docs/sdks/languages/go.mdx
If you're working with Go, the official Infisical Go SDK package is the easiest way to fetch and work with secrets for your application.
package main
import (
"fmt"
"os"
"context"
infisical "github.com/infisical/go-sdk"
)
func main() {
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
AutoTokenRefresh: true, // Wether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
})
_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
if err != nil {
fmt.Printf("Authentication failed: %v", err)
os.Exit(1)
}
apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
SecretKey: "API_KEY",
Environment: "dev",
ProjectID: "YOUR_PROJECT_ID",
SecretPath: "/",
})
if err != nil {
fmt.Printf("Error: %v", err)
os.Exit(1)
}
fmt.Printf("API Key Secret: %v", apiKeySecret)
}
This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.
$ go get github.com/infisical/go-sdk
Import the SDK and create a client instance.
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
SiteUrl: "https://app.infisical.com", // Optional, default is https://api.infisical.com
})
<ParamField query="UserAgent" type="string">
Optionally set the user agent that will be used for HTTP requests. _(Not recommended)_
</ParamField>
<ParamField query="AutoTokenRefresh" type="boolean" default={true} optional>
Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
</ParamField>
<ParamField query="SilentMode" type="boolean" default={false} optional>
Whether or not to suppress logs such as warnings from the token refreshing process. Defaults to false if not specified.
</ParamField>
<ParamField query="CacheExpiryInSeconds" type="number" default={0} optional>
Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
</ParamField>
<ParamField query="CustomHeaders" type="map[string]string" optional>
Allows you to pass custom headers to the HTTP requests made by the SDK. Expected format is a map of `Header1: Value1, Header2: Value 2`.
</ParamField>
</Expandable>
The Infisical Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed.
This behavior is enabled by default, but you can opt-out by setting AutoTokenRefresh to false in the client settings.
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
AutoTokenRefresh: false, // <- Disable automatic token refreshing
})
When using automatic token refreshing it's important to understand how your application uses the Infiiscal client. If you are instantiating new instances of the client often, it's important to cancel the context when the client is no longer needed to avoid the token refreshing process from running indefinitely.
ctx, cancel := context.WithCancel(context.Background())
defer cancel() // Cancel the context when the client is no longer needed
client := infisical.NewInfisicalClient(ctx, infisical.Config{
AutoTokenRefresh: true,
})
// Use the client
This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle. If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don't need to worry about this.
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Using environment variables
Call .Auth().UniversalAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.Using the SDK directly
_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
Call .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.Using the SDK directly
_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
Call .Auth().GcpIamAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.Using the SDK directly
_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
Call .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.Using the SDK directly
_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
Call .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.Using the SDK directly
_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
Call .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.Using the SDK directly
// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using the SDK
credential, err := client.Auth().JwtAuthLogin("MACHINE_IDENTITY_ID", "JWT_TOKEN")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
You can set the INFISICAL_LDAP_AUTH_IDENTITY_ID environment variable and pass empty string for the identity ID:
credential, err := client.Auth().LdapAuthLogin("", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using the SDK directly
credential, err := client.Auth().LdapAuthLogin("MACHINE_IDENTITY_ID", "LDAP_USERNAME", "LDAP_PASSWORD")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using environment variables
You can set the INFISICAL_OCI_AUTH_IDENTITY_ID environment variable and omit the IdentityID field:
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
UserID: "USER_OCID",
TenancyID: "TENANCY_OCID",
Fingerprint: "FINGERPRINT",
PrivateKey: "PRIVATE_KEY",
Region: "REGION",
})
if err != nil {
fmt.Println(err)
os.Exit(1)
}
Using the SDK directly
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
IdentityID: "MACHINE_IDENTITY_ID",
UserID: "USER_OCID",
TenancyID: "TENANCY_OCID",
Fingerprint: "FINGERPRINT",
PrivateKey: "PRIVATE_KEY",
Region: "REGION",
Passphrase: nil, // Optional: pointer to string if your private key has a passphrase
})
if err != nil {
fmt.Println(err)
os.Exit(1)
}
OciAuthLoginOptions fields:
IdentityID (string) - Your Infisical Machine Identity ID. Can be set via INFISICAL_OCI_AUTH_IDENTITY_ID environment variable.UserID (string) - Your OCI user OCID.TenancyID (string) - Your OCI tenancy OCID.Fingerprint (string) - Your OCI API key fingerprint.PrivateKey (string) - Your OCI private key (PEM format).Region (string) - Your OCI region (e.g., us-ashburn-1).Passphrase (*string) - Optional: pointer to passphrase string if your private key is encrypted.All SDK authentication methods support logging into a sub-organization that your machine identity has access to. This is optional and only necessary when attempting to authenticate into a sub-organization using an identity created at the root organization.
Use the .Auth().WithOrganizationSlug("<organization-slug>") method to specify which organization to authenticate against:
_, err := client.Auth().WithOrganizationSlug("ORGANIZATION_SLUG").UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")
if err != nil {
fmt.Println(err)
os.Exit(1)
}
client.Secrets().List(options)
Retrieve all secrets within the Infisical project and environment that client is connected to.
secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretPath: "/foo/bar",
AttachToProcessEnv: false,
})
<ParamField query="ProjectID" type="string">
The project ID where the secret lives in.
</ParamField>
<ParamField query="SecretPath" type="string" optional>
The path from where secrets should be fetched from.
</ParamField>
<ParamField query="AttachToProcessEnv" type="boolean" default="false" optional>
Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so `System.getenv("SECRET_NAME")`.
</ParamField>
<ParamField query="IncludeImports" type="boolean" default="false" optional>
Whether or not to include imported secrets from the current path. Read about [secret import](/documentation/platform/secret-reference)
</ParamField>
<ParamField query="Recursive" type="boolean" default="false" optional>
Whether or not to fetch secrets recursively from the specified path. Please note that there's a 20-depth limit for recursive fetching.
</ParamField>
<ParamField query="ExpandSecretReferences" type="boolean" default="true" optional>
Whether or not to expand secret references in the fetched secrets. Read about [secret reference](/documentation/platform/secret-reference)
</ParamField>
</Expandable>
client.Secrets().Retrieve(options)
Retrieve a secret from Infisical. By default Secrets().Retrieve() fetches and returns a shared secret.
secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
SecretKey: "API_KEY",
ProjectID: "PROJECT_ID",
Environment: "dev",
})
client.Secrets().Create(options)
Create a new secret in Infisical.
secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "NEW_SECRET_KEY",
SecretValue: "NEW_SECRET_VALUE",
SecretComment: "This is a new secret",
})
client.Secrets().Update(options)
Update an existing secret in Infisical.
secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "NEW_SECRET_KEY",
NewSecretValue: "NEW_SECRET_VALUE",
NewSkipMultilineEncoding: false,
})
client.Secrets().Delete(options)
Delete a secret in Infisical.
secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
SecretKey: "SECRET_KEY",
})
client.Secrets().Batch().Create(options)
Create multiple secrets in Infisical.
createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
Environment: "<environment-slug>",
SecretPath: "<secret-path>",
ProjectID: "<project-id>",
Secrets: []infisical.BatchCreateSecret{
{
SecretKey: "SECRET-1",
SecretValue: "test-value-1",
},
{
SecretKey: "SECRET-2",
SecretValue: "test-value-2",
},
},
})
<ParamField query="SecretMetadata" type="object" optional>
<Expandable>
<ParamField query="Key" type="string" required>
The key of the metadata.
</ParamField>
<ParamField query="Value" type="string" required>
The value of the metadata.
</ParamField>
</Expandable>
</ParamField>
</Expandable>
</ParamField>
client.Folders().List(options)
Retrieve all within the Infisical project and environment that client is connected to.
folders, err := client.Folders().List(infisical.ListFoldersOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
})
<ParamField query="ProjectID" type="string">
The project ID where the folder lives in.
</ParamField>
<ParamField query="Path" type="string" optional>
The path from where folders should be fetched from.
</ParamField>
</Expandable>
client.Folders().Create(options)
Create a new folder in Infisical.
folder, err := client.Folders().Create(infisical.CreateFolderOptions{
ProjectID: "PROJECT_ID",
Name: "new=folder-name",
Environment: "dev",
Path: "/",
})
client.Folders().Update(options)
Update an existing folder in Infisical.
folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
FolderID: "FOLDER_ID_TO_UPDATE",
NewName: "new-folder-name",
})
client.Folders().Delete(options)
Delete a folder in Infisical.
deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
// Either folder ID or folder name is required.
FolderName: "name-of-folder-to-delete",
FolderID: "folder-id-to-delete",
ProjectID: "PROJECT_ID",
Environment: "dev",
Path: "/",
})
<ParamField query="ProjectID" type="string" required>
The ID of the project where the folder lives in.
</ParamField>
<ParamField query="Environment" type="string" required>
The slug name (dev, prod, etc) of the environment from where the folder lives in.
</ParamField>
<ParamField query="Path" type="string" optional>
The path from where the folder should be deleted.
</ParamField>
</Expandable>
client.Kms().Keys().Create(options)
Create a new key in Infisical.
newKey, err := client.Kms().Keys().Create(infisical.KmsCreateKeyOptions{
KeyUsage: "<sign-verify>|<encrypt-decrypt>",
Description: "<key-description>",
Name: "<key-name>",
EncryptionAlgorithm: "<rsa-4096>|<ecc-nist-p256>|<aes-256-gcm>|<aes-128-gcm>",
ProjectId: "<project-id>",
})
Valid options for Signing/Verifying keys are:
- `rsa-4096`
- `ecc-nist-p256`
Valid options for Encryption/Decryption keys are:
- `aes-256-gcm`
- `aes-128-gcm`
</ParamField>
<ParamField query="ProjectId" type="string" required>
The ID of the project where the key will be created.
</ParamField>
client.Kms().Keys().Delete(options)
Delete a key in Infisical.
deletedKey, err = client.Kms().Keys().Delete(infisical.KmsDeleteKeyOptions{
KeyId: "<key-id>",
})
client.Kms().Signing().Sign(options)
Sign data in Infisical.
res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
KeyId: "<key-id>",
Data: "<data-to-sign>", // Must be a base64 encoded string.
SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
})
<Note>
If you are unsure about which signing algorithms are available for your key, you can use the `client.Kms().Signing().ListSigningAlgorithms()` method. It will return an array of signing algorithms that are available for your key.
</Note>
Valid options for `RSA 4096` keys are:
- `RSASSA_PSS_SHA_512`
- `RSASSA_PSS_SHA_384`
- `RSASSA_PSS_SHA_256`
- `RSASSA_PKCS1_V1_5_SHA_512`
- `RSASSA_PKCS1_V1_5_SHA_384`
- `RSASSA_PKCS1_V1_5_SHA_256`
Valid options for `ECC NIST P256` keys are:
- `ECDSA_SHA_512`
- `ECDSA_SHA_384`
- `ECDSA_SHA_256`
</ParamField>
client.Kms().Signing().Verify(options)
Verify data in Infisical.
res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
KeyId: "<key-id>",
Data: "<data-to-verify>", // Must be a base64 encoded string.
SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
})
client.Kms().Signing().ListSigningAlgorithms(options)
List signing algorithms in Infisical.
res, err := client.Kms().Signing().ListSigningAlgorithms(infisical.KmsListSigningAlgorithmsOptions{
KeyId: "<key-id>",
})
client.Kms().Signing().GetPublicKey(options)
Get the public key in Infisical.
publicKey, err := client.Kms().Signing().GetPublicKey(infisical.KmsGetPublicKeyOptions{
KeyId: "<key-id>",
})
client.Kms().Encryption().Encrypt(options)
Encrypt data with a key in Infisical KMS.
res, err := client.Kms().EncryptData(infisical.KmsEncryptDataOptions{
KeyId: "<key-id>",
Plaintext: "<data-to-encrypt>",
})
client.Kms().DecryptData(options)
Decrypt data with a key in Infisical KMS.
res, err := client.Kms().DecryptData(infisical.KmsDecryptDataOptions{
KeyId: "<key-id>",
Ciphertext: "<encrypted-data>",
})