Read how to configure environment variables for self-hosted Infisical.
Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined.
However, you can configure additional settings to activate more features as needed.
The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
DB_CONNECTION_URI
string
default: ""required
Postgres database connection string.
DB_ROOT_CERT
string
default: ""
Configure the SSL certificate for securing a Postgres connection by first encoding it in base64.
Use the command below to encode your certificate:
echo "<certificate>" | base64
REDIS_URL
string
default: "none"required
Redis connection string.
DB_READ_REPLICAS
string
default: ""
Postgres database read replica connection strings. It accepts a JSON string.
DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}]
DB_CONNECTION_URI
string
default: ""required
Postgres read replica connection string.
DB_ROOT_CERT
string
default: ""
Configure the SSL certificate for securing a Postgres replica connection by first encoding it in base64.
Use the command below to encode your certificate:
echo "<certificate>" | base64
If not provided it will use master SSL certificate.
Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
SMTP_HOST
string
default: "none"
Hostname to connect to for establishing SMTP connections
SMTP_PORT
string
default: "587"
Port to connect to for establishing SMTP connections
If this is true and SMTP_PORT is not 465 then TLS is not used even if the
server supports STARTTLS extension.
SMTP_REQUIRE_TLS
bool
default: "true"
If this is true and SMTP_PORT is not 465 then Infisical tries to use
STARTTLS even if the server does not advertise support for it. If the
connection can not be encrypted then message is not sent.
SMTP_TLS_REJECT_UNAUTHORIZED
bool
default: "true"
If this is true, Infisical will validate the server’s SSL/TLS certificate and reject the connection if the certificate is invalid or not trusted. If set to false, the client will accept the server’s certificate regardless of its validity, which can be useful in development or testing environments but is not recommended for production use.
Create an account and configure SendGrid to send emails.
Create a SendGrid API Key under Settings > API Keys
Set a name for your API Key, we recommend using “Infisical,” and select the “Restricted Key” option. You will need to enable the “Mail Send” permission as shown below:
With the API Key, you can now set your SMTP environment variables:
SMTP_HOST=smtp.sendgrid.net
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
Remember that you will need to restart Infisical for this to work properly.
Create an account and configure Mailgun to send emails.
Obtain your Mailgun credentials in Sending > Overview > SMTP
With your Mailgun credentials, you can now set up your SMTP environment variables:
SMTP_HOST=smtp.mailgun.org # obtained from credentials page
[email protected] # obtained from credentials page
SMTP_PASSWORD=password # obtained from credentials page
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
1
Create a verifed identity
This will be used to verify the email you are sending from.
If you AWS SES is under sandbox mode, you will only be able to send emails to verified identies.
2
Create an account and configure AWS SES
Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
3
Set up your SMTP environment variables
With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.
SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
SMTP_USERNAME=xxx # your SMTP username
SMTP_PASSWORD=xxx # your SMTP password
SMTP_PORT=465
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
Remember that you will need to restart Infisical for this to work properly.
Create an account and configure SocketLabs to send emails.
From the dashboard, navigate to SMTP Credentials > SMTP & APIs > SMTP Credentials to obtain your SocketLabs SMTP credentials.
With your SocketLabs SMTP credentials, you can now set up your SMTP environment variables:
SMTP_HOST=smtp.socketlabs.com
SMTP_USERNAME=username # obtained from your credentials
SMTP_PASSWORD=password # obtained from your credentials
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
The SMTP_FROM_ADDRESS environment variable should be an email for an
authenticated domain under Configuration > Domain Management in SocketLabs.
For example, if you’re using SocketLabs in sandbox mode, then you may use an
email like [email protected].
Remember that you will need to restart Infisical for this to work properly.
With the API Key, you can now set your SMTP environment variables variables:
SMTP_HOST=smtp.resend.com
SMTP_USERNAME=resend
SMTP_PASSWORD=YOUR_API_KEY
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
Remember that you will need to restart Infisical for this to work properly.
Create an account and enable “less secure app access” in Gmail Account Settings > Security. This will allow
applications like Infisical to authenticate with Gmail via your username and password.
With your Gmail username and password, you can set your SMTP environment variables:
SMTP_HOST=smtp.gmail.com
[email protected] # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected]
SMTP_FROM_NAME=Infisical
As per the notice by Google, you should note that using Gmail credentials for SMTP configuration
will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.
Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
Create an account and configure Office365 to send emails.
With your login credentials, you can now set up your SMTP environment variables:
SMTP_HOST=smtp.office365.com
[email protected] # your username
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected]
SMTP_FROM_NAME=Infisical
Create an account and configure Zoho Mail to send emails.
With your email credentials, you can now set up your SMTP environment variables:
SMTP_HOST=smtp.zoho.com
SMTP_USERNAME=username # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected] # your personal Zoho email or domain-based email linked to Zoho Mail
SMTP_FROM_NAME=Infisical
You can use either your personal Zoho email address like [email protected] or
a domain-based email address like [email protected]. If using a
domain-based email address, then please make sure that you’ve configured and
verified it with Zoho Mail.
Remember that you will need to restart Infisical for this to work properly.
Create an account and configure SMTP2Go to send emails.
Turn on SMTP authentication
SMTP_HOST=mail.smtp2go.com
SMTP_PORT=You can use one of the following ports: 2525, 80, 25, 8025, or 587
SMTP_USERNAME=username #Your SMTP2GO account's SMTP username
SMTP_PASSWORD=password #Your SMTP2GO account's SMTP password
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
Optional (for TLS/SSL):
TLS: Available on the same ports (2525, 80, 25, 8025, or 587)
SSL: Available on ports 465, 8465, and 443
By default, users can only login via email/password based login method.
To login into Infisical with OAuth providers such as Google, configure the associated variables.
DEFAULT_SAML_ORG_SLUG
string
When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.