E2EE Enabled

E2EE enabled mode only works with Service Tokens and cannot be used with Identities.

Using Infisical’s API to read/write secrets with E2EE enabled allows you to create, update, and retrieve secrets but requires you to perform client-side encryption/decryption operations. For this reason, we recommend using one of the available SDKs instead.

Retrieve secrets

Retrieve all secrets for an Infisical project and environment.

const crypto = require('crypto');
const axios = require('axios');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
    cleartext += decipher.final('utf8');

    return cleartext;
}

const getSecrets = async () => {
	const serviceToken = 'your_service_token';
	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Get secrets for your project and environment
    const { data } = await axios.get(
       `${BASE_URL}/api/v3/secrets?${new URLSearchParams({
            environment: serviceTokenData.environment,
            workspaceId: serviceTokenData.workspace
        })}`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    const encryptedSecrets = data.secrets;

    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });

	// 4. Decrypt the (encrypted) secrets
    const secrets = encryptedSecrets.map((secret) => {
        const secretKey = decrypt({
          ciphertext: secret.secretKeyCiphertext,
          iv: secret.secretKeyIV,
          tag: secret.secretKeyTag,
          secret: projectKey
        });

        const secretValue = decrypt({
          ciphertext: secret.secretValueCiphertext,
          iv: secret.secretValueIV,
          tag: secret.secretValueTag,
          secret: projectKey
        });

        return ({
            secretKey,
            secretValue
        });
    });

    console.log('secrets: ', secrets);
}

getSecrets();

Create secret

Create a secret in Infisical.

const crypto = require('crypto');
const axios = require('axios');
const nacl = require('tweetnacl');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';
const BLOCK_SIZE_BYTES = 16;

const encrypt = ({ text, secret }) => {
    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);

    let ciphertext = cipher.update(text, 'utf8', 'base64');
    ciphertext += cipher.final('base64');
    return {
        ciphertext,
        iv: iv.toString('base64'),
        tag: cipher.getAuthTag().toString('base64')
    };
}

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
	cleartext += decipher.final('utf8');

	return cleartext;
}

const createSecrets = async () => {
    const serviceToken = '';
    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
    
    const secretType = 'shared'; // 'shared' or 'personal'
    const secretKey = 'some_key';
    const secretValue = 'some_value';
    const secretComment = 'some_comment';

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });
    
	// 3. Encrypt your secret with the project key
    const {
        ciphertext: secretKeyCiphertext,
        iv: secretKeyIV,
        tag: secretKeyTag
    } = encrypt({
        text: secretKey,
        secret: projectKey
    });

    const {
        ciphertext: secretValueCiphertext,
        iv: secretValueIV,
        tag: secretValueTag
    } = encrypt({
        text: secretValue,
        secret: projectKey
    });

    const {
        ciphertext: secretCommentCiphertext,
        iv: secretCommentIV,
        tag: secretCommentTag
    } = encrypt({
        text: secretComment,
        secret: projectKey
    });

	// 4. Send (encrypted) secret to Infisical
    await axios.post(
        `${BASE_URL}/api/v3/secrets/${secretKey}`,
        {
            workspaceId: serviceTokenData.workspace,
            environment: serviceTokenData.environment,
            type: secretType,
            secretKeyCiphertext,
            secretKeyIV,
            secretKeyTag,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
            secretCommentCiphertext,
            secretCommentIV,
            secretCommentTag
        },
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );
}

createSecrets();

Retrieve secret

Retrieve a secret from Infisical.

const crypto = require('crypto');
const axios = require('axios');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
    cleartext += decipher.final('utf8');

    return cleartext;
}

const getSecret = async () => {
	const serviceToken = 'your_service_token';
	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
    
    const secretType = 'shared' // 'shared' or 'personal'
    const secretKey = 'some_key';

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Get the secret from your project and environment
    const { data } = await axios.get(
       `${BASE_URL}/api/v3/secrets/${secretKey}?${new URLSearchParams({
            environment: serviceTokenData.environment,
            workspaceId: serviceTokenData.workspace,
            type: secretType // optional, defaults to 'shared'
        })}`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    const encryptedSecret = data.secret;

    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });

	// 4. Decrypt the (encrypted) secret value

    const secretValue = decrypt({
        ciphertext: encryptedSecret.secretValueCiphertext,
        iv: encryptedSecret.secretValueIV,
        tag: encryptedSecret.secretValueTag,
        secret: projectKey
    });

    console.log('secret: ', ({
        secretKey,
        secretValue
    }));
}

getSecret();

Update secret

Update an existing secret in Infisical.

const crypto = require('crypto');
const axios = require('axios');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';
const BLOCK_SIZE_BYTES = 16;

const encrypt = ({ text, secret }) => {
    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);

    let ciphertext = cipher.update(text, 'utf8', 'base64');
    ciphertext += cipher.final('base64');
    return {
        ciphertext,
        iv: iv.toString('base64'),
        tag: cipher.getAuthTag().toString('base64')
    };
}

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
	cleartext += decipher.final('utf8');

	return cleartext;
}

const updateSecrets = async () => {
    const serviceToken = 'your_service_token';
    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
    
    const secretType = 'shared' // 'shared' or 'personal'
    const secretKey = 'some_key';
    const secretValue = 'updated_value';
    const secretComment = 'updated_comment';

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });
    
	// 3. Encrypt your updated secret with the project key
    const {
        ciphertext: secretKeyCiphertext,
        iv: secretKeyIV,
        tag: secretKeyTag
    } = encrypt({
        text: secretKey,
        secret: projectKey
    });

    const {
        ciphertext: secretValueCiphertext,
        iv: secretValueIV,
        tag: secretValueTag
    } = encrypt({
        text: secretValue,
        secret: projectKey
    });

    const {
        ciphertext: secretCommentCiphertext,
        iv: secretCommentIV,
        tag: secretCommentTag
    } = encrypt({
        text: secretComment,
        secret: projectKey
    });
	
	// 4. Send (encrypted) updated secret to Infisical
    await axios.patch(
        `${BASE_URL}/api/v3/secrets/${secretKey}`,
        {
            workspaceId: serviceTokenData.workspace,
            environment: serviceTokenData.environment,
            type: secretType,
            secretValueCiphertext,
            secretValueIV,
            secretValueTag,
            secretCommentCiphertext,
            secretCommentIV,
            secretCommentTag
        },
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );
}

updateSecrets();

Delete secret

Delete a secret in Infisical.

const axios = require('axios'); 
const BASE_URL = 'https://app.infisical.com';

const deleteSecrets = async () => {
  const serviceToken = 'your_service_token';
  const secretType = 'shared' // 'shared' or 'personal'
  const secretKey = 'some_key'
  
  // 1. Get your Infisical Token data
  const { data: serviceTokenData } = await axios.get(
      `${BASE_URL}/api/v2/service-token`,
      {
          headers: {
              Authorization: `Bearer ${serviceToken}`
          }
      }
  );

  // 2. Delete secret from Infisical
  await axios.delete(
    `${BASE_URL}/api/v3/secrets/${secretKey}`,
    {
      workspaceId: serviceTokenData.workspace,
      environment: serviceTokenData.environment,
      type: secretType
    },
    {
      headers: {
        Authorization: `Bearer ${serviceToken}`
      },
    }
  );
};

deleteSecrets();

If using an API_KEY to authenticate with the Infisical API, then you should include it in the X_API_KEY header.

Overview

Endpoints