Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined. However, you can configure additional settings to activate more features as needed.

General platform

Used to configure platform-specific security and operational settings.
ENCRYPTION_KEY
string
default:"none"
required
Must be a random 16 byte hex string. Can be generated with openssl rand -hex 16
AUTH_SECRET
string
default:"none"
required
Must be a random 32 byte base64 string. Can be generated with openssl rand -base64 32
SITE_URL
string
default:"none"
Must be an absolute URL including the protocol (e.g. https://app.infisical.com).

Data Layer

The platform uses Postgres to persist all of its data and Redis for caching and background tasks.
DB_CONNECTION_URI
string
default:""
required
Postgres database connection string.
DB_ROOT_CERT
string
default:""
Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the command below to encode your certificate: echo "<certificate>" | base64
REDIS_URL
string
default:"none"
required
Redis connection string.
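
A preflight check for the General platform and Data Layer variables above, as an added example that is not part of Infisical's own code or documentation. It tests each value against the format this page states; the accepted URI schemes and the PEM form of DB_ROOT_CERT are assumptions, and check_env and SAMPLE_ENV are names introduced here.

```python
import base64
import re
from urllib.parse import urlparse

REQUIRED = ("ENCRYPTION_KEY", "AUTH_SECRET", "DB_CONNECTION_URI", "REDIS_URL")
# Assumption: both connection strings are URIs with these conventional schemes.
SCHEMES = {"DB_CONNECTION_URI": ("postgres", "postgresql"),
           "REDIS_URL": ("redis", "rediss")}

def _b64(value):
    """Strictly decode base64, tolerating line wraps; None if invalid."""
    try:
        return base64.b64decode("".join(value.split()), validate=True)
    except ValueError:
        return None

def check_env(env):
    """Return a list of problems found in a mapping of Infisical variables."""
    problems = [f"{n}: required but not set" for n in REQUIRED if not env.get(n)]
    key = env.get("ENCRYPTION_KEY")
    # 16 random bytes printed as hex are exactly 32 hex characters.
    if key and not re.fullmatch(r"[0-9a-fA-F]{32}", key):
        problems.append("ENCRYPTION_KEY: expected 32 hex characters (16 bytes)")
    secret = env.get("AUTH_SECRET")
    if secret and len(_b64(secret) or b"") != 32:
        problems.append("AUTH_SECRET: expected base64 decoding to 32 bytes")
    for name, schemes in SCHEMES.items():
        if env.get(name) and urlparse(env[name]).scheme not in schemes:
            problems.append(f"{name}: scheme should be one of {schemes}")
    site = env.get("SITE_URL")
    if site:
        parsed = urlparse(site)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append("SITE_URL: must be an absolute URL with protocol")
    cert = env.get("DB_ROOT_CERT")
    # Assumption: the certificate is PEM; catches a raw, unencoded paste.
    if cert and b"-----BEGIN CERTIFICATE-----" not in (_b64(cert) or b""):
        problems.append("DB_ROOT_CERT: not a base64-encoded PEM certificate")
    return problems

# Constructed sample values for illustration; generate real ones with openssl.
SAMPLE_ENV = {
    "ENCRYPTION_KEY": "00112233445566778899aabbccddeeff",
    "AUTH_SECRET": base64.b64encode(bytes(range(32))).decode(),
    "DB_CONNECTION_URI": "postgres://user:pass@db.example.internal:5432/infisical",
    "REDIS_URL": "redis://redis.example.internal:6379",
}

if __name__ == "__main__":
    import os
    for problem in check_env(os.environ):
        print(problem)
```

Run it in the same environment the instance will start with; no output means every check passed.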

Email service

Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.

SSO based login

By default, users can only log in with the email/password method. To log in to Infisical with OAuth providers such as Google, configure the associated variables.
NEXT_PUBLIC_SAML_ORG_SLUG
string
Configure the SAML organization slug to automatically redirect all users of your Infisical instance to the identity provider.

Native secret integrations

To help you sync secrets from Infisical to services such as GitHub and GitLab, Infisical provides native integrations out of the box.