The Infisical SDK provides a convenient way to interact with the Infisical API.
npm install @infisical/sdk
import { InfisicalSDK } from '@infisical/sdk'
const client = new InfisicalSDK({
siteUrl: "your-infisical-instance.com" // Optional, defaults to https://app.infisical.com
});
// Authenticate with Infisical
await client.auth().universalAuth.login({
clientId: "<machine-identity-client-id>",
clientSecret: "<machine-identity-client-secret>"
});
const allSecrets = await client.secrets().listSecrets({
environment: "dev", // stg, dev, prod, or custom environment slugs
projectId: "<your-project-id>"
});
console.log("Fetched secrets", allSecrets)
The SDK methods are organized into the following high-level categories:
-
auth
: Handles authentication methods. -
secrets
: Manages CRUD operations for secrets.
The Auth
component provides methods for authentication:
await client.auth().universalAuth.login({
clientId: "<machine-identity-client-id>",
clientSecret: "<machine-identity-client-secret>"
});
Parameters:
-
options
(object):-
clientId
(string): The client ID of your Machine Identity. -
clientSecret
(string): The client secret of your Machine Identity.
-
By default, when you run a successful .login()
method call, the access token returned will be auto set for the client instance. However, if you wish to set the access token manually, you may use this method.
client.auth().accessToken("<your-access-token>")
Parameters:
-
accessToken
(string): The access token to be used for authentication. This should not include "Bearer".
[!NOTE]
AWS IAM auth only works when the SDK is being used from within an AWS service, such as Lambda, EC2, etc.
await client.auth().awsIamAuth.login({
identityId: "<your-identity-id>"
})
Parameters:
-
options
(object):-
identityId
(string): The ID of your identity
-
This sub-class handles operations related to secrets:
const allSecrets = await client.secrets().listSecrets({
environment: "dev",
projectId: "<your-project-id>",
expandSecretReferences: true,
includeImports: false,
recursive: false,
secretPath: "/foo/bar"
});
Parameters:
-
projectId
(string): The ID of your project. -
environment
(string): The environment in which to list secrets (e.g., "dev"). -
secretPath
(str): The path to the secrets. -
expandSecretReferences
(bool): Whether to expand secret references. -
recursive
(bool): Whether to list secrets recursively. -
includeImports
(bool): Whether to include imported secrets. -
tagFilters
(string[]): Tags to filter secrets.
Returns:
-
ApiV3SecretsRawGet200Response
: The response containing the list of secrets.
const newSecret = await client.secrets().createSecret("SECRET_NAME", {
environment: "dev",
projectId: "<your-project-id>",
secretValue: "SECRET_VALUE",
secretComment: "This is a new secret", // Optional
secretPath: "/foo/bar", // Optional
secretReminderNote: "This is a reminder note", // Optional
secretReminderRepeatDays: 7, // Optional
skipMultilineEncoding: false, // Optional
tagIds: ["tagId1", "tagId2"], // Optional
type: "personal" // Optional
});
Parameters:
-
secretName
(string): The name of the secret to create -
options
(object):-
projectId
(string): The ID of your project. -
environment
(str): The environment in which to create the secret. -
secretValue
(str): The value of the secret. -
secretPath
(string, optional): The path to the secret. -
secretComment
(str, optional): A comment associated with the secret. -
skipMultilineEncoding
(bool, optional): Whether to skip encoding for multiline secrets. -
secretReminderNote
(string, optional): A note for the secret reminder. -
secretReminderRepeatDays
(number, optional): Number of days after which to repeat secret reminders. -
tagIds
(string[], optional): Array of tags to assign to the new secret. -
type
(personal | shared, optional): Which type of secret to create.
-
Returns:
-
ApiV3SecretsRawSecretNamePost200Response
: The response after creating the secret.
const updatedSecret = await client.secrets().updateSecret("SECRET_TO_UPDATE", {
environment: "dev",
projectId: "<your-project-id>",
secretValue: "UPDATED_SECRET_VALUE",
newSecretName: "NEW_SECRET_NAME2", // Optional
secretComment: "This is an updated secret", // Optional
secretPath: "/foo/bar", // Optional
secretReminderNote: "This is an updated reminder note", // Optional
secretReminderRepeatDays: 14, // Optional
skipMultilineEncoding: false, // Optional
tagIds: ["tagId1", "tagId2"], // Optional
type: "personal", // Optional
metadata: { // Optional
extra: "metadata"
}
});
Parameters:
-
secretName
(string): The name of the secret to update.` -
options
(object):-
environment
(str): The environment in which to update the secret. -
projectId
(str): The ID of your project. -
secretValue
(str, optional): The new value of the secret. -
newSecretName
(str, optional): A new name for the secret. -
secretComment
(str, optional): An updated comment associated with the secret. -
secretPath
(str): The path to the secret. -
secretReminderNote
(str, optional): An updated note for the secret reminder. -
secretReminderRepeatDays
(number, optional): Updated number of days after which to repeat secret reminders. -
skipMultilineEncoding
(bool, optional): Whether to skip encoding for multiline secrets. -
tagIds
(string[], optional): Array of tags to assign to the secret. -
type
(personal | shared, optional): Which type of secret to create. -
metadata
(object, optional): Assign additional details to the secret, accessible through the API.
-
Returns:
-
ApiV3SecretsRawSecretNamePost200Response
: The response after updating the secret.
const singleSecret = await client.secrets().getSecret({
environment: "dev",
projectId: "<your-project-id>",
secretName: "DATABASE_URL",
expandSecretReferences: true, // Optional
includeImports: true, // Optional
secretPath: "/foo/bar", // Optional
type: "shared", // Optional
version: 1 // Optional
});
Parameters:
-
environment
(str): The environment in which to retrieve the secret. -
projectId
(str): The ID of your project. -
secretName
(str): The name of the secret. -
secretPath
(str, optional): The path to the secret. -
expandSecretReferences
(bool, optional): Whether to expand secret references. -
includeImports
(bool): Whether to include imported secrets. -
version
(str, optional): The version of the secret to retrieve. Fetches the latest by default. -
type
(personal | shared, optional): The type of secret to fetch.
Returns:
-
ApiV3SecretsRawSecretNameGet200Response
: The response containing the secret.
const deletedSecret = await client.secrets().deleteSecret("SECRET_TO_DELETE", {
environment: "dev",
projectId: "<your-project-id>",
secretPath: "/foo/bar", // Optional
type: "personal" // Optional
});
Parameters:
-
secretName
(string): The name of the secret to delete. -
options
(object):-
projectId
(str): The ID of your project. -
environment
(str): The environment in which to delete the secret. -
secret_path
(str, optional): The path to the secret. -
type
(personal | shared, optional): The type of secret to delete.
-
Returns:
-
ApiV3SecretsRawSecretNamePost200Response
: The response after deleting the secret.
Creating a new dynamic secret can be done by using the .dynamicSecrets().create({})
function. More details below.
The input for creating new dynamic secret varies greatly between secret types. For a more in-depth description of each input type for each dynamic secret type, please refer to our API documentation
import { InfisicalSDK, DynamicSecretProviders } from "@infisical/sdk";
const client = new InfisicalSDK();
await client.auth().universalAuth.login({
// For localhost
clientId: "CLIENT_ID",
clientSecret: "CLIENT_SECRET"
});
const dynamicSecret = await client.dynamicSecrets().create({
provider: {
type: DynamicSecretProviders.Redis,
inputs: {
host: "<redis-host>",
port: 6479,
username: "<redis-username>",
password: "<redis-password>", // Only required if your Redis instance uses authentication (recommended)
creationStatement: "ACL SETUSER {{username}} on >{{password}} ~* &* +@all",
revocationStatement: "ACL DELUSER {{username}}"
}
},
defaultTTL: "1h",
maxTTL: "24h",
name: "dynamic-secret-name",
projectSlug: "project-slug",
environmentSlug: "dev"
});
console.log(dynamicSecret);
Returns:
-
ApiV1DynamicSecretsPost200Response['dynamicSecret']
: The response after creating the dynamic secret
Note: Deleting a dynamic secret will also delete it's associated leases.
const deletedDynamicSecret = await client.dynamicSecrets().delete("dynamic-secret-name", {
environmentSlug: "dev",
projectSlug: "project-slug"
});
Parameters:
-
secretName
(string): The ID of the dynamic secret to delete -
options
(object):-
projectSlug
(str): The ID of your project. -
environment
(str): The environment in which to delete the secret.
-
Returns:
-
ApiV1DynamicSecretsDelete200Response['dynamicSecret']
: The response after deleting the dynamic secret
In this section you'll learn how to work with dynamic secret leases
const lease = await client.dynamicSecrets().leases.create({
dynamicSecretName: "dynamic-secret-name",
environmentSlug: "dev",
projectSlug: "your-project-slug",
path: "/foo/bar",
ttl: "5m" // Optional
});
console.log(lease);
Your dynamic secret credentials will be contained user lease.data
in this example.
Parameters:
-
dynamicSecretName
(string): The name of the dynamic secret you wish to create a lease for. -
projectSlug
(string): The slug of the project where the secret is located. -
environmentSlug
(string): The environment where the dynamic secret is located. -
path
(string, optional): The path of where the dynamic secret is located. -
ttl
(string, optional): A vercel/ms encoded string representation of how long the lease credentials should be valid for. This will default to the dynamic secret's default TTL if not specified.
Returns:
-
ApiV1DynamicSecretsLeasesPost200Response
: The dynamic secret lease result.
const deletedLease = await client.dynamicSecrets().leases.delete(newLease.lease.id, {
environmentSlug: "dev",
projectSlug: "test-zb-3a",
path: "/foo/bar",
isForced: false // Wether or not to forcefully delete the lease. This can't guarantee that the lease will be deleted from the external provider.
});
Parameters:
-
leaseId
(string): The ID of the lease you want to delete. - options:
-
projectSlug
(string): The slug of the project where the secret is located. -
environmentSlug
(string): The environment where the dynamic secret is located. -
path
(string, optional): The path of where the dynamic secret is located. -
isForced
(bool, optional): Wether or not to forcefully delete the lease. This can't guarantee that the lease will be deleted from the external provider, and is potentially unsafe for sensitive dynamic secrets.
-
Returns:
-
ApiV1DynamicSecretsLeasesLeaseIdDelete200Response
: The deleted lease result.
Please note that renewals must happen before the lease has fully expired. After renewing the lease, you won't be given new credentials. Instead the existing credentials will continue to live for the specified TTL
const renewedLease = await client.dynamicSecrets().leases.renew(newLease.lease.id, {
environmentSlug: "dev",
projectSlug: "project-slug",
path: "/foo/bar", // Optional
ttl: "10m" // Optional
});
Parameters:
-
leaseId
(string): The ID of the lease you want to delete. -
options
(object):-
projectSlug
(string): The slug of the project where the secret is located. -
environmentSlug
(string): The environment where the dynamic secret is located. -
path
(string, optional): The path of where the dynamic secret is located. -
ttl
(string, optional): A vercel/ms encoded string representation of how long the lease credentials should be valid for. This will default to the dynamic secret's default TTL if not specified.
-
Returns:
-
ApiV1DynamicSecretsLeasesLeaseIdDelete200Response
: The renewed lease response (doesn't contain new credentials).