Skip to main content
Infisical provides comprehensive monitoring and telemetry capabilities to help you monitor the health, performance, and usage of your self-hosted instance. This guide covers setting up monitoring using Grafana with two different telemetry collection approaches.

Overview

Infisical exports metrics in OpenTelemetry (OTEL) format, which provides maximum flexibility for your monitoring infrastructure. While this guide focuses on Grafana, the OTEL format means you can easily integrate with:
  • Cloud-native monitoring: AWS CloudWatch, Google Cloud Monitoring, Azure Monitor
  • Observability platforms: Datadog, New Relic, Splunk, Dynatrace
  • Custom backends: Any system that supports OTEL ingestion
  • Traditional monitoring: Prometheus, Grafana (as covered in this guide)
Infisical supports two telemetry collection methods:
  1. Pull-based (Prometheus): Exposes metrics on a dedicated endpoint for Prometheus to scrape
  2. Push-based (OTLP): Sends metrics to an OpenTelemetry Collector via OTLP protocol
Both approaches provide the same metrics data in OTEL format, so you can choose the one that best fits your infrastructure and monitoring strategy.

Prerequisites

  • Self-hosted Infisical instance running
  • Access to deploy monitoring services (Prometheus, Grafana, etc.)
  • Basic understanding of Prometheus and Grafana

Setup

Environment Variables

Configure the following environment variables in your Infisical backend: 
# Enable telemetry collection
OTEL_TELEMETRY_COLLECTION_ENABLED=true

# Choose export type: "prometheus" or "otlp"
OTEL_EXPORT_TYPE=prometheus
  • Pull-based Monitoring (Prometheus)
  • Push-based Monitoring (OTLP)
This approach exposes metrics on port 9464 at the /metrics endpoint, allowing Prometheus to scrape the data. The metrics are exposed in Prometheus format but originate from OpenTelemetry instrumentation.

Configuration

1

Enable Prometheus export in Infisical

OTEL_TELEMETRY_COLLECTION_ENABLED=true
OTEL_EXPORT_TYPE=prometheus
2

Expose the metrics port

Expose the metrics port in your Infisical backend:
  • Docker: Expose port 9464
  • Kubernetes: Create a service exposing port 9464
  • Other: Ensure port 9464 is accessible to your monitoring stack
3

Create Prometheus configuration

Create prometheus.yml:
global:
  scrape_interval: 30s
  evaluation_interval: 30s

scrape_configs:
  - job_name: "infisical"
    scrape_interval: 30s
    static_configs:
      - targets: ["infisical-backend:9464"] # Adjust hostname/port based on your deployment
    metrics_path: "/metrics"
Replace infisical-backend:9464 with the actual hostname and port where your Infisical backend is running. This could be:
  • Docker Compose: infisical-backend:9464 (service name)
  • Kubernetes: infisical-backend.default.svc.cluster.local:9464 (service name)
  • Bare Metal: 192.168.1.100:9464 (actual IP address)
  • Cloud: your-infisical.example.com:9464 (domain name)

Deployment Options

Once you’ve configured Infisical to expose metrics, you’ll need to deploy Prometheus to scrape and store them. Below are examples for different deployment environments. Choose the option that matches your infrastructure.
  • Docker Compose
  • Kubernetes
  • Helm
services:
  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    command:
      - "--config.file=/etc/prometheus/prometheus.yml"

  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin

Available Metrics

Infisical exposes the following key metrics in OpenTelemetry format:

Core API Metrics

These metrics track all HTTP API requests to Infisical, including request counts, latency, and errors. Use these to monitor overall API health, identify performance bottlenecks, and track usage patterns across users and machine identities.
Metric Name: infisical.http.server.request.countType: CounterUnit: {request}Description: Total number of API requests to Infisical (covers both human users and machine identities)Attributes:
  • infisical.organization.id (string): Organization ID
  • infisical.organization.name (string): Organization name (e.g., “Platform Engineering Team”)
  • infisical.user.id (string, optional): User ID if human user
  • infisical.user.email (string, optional): User email (e.g., “[email protected]”)
  • infisical.identity.id (string, optional): Machine identity ID
  • infisical.identity.name (string, optional): Machine identity name (e.g., “prod-k8s-operator”)
  • infisical.auth.method (string, optional): Auth method used
  • http.request.method (string): HTTP method (GET, POST, PUT, DELETE)
  • http.route (string): API endpoint route pattern
  • http.response.status_code (int): HTTP status code
  • infisical.project.id (string, optional): Project ID
  • infisical.project.name (string, optional): Project name
  • user_agent.original (string, optional): User agent string
  • client.address (string, optional): IP address
Metric Name: infisical.http.server.request.durationType: HistogramUnit: s (seconds)Description: API request latencyBuckets: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]Attributes:
  • infisical.organization.id (string): Organization ID
  • infisical.organization.name (string): Organization name
  • infisical.user.id (string, optional): User ID if human user
  • infisical.user.email (string, optional): User email
  • infisical.identity.id (string, optional): Machine identity ID
  • infisical.identity.name (string, optional): Machine identity name
  • http.request.method (string): HTTP method
  • http.route (string): API endpoint route pattern
  • http.response.status_code (int): HTTP status code
  • infisical.project.id (string, optional): Project ID
  • infisical.project.name (string, optional): Project name
Metric Name: infisical.http.server.error.countType: CounterUnit: {error}Description: API errors grouped by actor (for identifying misconfigured services)Attributes:
  • infisical.organization.id (string): Organization ID
  • infisical.organization.name (string): Organization name
  • infisical.user.id (string, optional): User ID if human
  • infisical.user.email (string, optional): User email
  • infisical.identity.id (string, optional): Identity ID if machine
  • infisical.identity.name (string, optional): Identity name
  • http.route (string): API endpoint where error occurred
  • http.request.method (string): HTTP method
  • error.type (string): Error category/type (client_error, server_error, auth_error, rate_limit_error, etc.)
  • infisical.project.id (string, optional): Project ID
  • infisical.project.name (string, optional): Project name
  • client.address (string, optional): IP address
  • user_agent.original (string, optional): User agent information

Secret Operations Metrics

These metrics provide visibility into secret access patterns, helping you understand which secrets are being accessed, by whom, and from where. Essential for security auditing and access pattern analysis.
Metric Name: infisical.secret.read.countType: CounterUnit: {operation}Description: Number of secret read operationsAttributes:
  • infisical.organization.id (string): Organization ID
  • infisical.organization.name (string): Organization name
  • infisical.project.id (string): Project ID
  • infisical.project.name (string): Project name (e.g., “payment-service-secrets”)
  • infisical.environment (string): Environment (dev, staging, prod)
  • infisical.secret.path (string): Path to secrets (e.g., “/microservice-a/database”)
  • infisical.secret.name (string, optional): Name of secret
  • infisical.user.id (string, optional): User ID if human
  • infisical.user.email (string, optional): User email
  • infisical.identity.id (string, optional): Machine identity ID
  • infisical.identity.name (string, optional): Machine identity name
  • user_agent.original (string, optional): User agent/SDK information
  • client.address (string, optional): IP address

Authentication Metrics

These metrics track authentication attempts and outcomes, enabling you to monitor login success rates, detect potential security threats, and identify authentication issues.
Metric Name: infisical.auth.attempt.countType: CounterUnit: {attempt}Description: Authentication attempts (both successful and failed)Attributes:
  • infisical.organization.id (string): Organization ID
  • infisical.organization.name (string): Organization name
  • infisical.user.id (string, optional): User ID if human (if identifiable)
  • infisical.user.email (string, optional): User email (if identifiable)
  • infisical.identity.id (string, optional): Identity ID if machine (if identifiable)
  • infisical.identity.name (string, optional): Identity name (if identifiable)
  • infisical.auth.method (string): Authentication method attempted
  • infisical.auth.result (string): success or failure
  • error.type (string, optional): Reason for failure if failed (invalid_credentials, expired_token, invalid_token, etc.)
  • client.address (string): IP address
  • user_agent.original (string, optional): User agent/client information
  • infisical.auth.attempt.username (string, optional): Attempted username/email (if available)

Integration & Secret Sync Metrics

These metrics monitor secret synchronization operations between Infisical and external systems, helping you track sync health, identify integration failures, and troubleshoot connectivity issues.
Integration secret sync error count
  • Labels: version, integration, integrationId, type, status, name, projectId
  • Example: Monitor integration sync failures across different services
Secret sync operation error count
  • Labels: version, destination, syncId, projectId, type, status, name
  • Example: Track secret sync failures to external systems
Secret import operation error count
  • Labels: version, destination, syncId, projectId, type, status, name
  • Example: Monitor secret import failures
Secret removal operation error count
  • Labels: version, destination, syncId, projectId, type, status, name
  • Example: Track secret removal operation failures

System Metrics

These low-level HTTP metrics are automatically collected by OpenTelemetry’s instrumentation layer, providing baseline performance data for all HTTP traffic.
HTTP server request duration metrics (histogram buckets, count, sum)
HTTP client request duration metrics (histogram buckets, count, sum)

Troubleshooting

If your metrics are not showing up in Prometheus or your monitoring system, check the following:
  • Verify OTEL_TELEMETRY_COLLECTION_ENABLED=true is set in your Infisical environment variables
  • Ensure the correct OTEL_EXPORT_TYPE is set (prometheus or otlp)
  • Check network connectivity between Infisical and your monitoring services (Prometheus or OTLP collector)
  • For pull-based monitoring: Verify port 9464 is exposed and accessible
  • For push-based monitoring: Verify the OTLP endpoint URL is correct and reachable
  • Check Infisical backend logs for any errors related to metrics export
If you’re experiencing authentication errors with the OpenTelemetry Collector:
  • Verify basic auth credentials in your OTLP configuration match between Infisical and the collector
  • Check that OTEL_COLLECTOR_BASIC_AUTH_USERNAME and OTEL_COLLECTOR_BASIC_AUTH_PASSWORD match the credentials in your otel-collector-config.yaml
  • Ensure the htpasswd format in the collector configuration is correct
  • Test the collector endpoint manually using curl with the same credentials to verify they work