DEV Community

Alex Spinov
Alex Spinov

Posted on

Infisical Has a Free API That Manages Your Secrets Better Than .env Files

#infisical #secrets #security #devops

Infisical is the open-source secret management platform. Store API keys, database credentials, and tokens securely — then inject them into any app or CI/CD pipeline via API.

What Is Infisical?

Infisical replaces .env files with a centralized, encrypted secrets vault. Version history, access control, secret rotation — all built in.

Quick Start 

npm install @infisical/sdk
Enter fullscreen mode Exit fullscreen mode 
import { InfisicalClient } from '@infisical/sdk'

const client = new InfisicalClient({
  clientId: process.env.INFISICAL_CLIENT_ID!,
  clientSecret: process.env.INFISICAL_CLIENT_SECRET!,
})

// Get a secret
const secret = await client.getSecret({
  environment: 'production',
  projectId: 'proj-123',
  secretName: 'DATABASE_URL',
})

console.log(secret.secretValue) // postgresql://...
Enter fullscreen mode Exit fullscreen mode

REST API 

export INFISICAL_TOKEN="your-service-token"

# List secrets in an environment
curl -s 'https://app.infisical.com/api/v3/secrets/raw?environment=production&workspaceId=proj-123' \
  -H "Authorization: Bearer $INFISICAL_TOKEN" | jq '.secrets[] | {key: .secretKey, value: .secretValue}'

# Create a secret
curl -s -X POST 'https://app.infisical.com/api/v3/secrets/raw/NEW_API_KEY' \
  -H "Authorization: Bearer $INFISICAL_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"workspaceId": "proj-123", "environment": "production", "secretValue": "sk_live_abc123"}'

# Update a secret
curl -s -X PATCH 'https://app.infisical.com/api/v3/secrets/raw/DATABASE_URL' \
  -H "Authorization: Bearer $INFISICAL_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"workspaceId": "proj-123", "environment": "production", "secretValue": "postgresql://new-host/db"}'
Enter fullscreen mode Exit fullscreen mode

CLI Integration 

# Install CLI
brew install infisical/get-cli/infisical

# Login
infisical login

# Run app with injected secrets (replaces .env)
infisical run --env=production -- npm start

# Export to .env format
infisical export --env=production --format=dotenv > .env
Enter fullscreen mode Exit fullscreen mode

CI/CD Integration 

# GitHub Actions
- uses: Infisical/secrets-action@v1
  with:
    client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
    client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
    project-id: proj-123
    env-slug: production
Enter fullscreen mode Exit fullscreen mode

Features

  • Encryption: AES-256-GCM, secrets encrypted at rest and in transit
  • Versioning: full history of every secret change
  • Rotation: automatic secret rotation for databases and APIs
  • Access control: RBAC per project, environment, folder
  • Audit logs: who accessed what, when
  • Integrations: GitHub, Vercel, Netlify, AWS, Docker, K8s

Free Tier

Feature Free Pro ($6/user/mo)
Team members 5 Unlimited
Projects Unlimited Unlimited
Environments Unlimited Unlimited
Secret versions Unlimited Unlimited
Integrations All All

Why Not Just .env?

.env files Infisical
Encrypted No Yes
Version history No Yes
Access control No Yes
Rotation Manual Automatic
CI/CD injection Manual Built-in
Audit log No Yes

Managing secrets for scraping infrastructure? Scrapfly handles proxy credentials and API keys securely. Email spinov001@gmail.com for secure scraping setups.

Top comments (0)