Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined. However, you can configure additional settings to activate more features as needed.

General platform

Used to configure platform-specific security and operational settings

ENCRYPTION_KEY
string
default:"none"
required

Must be a random 16 byte hex string. Can be generated with openssl rand -hex 16

AUTH_SECRET
string
default:"none"
required

Must be a random 32 byte base64 string. Can be generated with openssl rand -base64 32

SITE_URL
string
default:"none"
required

Must be an absolute URL including the protocol (e.g. https://app.infisical.com).

PORT
int
default:"8080"

Specifies the internal port on which the application listens.

HOST
string
default:"localhost"

Specifies the network interface Infisical will bind to when accepting incoming connections.

By default, Infisical binds to localhost, which restricts access to connections from the same machine.

To make the application accessible externally (e.g., for self-hosted deployments), set this to 0.0.0.0, which tells the server to listen on all network interfaces.

Example values:

  • localhost (default, same as 127.0.0.1)
  • 0.0.0.0 (all interfaces, accessible externally)
  • 192.168.1.100 (specific interface IP)
TELEMETRY_ENABLED
string
default:"true"

Telemetry helps us improve Infisical but if you want to disable it you may set this to false.

ALLOW_INTERNAL_IP_CONNECTIONS
bool
default:"false"

Determines whether App Connections and Dynamic Secrets are permitted to connect with internal/private IP addresses.

CORS

Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain. The following environment variables can be used to configure the Infisical Rest API to allow or restrict access to resources from different origins.

CORS_ALLOWED_ORIGINS
string

Specify a list of origins that are allowed to access the Infisical API.

An example value would be CORS_ALLOWED_ORIGINS=["https://example.com"].

Defaults to the same value as your SITE_URL environment variable.

CORS_ALLOWED_METHODS
string

Array of HTTP methods allowed for CORS requests.

Defaults to reflecting the headers specified in the request’s Access-Control-Request-Headers header.

Data Layer

The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks

PostgreSQL

Please note that the database user you create must be granted all privileges on the Infisical database. This includes the ability to create new schemas, create, update, delete, modify tables and indexes, etc.

DB_CONNECTION_URI
string
default:""
required

Postgres database connection string.

DB_ROOT_CERT
string
default:""

Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the following command to encode your certificate: echo "<certificate>" | base64

DB_READ_REPLICAS
string
default:""

Postgres database read replica connection strings. It accepts a JSON string.

DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}]

Redis

Redis is used for caching and background tasks. You can use either a standalone Redis instance or a Redis Sentinel setup.

REDIS_URL
string
default:"none"
required

Redis connection string.

Email Service

Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.

Authentication

By default, users can only login via email/password based login method. To login into Infisical with OAuth providers such as Google, configure the associated variables.

DEFAULT_SAML_ORG_SLUG
string

When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.

App Connections

You can configure third-party app connections for re-use across Infisical Projects.

Native Secret Integrations

To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.

Secret Scanning

Observability

You can configure Infisical to collect and expose telemetry data for analytics and monitoring.

OTEL_TELEMETRY_COLLECTION_ENABLED
string
default:"false"

Whether or not to collect and expose telemetry data.

OTEL_EXPORT_TYPE
enum

Supported types are prometheus and otlp.

If export type is set to prometheus, metric data will be exposed in port 9464 in the /metrics path.

If export type is set to otlp, you will have to configure a value for OTEL_EXPORT_OTLP_ENDPOINT.

OTEL_EXPORT_OTLP_ENDPOINT
string

Where telemetry data would be pushed to for collection. This is only applicable when OTEL_EXPORT_TYPE is set to otlp.

OTEL_COLLECTOR_BASIC_AUTH_USERNAME
string

The username for authenticating with the telemetry collector.

OTEL_COLLECTOR_BASIC_AUTH_PASSWORD
string

The password for authenticating with the telemetry collector.