infisical login

docs/cli/commands/login.mdx

```bash
infisical login
```

Description

The CLI uses authentication to verify your identity. You can authenticate using:

  • Browser Login (default): Opens a browser for authentication
  • Direct Login: Provide email and password via flags or environment variables for non-interactive workflows
  • Interactive CLI Login: Use the --interactive flag to enter credentials via CLI prompts

When authenticated, a token is generated and saved in your system keyring so that subsequent CLI commands can use it.

To change where the login credentials are stored, visit the vaults command.

If you have added multiple users, you can switch between the users by using the user command.

<Info>
  **JWT Token Output:**
  - For **user authentication** with the `--plain --silent` flags: outputs only the JWT access token (useful for scripting)
  - For **machine identity authentication**: an access token is always printed to the console

  Use the `--plain` flag to print only the token in plain text and the `--silent` flag to disable update alerts.

  Both flags are ideal for capturing the token in environment variables or CI/CD pipelines.
</Info>

Authentication Methods

The Infisical CLI supports two main categories of authentication: User Authentication and Machine Identity Authentication.

User Authentication

User authentication is designed for individual developers and supports multiple login flows.

<AccordionGroup>
<Accordion title="User">
The User authentication method allows you to log in with your email and password. This method supports three different login flows:
  • Browser Login (default): Opens a browser for authentication
  • Direct Login: Provide credentials via flags or environment variables for CI/CD
  • Interactive CLI Login: Enter credentials via CLI prompts using --interactive

<ParamField query="Flags">
<Expandable title="properties">
    <ParamField query="email" type="string" optional>
    Your email address. Required for direct login along with `--password` and `--organization-id`.
    </ParamField>
    <ParamField query="password" type="string" optional>
    Your password. Required for direct login along with `--email` and `--organization-id`.
    </ParamField>
    <ParamField query="organization-id" type="string" optional>
    Your organization id. Required for direct login along with `--password` and `--email`.
    </ParamField>
    <ParamField query="interactive" type="boolean" optional>
    Force interactive CLI login instead of browser-based authentication.
    </ParamField>
    <ParamField query="plain" type="boolean" optional>
    Output only the JWT token (useful for scripting and CI/CD).
    </ParamField>
</Expandable>
</ParamField>
<AccordionGroup>
  <Accordion title="Browser Login (Default)">
    ```bash
    infisical login
    ```
  </Accordion>
  <Accordion title="Direct Login (CI/CD)">
    ```bash
    infisical login --email=<email> --password=your-password --organization-id=your-organization-id
    # Or using environment variables
    export INFISICAL_EMAIL="<email>"
    export INFISICAL_PASSWORD="your-password"
    export INFISICAL_ORGANIZATION_ID="your-organization-id"
    infisical login
    ```
  </Accordion>
  <Accordion title="Interactive CLI Login">
    ```bash
    infisical login --interactive
    ```
  </Accordion>
  <Accordion title="Plain Token Output (Useful for scripting and CI/CD)">
    ```bash
    export INFISICAL_TOKEN=$(infisical login --email=<email> --password=your-password --organization-id=your-organization-id --plain --silent)
    ```
  </Accordion>
</AccordionGroup>
</Accordion> </AccordionGroup>

Machine Identity Authentication

Machine identity authentication methods are designed for automated systems, services, and CI/CD pipelines.

<AccordionGroup>
<Accordion title="Universal Auth">
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a machine identity client ID and client secret.
<ParamField query="Flags">
<Expandable title="properties">
    <ParamField query="client-id" type="string" required>
    Your machine identity client ID.
    </ParamField>
    <ParamField query="client-secret" type="string" required>
    Your machine identity client secret.
    </ParamField>
</Expandable>
</ParamField>
<Steps>
<Step title="Create a universal auth machine identity">
To create a universal auth machine identity, follow the step-by-step guide outlined [here](/documentation/platform/identities/universal-auth).
</Step>
<Step title="Obtain an access token">
Run the `login` command with the following flags to obtain an access token:
```bash
  infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret>
```
</Step>
</Steps>
</Accordion>
<Accordion title="Native Kubernetes">
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
<ParamField query="Flags">
<Expandable title="properties">
    <ParamField query="machine-identity-id" type="string" required>
    Your machine identity ID.
    </ParamField>
    <ParamField query="service-account-token-path" type="string" optional>
      Path to the Kubernetes service account token to use. Default: `/var/run/secrets/kubernetes.io/serviceaccount/token`.
    </ParamField>
</Expandable>
</ParamField>
<Steps>
<Step title="Create a Kubernetes machine identity">
To create a Kubernetes machine identity, follow the step-by-step guide outlined [here](/documentation/platform/identities/kubernetes-auth).
</Step>
<Step title="Obtain an access token">
Run the `login` command with the following flags to obtain an access token:
```bash
  # --service-account-token-path is optional, and will default to '/var/run/secrets/kubernetes.io/serviceaccount/token' if not provided.
  infisical login --method=kubernetes --machine-identity-id=<machine-identity-id> --service-account-token-path=<service-account-token-path>
```
</Step>
</Steps>
</Accordion>
<Accordion title="Native Azure">
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="machine-identity-id" type="string" required>
        Your machine identity ID.
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Create an Azure machine identity">
    To create an Azure machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/azure-auth).
  </Step>
  <Step title="Obtain an access token">
   Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=azure --machine-identity-id=<machine-identity-id>
  ```
  </Step>
</Steps>
</Accordion>
<Accordion title="Native GCP ID Token">
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="machine-identity-id" type="string" required>
        Your machine identity ID.
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Create a GCP machine identity">
    To create a GCP machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/gcp-auth).
  </Step>
  <Step title="Obtain an access token">
    Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=gcp-id-token --machine-identity-id=<machine-identity-id>
  ```
  </Step>
</Steps>
</Accordion>
<Accordion title="GCP IAM">
The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="machine-identity-id" type="string" required>
      Your machine identity ID.
      </ParamField>
      <ParamField query="service-account-key-file-path" type="string" required>
        Path to your GCP service account key file _(Must be in JSON format!)_
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Create a GCP machine identity">
    To create a GCP machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/gcp-auth).
  </Step>
  <Step title="Obtain an access token">
    Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path>
  ```
  </Step>
</Steps>
</Accordion>
<Accordion title="Native AWS IAM">
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment such as EC2 or Lambda.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="machine-identity-id" type="string" required>
        Your machine identity ID.
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Create an AWS machine identity">
    To create an AWS machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/aws-auth).
  </Step>
  <Step title="Obtain an access token">
    Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=aws-iam --machine-identity-id=<machine-identity-id>
  ```
  </Step>
</Steps>
</Accordion>
<Accordion title="OIDC Auth">
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="machine-identity-id" type="string" required>
        Your machine identity ID.
      </ParamField>
      <ParamField query="jwt" type="string" required>
        The OIDC JWT from the identity provider.
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Create an OIDC machine identity">
    To create an OIDC machine identity, follow the step by step guide outlined [here](/documentation/platform/identities/oidc-auth/general).
  </Step>
  <Step title="Obtain an access token">
    Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt>
  ```
  </Step>
</Steps>
</Accordion>
<Accordion title="JWT Auth">
The JWT Auth method is used to authenticate with Infisical via a JWT token.
<ParamField query="Flags">
  <Expandable title="properties">
      <ParamField query="jwt" type="string" required>
        The JWT token to use for authentication.
      </ParamField>
      <ParamField query="machine-identity-id" type="string" required>
        Your machine identity ID.
      </ParamField>
  </Expandable>
</ParamField>

<Steps>
  <Step title="Obtain an access token">
    Run the `login` command with the following flags to obtain an access token:

  ```bash
    infisical login --method=jwt-auth --jwt=<jwt-token> --machine-identity-id=<machine-identity-id>
  ```
  </Step>
</Steps>
</Accordion> </AccordionGroup>

Flags

The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command.

<AccordionGroup>
<Accordion title="--method">
```bash
infisical login --method=<auth-method> # Optional, will default to 'user'.
```
#### Valid values for the `method` flag are:
- `user`: Login using email and password. (default)
- `universal-auth`: Login using a universal auth client ID and client secret.
- `kubernetes`: Login using a Kubernetes native auth.
- `azure`: Login using an Azure native auth.
- `gcp-id-token`: Login using a GCP ID token native auth.
- `gcp-iam`: Login using a GCP IAM.
- `aws-iam`: Login using an AWS IAM native auth.
- `oidc-auth`: Login using OIDC auth.
- `jwt-auth`: Login using a plain JWT token.
</Accordion>
<Accordion title="--organization-slug">
```bash
infisical login --method=<auth-method> --organization-slug="team2"
```
#### Description
This authenticates the machine identity against the specified sub-organization.
<Tip>
  The `organization-slug` flag can be substituted with the `INFISICAL_AUTH_ORGANIZATION_SLUG` environment variable.
</Tip>

<Info>
   If no organization slug is provided, the authentication session defaults to the organization where the machine identity was originally created.
</Info>
</Accordion>
<Accordion title="--client-id">
```bash
infisical login --client-id=<client-id> # Optional, required if --method=universal-auth.
```
#### Description
The client ID of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.

<Tip>
  The `client-id` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--client-secret">
```bash
infisical login --client-secret=<client-secret> # Optional, required if --method=universal-auth.
```
#### Description
The client secret of the universal auth machine identity. This is required if the `--method` flag is set to `universal-auth`.
<Tip>
  The `client-secret` flag can be substituted with the `INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET` environment variable.
</Tip>
</Accordion>
<Accordion title="--machine-identity-id">
```bash
infisical login --machine-identity-id=<your-machine-identity-id> # Optional, required if --method=kubernetes, azure, gcp-id-token, gcp-iam, aws-iam, oidc-auth, or jwt-auth.
```
#### Description
The ID of the machine identity. This is required if the `--method` flag is set to `kubernetes`, `azure`, `gcp-id-token`, `gcp-iam`, `aws-iam`, `oidc-auth`, or `jwt-auth`.

<Tip>
  The `machine-identity-id` flag can be substituted with the `INFISICAL_MACHINE_IDENTITY_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-token-path">
```bash
infisical login --service-account-token-path=<service-account-token-path> # Optional, will default to '/var/run/secrets/kubernetes.io/serviceaccount/token'.
```
#### Description
The path to the Kubernetes service account token to use for authentication.
This is optional and will default to `/var/run/secrets/kubernetes.io/serviceaccount/token`.

<Tip>
The `service-account-token-path` flag can be substituted with the `INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH` environment variable.
</Tip>
</Accordion>
<Accordion title="--service-account-key-file-path">
```bash
infisical login --service-account-key-file-path=<gcp-service-account-key-file-path> # Optional, but required if --method=gcp-iam.
```
#### Description
The path to your GCP service account key file. This is required if the `--method` flag is set to `gcp-iam`.

<Tip>
  The `service-account-key-file-path` flag can be substituted with the `INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH` environment variable.
</Tip>
</Accordion>
<Accordion title="--email">
```bash
infisical login --email=<email> --password=<password> --organization-id=<organization-id>
```
#### Description
User email address. Required for a non-interactive login when the **--method** flag is set to **user**. Must be used together with the `--password` and `--organization-id` flags.

<Tip>
  You can omit **--method=user**, since it is the default method.
</Tip>

<Tip>
  The `email` flag can be substituted with the `INFISICAL_EMAIL` environment variable.
</Tip>
</Accordion>
<Accordion title="--password">
```bash
infisical login --email=<email> --password=<password> --organization-id=<organization-id>
```
#### Description
User password. Required for a non-interactive login when the **--method** flag is set to **user**. Must be used together with the `--email` and `--organization-id` flags.

<Warning>
  For security in CI/CD environments, prefer using the `INFISICAL_PASSWORD` environment variable instead of passing the password as a command-line flag.
</Warning>

<Tip>
  You can omit **--method=user**, since it is the default method.
</Tip>

<Tip>
  The `password` flag can be substituted with the `INFISICAL_PASSWORD` environment variable.
</Tip>
</Accordion>
<Accordion title="--organization-id">
```bash
infisical login --email=<email> --password=<password> --organization-id=<organization-id>
```
#### Description
User organization id. Required for a non-interactive login when the **--method** flag is set to **user**. Must be used together with the `--email` and `--password` flags.

<Tip>
  You can omit **--method=user**, since it is the default method.
</Tip>

<Tip>
  The `organization-id` flag can be substituted with the `INFISICAL_ORGANIZATION_ID` environment variable.
</Tip>
</Accordion>
<Accordion title="--interactive">
```bash
infisical login --interactive
```
#### Description
Forces interactive CLI login where you'll be prompted to enter your email, password, and select your organization in the terminal, instead of opening a browser.
</Accordion>
<Accordion title="--plain">
```bash
infisical login --email=<email> --password=<password> --organization-id=<organization-id> --plain
```
#### Description
When used with direct user login or machine identity authentication, outputs only the JWT access token without any additional formatting. This is useful for scripting and CI/CD pipelines where you need to capture the token.

```bash
# Example: Capture token in a variable
export INFISICAL_TOKEN=$(infisical login --email=<email> --password=<password> --organization-id=<organization-id> --plain --silent)
```

<Tip>
  Use it alongside the `--silent` flag to disable all console messages except for the access token.
</Tip>
</Accordion>
<Accordion title="--jwt">
```bash
infisical login --jwt=<jwt-token> --machine-identity-id=<machine-identity-id>
```
#### Description
The JWT provided by an identity provider for OIDC or plain JWT authentication. This is required if the `--method` flag is set to `oidc-auth` or `jwt-auth`.

<Tip>
The `jwt` flag can be substituted with the `INFISICAL_JWT` environment variable.
</Tip>
</Accordion>
<Accordion title="--domain">
```bash
infisical login --domain=<domain-url>
```
#### Description
Specifies the Infisical API URL for non-US Cloud instances. This flag is required when connecting to any instance other than US Cloud (e.g. EU Cloud or self-hosted).

```bash
# Example for EU Cloud
infisical login --domain="https://eu.infisical.com"

# Example for localhost
infisical login --domain="http://localhost:8080"

# Example for self-hosted
infisical login --domain="https://your-self-hosted-infisical.com"
```

<Warning>
  **Critical:** If you use `--domain` during login, you must also include it on **all subsequent CLI commands** (e.g., `infisical secrets`, `infisical export`, etc.). Alternatively, set the `INFISICAL_API_URL` environment variable to avoid having to use `--domain` on every command. Refer to the [Domain Configuration](/cli/usage#domain-configuration) section for more details.
</Warning>
</Accordion> </AccordionGroup>

User Authentication Examples

The following examples demonstrate different ways to authenticate as a user with the Infisical CLI.

<AccordionGroup>
<Accordion title="Browser Login (Default)">
By default, running `infisical login` without any flags opens your browser for authentication.
```bash
# Opens browser for authentication
infisical login
```

The browser will open to the Infisical login page, and upon successful authentication, the CLI will be automatically authenticated.
</Accordion>
<Accordion title="Direct Login (Non-Interactive)">
Direct login is ideal for CI/CD pipelines and automation scripts where browser-based authentication is not possible.
#### Using Command-Line Flags

```bash
# Basic direct login (defaults to US Cloud)
infisical login --email <email> --password "your-password" --organization-id "your-organization-id"

# Basic direct login (EU Cloud)
infisical login --domain https://eu.infisical.com --email <email> --password "your-password" --organization-id "your-organization-id"

# Basic direct login (Self-hosted Instance)
infisical login --domain https://your-self-hosted-infisical.com --email <email> --password "your-password" --organization-id "your-organization-id"

# Output only JWT token for scripting
export INFISICAL_TOKEN=$(infisical login --email <email> --password "your-password" --organization-id "your-organization-id" --plain --silent)
```

#### Using Environment Variables (Recommended for CI/CD)

```bash
# Set credentials as environment variables
export INFISICAL_EMAIL="<email>"
export INFISICAL_PASSWORD="your-password"
export INFISICAL_ORGANIZATION_ID="your-organization-id"

# Login without additional flags
infisical login

# Or with plain output for token capture
export INFISICAL_TOKEN=$(infisical login --plain --silent)
```

<Warning>
  **For non-US Cloud instances:** If you're using EU Cloud or a self-hosted instance, you must set `INFISICAL_API_URL` before login or use `--domain` on all commands. Refer to the [Domain Configuration](/cli/usage#domain-configuration) section for more details.
</Warning>
</Accordion>
<Accordion title="Interactive CLI Login">
Interactive login prompts you to enter credentials in the terminal instead of opening a browser.
```bash
# Force interactive CLI login
infisical login --interactive
```

You'll be prompted to enter:
- Email address
- Password

After the prompt, you will be shown a list of organizations to choose from.
</Accordion>
</AccordionGroup>

<Tip>
  If you have SSO enabled, we recommend using the default browser login.
</Tip>

Machine Identity Authentication Quick Start

In this example we'll use the universal-auth method to log in and obtain an Infisical access token, which we will then use to fetch secrets.

<Steps>
<Step title="Obtain an access token">
    ```bash
    # --silent and --plain are important to ensure only the token itself is printed, so it can be set as an environment variable.
    export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret> --silent --plain)
    ```
    <Warning>
      **For non-US Cloud instances:** If you're using EU Cloud or a self-hosted instance, you must set `INFISICAL_API_URL` before login or use `--domain` on all commands. Refer to the [Domain Configuration](/cli/usage#domain-configuration) section for more details.
    </Warning>

    Now that we've set the `INFISICAL_TOKEN` environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the `INFISICAL_TOKEN` environment variable and use it for authentication.


    Alternatively, if you would rather use the `--token` flag to pass the token directly, you can do so by running the following command:

    ```bash
      infisical [command] --token=<your-access-token> # The token output from the login command.
    ```
</Step>

  <Step title="Fetch all secrets from an environment">
    ```bash
      infisical secrets --projectId=<your-project-id> --env=dev --recursive
    ```

    This command will fetch all secrets from the `dev` environment in your project, including all secrets in subfolders.

    <Info>
      The `--recursive` and `--env` flags are optional. `--recursive` also fetches secrets in subfolders, and the environment defaults to `dev` if no `--env` flag is provided.
    </Info>
</Step>
</Steps>
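A login wrapper for the two non-interactive flows on this page (direct user login via environment variables, and the universal-auth quick start above), added here as an example; it is not part of the Infisical docs or CLI. It assumes the `infisical` binary is on PATH, and the names `INFISICAL_CMD`, `login_token`, `require_env` and `looks_like_jwt` are introduced here. The point it adds is that `$(... --plain --silent)` captures whatever the CLI printed, so a CI job should verify it actually holds a token before exporting it.

```shell
#!/bin/sh
# Added example (not Infisical's own code). Wraps `infisical login --plain --silent`
# so a CI job fails fast, without leaking credentials, when no token came back.
# INFISICAL_CMD lets a test substitute a stub for the real binary (assumption).

# Return 0 if $1 has the shape of a JWT: three non-empty base64url segments.
# Empty output, an error line or an update notice all fail this check.
looks_like_jwt() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$'
}

# Check that each named variable is set and non-empty. Only the name is
# reported, never the value, so the CI log does not carry a credential.
require_env() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing required environment variable: $name" >&2
      return 1
    fi
  done
}

# Obtain an access token for the given method (default: user) and print it.
# Variables read, as documented on this page:
#   user:           INFISICAL_EMAIL, INFISICAL_PASSWORD, INFISICAL_ORGANIZATION_ID
#   universal-auth: INFISICAL_UNIVERSAL_AUTH_CLIENT_ID, INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET
login_token() {
  method="${1:-user}"
  cmd="${INFISICAL_CMD:-infisical}"
  case "$method" in
    user)
      require_env INFISICAL_EMAIL INFISICAL_PASSWORD INFISICAL_ORGANIZATION_ID || return 1 ;;
    universal-auth)
      require_env INFISICAL_UNIVERSAL_AUTH_CLIENT_ID INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET || return 1 ;;
    *)
      echo "unsupported method for this helper: $method" >&2; return 1 ;;
  esac
  # Credentials travel via environment variables, never argv, so they do not
  # appear in process listings or shell history on the runner.
  token=$("$cmd" login --method="$method" --plain --silent) || return 1
  if ! looks_like_jwt "$token"; then
    echo "login did not return a token (check credentials and INFISICAL_API_URL / --domain)" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# Usage in a CI job: export the token once; later commands pick it up automatically.
#   INFISICAL_TOKEN=$(login_token universal-auth) && export INFISICAL_TOKEN
#   infisical secrets --projectId=<your-project-id> --env=dev --recursive
```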