Environment Variables
Read how to configure environment variables for self-hosted Infisical.
Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY
, AUTH_SECRET
, DB_CONNECTION_URI
and REDIS_URL
must be defined.
However, you can configure additional settings to activate more features as needed.
General platform
Used to configure platform-specific security and operational settings
Must be a random 16 byte hex string. Can be generated with openssl rand -hex 16
Must be a random 32 byte base64 string. Can be generated with openssl rand -base64 32
Must be an absolute URL including the protocol (e.g. https://app.infisical.com).
Specifies the internal port on which the application listens.
Specifies the network interface Infisical will bind to when accepting incoming connections.
By default, Infisical binds to localhost
, which restricts access to connections from the same machine.
To make the application accessible externally (e.g., for self-hosted deployments), set this to 0.0.0.0
, which tells the server to listen on all network interfaces.
Example values:
localhost
(default, same as127.0.0.1
)0.0.0.0
(all interfaces, accessible externally)192.168.1.100
(specific interface IP)
Telemetry helps us improve Infisical but if you want to disable it you may set
this to false
.
Determines whether App Connections and Dynamic Secrets are permitted to connect with internal/private IP addresses.
Determines whether your Infisical instance can automatically read the service account token of the pod it’s running on. Used for features such as the IRSA auth method.
CORS
Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain. The following environment variables can be used to configure the Infisical Rest API to allow or restrict access to resources from different origins.
Specify a list of origins that are allowed to access the Infisical API.
An example value would be CORS_ALLOWED_ORIGINS=["https://example.com"]
.
Defaults to the same value as your SITE_URL
environment variable.
Array of HTTP methods allowed for CORS requests.
Defaults to reflecting the headers specified in the request’s Access-Control-Request-Headers header.
Data Layer
The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
PostgreSQL
Please note that the database user you create must be granted all privileges on the Infisical database. This includes the ability to create new schemas, create, update, delete, modify tables and indexes, etc.
Postgres database connection string.
Configure the SSL certificate for securing a Postgres connection by first encoding it in base64.
Use the following command to encode your certificate: echo "<certificate>" | base64
Postgres database read replica connection strings. It accepts a JSON string.
Redis
Redis is used for caching and background tasks. You can use either a standalone Redis instance or a Redis Sentinel setup.
Redis connection string.
Redis connection string.
Comma-separated list of Sentinel host:port pairs. 192.168.65.254:26379,192.168.65.254:26380
The name of the Redis master set monitored by Sentinel
Whether to use TLS/SSL for Redis Sentinel connection
Authentication username for Redis Sentinel
Authentication password for Redis Sentinel
Email Service
Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
Generic Configuration
Generic Configuration
Hostname to connect to for establishing SMTP connections
Port to connect to for establishing SMTP connections
Credential to connect to host (e.g. [email protected])
Credential to connect to host
Email address to be used for sending emails
Name label to be used in From field (e.g. Team)
If this is true
and SMTP_PORT
is not 465 then TLS is not used even if the
server supports STARTTLS extension.
If this is true
and SMTP_PORT
is not 465 then Infisical tries to use
STARTTLS even if the server does not advertise support for it. If the
connection can not be encrypted then message is not sent.
If this is true
, Infisical will validate the server’s SSL/TLS certificate
and reject the connection if the certificate is invalid or not trusted. If set
to false
, the client will accept the server’s certificate regardless of its
validity, which can be useful in development or testing environments but is
not recommended for production use.
If your SMTP server uses a certificate signed by a custom Certificate Authority, you should set this variable so that Infisical can trust the custom CA.
This variable must be a base64 encoded PEM certificate. Use the following command to encode your certificate: echo "<certificate>" | base64
Infisical highly encourages the following variables be used alongside this one for maximum security:
SMTP_REQUIRE_TLS=true
SMTP_TLS_REJECT_UNAUTHORIZED=true
Twilio SendGrid
Twilio SendGrid
- Create an account and configure SendGrid to send emails.
- Create a SendGrid API Key under Settings > API Keys
- Set a name for your API Key, we recommend using “Infisical,” and select the “Restricted Key” option. You will need to enable the “Mail Send” permission as shown below:
- With the API Key, you can now set your SMTP environment variables:
Remember that you will need to restart Infisical for this to work properly.
Mailgun
Mailgun
- Create an account and configure Mailgun to send emails.
- Obtain your Mailgun credentials in Sending > Overview > SMTP
- With your Mailgun credentials, you can now set up your SMTP environment variables:
AWS SES
AWS SES
Create a verifed identity
This will be used to verify the email you are sending from.
If you AWS SES is under sandbox mode, you will only be able to send emails to verified identies.
Create an account and configure AWS SES
Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
Set up your SMTP environment variables
With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.
Remember that you will need to restart Infisical for this to work properly.
SocketLabs
SocketLabs
- Create an account and configure SocketLabs to send emails.
- From the dashboard, navigate to SMTP Credentials > SMTP & APIs > SMTP Credentials to obtain your SocketLabs SMTP credentials.
- With your SocketLabs SMTP credentials, you can now set up your SMTP environment variables:
The SMTP_FROM_ADDRESS
environment variable should be an email for an
authenticated domain under Configuration > Domain Management in SocketLabs.
For example, if you’re using SocketLabs in sandbox mode, then you may use an
email like [email protected]
.
Remember that you will need to restart Infisical for this to work properly.
Resend
Resend
Gmail
Gmail
Create an account and enable “less secure app access” in Gmail Account Settings > Security. This will allow applications like Infisical to authenticate with Gmail via your username and password.
With your Gmail username and password, you can set your SMTP environment variables:
As per the notice by Google, you should note that using Gmail credentials for SMTP configuration will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.
Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
Office365
Office365
-
Create an account and configure Office365 to send emails.
-
With your login credentials, you can now set up your SMTP environment variables:
Zoho Mail
Zoho Mail
-
Create an account and configure Zoho Mail to send emails.
-
With your email credentials, you can now set up your SMTP environment variables:
You can use either your personal Zoho email address like [email protected]
or
a domain-based email address like [email protected]
. If using a
domain-based email address, then please make sure that you’ve configured and
verified it with Zoho Mail.
Remember that you will need to restart Infisical for this to work properly.
SMTP2Go
SMTP2Go
- Create an account and configure SMTP2Go to send emails.
- Turn on SMTP authentication
Optional (for TLS/SSL):
TLS: Available on the same ports (2525, 80, 25, 8025, or 587) SSL: Available on ports 465, 8465, and 443
Authentication
By default, users can only login via email/password based login method. To login into Infisical with OAuth providers such as Google, configure the associated variables.
When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
Google
Follow detailed guide to configure Google SSO
OAuth2 client ID for Google login
OAuth2 client secret for Google login
Github
Github
Follow detailed guide to configure GitHub SSO
OAuth2 client ID for GitHub login
OAuth2 client secret for GitHub login
Gitlab
Gitlab
Follow detailed guide to configure GitLab SSO
OAuth2 client ID for GitLab login
OAuth2 client secret for GitLab login
URL of your self-hosted instance of GitLab where the OAuth application is registered
Okta SAML
Okta SAML
Requires enterprise license. Please contact [email protected] to get more information.
Azure SAML
Azure SAML
Requires enterprise license. Please contact [email protected] to get more information.
JumpCloud SAML
JumpCloud SAML
Requires enterprise license. Please contact [email protected] to get more information.
App Connections
You can configure third-party app connections for re-use across Infisical Projects.
AWS Assume Role Connection
AWS Assume Role Connection
GitHub App Connection
GitHub App Connection
The ID of the GitHub App
The slug of the GitHub App
The client ID for the GitHub App
The client secret for the GitHub App
The private key for the GitHub App
GitHub Radar App Connection
GitHub Radar App Connection
The ID of the GitHub Radar App
The slug of the GitHub Radar App
The client ID for the GitHub Radar App
The client secret for the GitHub Radar App
The private key for the GitHub Radar App
The webhook secret configured for payload verification in the GitHub Radar App
GitHub OAuth Connection
GitHub OAuth Connection
GitLab OAuth Connection
GitLab OAuth Connection
Native Secret Integrations
To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.
Heroku
Heroku
Vercel
Vercel
Netlify
Netlify
Github
Github
Bitbucket
Bitbucket
GCP Secrets Manager
GCP Secrets Manager
AWS Integration
AWS Integration
Azure
Azure
Gitlab
Gitlab
Secret Scanning
GitHub
GitHub
The App ID of your GitHub App.
The slug of your GitHub App.
A private key for your GitHub App.
The webhook secret of your GitHub App.
Observability
You can configure Infisical to collect and expose telemetry data for analytics and monitoring.
Whether or not to collect and expose telemetry data.
Supported types are prometheus
and otlp
.
If export type is set to prometheus
, metric data will be exposed in port 9464 in the /metrics
path.
If export type is set to otlp
, you will have to configure a value for OTEL_EXPORT_OTLP_ENDPOINT
.
Where telemetry data would be pushed to for collection. This is only
applicable when OTEL_EXPORT_TYPE
is set to otlp
.
The username for authenticating with the telemetry collector.
The password for authenticating with the telemetry collector.
Identity Auth Method
The TLS header used to propagate the client certificate from the load balancer to the server.
Environment Variable Overrides
If you can’t directly access and modify environment variables, you can update them using the Server Admin Console.