Infisical Python SDK

If you’re working with Python, the official infisical-python package is the easiest way to fetch and work with secrets for your application.

Basic Usage

from flask import Flask
from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions

app = Flask(__name__)

client = InfisicalClient(ClientSettings(
    client_id="MACHINE_IDENTITY_CLIENT_ID",
    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
))

@app.route("/")
def hello_world():
    # access value

    name = client.getSecret(options=GetSecretOptions(
       environment="dev",
       project_id="PROJECT_ID",
       secret_name="NAME"
    ))

    return f"Hello! My name is: {name.secret_value}"

This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named “NAME” and responds to requests with a greeting that includes the secret value.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

Run pip to add infisical-python to your project

$ pip install infisical-python

Note: You need Python 3.7+.

Configuration

Import the SDK and create a client instance with your Machine Identity.

from infisical_client import ClientSettings, InfisicalClient

client = InfisicalClient(ClientSettings(
    client_id="MACHINE_IDENTITY_CLIENT_ID",
    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
))

Parameters

options

object

Show properties

client_id

string

Your Infisical Client ID.

client_secret

string

Your Infisical Client Secret.

access_token

string

If you want to directly pass an access token obtained from the authentication endpoints, you can do so.

cache_ttl

number

default:"300"

Time-to-live (in seconds) for refreshing cached secrets. If manually set to 0, caching will be disabled, this is not recommended.

site_url

string

default:"https://app.infisical.com"

Your self-hosted absolute site URL including the protocol (e.g. https://app.infisical.com)

Caching

To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cache_ttl” option when creating the client.

Working with Secrets

client.listSecrets(options)

client.listSecrets(options=ListSecretsOptions(
    environment="dev",
    project_id="PROJECT_ID"
))

Retrieve all secrets within the Infisical project and environment that client is connected to

Parameters

object

Show properties

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

project_id

string

required

The project ID where the secret lives in.

path

string

The path from where secrets should be fetched from.

attach_to_process_env

boolean

default:"false"

Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so process.env["SECRET_NAME"].

include_imports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

client.getSecret(options)

secret = client.getSecret(options=GetSecretOptions(
    environment="dev",
    project_id="PROJECT_ID",
    secret_name="API_KEY"
))
value = secret.secret_value # get its value

By default, getSecret() fetches and returns a shared secret. If not found, it returns a personal secret.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to retrieve

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

project_id

string

required

The project ID where the secret lives in.

path

string

The path from where secret should be fetched from.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “personal”.

include_imports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

client.createSecret(options)

api_key = client.createSecret(options=CreateSecretOptions(
    secret_name="API_KEY",
    secret_value="Some API Key",
    environment="dev",
    project_id="PROJECT_ID"
))

Create a new secret in Infisical.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to create.

secret_value

string

required

The value of the secret.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be created.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.updateSecret(options)

client.updateSecret(options=UpdateSecretOptions(
    secret_name="API_KEY",
    secret_value="NEW_VALUE",
    environment="dev",
    project_id="PROJECT_ID"
))

Update an existing secret in Infisical.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to update.

secret_value

string

required

The new value of the secret.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be updated.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.deleteSecret(options)

client.deleteSecret(options=DeleteSecretOptions(
    environment="dev",
    project_id="PROJECT_ID",
    secret_name="API_KEY"
))

Delete a secret in Infisical.

Parameters

object

Show properties

secret_name

string

The key of the secret to update.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be deleted.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Cryptography

Create a symmetric key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

key = client.createSymmetricKey()

Returns (string)

key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

Encrypt symmetric

encryptOptions = EncryptSymmetricOptions(
    key=key,
    plaintext="Infisical is awesome!"
)

encryptedData = client.encryptSymmetric(encryptOptions)

Parameters

object

required

Show properties

plaintext

string

The plaintext you want to encrypt.

key

string

required

The symmetric key to use for encryption.

Returns (object)

tag (string): A base64-encoded, 128-bit authentication tag. iv (string): A base64-encoded, 96-bit initialization vector. ciphertext (string): A base64-encoded, encrypted ciphertext.

Decrypt symmetric

decryptOptions = DecryptSymmetricOptions(
    ciphertext=encryptedData.ciphertext,
    iv=encryptedData.iv,
    tag=encryptedData.tag,
    key=key
)

decryptedString = client.decryptSymmetric(decryptOptions)

Parameters

object

required

Show properties

ciphertext

string

The ciphertext you want to decrypt.

key

string

required

The symmetric key to use for encryption.

string

required

The initialization vector to use for decryption.

tag

string

required

The authentication tag to use for decryption.

Returns (string)

plaintext (string): The decrypted plaintext.

Node.js Java

On this page

Basic Usage
Installation
Configuration
Parameters
Caching
Working with Secrets
client.listSecrets(options)
Parameters
client.getSecret(options)
Parameters
client.createSecret(options)
Parameters
client.updateSecret(options)
Parameters
client.deleteSecret(options)
Parameters
Cryptography
Create a symmetric key
Returns (string)
Encrypt symmetric
Parameters
Returns (object)
Decrypt symmetric
Parameters
Returns (string)

If you’re working with Python, the official infisical-python package is the easiest way to fetch and work with secrets for your application.

Basic Usage

from flask import Flask
from infisical_client import ClientSettings, InfisicalClient, GetSecretOptions

app = Flask(__name__)

client = InfisicalClient(ClientSettings(
    client_id="MACHINE_IDENTITY_CLIENT_ID",
    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
))

@app.route("/")
def hello_world():
    # access value

    name = client.getSecret(options=GetSecretOptions(
       environment="dev",
       project_id="PROJECT_ID",
       secret_name="NAME"
    ))

    return f"Hello! My name is: {name.secret_value}"

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

Run pip to add infisical-python to your project

$ pip install infisical-python

Note: You need Python 3.7+.

Configuration

Import the SDK and create a client instance with your Machine Identity.

from infisical_client import ClientSettings, InfisicalClient

client = InfisicalClient(ClientSettings(
    client_id="MACHINE_IDENTITY_CLIENT_ID",
    client_secret="MACHINE_IDENTITY_CLIENT_SECRET",
))

Parameters

options

object

Show properties

client_id

string

Your Infisical Client ID.

client_secret

string

Your Infisical Client Secret.

access_token

string

If you want to directly pass an access token obtained from the authentication endpoints, you can do so.

cache_ttl

number

default:"300"

Time-to-live (in seconds) for refreshing cached secrets. If manually set to 0, caching will be disabled, this is not recommended.

site_url

string

default:"https://app.infisical.com"

Your self-hosted absolute site URL including the protocol (e.g. https://app.infisical.com)

Caching

Working with Secrets

client.listSecrets(options)

client.listSecrets(options=ListSecretsOptions(
    environment="dev",
    project_id="PROJECT_ID"
))

Retrieve all secrets within the Infisical project and environment that client is connected to

Parameters

object

Show properties

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

project_id

string

required

The project ID where the secret lives in.

path

string

The path from where secrets should be fetched from.

attach_to_process_env

boolean

default:"false"

Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so process.env["SECRET_NAME"].

include_imports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

client.getSecret(options)

secret = client.getSecret(options=GetSecretOptions(
    environment="dev",
    project_id="PROJECT_ID",
    secret_name="API_KEY"
))
value = secret.secret_value # get its value

By default, getSecret() fetches and returns a shared secret. If not found, it returns a personal secret.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to retrieve

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

project_id

string

required

The project ID where the secret lives in.

path

string

The path from where secret should be fetched from.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “personal”.

include_imports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

client.createSecret(options)

api_key = client.createSecret(options=CreateSecretOptions(
    secret_name="API_KEY",
    secret_value="Some API Key",
    environment="dev",
    project_id="PROJECT_ID"
))

Create a new secret in Infisical.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to create.

secret_value

string

required

The value of the secret.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be created.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.updateSecret(options)

client.updateSecret(options=UpdateSecretOptions(
    secret_name="API_KEY",
    secret_value="NEW_VALUE",
    environment="dev",
    project_id="PROJECT_ID"
))

Update an existing secret in Infisical.

Parameters

object

Show properties

secret_name

string

required

The key of the secret to update.

secret_value

string

required

The new value of the secret.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be updated.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.deleteSecret(options)

client.deleteSecret(options=DeleteSecretOptions(
    environment="dev",
    project_id="PROJECT_ID",
    secret_name="API_KEY"
))

Delete a secret in Infisical.

Parameters

object

Show properties

secret_name

string

The key of the secret to update.

project_id

string

required

The project ID where the secret lives in.

environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

path

string

The path from where secret should be deleted.

type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Cryptography

Create a symmetric key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

key = client.createSymmetricKey()

Returns (string)

key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

Encrypt symmetric

encryptOptions = EncryptSymmetricOptions(
    key=key,
    plaintext="Infisical is awesome!"
)

encryptedData = client.encryptSymmetric(encryptOptions)

Parameters

object

required

Show properties

plaintext

string

The plaintext you want to encrypt.

key

string

required

The symmetric key to use for encryption.

Returns (object)

tag (string): A base64-encoded, 128-bit authentication tag. iv (string): A base64-encoded, 96-bit initialization vector. ciphertext (string): A base64-encoded, encrypted ciphertext.

Decrypt symmetric

decryptOptions = DecryptSymmetricOptions(
    ciphertext=encryptedData.ciphertext,
    iv=encryptedData.iv,
    tag=encryptedData.tag,
    key=key
)

decryptedString = client.decryptSymmetric(decryptOptions)

Parameters

object

required

Show properties

ciphertext

string

The ciphertext you want to decrypt.

key

string

required

The symmetric key to use for encryption.

string

required

The initialization vector to use for decryption.

tag

string

required

The authentication tag to use for decryption.

Returns (string)

plaintext (string): The decrypted plaintext.

Node.js Java

On this page

Basic Usage
Installation
Configuration
Parameters
Caching
Working with Secrets
client.listSecrets(options)
Parameters
client.getSecret(options)
Parameters
client.createSecret(options)
Parameters
client.updateSecret(options)
Parameters
client.deleteSecret(options)
Parameters
Cryptography
Create a symmetric key
Returns (string)
Encrypt symmetric
Parameters
Returns (object)
Decrypt symmetric
Parameters
Returns (string)

​Basic Usage

​Installation

​Configuration

​Parameters

​Caching

​Working with Secrets

​client.listSecrets(options)

​Parameters

​client.getSecret(options)

​Parameters

​client.createSecret(options)

​Parameters

​client.updateSecret(options)

​Parameters

​client.deleteSecret(options)

​Parameters

​Cryptography

​Create a symmetric key

​Returns (string)

​Encrypt symmetric

​Parameters

​Returns (object)

​Decrypt symmetric

​Parameters

​Returns (string)

SDK's

​Basic Usage

​Installation

​Configuration

​Parameters

​Caching

​Working with Secrets

​client.listSecrets(options)

​Parameters

​client.getSecret(options)

​Parameters

​client.createSecret(options)

​Parameters

​client.updateSecret(options)

​Parameters

​client.deleteSecret(options)

​Parameters

​Cryptography

​Create a symmetric key

​Returns (string)

​Encrypt symmetric

​Parameters

​Returns (object)

​Decrypt symmetric

​Parameters

​Returns (string)

Basic Usage

Installation

Configuration

Parameters

Caching

Working with Secrets

client.listSecrets(options)

Parameters

client.getSecret(options)

Parameters

client.createSecret(options)

Parameters

client.updateSecret(options)

Parameters

client.deleteSecret(options)

Parameters

Cryptography

Create a symmetric key

Returns (string)

Encrypt symmetric

Parameters

Returns (object)

Decrypt symmetric

Parameters

Returns (string)

Basic Usage

Installation

Configuration

Parameters

Caching

Working with Secrets

client.listSecrets(options)

Parameters

client.getSecret(options)

Parameters

client.createSecret(options)

Parameters

client.updateSecret(options)

Parameters

client.deleteSecret(options)

Parameters

Cryptography

Create a symmetric key

Returns (string)

Encrypt symmetric

Parameters

Returns (object)

Decrypt symmetric

Parameters

Returns (string)