Infisical Connection

docs/integrations/app-connections/external-infisical.mdx

Infisical supports connecting to a remote Infisical instance using a Machine Identity (Universal Auth). This enables you to sync secrets from one Infisical project to another — for example, from your cloud instance to a self-hosted deployment.

## Setup Infisical Connection in Infisical

<Tabs>
<Tab title="Infisical UI">
    <Steps>
        <Step title="Navigate to the remote Infisical instance">
            Open the **remote** Infisical instance (the one you want to sync secrets *to*) and navigate to **Organization** > **Access Control** > **Machine Identities**.
            ![Machine Identities Tab](/images/app-connections/external-infisical/machine-identities-tab.png)
        </Step>
        <Step title="Create a Machine Identity">
            Create a new Machine Identity. Give it a descriptive name (e.g., `infisical-sync-identity`).
            ![Create Machine Identity](/images/app-connections/external-infisical/create-machine-identity.png)
        </Step>
        <Step title="Configure Universal Auth">
            Select **Universal Auth** as the authentication method and create the identity.
            ![Configure Universal Auth](/images/app-connections/external-infisical/configure-universal-auth.png)
        </Step>
        <Step title="Copy the Client ID and create a Client Secret">
            Copy the **Client ID**. Then click **Create Client Secret** and copy the generated secret. Store both values in a secure location — the secret will not be shown again.
            ![Copy Client Credentials](/images/app-connections/external-infisical/copy-client-credentials.png)
        </Step>
        <Step title="Add the Machine Identity to the target project">
            Navigate to the project on the remote instance that you want to sync secrets to. Under **Project Settings** > **Access Control** > **Machine Identities**, add the Machine Identity you created and grant it a role with write permission on secrets (e.g. **Member** or a custom role with secret write access).
            ![Add Identity to Project](/images/app-connections/external-infisical/add-identity-to-project.png)
        </Step>
        <Step title="Navigate to App Connections in Infisical">
            Switch back to your **source** Infisical instance. Navigate to **Organization** > **App Connections** and click **Add Connection**.
            ![App Connections Tab](/images/app-connections/general/add-connection.png)
        </Step>
        <Step title="Select the Infisical Connection option">
            Choose the **Infisical** option from the connection list.
            ![Select Infisical Connection](/images/app-connections/external-infisical/select-external-infisical-connection-option.png)
        </Step>
        <Step title="Fill in the connection form">
            Complete the connection form with the following details:
            - **Instance URL**: The base URL of the remote Infisical instance (e.g., `https://infisical.example.com`).
            - **Machine Identity Client ID**: The Client ID copied in a previous step.
            - **Machine Identity Client Secret**: The Client Secret copied in a previous step.

            ![Infisical Connection Form](/images/app-connections/external-infisical/external-infisical-connection-form.png)
        </Step>
        <Step title="Connection Created">
            Your **Infisical Connection** is now available for use in Secret Syncs.
            ![Connection Created](/images/app-connections/external-infisical/external-infisical-connection-created.png)
        </Step>
    </Steps>
</Tab>
<Tab title="API">
    To create an Infisical Connection, make an API request to the [Create Infisical Connection](/api-reference/endpoints/app-connections/external-infisical/create) API endpoint.

    ### Sample request

    ```bash Request
    curl    --request POST \
            --url https://app.infisical.com/api/v1/app-connections/external-infisical \
            --header 'Authorization: Bearer <access-token>' \
            --header 'Content-Type: application/json' \
            --data '{
                "name": "my-infisical-connection",
                "method": "machine-identity-universal-auth",
                "credentials": {
                    "instanceUrl": "https://infisical.example.com",
                    "machineIdentityClientId": "<client-id>",
                    "machineIdentityClientSecret": "<client-secret>"
                }
            }'
    ```

    ### Sample response

    ```json Response
    {
        "appConnection": {
            "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
            "name": "my-infisical-connection",
            "version": 1,
            "orgId": "6f03caa1-a5de-43ce-b127-95a145d3464c",
            "createdAt": "2025-04-01T05:31:56Z",
            "updatedAt": "2025-04-01T05:31:56Z",
            "app": "external-infisical",
            "method": "machine-identity-universal-auth",
            "credentials": {
                "instanceUrl": "https://infisical.example.com",
                "machineIdentityClientId": "<client-id>"
            }
        }
    }
    ```
</Tab>
</Tabs>
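
The API flow above can be scripted so that the Client Secret never appears in shell history or a process argument list. The following is an added example, not code from the Infisical project: it checks that the Instance URL is an HTTPS base URL before credentials are sent to it, builds the request shown in the sample, and verifies that a response does not echo the Client Secret. The environment variable names, the helper names and the use of a bearer access token for the source instance are assumptions of this example.

```python
import json
import os
from urllib.parse import urlsplit
from urllib.request import Request

# Endpoint taken from the sample request on this page.
CREATE_URL = "https://app.infisical.com/api/v1/app-connections/external-infisical"

def validate_instance_url(url):
    """Return a normalized base URL, or raise if credentials should not be sent to it."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("instanceUrl must use https: the client secret is sent to it")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("instanceUrl needs a host and must not embed credentials")
    if parts.query or parts.fragment:
        raise ValueError("instanceUrl must be a base URL without query or fragment")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"

def build_request(name, instance_url, env=os.environ):
    """Build the create-connection POST; secrets are read from env, not argv."""
    body = {
        "name": name,
        "method": "machine-identity-universal-auth",
        "credentials": {
            "instanceUrl": validate_instance_url(instance_url),
            "machineIdentityClientId": env["REMOTE_CLIENT_ID"],  # assumed variable name
            "machineIdentityClientSecret": env["REMOTE_CLIENT_SECRET"],  # assumed
        },
    }
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {env['INFISICAL_TOKEN']}"}  # assumed
    return Request(CREATE_URL, data=json.dumps(body).encode(), headers=headers, method="POST")

def secret_echoed(response, secret):
    """True if the client secret appears anywhere in a parsed API response."""
    if isinstance(response, dict):
        return any(secret_echoed(v, secret) for v in response.values())
    if isinstance(response, list):
        return any(secret_echoed(v, secret) for v in response)
    return isinstance(response, str) and secret in response

if __name__ == "__main__":
    # Constructed values for a dry run; nothing is sent over the network.
    env = {"REMOTE_CLIENT_ID": "<client-id>", "REMOTE_CLIENT_SECRET": "constructed-secret",
           "INFISICAL_TOKEN": "constructed-token"}
    req = build_request("my-infisical-connection", "https://infisical.example.com/", env)
    print(req.get_method(), req.full_url, len(req.data), "bytes")
    sample = {"appConnection": {"credentials": {"machineIdentityClientId": "<client-id>"}}}
    print("secret echoed:", secret_echoed(sample, env["REMOTE_CLIENT_SECRET"]))
```

To send the request, pass the returned object to `urllib.request.urlopen` and run `secret_echoed` on the parsed JSON body before logging it.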