Infisical Node.js SDK
If you’re working with Node.js, the official Infisical Node SDK package is the easiest way to fetch and work with secrets for your application.
Basic Usage
import express from "express";
import { InfisicalClient } from "@infisical/sdk";

const app = express();
const PORT = 3000;

const client = new InfisicalClient({
  siteUrl: "https://app.infisical.com", // Optional, defaults to https://app.infisical.com
  auth: {
    universalAuth: {
      clientId: "YOUR_CLIENT_ID",
      clientSecret: "YOUR_CLIENT_SECRET"
    }
  }
});

app.get("/", async (req, res) => {
  // Access the secret
  const name = await client.getSecret({
    environment: "dev",
    projectId: "PROJECT_ID",
    path: "/",
    type: "shared",
    secretName: "NAME"
  });

  res.send(`Hello! My name is: ${name.secretValue}`);
});

app.listen(PORT, async () => {
  // initialize client
  console.log(`App listening on port ${PORT}`);
});
This example demonstrates how to use the Infisical Node SDK with an Express application. The application retrieves a secret named “NAME” and responds to requests with a greeting that includes the secret value.
We do not recommend hardcoding your Machine Identity Tokens. Setting them as environment variables would be best.
Installation
Run npm to add @infisical/sdk to your project.
$ npm install @infisical/sdk
Configuration
Import the SDK and create a client instance with your Machine Identity.
import { InfisicalClient, LogLevel } from "@infisical/sdk";

const client = new InfisicalClient({
  auth: {
    universalAuth: {
      clientId: "YOUR_CLIENT_ID",
      clientSecret: "YOUR_CLIENT_SECRET"
    }
  },
  logLevel: LogLevel.Error
});
Parameters
Authentication
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Universal Auth
Using environment variables
INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    universalAuth: {
      clientId: "YOUR_CLIENT_ID",
      clientSecret: "YOUR_CLIENT_SECRET"
    }
  }
});
GCP ID Token Auth
Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.
Using environment variables
INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    gcpIdToken: {
      identityId: "YOUR_IDENTITY_ID"
    }
  }
});
GCP IAM Auth
Using environment variables
INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    gcpIam: {
      identityId: "YOUR_IDENTITY_ID",
      serviceAccountKeyFilePath: "./path/to/your/service-account-key.json"
    }
  }
});
AWS IAM Auth
Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.
Using environment variables
INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    awsIam: {
      identityId: "YOUR_IDENTITY_ID"
    }
  }
});
Azure Auth
Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.
Using environment variables
INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    azure: {
      identityId: "YOUR_IDENTITY_ID"
    }
  }
});
Kubernetes Auth
Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.
Using environment variables
INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.
Using the SDK directly
const client = new InfisicalClient({
  auth: {
    kubernetes: {
      identityId: "YOUR_IDENTITY_ID",
      serviceAccountTokenPathEnvName: "/var/run/secrets/kubernetes.io/serviceaccount/token" // Optional
    }
  }
});
Caching
To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cacheTtl” option when creating the client.
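The caching rule above matters for rotation: a value changed in Infisical is not seen until the cached copy expires, and if cache hits also reset the timer, a secret read more often than the TTL keeps its old value indefinitely. The block below is an added model of that rule, not the SDK's implementation; `SlidingTtlCache`, `staleWindowSeconds` and the assumption that cache hits reset the timer are illustrative.

```javascript
// Added example: a model of the caching rule described above, not SDK code.
// Assumption: "fetched again" includes reads that are served from the cache.
class SlidingTtlCache {
  constructor(ttlSeconds, fetchFn) {
    this.ttlMs = ttlSeconds * 1000;
    this.fetchFn = fetchFn;   // hypothetical stand-in for the API request
    this.entries = new Map(); // secret name -> { value, expiresAt }
  }

  get(name, nowMs) {
    const hit = this.entries.get(name);
    if (hit && nowMs < hit.expiresAt) {
      hit.expiresAt = nowMs + this.ttlMs; // the timer resets on every fetch
      return { value: hit.value, fromCache: true };
    }
    const value = this.fetchFn(name);
    this.entries.set(name, { value, expiresAt: nowMs + this.ttlMs });
    return { value, fromCache: false };
  }
}

// The secret is rotated upstream right after the first read, then read every
// `intervalSeconds`. Returns the time (in seconds) at which the new value is
// first seen, or Infinity if the old value is still served at the horizon.
function staleWindowSeconds(ttlSeconds, intervalSeconds, horizonSeconds) {
  let upstream = "v1"; // constructed sample value
  const cache = new SlidingTtlCache(ttlSeconds, () => upstream);
  cache.get("API_KEY", 0); // warm the cache with the old value
  upstream = "v2";         // rotation happens in the secrets manager
  for (let t = intervalSeconds; t <= horizonSeconds; t += intervalSeconds) {
    if (cache.get("API_KEY", t * 1000).value === "v2") return t;
  }
  return Infinity;
}
```

When sizing cacheTtl, compare it against how often the application reads the secret and how quickly a rotated value must take effect.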
Working with Secrets
client.listSecrets(options)
const secrets = await client.listSecrets({
  environment: "dev",
  projectId: "PROJECT_ID",
  path: "/foo/bar/",
  includeImports: false
});
Retrieve all secrets within the Infisical project and environment that the client is connected to.
Parameters
client.getSecret(options)
const secret = await client.getSecret({
  environment: "dev",
  projectId: "PROJECT_ID",
  secretName: "API_KEY",
  path: "/",
  type: "shared"
});
Retrieve a secret from Infisical.
By default, getSecret() fetches and returns a shared secret.
Parameters
client.createSecret(options)
const newApiKey = await client.createSecret({
  projectId: "PROJECT_ID",
  environment: "dev",
  secretName: "API_KEY",
  secretValue: "SECRET VALUE",
  path: "/",
  type: "shared"
});
Create a new secret in Infisical.
client.updateSecret(options)
const updatedApiKey = await client.updateSecret({
  secretName: "API_KEY",
  secretValue: "NEW SECRET VALUE",
  projectId: "PROJECT_ID",
  environment: "dev",
  path: "/",
  type: "shared"
});
Update an existing secret in Infisical.
Parameters
client.deleteSecret(options)
const deletedSecret = await client.deleteSecret({
  secretName: "API_KEY",
  environment: "dev",
  projectId: "PROJECT_ID",
  path: "/",
  type: "shared"
});
Delete a secret in Infisical.
Cryptography
Create a symmetric key
Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.
const key = client.createSymmetricKey();
Returns (string)
key (string): A base64-encoded, 256-bit symmetric key that can be used for encryption/decryption purposes.
Encrypt symmetric
const { iv, tag, ciphertext } = await client.encryptSymmetric({
  key: key,
  plaintext: "Infisical is awesome!",
});
Parameters
Returns (object)
tag (string): A base64-encoded, 128-bit authentication tag.
iv (string): A base64-encoded, 96-bit initialization vector.
ciphertext (string): A base64-encoded, encrypted ciphertext.
Decrypt symmetric
const decryptedString = await client.decryptSymmetric({
  key: key,
  iv: iv,
  tag: tag,
  ciphertext: ciphertext,
});
Parameters
Returns (string)
plaintext (string): The decrypted plaintext.
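The key, IV and tag sizes documented above match AES-256-GCM, although the page does not name the cipher. Assuming that mode, the added example below (not SDK code; `newKey`, `encryptLocal`, `decryptLocal` and `rejectsTampering` are hypothetical names) reproduces the same base64 field shapes with Node's built-in crypto module and shows why iv, tag and ciphertext must be stored and passed back unmodified.

```javascript
// Added example (not SDK code). Assumption: AES-256-GCM, inferred from the
// 256-bit key, 96-bit IV and 128-bit tag sizes documented on this page.
const crypto = require("node:crypto");

// Hypothetical helper: base64-encoded 256-bit key.
function newKey() {
  return crypto.randomBytes(32).toString("base64");
}

// Hypothetical helper: returns { iv, tag, ciphertext }, all base64.
function encryptLocal({ key, plaintext }) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every message
  const cipher = crypto.createCipheriv("aes-256-gcm", Buffer.from(key, "base64"), iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"), // 16 bytes by default
    ciphertext: body.toString("base64"),
  };
}

// Hypothetical helper: throws if key, iv, tag or ciphertext do not match.
function decryptLocal({ key, iv, tag, ciphertext }) {
  const tagBytes = Buffer.from(tag, "base64");
  if (tagBytes.length !== 16) throw new Error("tag must be 128 bits");
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", Buffer.from(key, "base64"), Buffer.from(iv, "base64"),
    { authTagLength: 16 }
  );
  decipher.setAuthTag(tagBytes);
  const body = Buffer.concat([
    decipher.update(Buffer.from(ciphertext, "base64")),
    decipher.final(), // verifies the tag; throws on any mismatch
  ]);
  return body.toString("utf8");
}

// Flip one bit in a field and report whether decryption rejects it.
function rejectsTampering(key, message, field) {
  const bytes = Buffer.from(message[field], "base64");
  bytes[0] ^= 0x01;
  try {
    decryptLocal({ key, ...message, [field]: bytes.toString("base64") });
    return false;
  } catch {
    return true;
  }
}
```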