Read how to configure environment variables for self-hosted Infisical.
Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined.
However, you can configure additional settings to activate more features as needed.
Used to configure platform-specific security and operational settings
Must be a random 16 byte hex string. Can be generated with openssl rand -hex 16
Must be a random 32 byte base64 string. Can be generated with openssl rand -base64 32
Must be an absolute URL including the protocol (e.g. https://app.infisical.com).
The platform utilizes Postgres to persist all of its data and Redis for caching and background tasks.
Postgres database connection string.
Configure the SSL certificate for securing a Postgres connection by first encoding it in base64.
Use the command below to encode your certificate:
echo "<certificate>" | base64
Redis connection string.
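A preflight check for the four required variables, as an added example that is not part of the Infisical documentation or code base. It assumes the 16-byte hex rule applies to ENCRYPTION_KEY and the 32-byte base64 rule to AUTH_SECRET, in the order the page lists them; the function names and the distinct-character heuristic are hypothetical.

```shell
#!/bin/sh
# Added example: validate the required Infisical variables before start-up.
# The format rules come from the page; looks_random is an assumed heuristic.

# 16 random bytes in hex are exactly 32 hex characters.
is_hex16() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{32}$'
}

# 32 random bytes in base64 are 43 alphabet characters plus one '=' pad.
is_b64_32() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Heuristic (assumption): a value made of very few distinct characters,
# such as all zeros, was typed by hand rather than generated by openssl rand.
looks_random() {
    distinct=$(printf '%s' "$1" | fold -w1 | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -ge 8 ]
}

# Prints one line per problem and returns non-zero if any check fails.
# Secret values are never echoed, only the variable names.
check_infisical_env() {
    rc=0
    is_hex16 "${ENCRYPTION_KEY:-}" ||
        { echo "ENCRYPTION_KEY: expected 32 hex chars (openssl rand -hex 16)"; rc=1; }
    is_b64_32 "${AUTH_SECRET:-}" ||
        { echo "AUTH_SECRET: expected 44-char base64 (openssl rand -base64 32)"; rc=1; }
    looks_random "${ENCRYPTION_KEY:-}" ||
        { echo "ENCRYPTION_KEY: too few distinct characters"; rc=1; }
    looks_random "${AUTH_SECRET:-}" ||
        { echo "AUTH_SECRET: too few distinct characters"; rc=1; }
    [ -n "${DB_CONNECTION_URI:-}" ] || { echo "DB_CONNECTION_URI: not set"; rc=1; }
    [ -n "${REDIS_URL:-}" ] || { echo "REDIS_URL: not set"; rc=1; }
    return $rc
}
```

Source the file in the shell that holds the deployment's environment and run check_infisical_env before starting Infisical.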
Without email configuration, Infisical’s core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
Generic Configuration
Hostname to connect to for establishing SMTP connections
Credential to connect to host (e.g. team@infisical.com)
Credential to connect to host
Port to connect to for establishing SMTP connections
If true, use TLS when connecting to host. If false, TLS will be used if STARTTLS is supported
Email address to be used for sending emails
Name label to be used in From field (e.g. Team)
Twilio SendGrid
Remember that you will need to restart Infisical for this to work properly.
Mailgun
AWS SES
Create a verified identity
This will be used to verify the email you are sending from.
If your AWS SES account is in sandbox mode, you will only be able to send emails to verified identities.
Create an account and configure AWS SES
Create an IAM user for SMTP authentication and obtain SMTP credentials in SMTP settings > Create SMTP credentials
Set up your SMTP environment variables
With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.
Remember that you will need to restart Infisical for this to work properly.
SocketLabs
The SMTP_FROM_ADDRESS environment variable should be an email for an authenticated domain under Configuration > Domain Management in SocketLabs.
For example, if you’re using SocketLabs in sandbox mode, then you may use an email like team@sandbox.socketlabs.dev.
Remember that you will need to restart Infisical for this to work properly.
Resend
Gmail
Create an account and enable “less secure app access” in Gmail Account Settings > Security. This will allow applications like Infisical to authenticate with Gmail via your username and password.
With your Gmail username and password, you can set your SMTP environment variables:
As per the notice by Google, you should note that using Gmail credentials for SMTP configuration will only work for Google Workspace or Google Cloud Identity customers as of May 30, 2022.
Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
Office365
Create an account and configure Office365 to send emails.
With your login credentials, you can now set up your SMTP environment variables:
Zoho Mail
Create an account and configure Zoho Mail to send emails.
With your email credentials, you can now set up your SMTP environment variables:
You can use either your personal Zoho email address like you@zohomail.com or a domain-based email address like you@yourdomain.com. If using a domain-based email address, then please make sure that you’ve configured and verified it with Zoho Mail.
Remember that you will need to restart Infisical for this to work properly.
By default, users can only log in with the email/password method. To log in to Infisical with OAuth providers such as Google, configure the associated variables.
Follow detailed guide to configure Google SSO
OAuth2 client ID for Google login
OAuth2 client secret for Google login
GitHub
Follow detailed guide to configure GitHub SSO
OAuth2 client ID for GitHub login
OAuth2 client secret for GitHub login
GitLab
Follow detailed guide to configure GitLab SSO
OAuth2 client ID for GitLab login
OAuth2 client secret for GitLab login
URL of your self-hosted instance of GitLab where the OAuth application is registered
Okta SAML
Requires enterprise license. Please contact team@infisical.com to get more information.
Azure SAML
Requires enterprise license. Please contact team@infisical.com to get more information.
JumpCloud SAML
Requires enterprise license. Please contact team@infisical.com to get more information.
Configure SAML organization slug to automatically redirect all users of your Infisical instance to the identity provider.
To help you sync secrets from Infisical to services such as GitHub and GitLab, Infisical provides native integrations out of the box.
Heroku
Vercel
Netlify
GitHub
Bitbucket
GCP Secrets Manager
Azure
GitLab