This guide provides configuration options for self-hosted Infisical deployments. Proper configuration is critical as Infisical serves as the central secret source for CI/CD pipelines and applications. Misconfiguration can cause platform-wide outages.
Current Version: v0.158.5 (February 2026)
| Variable | Description | Example | Generation |
|---|---|---|---|
| SITE_URL | Public URL of your Infisical instance (absolute URL with protocol) | https://infisical.example.com | Manual |
| ENCRYPTION_KEY | 32-character hex key for AES-GCM-256 encryption | a1b2c3d4e5f6... | `openssl rand -hex 16` |
| AUTH_SECRET | Base64-encoded secret for JWT signing | randomBase64String... | `openssl rand -base64 32` |
| DB_CONNECTION_URI | PostgreSQL connection string | postgres://user:pass@host:5432/db | Manual |
| REDIS_URL | Redis connection URL | redis://host:6379 | Manual |
# PostgreSQL Connection
# The values below are placeholders (your-secure-password, user:pass); replace
# them with generated credentials and keep the resulting file out of version control.
POSTGRES_USER=infisical
POSTGRES_PASSWORD=your-secure-password
POSTGRES_DB=infisical
# A password containing URI-reserved characters (@ : / ? % #) must be
# percent-encoded here, otherwise the URI is split at the wrong place.
DB_CONNECTION_URI=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
# For external managed PostgreSQL with SSL
# sslmode=require encrypts the session but does not verify the server's
# certificate, so an interposed host is not detected. Prefer sslmode=verify-full
# (or at least verify-ca) so the CA certificate configured below is actually
# enforced; confirm that this release passes DB_ROOT_CERT through to the driver.
DB_CONNECTION_URI=postgres://user:pass@managed-db.example.com:5432/infisical?sslmode=require
DB_ROOT_CERT=/path/to/ca-cert.pem
# Read replicas for high availability (JSON array)
# Every replica entry embeds its own credentials and sslmode; handle this value
# with the same secrecy as DB_CONNECTION_URI and apply the verify-full note above.
DB_READ_REPLICAS='[{"DB_CONNECTION_URI":"postgresql://user:pass@replica1:5432/db?sslmode=require"},{"DB_CONNECTION_URI":"postgresql://user:pass@replica2:5432/db?sslmode=require"}]'
# Basic Redis
# No credentials and no TLS: suitable only for an isolated development network.
# Pick exactly one REDIS_URL form below; the later assignment wins in most loaders.
REDIS_URL=redis://redis:6379
# Redis with authentication
# redis:// is cleartext, so the AUTH password and cached data cross the network
# unencrypted; use rediss:// whenever Redis is not on the same host.
REDIS_URL=redis://:password@redis:6379
# Redis with TLS
REDIS_URL=rediss://user:password@redis:6380
# Redis Sentinel
REDIS_SENTINEL_HOSTS=192.168.65.254:26379,192.168.65.254:26380
REDIS_SENTINEL_MASTER_NAME=mymaster
REDIS_SENTINEL_ENABLE_TLS=true
# Sentinel has its own credentials, separate from the data-node ones; the
# placeholders here are secrets and belong in the secret store, not this file.
REDIS_SENTINEL_USERNAME=sentinel_user
REDIS_SENTINEL_PASSWORD=sentinel_password
# Authentication token lifetime (default: 15 minutes)
# These tokens are signed with AUTH_SECRET (see the table above). Lifetimes
# bound how long a leaked token stays usable; lengthen them only deliberately.
JWT_AUTH_LIFETIME=15m
# Refresh token lifetime (default: 24 hours)
JWT_REFRESH_LIFETIME=24h
# Service/machine token lifetime (default: 1 hour)
JWT_SERVICE_LIFETIME=1h
# Machine identity token lifetime
# No default is documented on this page; 24h is the example value.
JWT_MACHINE_IDENTITY_LIFETIME=24h
# Force HTTPS
HTTPS_ENABLED=true
# HSTS header (in seconds)
# 31536000 s = 1 year. Browsers that have seen the header refuse plain HTTP for
# that long, so set it only once TLS is in place permanently.
HSTS_MAX_AGE=31536000
# Trusted proxies (comma-separated)
# Addresses in these ranges may assert the client IP through forwarded headers,
# which rate limiting and audit records presumably rely on. List only the
# proxies you operate; trusting whole private ranges lets any workload inside
# them spoof the source address.
TRUSTED_PROXIES=127.0.0.1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# Allowed origins (JSON array)
# Every origin listed here may make credentialed cross-origin requests
# (CORS_ALLOW_CREDENTIALS=true below), so keep it to first-party origins and
# never use a wildcard. The value is unquoted JSON; quote it if your loader
# word-splits or strips brackets.
CORS_ALLOWED_ORIGINS=["https://app.example.com","https://admin.example.com"]
# Allow credentials
CORS_ALLOW_CREDENTIALS=true
# Allowed methods
CORS_ALLOWED_METHODS=["GET","POST","PUT","DELETE","PATCH"]
# Allowed headers
CORS_ALLOWED_HEADERS=["Content-Type","Authorization","x-infisical-token"]
# Expose headers
CORS_EXPOSED_HEADERS=["x-infisical-version"]
# Max age for preflight cache
# 86400 s = 24 h; browsers cache the preflight result that long, so a tightened
# CORS policy can take up to a day to reach existing clients.
CORS_MAX_AGE=86400
# Disable user signups (recommended for production)
# With self-registration off, new accounts presumably arrive only through an
# administrator or SSO; confirm the onboarding path before enabling.
DISABLE_SIGN_UPS=true
# Password requirements
PASSWORD_MIN_LENGTH=12
PASSWORD_REQUIRE_UPPERCASE=true
PASSWORD_REQUIRE_LOWERCASE=true
PASSWORD_REQUIRE_NUMBERS=true
PASSWORD_REQUIRE_SPECIAL=true
# Session timeout (in seconds)
# 3600 s = 1 hour. The page does not say whether this is idle or absolute.
SESSION_TIMEOUT=3600
# MFA enforcement
# MFA_GRACE_PERIOD_DAYS is presumably the enrolment window granted to existing
# users once enforcement turns on; confirm the semantics for this release.
MFA_ENFORCED=true
MFA_GRACE_PERIOD_DAYS=7
# Enable rate limiting
# 100 requests per 60 s window, then a 300 s block. Limits are keyed by client
# address, so an over-broad TRUSTED_PROXIES list may let clients evade them.
RATE_LIMIT_ENABLED=true
# Requests per minute
RATE_LIMIT_POINTS=100
# Rate limit duration (seconds)
RATE_LIMIT_DURATION=60
# Block duration for exceeded limits (seconds)
RATE_LIMIT_BLOCK_DURATION=300
# Outbound mail (invitations, MFA and notification messages).
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USERNAME=noreply@example.com
# Placeholder; the real password is a secret and should be injected from the
# secret store rather than kept in this file.
SMTP_PASSWORD=your-smtp-password
SMTP_FROM_ADDRESS=noreply@example.com
SMTP_FROM_NAME=Infisical
# TLS settings
# Port 587 negotiates STARTTLS; keep SMTP_REQUIRE_TLS=true and
# SMTP_IGNORE_TLS=false so the SMTP credentials are never sent over a cleartext
# session (presumed semantics of these two flags — confirm). Port 465 is
# implicit TLS, which is what SMTP_SECURE_ENABLED selects.
SMTP_REQUIRE_TLS=true
SMTP_IGNORE_TLS=false
SMTP_SECURE_ENABLED=false # Set true for port 465
# SMTP service type (for templates)
SMTP_SERVICE=gmail # gmail, sendgrid, mailgun, custom
# Custom headers
# Unquoted JSON; quote the value if your loader mishandles braces or quotes.
SMTP_CUSTOM_HEADERS={"X-Priority":"1","X-Mailer":"Infisical"}
# Reply-to address
SMTP_REPLY_TO_ADDRESS=support@example.com
SMTP_REPLY_TO_NAME=Support Team
# Instance name (displayed in UI)
INSTANCE_NAME="My Company Infisical"
# Custom instance banner (for regulated industries)
# Unquoted JSON; quote the value if your loader mishandles braces or quotes.
INSTANCE_BANNER={"text":"Authorized Personnel Only","color":"#dc3545","enabled":true}
# Logo URL
# Fetched by users' browsers, so it should be served over HTTPS from a host
# you control; an external URL leaks page views to that host.
INSTANCE_LOGO_URL=https://example.com/logo.png
# Default language
DEFAULT_LANGUAGE=en
# Timezone
INSTANCE_TIMEZONE=UTC
# Enable/disable features
# Disable any feature you do not use to reduce exposed surface.
FEATURE_SSO_ENABLED=true
FEATURE_MFA_ENABLED=true
FEATURE_AUDIT_LOGS_ENABLED=true
FEATURE_APPROVAL_WORKFLOWS_ENABLED=true
FEATURE_SECRET_SYNC_ENABLED=true
FEATURE_PKI_ENABLED=true
FEATURE_SSH_MANAGEMENT_ENABLED=true
# Disable telemetry (recommended for production)
TELEMETRY_ENABLED=false
# Error reporting
# Leave SENTRY_DSN empty while error reporting is off. Once a DSN is set, error
# payloads leave the host, so review what they may contain before enabling.
ERROR_REPORTING_ENABLED=false
SENTRY_DSN=
# Analytics
ANALYTICS_ENABLED=false
# Kubernetes operator settings
K8S_OPERATOR_ENABLED=true
K8S_OPERATOR_NAMESPACE=infisical-system
# CSI driver settings
CSI_DRIVER_ENABLED=true
CSI_DRIVER_NAMESPACE=kube-system
# AWS OIDC
AWS_OIDC_ENABLED=true
# NOTE(review): this mirrors the SITE_URL example above; the issuer presumably
# has to be the URL the cloud provider can reach over HTTPS — confirm before use.
AWS_OIDC_ISSUER_URL=https://infisical.example.com
# Azure OIDC
AZURE_OIDC_ENABLED=true
# Placeholder — replace with your own tenant ID.
AZURE_TENANT_ID=your-tenant-id
# GCP Workload Identity
GCP_WORKLOAD_IDENTITY_ENABLED=true
GCP_SERVICE_ACCOUNT=infisical@project.iam.gserviceaccount.com
# Gateway configuration
GATEWAY_ENABLED=true
GATEWAY_PORT=8443
# The private key must be readable only by the account that runs Infisical
# (e.g. mode 0600); a readable key lets any local user impersonate the gateway.
GATEWAY_TLS_CERT=/path/to/gateway-cert.pem
GATEWAY_TLS_KEY=/path/to/gateway-key.pem
# Application log level
# debug may record request details; keep info or higher in production.
LOG_LEVEL=info # debug, info, warn, error
# Log format
LOG_FORMAT=json # json, pretty
# Log output
# When writing to a file, the directory should be writable by the service
# account only. 5 files x 100 MB bounds disk use at roughly 500 MB.
LOG_OUTPUT=stdout # stdout, file, both
LOG_FILE_PATH=/var/log/infisical/app.log
LOG_FILE_MAX_SIZE=100 # MB
LOG_FILE_MAX_FILES=5
# Enable audit logging
AUDIT_LOG_ENABLED=true
# Audit log retention (days)
AUDIT_LOG_RETENTION_DAYS=365
# Export audit logs
# Exported audit logs are evidence: keep the export directory append-only or
# forward it off-host so a compromise of the application cannot erase its trail.
AUDIT_LOG_EXPORT_ENABLED=true
AUDIT_LOG_EXPORT_PATH=/var/log/infisical/audit/
AUDIT_LOG_EXPORT_FORMAT=json
# SIEM integration
# The token is a secret placeholder; inject it from the secret store. The
# endpoint must be HTTPS (as here) so audit events are not forwarded in clear.
AUDIT_LOG_SIEM_ENABLED=true
AUDIT_LOG_SIEM_ENDPOINT=https://siem.example.com/api/logs
AUDIT_LOG_SIEM_TOKEN=your-siem-token
# Backup schedule (cron format)
# "0 2 * * *" = daily at 02:00 (timezone presumably the host's — confirm). The
# value contains spaces and asterisks; quote it if your loader word-splits.
BACKUP_SCHEDULE=0 2 * * *
# Backup retention
BACKUP_RETENTION_DAYS=30
# Backup location
BACKUP_PATH=/var/backups/infisical
# Encryption for backups
# Placeholder key. Keep it distinct from ENCRYPTION_KEY and never on the backup
# medium: a backup together with its key equals the live secret store, while a
# backup without the key is unrecoverable, so escrow it accordingly.
BACKUP_ENCRYPTION_ENABLED=true
BACKUP_ENCRYPTION_KEY=your-backup-encryption-key
# Recovery point objective (hours)
# RPO_HOURS=24 only holds if the daily BACKUP_SCHEDULE job actually succeeds;
# alert on failed or stale backups.
RPO_HOURS=24
# Recovery time objective (hours)
RTO_HOURS=4
# Emergency contact
RECOVERY_CONTACT_EMAIL=security@example.com
# Database connection pool
# Timeouts are presumably in milliseconds (30000 = 30 s) — confirm.
DB_POOL_MIN=2
DB_POOL_MAX=20
DB_POOL_IDLE_TIMEOUT=30000
DB_POOL_ACQUIRE_TIMEOUT=30000
# Redis connection pool
REDIS_POOL_MIN=1
REDIS_POOL_MAX=10
# Cache TTL (seconds)
CACHE_TTL=300
# Secret cache TTL
# A cached secret survives revocation for up to this long; keep it short.
SECRET_CACHE_TTL=60
# User session cache TTL
SESSION_CACHE_TTL=3600
# Node.js memory limit
# --max-old-space-size is in MB; 2048 = 2 GiB heap.
NODE_OPTIONS=--max-old-space-size=2048
# Max request body size (bytes)
# 52428800 bytes = 50 MiB.
MAX_REQUEST_SIZE=52428800
# Request timeout (ms)
# 60000 ms = 60 s.
REQUEST_TIMEOUT=60000
Organize projects by application or team:
├── Project: E-Commerce Platform
│   ├── Environment: development
│   ├── Environment: staging
│   └── Environment: production
├── Project: Mobile App
│   ├── Environment: development
│   ├── Environment: production
│   └── Environment: shared
└── Project: Infrastructure
    ├── Environment: kubernetes
    ├── Environment: terraform
    └── Environment: ci-cd
| Role | Permissions | Use Case |
|---|---|---|
| Admin | Full access to all secrets, users, and settings | Platform administrators |
| Developer | Read/write secrets in dev/staging | Development team |
| Operator | Read secrets in production, no write | SRE/Operations team |
| Auditor | Read-only access to secrets and audit logs | Compliance/Security team |
| Service Account | Programmatic access to specific secrets | CI/CD, applications |
# Example rotation policy configuration
rotation_policies:
  # Manual rotation: auto_rotate is off, so a listed approver presumably has to
  # sign off before the credential changes; notification_before gives them a
  # week's notice ahead of the 30-day interval.
  - name: Database Credentials
    secret_path: /production/database
    rotation_interval: 30d
    notification_before: 7d
    auto_rotate: false
    approvers:
      - dba-team
  # Automatic rotation delegated to a webhook. The endpoint handles production
  # API keys, so it must be HTTPS (as here) and must verify the caller;
  # NOTE(review): the page does not show how the webhook call is authenticated.
  - name: API Keys
    secret_path: /production/api-keys
    rotation_interval: 90d
    notification_before: 14d
    auto_rotate: true
    rotation_handler: webhook
    webhook_url: https://hooks.example.com/rotate
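# Create test script
cat > test-config.sh << 'EOF'
#!/usr/bin/env bash
# Smoke-test an Infisical configuration: the required variables are present and
# well-formed, and the database and Redis endpoints answer.
# Inputs:  SITE_URL, ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI, REDIS_URL
#          (environment variables)
# Outputs: progress on stdout, the failing check on stderr
# Returns: 0 when every check passes, 1 on the first failure
#
# DB_CONNECTION_URI and REDIS_URL embed credentials, and psql/redis-cli receive
# them as command-line arguments, which other local users can read from the
# process list. Run this only on a trusted host and never under `set -x`.
set -euo pipefail

# Print the failure and stop; diagnostics go to stderr.
fail() {
  printf '❌ %s\n' "$*" >&2
  exit 1
}

printf '%s\n' "Testing Infisical configuration..."

# Check required variables. "${!var:-}" keeps the indirect lookup safe under -u.
required_vars=("SITE_URL" "ENCRYPTION_KEY" "AUTH_SECRET" "DB_CONNECTION_URI" "REDIS_URL")
for var in "${required_vars[@]}"; do
  [[ -n "${!var:-}" ]] || fail "Missing required variable: $var"
  printf '✓ %s is set\n' "$var"
done

# Format checks from the variable table: SITE_URL is an absolute URL with a
# protocol, ENCRYPTION_KEY is the 32-character hex value `openssl rand -hex 16` emits.
[[ "$SITE_URL" =~ ^https?:// ]] || fail "SITE_URL must be an absolute URL including the protocol"
[[ "$ENCRYPTION_KEY" =~ ^[0-9a-fA-F]{32}$ ]] || fail "ENCRYPTION_KEY must be 32 hex characters"

# Fail early with a clear message instead of a "command not found" mid-run.
for tool in psql redis-cli; do
  command -v "$tool" >/dev/null 2>&1 || fail "$tool is not installed or not on PATH"
done

# Test database connection
printf '%s\n' "Testing database connection..."
psql "$DB_CONNECTION_URI" -c "SELECT 1;" >/dev/null || fail "Database connection failed"
printf '%s\n' "✓ Database connection successful"

# Test Redis connection. With pipefail a failing redis-cli fails the pipeline
# even though grep -q is what decides the answer.
printf '%s\n' "Testing Redis connection..."
redis-cli -u "$REDIS_URL" ping | grep -q "PONG" || fail "Redis did not answer PONG"
printf '%s\n' "✓ Redis connection successful"

printf '%s\n' "All configuration tests passed!"
EOF
chmod +x test-config.sh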
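# Test API health. -f turns an HTTP error status into a non-zero exit instead of
# feeding an error page to jq; -S still prints transport errors despite -s.
curl -fsS https://infisical.example.com/api/status | jq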
# Expected response (illustrative; the "version" field reports the release actually running, so it will differ from the 0.93.1 shown below)
{
"status": "ok",
"version": "0.93.1",
"uptime": 86400,
"database": "connected",
"redis": "connected"
}