DEV Community

Alex Spinov
Alex Spinov

Posted on

Infisical Has a Free API: Open-Source Secret Management That Replaces .env Files

#infisical #secrets #security #devops

Infisical is an open-source secret management platform. It replaces .env files with a centralized, encrypted store that has a REST API, CLI, SDKs, and native integrations with every major platform.

Why Infisical?

  • Open source — self-host or use cloud (5 users free)
  • Replaces .env — no more secrets in git
  • REST API — full CRUD for secrets programmatically
  • CLI — inject secrets into any command
  • Auto-sync — push to Vercel, AWS, GitHub, Kubernetes

Install CLI 

# macOS
brew install infisical/get-cli/infisical

# Linux
curl -1sLf 'https://dl.cloudsmith.io/public/infisical/infisical-cli/setup.deb.sh' | sudo bash
sudo apt install infisical

# Login
infisical login
Enter fullscreen mode Exit fullscreen mode

CLI Usage 

# Init project
infisical init

# Run command with secrets injected
infisical run -- npm start
infisical run -- python app.py
infisical run -- docker compose up

# Specific environment
infisical run --env=prod -- npm start

# Export secrets
infisical export --format=dotenv > .env
infisical export --format=json
infisical export --format=yaml

# Set a secret
infisical secrets set API_KEY=sk-123456

# Get a secret
infisical secrets get API_KEY

# List all secrets
infisical secrets
Enter fullscreen mode Exit fullscreen mode

REST API 

BASE="https://app.infisical.com/api"
TOKEN="your-service-token"

# List secrets
curl "$BASE/v3/secrets/raw?workspaceId=xxx&environment=prod" \
  -H "Authorization: Bearer $TOKEN"

# Get single secret
curl "$BASE/v3/secrets/raw/DATABASE_URL?workspaceId=xxx&environment=prod" \
  -H "Authorization: Bearer $TOKEN"

# Create secret
curl -X POST "$BASE/v3/secrets/raw/NEW_SECRET" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workspaceId": "xxx",
    "environment": "dev",
    "secretValue": "my-secret-value"
  }'

# Update secret
curl -X PATCH "$BASE/v3/secrets/raw/NEW_SECRET" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workspaceId": "xxx",
    "environment": "dev",
    "secretValue": "updated-value"
  }'

# Delete secret
curl -X DELETE "$BASE/v3/secrets/raw/NEW_SECRET" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"workspaceId": "xxx", "environment": "dev"}'
Enter fullscreen mode Exit fullscreen mode

Node.js SDK 

import InfisicalClient from '@infisical/sdk';

const client = new InfisicalClient({
  token: process.env.INFISICAL_TOKEN,
});

// Get all secrets
const secrets = await client.listSecrets({
  environment: 'prod',
  projectId: 'xxx',
});

// Get single secret
const dbUrl = await client.getSecret({
  environment: 'prod',
  projectId: 'xxx',
  secretName: 'DATABASE_URL',
});

console.log(dbUrl.secretValue);
Enter fullscreen mode Exit fullscreen mode

Integrations

Platform Sync Method
Vercel Auto-sync
AWS Parameter Store Auto-sync
GitHub Actions Auto-sync
Kubernetes Operator
Docker Compose CLI inject
Terraform Provider

Key Features

Feature Details
Encryption AES-256-GCM, E2E encrypted
Versioning Full secret history
Rotation Automatic secret rotation
RBAC Role-based access control
Audit Full audit logs
Free tier 5 team members

Resources

Need secrets management or automation? Check my Apify actors or email spinov001@gmail.com.

Top comments (0)