Infisical is an open-source secret management platform — simpler than Vault, more powerful than .env files. End-to-end encrypted, with SDKs for every language.
Why Infisical?
- E2E encrypted: Secrets encrypted client-side
- Dashboard: Beautiful web UI for managing secrets
- Secret rotation: Auto-rotate database passwords, API keys
- Integrations: GitHub Actions, Vercel, AWS, Kubernetes
- Versioning: Full audit trail and version history
- CLI: Inject secrets into any process
- Free tier: Unlimited secrets for small teams
Self-Host
git clone https://github.com/Infisical/infisical.git
cd infisical
docker compose -f docker-compose.prod.yml up -d
Dashboard at http://localhost:8080
CLI: Inject Secrets
# Install CLI
brew install infisical/get-cli/infisical
# Login
infisical login
# Run any command with secrets injected
infisical run -- npm start
infisical run -- python app.py
infisical run -- docker compose up
Secrets are injected as environment variables — no code changes needed.
API: Get Secrets
curl https://app.infisical.com/api/v3/secrets/raw \
-H 'Authorization: Bearer YOUR_TOKEN' \
-G -d 'workspaceId=PROJECT_ID' \
-d 'environment=production'
API: Create Secret
curl -X POST https://app.infisical.com/api/v3/secrets/raw/DATABASE_URL \
-H 'Authorization: Bearer YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"workspaceId": "PROJECT_ID",
"environment": "production",
"secretValue": "postgres://user:pass@db:5432/mydb"
}'
API: Update Secret
curl -X PATCH https://app.infisical.com/api/v3/secrets/raw/DATABASE_URL \
-H 'Authorization: Bearer YOUR_TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"workspaceId": "PROJECT_ID",
"environment": "production",
"secretValue": "postgres://user:newpass@db:5432/mydb"
}'
Node.js SDK
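import { InfisicalClient } from '@infisical/sdk';

// 'ID' and 'SECRET' are placeholders: supply the machine identity
// credentials at runtime rather than committing them to source.
const client = new InfisicalClient({
  siteUrl: 'https://app.infisical.com',
  auth: { universalAuth: { clientId: 'ID', clientSecret: 'SECRET' } },
});

// Fetch every secret at the root path of the production environment
const secrets = await client.listSecrets({
  projectId: 'PROJECT_ID',
  environment: 'production',
  path: '/',
});

// Pick out a single value by key
const dbUrl = secrets.find(s => s.secretKey === 'DATABASE_URL')?.secretValue;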
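Whether secrets come from `listSecrets()` or from `infisical run`, the service should refuse to start when a required secret is missing, and should never write values to its logs. The block below is an added example, not part of the original post or of the Infisical SDK; the function names are hypothetical and the sample data is constructed.

```javascript
// Added example, not Infisical SDK code. Function names are hypothetical.
// Input shape assumed from the listSecrets() usage above:
// an array of { secretKey, secretValue } objects.

// Return only the keys the service needs; fail closed if any is absent or
// empty. Errors name the missing keys and never include a secret value.
function loadRequiredSecrets(secrets, requiredKeys) {
  const byKey = new Map(secrets.map(s => [s.secretKey, s.secretValue]));
  const missing = requiredKeys.filter(k => {
    const v = byKey.get(k);
    return typeof v !== 'string' || v.trim() === '';
  });
  if (missing.length > 0) {
    throw new Error(`missing required secrets: ${missing.join(', ')}`);
  }
  const config = {};
  for (const k of requiredKeys) config[k] = byKey.get(k);
  return Object.freeze(config);
}

// Same check for the `infisical run -- <cmd>` path, where the secrets
// arrive as environment variables (pass process.env as `env`).
function secretsFromEnv(env, requiredKeys) {
  const list = Object.entries(env).map(
    ([secretKey, secretValue]) => ({ secretKey, secretValue })
  );
  return loadRequiredSecrets(list, requiredKeys);
}

// Startup log line that records which secrets were loaded, not their values.
function describeConfig(config) {
  return Object.keys(config).sort().map(k => `${k}=[REDACTED]`).join(' ');
}

// Constructed sample data standing in for a listSecrets() result.
const sampleSecrets = [
  { secretKey: 'DATABASE_URL', secretValue: 'postgres://user:pass@db:5432/mydb' },
  { secretKey: 'DB_USER', secretValue: 'app' },
  { secretKey: 'SENDGRID_API_KEY', secretValue: '' }, // present but empty
];

const config = loadRequiredSecrets(sampleSecrets, ['DATABASE_URL', 'DB_USER']);
console.log(describeConfig(config));
```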
GitHub Actions Integration
steps:
  - uses: Infisical/secrets-action@v1
    with:
      token: ${{ secrets.INFISICAL_TOKEN }}
      projectId: your-project-id
      env: production
  - run: test -n "$DATABASE_URL" # Available as env var; check it is set without echoing the value into the job log
Secret Rotation
Infisical can auto-rotate:
- PostgreSQL passwords
- MySQL passwords
- AWS IAM keys
- SendGrid API keys
curl -X POST https://app.infisical.com/api/v1/secret-rotations \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "provider": "postgres",
    "interval": 30,
    "secretsMapping": {"username": "DB_USER", "password": "DB_PASS"}
  }'
Real-World Use Case
A startup had secrets in 15 .env files across dev, staging, and production. They moved to Infisical — one dashboard, one source of truth. A leaked API key was rotated in 10 seconds instead of updating 15 files across 5 repos.