Infisical.
```go theme={"dark"}
deletedKey, err := client.Kms().Keys().Delete(infisical.KmsDeleteKeyOptions{
	KeyId: "",
})
```
#### Parameters
The ID of the key to delete.
#### Return (object)
The ID of the key that was deleted.
The name of the key that was deleted.
The description of the key that was deleted.
Whether or not the key is disabled.
The ID of the organization that the key belonged to.
The ID of the project that the key belonged to.
The intended usage of the key that was deleted.
The encryption algorithm of the key that was deleted.
The version of the key that was deleted.
### Signing Data
`client.Kms().Signing().SignData(options)`
Sign data in Infisical.
```go theme={"dark"}
res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
	KeyId:            "",
	Data:             "", // Must be a base64 encoded string.
	SigningAlgorithm: "", // The signing algorithm that will be used to sign the data.
})
```
#### Parameters
The ID of the key to sign the data with.
The data to sign. Must be a base64 encoded string.
Whether the data is already digested or not.
The signing algorithm to use. You must use a signing algorithm that matches the key usage.
If you are unsure about which signing algorithms are available for your key, you can use the `client.Kms().Signing().ListSigningAlgorithms()` method. It will return an array of signing algorithms that are available for your key.
Valid options for `RSA 4096` keys are:
* `RSASSA_PSS_SHA_512`
* `RSASSA_PSS_SHA_384`
* `RSASSA_PSS_SHA_256`
* `RSASSA_PKCS1_V1_5_SHA_512`
* `RSASSA_PKCS1_V1_5_SHA_384`
* `RSASSA_PKCS1_V1_5_SHA_256`
Valid options for `ECC NIST P256` keys are:
* `ECDSA_SHA_512`
* `ECDSA_SHA_384`
* `ECDSA_SHA_256`
#### Return (\[]byte)
The signature of the data that was signed.
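Signing needs a base64 payload and a signing algorithm that matches the key. The following added example (not part of the Infisical SDK or of the original documentation) checks the algorithm against the lists above and builds the base64 `Data` value, hashing locally when the payload is sent pre-digested. `SignInput`, `IsDigest`, `hashFor` and `PrepareSignInput` are hypothetical names, and the example assumes a pre-digested payload is the hash named by the algorithm's suffix.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"fmt"
	"hash"
	"strings"
)

// Signing algorithms per key algorithm, copied from the lists in this section.
var signingAlgorithms = map[string][]string{
	"rsa-4096": {
		"RSASSA_PSS_SHA_512", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_256",
		"RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_256",
	},
	"ecc-nist-p256": {"ECDSA_SHA_512", "ECDSA_SHA_384", "ECDSA_SHA_256"},
}

// SignInput is a hypothetical local type (not the SDK's KmsSignDataOptions)
// holding the values described under "Parameters" above.
type SignInput struct {
	Data             string // base64 of the message, or of its digest
	SigningAlgorithm string
	IsDigest         bool // hypothetical name for the "already digested" flag
}

// hashFor returns the hash constructor implied by the algorithm name's suffix.
func hashFor(signingAlgorithm string) (func() hash.Hash, error) {
	switch {
	case strings.HasSuffix(signingAlgorithm, "_SHA_256"):
		return sha256.New, nil
	case strings.HasSuffix(signingAlgorithm, "_SHA_384"):
		return sha512.New384, nil
	case strings.HasSuffix(signingAlgorithm, "_SHA_512"):
		return sha512.New, nil
	}
	return nil, fmt.Errorf("unknown hash in signing algorithm %q", signingAlgorithm)
}

// PrepareSignInput rejects a signing algorithm that does not match the key's
// algorithm, optionally hashes the message locally, and base64-encodes the result.
func PrepareSignInput(keyAlgorithm, signingAlgorithm string, message []byte, digestLocally bool) (SignInput, error) {
	allowed, ok := signingAlgorithms[keyAlgorithm]
	if !ok {
		return SignInput{}, fmt.Errorf("%q is not a sign-verify key algorithm", keyAlgorithm)
	}
	match := false
	for _, a := range allowed {
		if a == signingAlgorithm {
			match = true
			break
		}
	}
	if !match {
		return SignInput{}, fmt.Errorf("%q cannot be used with a %s key", signingAlgorithm, keyAlgorithm)
	}
	data := message
	if digestLocally {
		newHash, err := hashFor(signingAlgorithm)
		if err != nil {
			return SignInput{}, err
		}
		h := newHash()
		h.Write(message)
		data = h.Sum(nil) // only the digest leaves the process
	}
	return SignInput{
		Data:             base64.StdEncoding.EncodeToString(data),
		SigningAlgorithm: signingAlgorithm,
		IsDigest:         digestLocally,
	}, nil
}

func main() {
	// Constructed sample inputs.
	in, err := PrepareSignInput("ecc-nist-p256", "ECDSA_SHA_256", []byte("release-1.4.2.tar.gz"), true)
	fmt.Println(in, err)
	_, err = PrepareSignInput("ecc-nist-p256", "RSASSA_PSS_SHA_256", []byte("x"), false)
	fmt.Println(err)
}
```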
### Verifying Data
`client.Kms().Signing().Verify(options)`
Verify data in Infisical.
```go theme={"dark"}
res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
	KeyId:            "",
	Data:             "", // Must be a base64 encoded string.
	SigningAlgorithm: "", // The signing algorithm that was used to sign the data.
})
```
#### Parameters
The ID of the key to verify the data with.
The data to verify. Must be a base64 encoded string.
Whether the data is already digested or not.
The signing algorithm that was used to sign the data.
#### Return (object)
Whether or not the data is valid.
The ID of the key that was used to verify the data.
The signing algorithm that was used to verify the data.
### List Signing Algorithms
`client.Kms().Signing().ListSigningAlgorithms(options)`
List signing algorithms in Infisical.
```go theme={"dark"}
res, err := client.Kms().Signing().ListSigningAlgorithms(infisical.KmsListSigningAlgorithmsOptions{
	KeyId: "",
})
```
#### Parameters
The ID of the key to list signing algorithms for.
#### Return (\[]string)
The signing algorithms that are available for the key.
### Get Public Key
This method is only available for keys with key usage `sign-verify`. If you
attempt to use this method on a key that is intended for
encryption/decryption, it will return an error.
`client.Kms().Signing().GetPublicKey(options)`
Get the public key in Infisical.
```go theme={"dark"}
publicKey, err := client.Kms().Signing().GetPublicKey(infisical.KmsGetPublicKeyOptions{
	KeyId: "",
})
```
#### Parameters
The ID of the key to get the public key for.
#### Return (string)
The public key for the key.
### Encrypt Data
`client.Kms().EncryptData(options)`
Encrypt data with a key in Infisical KMS.
```go theme={"dark"}
res, err := client.Kms().EncryptData(infisical.KmsEncryptDataOptions{
	KeyId:     "",
	Plaintext: "",
})
```
#### Parameters
The ID of the key to encrypt the data with.
#### Return (string)
The encrypted data.
### Decrypt Data
`client.Kms().DecryptData(options)`
Decrypt data with a key in Infisical KMS.
```go theme={"dark"}
res, err := client.Kms().DecryptData(infisical.KmsDecryptDataOptions{
	KeyId:      "",
	Ciphertext: "",
})
```
#### Parameters
The ID of the key to decrypt the data with.
The encrypted data to decrypt.
#### Return (string)
The decrypted data.
# Infisical Java SDK
Source: https://infisical.com/docs/sdks/languages/java
If you're working with Java, the official Infisical Java SDK package is the easiest way to fetch and work with secrets for your application.
## Installation
Replace `{version}` with the version of the SDK you wish to use. This documentation covers version >=3.0.0.
### Maven
```xml theme={"dark"}
<dependency>
    <groupId>com.infisical</groupId>
    <artifactId>sdk</artifactId>
    <version>{version}</version>
</dependency>
```
### Gradle
```gradle theme={"dark"}
implementation group: 'com.infisical', name: 'sdk', version: '{version}'
```
### Others
For other build tools, please check our [package snippets](https://central.sonatype.com/artifact/com.infisical/sdk), and select the build tool you're using for your project.
## Getting Started
```java theme={"dark"}
package com.example.example;

import com.infisical.sdk.InfisicalSdk;
import com.infisical.sdk.SdkConfig;

public class Example {
    public static void main(String[] args) {
        var sdk = new InfisicalSdk(
            new SdkConfig.Builder()
                // Optional, will default to https://app.infisical.com
                .withSiteUrl("https://your-infisical-instance.com")
                .build()
        );

        sdk.Auth().UniversalAuthLogin(
            "CLIENT_ID",
            "CLIENT_SECRET"
        );

        var secret = sdk.Secrets().GetSecret(
            "", // Secret name
            "", // Project ID
            "", // Environment slug
            "", // Secret path
            null, // Expand Secret References (boolean, optional)
            null, // Include Imports (boolean, optional)
            null // Secret Type (shared/personal, defaults to shared, optional)
        );

        System.out.println(secret);
    }
}
```
## Core Methods
The SDK methods are organized into the following high-level categories:
1. `Auth()`: Handles authentication methods.
2. `Secrets()`: Manages CRUD operations for secrets.
### `Auth`
The `Auth` component provides methods for authentication:
### Universal Auth
#### Authenticating
```java theme={"dark"}
public void UniversalAuthLogin(
    String clientId,
    String clientSecret
)
throws InfisicalException
```
```java theme={"dark"}
sdk.Auth().UniversalAuthLogin(
    "CLIENT_ID",
    "CLIENT_SECRET"
);
```
**Parameters:**
* `clientId` (string): The client ID of your Machine Identity.
* `clientSecret` (string): The client secret of your Machine Identity.
#### Revoking
```java theme={"dark"}
// No-arg: revokes the current session token stored in the SDK
public void RevokeToken()
throws InfisicalException
// Explicit: revokes a specific access token
public void RevokeToken(
    String accessToken
)
throws InfisicalException
```
The recommended approach is to call `RevokeToken()` without arguments, which revokes the token currently stored in the SDK session:
```java theme={"dark"}
sdk.Auth().RevokeToken();
```
Alternatively, you can pass an explicit access token to revoke:
```java theme={"dark"}
sdk.Auth().RevokeToken("ACCESS_TOKEN");
```
**Parameters (explicit variant):**
* `accessToken` (String): The access token to revoke.
### AWS Auth
```java theme={"dark"}
public void AwsAuthLogin(
    String identityId
)
throws InfisicalException
```
```java theme={"dark"}
sdk.Auth().AwsAuthLogin("");
```
**Parameters:**
* `identityId` (String): The ID of the machine identity to authenticate with.
### LDAP Auth
```java theme={"dark"}
public void LdapAuthLogin(
    LdapAuthLoginInput input
)
throws InfisicalException
```
```java theme={"dark"}
var input = LdapAuthLoginInput
    .builder()
    .identityId("")
    .username("")
    .password("")
    .build();

sdk.Auth().LdapAuthLogin(input);
```
**Parameters:**
* `input` (LdapAuthLoginInput): The input for authenticating with LDAP.
  * `identityId` (String): The ID of the machine identity to authenticate with.
  * `username` (String): The LDAP username.
  * `password` (String): The LDAP password.
### Access Token Auth
#### Authenticating
```java theme={"dark"}
public void SetAccessToken(
    String accessToken
)
throws InfisicalException
```
```java theme={"dark"}
sdk.Auth().SetAccessToken("ACCESS_TOKEN");
```
**Parameters:**
* `accessToken` (string): The access token you want to use for authentication.
### `Secrets`
This sub-class handles operations related to secrets:
#### List Secrets
```java theme={"dark"}
public List<Secret> ListSecrets(
    String projectId,
    String environmentSlug,
    String secretPath,
    Boolean expandSecretReferences,
    Boolean recursive,
    Boolean includeImports,
    Boolean setSecretsOnSystemProperties
)
throws InfisicalException
```
```java theme={"dark"}
List<Secret> secrets = sdk.Secrets().ListSecrets(
    "",
    "", // dev, prod, staging, etc.
    "/secret/path", // `/` is the root folder
    false, // Should expand secret references
    false, // Should get secrets recursively from sub folders
    false, // Should include imports
    false // Should set the fetched secrets as key/value pairs on the system properties. Makes the secrets accessible as System.getProperty("")
);
```
**Parameters:**
* `projectId` (string): The ID of your project.
* `environmentSlug` (string): The environment in which to list secrets (e.g., "dev").
* `secretPath` (string): The path to the secrets.
* `expandSecretReferences` (boolean): Whether to expand secret references.
* `recursive` (boolean): Whether to list secrets recursively.
* `includeImports` (boolean): Whether to include imported secrets.
* `setSecretsOnSystemProperties` (boolean): Set the retrieved secrets as key/value pairs on the system properties, making them accessible through `System.getProperty("")`.
**Returns:**
* `List<Secret>`: The response containing the list of secrets.
#### Create Secret
```java theme={"dark"}
public Secret CreateSecret(
    String secretName,
    String secretValue,
    String projectId,
    String environmentSlug,
    String secretPath
)
throws InfisicalException
```
```java theme={"dark"}
Secret newSecret = sdk.Secrets().CreateSecret(
    "NEW_SECRET_NAME",
    "secret-value",
    "",
    "", // dev, prod, staging, etc.
    "/secret/path" // `/` is the root folder
);
```
**Parameters:**
* `secretName` (string): The name of the secret to create.
* `secretValue` (string): The value of the secret.
* `projectId` (string): The ID of your project.
* `environmentSlug` (string): The environment in which to create the secret.
* `secretPath` (string, optional): The path to the secret.
**Returns:**
* `Secret`: The created secret.
#### Update Secret
```java theme={"dark"}
public Secret UpdateSecret(
    String secretName,
    String projectId,
    String environmentSlug,
    String secretPath,
    String newSecretValue,
    String newSecretName
)
throws InfisicalException
```
```java theme={"dark"}
Secret updatedSecret = sdk.Secrets().UpdateSecret(
    "SECRET_NAME",
    "",
    "", // dev, prod, staging, etc.
    "/secret/path", // `/` is the root folder
    "NEW_SECRET_VALUE", // nullable
    "NEW_SECRET_NAME" // nullable
);
```
**Parameters:**
* `secretName` (string): The name of the secret to update.
* `projectId` (string): The ID of your project.
* `environmentSlug` (string): The environment in which to update the secret.
* `secretPath` (string): The path to the secret.
* `newSecretValue` (string, nullable): The new value of the secret.
* `newSecretName` (string, nullable): A new name for the secret.
**Returns:**
* `Secret`: The updated secret.
#### Get Secret by Name
```java theme={"dark"}
public Secret GetSecret(
    String secretName,
    String projectId,
    String environmentSlug,
    String secretPath,
    Boolean expandSecretReferences,
    Boolean includeImports,
    String secretType
)
throws InfisicalException
```
```java theme={"dark"}
Secret secret = sdk.Secrets().GetSecret(
    "SECRET_NAME",
    "",
    "", // dev, prod, staging, etc.
    "/secret/path", // `/` is the root folder
    false, // Should expand secret references
    false, // Should include imports
    "shared" // Optional Secret Type (defaults to "shared")
);
```
**Parameters:**
* `secretName` (string): The name of the secret to get.
* `projectId` (string): The ID of your project.
* `environmentSlug` (string): The environment in which to retrieve the secret.
* `secretPath` (string): The path to the secret.
* `expandSecretReferences` (boolean, optional): Whether to expand secret references.
* `includeImports` (boolean, optional): Whether to include imported secrets.
* `secretType` (personal | shared, optional): The type of secret to fetch.
**Returns:**
* `Secret`: The fetched secret.
#### Delete Secret by Name
```java theme={"dark"}
public Secret DeleteSecret(
    String secretName,
    String projectId,
    String environmentSlug,
    String secretPath
)
throws InfisicalException
```
```java theme={"dark"}
Secret deletedSecret = sdk.Secrets().DeleteSecret(
    "SECRET_NAME",
    "",
    "", // dev, prod, staging, etc.
    "/secret/path" // `/` is the root folder
);
```
**Parameters:**
* `secretName` (string): The name of the secret to delete.
* `projectId` (string): The ID of your project.
* `environmentSlug` (string): The environment in which to delete the secret.
* `secretPath` (string, optional): The path to the secret.
**Returns:**
* `Secret`: The deleted secret.
### `Folders`
#### Get Folder By Name
```java theme={"dark"}
public Folder Get(
    String folderId
)
throws InfisicalException
```
```java theme={"dark"}
Folder folder = sdk.Folders().Get("");
```
**Parameters:**
* `folderId` (String): The ID of the folder to retrieve.
**Returns:**
* `Folder`: The retrieved folder.
#### List Folders
```java theme={"dark"}
public List<Folder> List(
    ListFoldersInput input
)
throws InfisicalException
```
```java theme={"dark"}
ListFoldersInput input = ListFoldersInput
    .builder()
    .projectId("")
    .environmentSlug("")
    .folderPath("/")
    .recursive(false)
    .build();

List<Folder> folders = sdk.Folders().List(input);
```
**Parameters:**
* `input` (ListFoldersInput): The input for listing folders.
  * `projectId` (String): The ID of the project to list folders from.
  * `environmentSlug` (String): The slug of the environment to list folders from.
  * `folderPath` (String): The path to list folders from. Defaults to `/`.
  * `recursive` (Boolean): Whether or not to list sub-folders recursively from the specified folder path and downwards. Defaults to `false`.
**Returns:**
* `List<Folder>`: The retrieved folders.
#### Create Folder
```java theme={"dark"}
public Folder Create(
    CreateFolderInput input
)
throws InfisicalException
```
```java theme={"dark"}
var input = CreateFolderInput
    .builder()
    .projectId("")
    .environmentSlug("")
    .folderName("")
    .folderPath("/")
    .description("Optional folder description")
    .build();
Folder createdFolder = sdk.Folders().Create(input);
```
**Parameters:**
* `input` (CreateFolderInput): The input for creating a folder.
  * `projectId` (String): The ID of the project to create the folder in.
  * `environmentSlug` (String): The slug of the environment to create the folder in.
  * `folderPath` (String): The path to create the folder in. Defaults to `/`.
  * `folderName` (String): The name of the folder to create.
  * `description` (String): The description of the folder to create. This is optional.
**Returns:**
* `Folder`: The created folder.
#### Update Folder
```java theme={"dark"}
public Folder Update(
    UpdateFolderInput input
)
throws InfisicalException
```
```java theme={"dark"}
var input = UpdateFolderInput
    .builder()
    .projectId("")
    .environmentSlug("")
    .folderId("")
    .newFolderName("")
    .folderPath("/")
    .build();
Folder updatedFolder = sdk.Folders().Update(input);
```
**Parameters:**
* `input` (UpdateFolderInput): The input for updating a folder.
  * `projectId` (String): The ID of the project where the folder exists.
  * `environmentSlug` (String): The slug of the environment where the folder exists.
  * `folderPath` (String): The path of the folder to update.
  * `folderId` (String): The ID of the folder to update.
  * `newFolderName` (String): The new folder name.
**Returns:**
* `Folder`: The updated folder.
#### Delete Folder
```java theme={"dark"}
public Folder Delete(
    DeleteFolderInput input
)
throws InfisicalException
```
```java theme={"dark"}
var input = DeleteFolderInput
.builder()
.folderId("")
.environmentSlug("")
.projectId("