Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined. However, you can configure additional settings to activate more features as needed.

General platform

Used to configure platform-specific security and operational settings.

ENCRYPTION_KEY
string
default: "none"
required

Must be a random 16-byte hex string. Can be generated with openssl rand -hex 16

AUTH_SECRET
string
default: "none"
required

Must be a random 32-byte base64 string. Can be generated with openssl rand -base64 32

SITE_URL
string
default: "none"

Must be an absolute URL including the protocol (e.g. https://app.infisical.com).

Data Layer

The platform uses Postgres to persist all of its data and Redis for caching and background tasks.

DB_CONNECTION_URI
string
default: ""
required

Postgres database connection string.

DB_ROOT_CERT
string
default: ""

Configure the SSL certificate for securing a Postgres connection by first encoding it in base64. Use the command below to encode your certificate: echo "<certificate>" | base64

REDIS_URL
string
default: "none"
required

Redis connection string.
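
A preflight check for the variables described above, as an added example that is not part of Infisical or its documentation. The function names are hypothetical, the expected lengths are derived from the two openssl commands shown on this page, and treating the listed default "none" as unset is an assumption.

```shell
#!/bin/sh
# Added example (not Infisical's code): preflight check for the variables above.
# Prints variable names only, never values, so the output is safe to log.

# True when $1 is a single line matching extended regex $2.
_matches() {
    [ $(printf '%s' "$1" | wc -l) -eq 0 ] &&
        printf '%s\n' "$1" | grep -Eq "$2"
}

_bad() { echo "config error: $1" >&2; fail=$((fail + 1)); }

# Returns the number of problems found (0 = ready to start).
check_infisical_env() {
    fail=0
    # openssl rand -hex 16 emits 16 random bytes as 32 hex characters.
    _matches "${ENCRYPTION_KEY:-}" '^[0-9a-fA-F]{32}$' ||
        _bad "ENCRYPTION_KEY must be 32 hex characters (16 bytes)"
    # openssl rand -base64 32 emits 32 bytes as 43 base64 characters plus '='.
    _matches "${AUTH_SECRET:-}" '^[A-Za-z0-9+/]{43}=$' ||
        _bad "AUTH_SECRET must be base64 of exactly 32 bytes"
    # Connection strings: presence only. Assumption: the documented default
    # "none" is treated as unset.
    for name in DB_CONNECTION_URI REDIS_URL; do
        eval "val=\${$name:-}"
        case "$val" in
            ''|none) _bad "$name is required but not set" ;;
        esac
    done
    # SITE_URL is optional; when set it must be absolute, with protocol.
    if [ -n "${SITE_URL:-}" ]; then
        _matches "$SITE_URL" '^https?://[^/[:space:]]+' ||
            _bad "SITE_URL must start with http:// or https://"
    fi
    return "$fail"
}
```

Source the file and run check_infisical_env in the same environment that will start Infisical; a non-zero exit status is the number of variables that need attention.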

Email service

Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.

SSO based login

By default, users can only log in with the email/password method. To log in to Infisical with OAuth providers such as Google, configure the associated variables.

NEXT_PUBLIC_SAML_ORG_SLUG
string

Configure SAML organization slug to automatically redirect all users of your Infisical instance to the identity provider.

Native secret integrations

To help you sync secrets from Infisical to services such as GitHub and GitLab, Infisical provides native integrations out of the box.