Configurations

Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined. However, you can configure additional settings to activate more features as needed.

General platform

Used to configure platform-specific security and operational settings

ENCRYPTION_KEY

string

default:"none"

required

Must be a random 16 byte hex string. Can be generated with openssl rand -hex 16

AUTH_SECRET

string

default:"none"

required

Must be a random 32 byte base64 string. Can be generated with openssl rand -base64 32

SITE_URL

string

default:"none"

Must be an absolute URL including the protocol (e.g. https://app.infisical.com).

Data Layer

The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks

DB_CONNECTION_URI

string

default:""

required

Postgres database connection string.

DB_ROOT_CERT

string

default:""

Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the command below to encode your certificate: echo "<certificate>" | base64

REDIS_URL

string

default:"none"

required

Redis connection string.

Email service

Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.

Generic Configuration

Twilio SendGrid

Create an account and configure SendGrid to send emails.
Create a SendGrid API Key under Settings > API Keys
Set a name for your API Key, we recommend using “Infisical,” and select the “Restricted Key” option. You will need to enable the “Mail Send” permission as shown below:

With the API Key, you can now set your SMTP environment variables:

SMTP_HOST=smtp.sendgrid.net
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

Remember that you will need to restart Infisical for this to work properly.

Mailgun

Create an account and configure Mailgun to send emails.
Obtain your Mailgun credentials in Sending > Overview > SMTP

With your Mailgun credentials, you can now set up your SMTP environment variables:

SMTP_HOST=smtp.mailgun.org # obtained from credentials page
SMTP_USERNAME=postmaster@example.mailgun.org # obtained from credentials page
SMTP_PASSWORD=password # obtained from credentials page
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

AWS SES

Create a verifed identity

This will be used to verify the email you are sending from. Create SES identity

If you AWS SES is under sandbox mode, you will only be able to send emails to verified identies.

Create an account and configure AWS SES

Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials opening AWS SES console

Set up your SMTP environment variables

With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.

SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
SMTP_USERNAME=xxx # your SMTP username
SMTP_PASSWORD=xxx # your SMTP password
SMTP_PORT=587
SMTP_SECURE=false
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

Remember that you will need to restart Infisical for this to work properly.

SocketLabs

Create an account and configure SocketLabs to send emails.
From the dashboard, navigate to SMTP Credentials > SMTP & APIs > SMTP Credentials to obtain your SocketLabs SMTP credentials.

With your SocketLabs SMTP credentials, you can now set up your SMTP environment variables:

SMTP_HOST=smtp.socketlabs.com
SMTP_USERNAME=username # obtained from your credentials
SMTP_PASSWORD=password # obtained from your credentials
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

The SMTP_FROM_ADDRESS environment variable should be an email for an authenticated domain under Configuration > Domain Management in SocketLabs. For example, if you’re using SocketLabs in sandbox mode, then you may use an email like team@sandbox.socketlabs.dev.

Remember that you will need to restart Infisical for this to work properly.

Resend

Create an account on Resend.
Add a Domain.

Create an API Key.

Go to the SMTP page and copy the values.

With the API Key, you can now set your SMTP environment variables variables:

SMTP_HOST=smtp.resend.com
SMTP_USERNAME=resend
SMTP_PASSWORD=YOUR_API_KEY
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@example.com # your email address being used to send out emails
SMTP_FROM_NAME=Infisical

Remember that you will need to restart Infisical for this to work properly.

Gmail

Create an account and enable “less secure app access” in Gmail Account Settings > Security. This will allow applications like Infisical to authenticate with Gmail via your username and password. Gmail secure app access

With your Gmail username and password, you can set your SMTP environment variables:

SMTP_HOST=smtp.gmail.com
SMTP_USERNAME=hey@gmail.com # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@gmail.com
SMTP_FROM_NAME=Infisical

As per the notice by Google, you should note that using Gmail credentials for SMTP configuration will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.

Office365

Create an account and configure Office365 to send emails.
With your login credentials, you can now set up your SMTP environment variables:

SMTP_HOST=smtp.office365.com
SMTP_USERNAME=username@yourdomain.com # your username
SMTP_PASSWORD=password # your password
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=username@yourdomain.com
SMTP_FROM_NAME=Infisical

Zoho Mail

Create an account and configure Zoho Mail to send emails.
With your email credentials, you can now set up your SMTP environment variables:

SMTP_HOST=smtp.zoho.com
SMTP_USERNAME=username # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
SMTP_SECURE=true
SMTP_FROM_ADDRESS=hey@example.com # your personal Zoho email or domain-based email linked to Zoho Mail
SMTP_FROM_NAME=Infisical

You can use either your personal Zoho email address like you@zohomail.com or a domain-based email address like you@yourdomain.com. If using a domain-based email address, then please make sure that you’ve configured and verified it with Zoho Mail.

Remember that you will need to restart Infisical for this to work properly.

By default, users can only login via email/password based login method. To login into Infisical with OAuth providers such as Google, configure the associated variables.

Google

Github

Gitlab

Okta SAML

Azure SAML

JumpCloud SAML

NEXT_PUBLIC_SAML_ORG_SLUG

string

Configure SAML organization slug to automatically redirect all users of your Infisical instance to the identity provider.

Native secret integrations

To help you sync secrets from Infisical to services such as Github and Gitlab, Infisical provides native integrations out of the box.

Heroku

Vercel

Netlify

Github

Bitbucket

GCP Secrets Manager

Azure

Gitlab

Getting Started

Platform

Authentication Methods

Self-host Infisical

Internals

Contributing

General platform

Data Layer

Email service

Native secret integrations

Getting Started

Platform

Authentication Methods

Self-host Infisical

Internals

Contributing

​General platform

​Data Layer

​Email service

​SSO based login

​Native secret integrations

General platform

Data Layer

Email service

SSO based login

Native secret integrations