Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined. However, you can configure additional settings to activate more features as needed.

General platform

Used to configure platform-specific security and operational settings.

ENCRYPTION_KEY
string
default: "none" (required)

Must be a random 16-byte hex string. Can be generated with openssl rand -hex 16

AUTH_SECRET
string
default: "none" (required)

Must be a random 32-byte base64 string. Can be generated with openssl rand -base64 32

SITE_URL
string
default: "none" (required)

Must be an absolute URL including the protocol (e.g. https://app.infisical.com).

PORT
int
default: "8080"

Specifies the internal port on which the application listens.

TELEMETRY_ENABLED
string
default: "true"

Telemetry helps us improve Infisical, but if you want to disable it, you may set this to false.

Data Layer

The platform uses Postgres to persist all of its data and Redis for caching and background tasks.

DB_CONNECTION_URI
string
default: "" (required)

Postgres database connection string. The format generally looks like this: postgresql://username:password@host:5432/database.

DB_ROOT_CERT
string
default: ""

Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the command below to encode your certificate: echo "<certificate>" | base64

REDIS_URL
string
default: "none" (required)

Redis connection string. The format generally looks like this: redis://host:6379.

DB_READ_REPLICAS
string
default: ""

Postgres database read replica connection strings. It accepts a JSON string.

DB_READ_REPLICAS=[{"DB_CONNECTION_URI":""}]
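A preflight check for the variables described above, written as an added example that is not part of the Infisical documentation or code base. The names validate_env, REQUIRED, SCHEMES and SAMPLE_ENV, the accepted URL schemes, and the sample values are assumptions of this example.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Variables the page marks as required.
REQUIRED = ("ENCRYPTION_KEY", "AUTH_SECRET", "SITE_URL", "DB_CONNECTION_URI", "REDIS_URL")
# Accepted URL schemes per variable (an assumption of this example).
SCHEMES = {"SITE_URL": ("http", "https"),
           "DB_CONNECTION_URI": ("postgres", "postgresql"),
           "REDIS_URL": ("redis", "rediss")}

def validate_env(env):
    """Return a list of problems found in a mapping of Infisical variables."""
    problems = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    key = env.get("ENCRYPTION_KEY")
    if key and not re.fullmatch(r"[0-9a-fA-F]{32}", key):
        problems.append("ENCRYPTION_KEY is not 16 bytes of hex (32 characters)")
    secret = env.get("AUTH_SECRET")
    if secret:
        try:
            decoded = base64.b64decode(secret, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = b""
        if len(decoded) != 32:
            problems.append("AUTH_SECRET is not 32 bytes of base64")
    for name, schemes in SCHEMES.items():
        parts = urlsplit(env.get(name) or "")
        if env.get(name) and (parts.scheme not in schemes or not parts.netloc):
            problems.append(f"{name} is not an absolute URL with scheme in {schemes}")
    replicas = env.get("DB_READ_REPLICAS")
    if replicas:
        try:
            parsed = json.loads(replicas)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            parsed = None
        if not (isinstance(parsed, list) and parsed and all(
                isinstance(r, dict) and r.get("DB_CONNECTION_URI") for r in parsed)):
            problems.append("DB_READ_REPLICAS is not a JSON list with DB_CONNECTION_URI set")
    return problems

# Constructed sample: key made with `openssl rand -hex 32` by mistake, URL lacks protocol.
SAMPLE_ENV = {"ENCRYPTION_KEY": "ab" * 32,
              "AUTH_SECRET": base64.b64encode(bytes(32)).decode(),
              "SITE_URL": "infisical.example.com",
              "DB_CONNECTION_URI": "postgresql://username:password@host:5432/database",
              "REDIS_URL": "redis://host:6379"}

if __name__ == "__main__":
    print("\n".join(validate_env(SAMPLE_ENV)) or "configuration looks valid")
```

To check a real deployment, pass dict(os.environ) to validate_env before starting the instance.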

Email service

Without email configuration, Infisical’s core functions like sign-up/login and secret operations still work, but multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features are disabled.

Authentication

By default, users can only log in with the email/password method. To log in to Infisical with OAuth providers such as Google, configure the associated variables.

DEFAULT_SAML_ORG_SLUG
string

When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.

Native secret integrations

To help you sync secrets from Infisical to services such as GitHub and GitLab, Infisical provides native integrations out of the box.

Observability

You can configure Infisical to collect and expose telemetry data for analytics and monitoring.

OTEL_TELEMETRY_COLLECTION_ENABLED
string
default: "false"

Whether or not to collect and expose telemetry data.

OTEL_EXPORT_TYPE
enum

Supported types are prometheus and otlp.

If the export type is set to prometheus, metric data will be exposed on port 9464 at the /metrics path.

If the export type is set to otlp, you will have to configure a value for OTEL_EXPORT_OTLP_ENDPOINT.

OTEL_EXPORT_OTLP_ENDPOINT
string

The endpoint to which telemetry data is pushed for collection. This is only applicable when OTEL_EXPORT_TYPE is set to otlp.

OTEL_COLLECTOR_BASIC_AUTH_USERNAME
string

The username for authenticating with the telemetry collector.

OTEL_COLLECTOR_BASIC_AUTH_PASSWORD
string

The password for authenticating with the telemetry collector.