If you’re working with Node.js, the official infisical-node package is the easiest way to fetch and work with secrets for your application.
Basic Usage import express from "express" ; import { InfisicalClient , LogLevel } from "@infisical/sdk" ; const app = express ( ) ; const PORT = 3000 ; const client = new InfisicalClient ( { clientId : "YOUR_CLIENT_ID" ,
clientSecret : "YOUR_CLIENT_SECRET" ,
logLevel : LogLevel . Error
} ) ; app. get ( "/" , async ( req, res ) => {
const name = await client. getSecret ( {
environment : "dev" ,
projectId : "PROJECT_ID" ,
path : "/" ,
type : "shared" ,
secretName : "NAME"
} ) ;
res. send ( ` Hello! My name is: ${ name. secretValue } ` ) ;
} ) ; app. listen ( PORT , async ( ) => {
console . log ( ` App listening on port ${ PORT } ` ) ;
} ) ; This example demonstrates how to use the Infisical Node SDK with an Express application. The application retrieves a secret named “NAME” and responds to requests with a greeting that includes the secret value.
Installation Run npm to add @infisical/sdk to your project.
$ npm install @infisical/sdk
Configuration Import the SDK and create a client instance with your Machine Identity .
import { InfisicalClient , LogLevel } from "@infisical/sdk" ; const client = new InfisicalClient ( { clientId : "YOUR_CLIENT_ID" ,
clientSecret : "YOUR_CLIENT_SECRET" ,
logLevel : LogLevel . Error
} ) ; Parameters Your machine identity client ID.
Your machine identity client secret.
An access token obtained from the machine identity login endpoint.
Time-to-live (in seconds) for refreshing cached secrets.
If manually set to 0, caching will be disabled, this is not recommended.
string
default: "https://app.infisical.com" Your self-hosted absolute site URL including the protocol (e.g. https://app.infisical.com)
The level of logs you wish to log The logs are derived from Rust, as we have written our base SDK in Rust.
Caching To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cacheTtl” option when creating the client.
Working with Secrets client.listSecrets(options) const secrets = await client. listSecrets ( { environment : "dev" ,
projectId : "PROJECT_ID" ,
path : "/foo/bar/" ,
includeImports : false
} ) ; Retrieve all secrets within the Infisical project and environment that client is connected to
Parameters The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The project ID where the secret lives in.
The path from where secrets should be fetched from.
Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so process.env["SECRET_NAME"].
Whether or not to include imported secrets from the current path. Read about secret import
client.getSecret(options) const secret = await client. getSecret ( { environment : "dev" ,
projectId : "PROJECT_ID" ,
secretName : "API_KEY" ,
path : "/" ,
type : "shared"
} ) ; Retrieve a secret from Infisical.
By default, getSecret() fetches and returns a shared secret.
Parameters The key of the secret to retrieve.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be fetched from.
The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.
client.createSecret(options) const newApiKey = await client. createSecret ( { projectId : "PROJECT_ID" ,
environment : "dev" ,
secretName : "API_KEY" ,
secretValue : "SECRET VALUE" ,
path : "/" ,
type : "shared"
} ) ; Create a new secret in Infisical.
The key of the secret to create.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be created.
The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.
client.updateSecret(options) const updatedApiKey = await client. updateSecret ( { secretName : "API_KEY" ,
secretValue : "NEW SECRET VALUE" ,
projectId : "PROJECT_ID" ,
environment : "dev" ,
path : "/" ,
type : "shared"
} ) ; Update an existing secret in Infisical.
Parameters The key of the secret to update.
The new value of the secret.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be updated.
The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.
client.deleteSecret(options) const deletedSecret = await client. deleteSecret ( { secretName : "API_KEY" ,
environment : "dev" ,
projectId : "PROJECT_ID" ,
path : "/" ,
type : "shared"
} ) ; Delete a secret in Infisical.
The key of the secret to update.
The project ID where the secret lives in.
The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.
The path from where secret should be deleted.
The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.
Cryptography Create a symmetric key Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.
const key = client. createSymmetricKey ( ) ; Returns (string) key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.
Encrypt symmetric const { iv, tag, ciphertext } = await client. encryptSymmetric ( { key : key,
plaintext : "Infisical is awesome!" ,
} ) Parameters The plaintext you want to encrypt.
The symmetric key to use for encryption.
Returns (object) tag (string): A base64-encoded, 128-bit authentication tag.
iv (string): A base64-encoded, 96-bit initialization vector.
ciphertext (string): A base64-encoded, encrypted ciphertext.
Decrypt symmetric const decryptedString = await client. decryptSymmetric ( { key : key,
iv : iv,
tag : tag,
ciphertext : ciphertext,
} ) ; Parameters The ciphertext you want to decrypt.
The symmetric key to use for encryption.
The initialization vector to use for decryption.
The authentication tag to use for decryption.
Returns (string) plaintext (string): The decrypted plaintext.
