docs/self-hosting/configuration/envars.mdx
Infisical accepts all configurations via environment variables. For a minimal self-hosted instance, at least ENCRYPTION_KEY, AUTH_SECRET, DB_CONNECTION_URI and REDIS_URL must be defined.
However, you can configure additional settings to activate more features as needed.
Used to configure platform-specific security and operational settings
<ParamField query="ENCRYPTION_KEY" type="string" default="none" required> Must be a random 16 byte hex string. Can be generated with `openssl rand -hex 16` </ParamField> <ParamField query="AUTH_SECRET" type="string" default="none" required> Must be a random 32 byte base64 string. Can be generated with `openssl rand -base64 32` </ParamField> <ParamField query="SITE_URL" type="string" default="none" required> Must be an absolute URL including the protocol (e.g. https://app.infisical.com). </ParamField> <ParamField query="PORT" type="int" default="8080" optional> Specifies the internal port on which the application listens. </ParamField> <ParamField query="HOST" type="string" default="localhost" optional> Specifies the network interface Infisical will bind to when accepting incoming connections.By default, Infisical binds to localhost, which restricts access to connections from the same machine.
To make the application accessible externally (e.g., for self-hosted deployments), set this to 0.0.0.0, which tells the server to listen on all network interfaces.
Example values:
localhost (default, same as 127.0.0.1)0.0.0.0 (all interfaces, accessible externally)192.168.1.100 (specific interface IP)<ParamField query="ALLOW_INTERNAL_IP_CONNECTIONS" type="bool" default="false" optional
Determines whether App Connections, Dynamic Secrets, and PKI Certificate Discovery jobs are permitted to connect with internal/private IP addresses. </ParamField>
<ParamField query="KUBERNETES_AUTO_FETCH_SERVICE_ACCOUNT_TOKEN" type="bool" default="false" optional
Determines whether your Infisical instance can automatically read the service account token of the pod it's running on. Used for features such as the IRSA auth method. </ParamField>
<ParamField query="TRUSTED_PROXY_CIDRS" type="string" optional> Comma-separated list of trusted reverse-proxy CIDRs or named ranges whose forwarded-IP headers (e.g. `X-Forwarded-For`) Infisical will honor.Accepted values are IPv4/IPv6 CIDR notation or the named aliases loopback, linklocal, and uniquelocal.
TRUSTED_PROXY_CIDRS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
When set, only requests arriving from a socket address within this list will have their forwarded-IP headers respected. Requests from any other source fall back to using the raw socket IP. This prevents IP allowlist bypass via spoofed proxy headers.
When unset, Infisical trusts all forwarded-IP headers (legacy behavior, preserved for backwards compatibility with existing self-hosted deployments).
<Warning> If your deployment sits behind a reverse proxy (e.g. Nginx, AWS ALB, Cloudflare), you should set this to the CIDR range of your proxy to prevent clients from spoofing their source IP. Leaving this unset is only safe when Infisical is not reachable directly from the internet. </Warning> </ParamField>Cross-Origin Resource Sharing (CORS) is a security feature that allows web applications running on one domain to access resources from another domain. The following environment variables can be used to configure the Infisical Rest API to allow or restrict access to resources from different origins.
<ParamField query="CORS_ALLOWED_ORIGINS" type="string" optional>Specify a list of origins that are allowed to access the Infisical API.
An example value would be CORS_ALLOWED_ORIGINS=["https://example.com"].
Defaults to the same value as your SITE_URL environment variable.
Defaults to reflecting the headers specified in the request's Access-Control-Request-Headers header.
</ParamField>The platform utilizes Postgres to persist all of its data and Redis for caching and backgroud tasks
Many cloud providers provide a CA certificate for their data regions that you can use to secure your connection with SSL.
<AccordionGroup> <Accordion title="AWS RDS"> If you're hosting your database on AWS RDS, you can use their publicly available CA certificate as the database root certificate. You can find all the available CA certificates for AWS RDS on the official [AWS RDS documentation](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html).
As an example, if your RDS cluster is hosted in `us-east-1` _(US East, N. Virginia)_, you can use the following root certificate: https://truststore.pki.rds.amazonaws.com/us-east-1/us-east-1-bundle.pem.
All the available CA certificates can be found in the AWS RDS documentation linked above.
Remember to base64 encode the certificate before setting it as the `DB_ROOT_CERT` environment variable. `cat /path/to/certificate.pem | base64`.
```bash
DB_ROOT_CERT=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1 # .... (base64 encoded certificate)
DB_CONNECTION_URI=<rds-endpoint>?sslmode=verify-ca # or verify-full depending on your security policies
```
</Accordion>
If not provided it will use master SSL certificate.
</ParamField>
ClickHouse can be used as an alternative audit log storage backend for high-volume deployments. See the ClickHouse Setup Guide for more details.
<ParamField query="CLICKHOUSE_URL" type="string" optional> ClickHouse connection URL. Example: `http://user:password@host:8123/database` </ParamField> <ParamField query="CLICKHOUSE_AUDIT_LOG_ENABLED" type="string" default="true"> Enable inserting audit logs into ClickHouse. Defaults to `true` when `CLICKHOUSE_URL` is set. </ParamField> <ParamField query="CLICKHOUSE_AUDIT_LOG_TABLE_NAME" type="string" default="audit_logs"> ClickHouse table name for audit logs. </ParamField> <ParamField query="CLICKHOUSE_AUDIT_LOG_ENGINE" type="string" default="ReplacingMergeTree"> ClickHouse engine for the audit logs table, used during table creation. Example: `ReplacingMergeTree` or `SharedReplacingMergeTree('/clickhouse/tables/{uuid}/{shard}', '{replica}')`. </ParamField> <ParamField query="CLICKHOUSE_AUDIT_LOG_INSERT_SETTINGS" type="string" optional> ClickHouse insert settings as a JSON string. Applied when inserting audit logs.Default: {"async_insert":1,"wait_for_async_insert":0,"date_time_input_format":"best_effort"}
</ParamField>
Redis is used for caching and background tasks. You can use either a standalone Redis instance, Redis Sentinel, or Redis Cluster setup.
<Info> **Active-passive** setup is recommended for Redis. Infisical has not been tested with **Active-active** setup for Redis and may result in undocumented behavior. </Info> <Tabs> <Tab title="Redis Standalone"> <ParamField query="REDIS_URL" type="string" default="none" required> Redis connection string. For SSL/TLS connections, use the `rediss://` protocol (note the double 's'). Examples:
- Without SSL: `redis://localhost:6379`
- With SSL: `rediss://localhost:6379`
- With authentication: `redis://:password@localhost:6379`
- With SSL and authentication: `rediss://:password@localhost:6379`
</ParamField>
The paramters like username, password, tls, redis type of the primary instance will be inherited.
To connect to Redis with SSL/TLS, use the rediss:// protocol (note the double 's') in your connection string.
If your Redis server uses a certificate signed by a private CA or a self-signed certificate, set the NODE_EXTRA_CA_CERTS environment variable to the path of your CA certificate file:
REDIS_URL=rediss://your-redis-host:6379
NODE_EXTRA_CA_CERTS=/path/to/ca.crt
For Redis Sentinel or Cluster mode, use the REDIS_SENTINEL_ENABLE_TLS or REDIS_CLUSTER_ENABLE_TLS environment variables respectively.
Without email configuration, Infisical's core functions like sign-up/login and secret operations work, but this disables multi-factor authentication, email invites for projects, alerts for suspicious logins, and all other email-dependent features.
<Accordion title="Generic Configuration"> <ParamField query="SMTP_HOST" type="string" default="none" optional> Hostname to connect to for establishing SMTP connections </ParamField> <ParamField query="SMTP_PORT" type="string" default="587" optional> Port to connect to for establishing SMTP connections </ParamField> <ParamField query="SMTP_USERNAME" type="string" default="none" optional> Credential to connect to host (e.g. [email protected]) </ParamField> <ParamField query="SMTP_PASSWORD" type="string" default="none" optional> Credential to connect to host </ParamField> <ParamField query="SMTP_FROM_ADDRESS" type="string" default="none" optional> Email address to be used for sending emails </ParamField> <ParamField query="SMTP_FROM_NAME" type="string" default="none" optional> Name label to be used in From field (e.g. Team) </ParamField> <ParamField query="SMTP_HELO_HOST" type="string" default="none" optional> Hostname that Infisical announces in the SMTP `EHLO`/`HELO` greeting. When unset, the underlying mailer falls back to the operating system hostname. Inside containers (e.g. Cloud Run, Kubernetes) the OS hostname is typically a random container ID, which can be rejected by SMTP relays that validate the sender hostname (such as Gmail SMTP relay with sender-hostname checks). Set this to a valid FQDN that the relay accepts. </ParamField> <ParamField query="SMTP_IGNORE_TLS" type="bool" default="false" optional> If this is `true` and `SMTP_PORT` is not 465 then TLS is not used even if the server supports STARTTLS extension. </ParamField> <ParamField query="SMTP_REQUIRE_TLS" type="bool" default="true" optional> If this is `true` and `SMTP_PORT` is not 465 then Infisical tries to use STARTTLS even if the server does not advertise support for it. If the connection can not be encrypted then message is not sent. </ParamField><ParamField query="SMTP_TLS_REJECT_UNAUTHORIZED" type="bool" default="true" optional
If this is true, Infisical will validate the server's SSL/TLS certificate
and reject the connection if the certificate is invalid or not trusted. If set
to false, the client will accept the server's certificate regardless of its
validity, which can be useful in development or testing environments but is
not recommended for production use.
</ParamField>
This variable **must be a base64 encoded PEM certificate**. Use the following command to encode your certificate: `echo "<certificate>" | base64`
Infisical highly encourages the following variables be used alongside this one for maximum security:
- `SMTP_REQUIRE_TLS=true`
- `SMTP_TLS_REJECT_UNAUTHORIZED=true`
SMTP_HOST=smtp.sendgrid.net
SMTP_USERNAME=apikey
SMTP_PASSWORD=SG.rqFsfjxYPiqE1lqZTgD_lz7x8IVLx # your SendGrid API Key from step above
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
SMTP_HOST=smtp.mailgun.org # obtained from credentials page
[email protected] # obtained from credentials page
SMTP_PASSWORD=password # obtained from credentials page
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
</Step>
<Step title="Set up your SMTP environment variables">
With your AWS SES SMTP credentials, you can now set up your SMTP environment variables for your Infisical instance.
```
SMTP_HOST=email-smtp.ap-northeast-1.amazonaws.com # SMTP endpoint obtained from SMTP settings
SMTP_USERNAME=xxx # your SMTP username
SMTP_PASSWORD=xxx # your SMTP password
SMTP_PORT=465
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
```
</Step>
SMTP_HOST=smtp.socketlabs.com
SMTP_USERNAME=username # obtained from your credentials
SMTP_PASSWORD=password # obtained from your credentials
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
{" "}
<Note> The `SMTP_FROM_ADDRESS` environment variable should be an email for an authenticated domain under Configuration > Domain Management in SocketLabs. For example, if you're using SocketLabs in sandbox mode, then you may use an email like `[email protected]`. </Note> <Info> Remember that you will need to restart Infisical for this to work properly. </Info> </Accordion> <Accordion title="Resend"> 1. Create an account on [Resend](https://resend.com). 2. Add a [Domain](https://resend.com/domains).SMTP_HOST=smtp.resend.com
SMTP_USERNAME=resend
SMTP_PASSWORD=YOUR_API_KEY
SMTP_PORT=587
[email protected] # your email address being used to send out emails
SMTP_FROM_NAME=Infisical
<Info>
Remember that you will need to restart Infisical for this to work properly.
</Info>
With your Gmail username and password, you can set your SMTP environment variables:
SMTP_HOST=smtp.gmail.com
[email protected] # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected]
SMTP_FROM_NAME=Infisical
Put differently, the SMTP configuration is only possible with business (not personal) Gmail credentials.
</Warning> </Accordion> <Accordion title="Office365"> 1. Create an account and configure [Office365](https://www.office.com/) to send emails.SMTP_HOST=smtp.office365.com
[email protected] # your username
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected]
SMTP_FROM_NAME=Infisical
SMTP_HOST=smtp.zoho.com
SMTP_USERNAME=username # your email
SMTP_PASSWORD=password # your password
SMTP_PORT=587
[email protected] # your personal Zoho email or domain-based email linked to Zoho Mail
SMTP_FROM_NAME=Infisical
{" "}
<Note> You can use either your personal Zoho email address like `[email protected]` or a domain-based email address like `[email protected]`. If using a domain-based email address, then please make sure that you've configured and verified it with Zoho Mail. </Note> <Info> Remember that you will need to restart Infisical for this to work properly. </Info> </Accordion> <Accordion title="SMTP2Go"> 1. Create an account and configure [SMTP2Go](https://www.smtp2go.com/) to send emails. 2. Turn on SMTP authentication ``` SMTP_HOST=mail.smtp2go.com SMTP_PORT=You can use one of the following ports: 2525, 80, 25, 8025, or 587 SMTP_USERNAME=username #Your SMTP2GO account's SMTP username SMTP_PASSWORD=password #Your SMTP2GO account's SMTP password [email protected] # your email address being used to send out emails SMTP_FROM_NAME=Infisical ``` {" "} <Note> Optional (for TLS/SSL):TLS: Available on the same ports (2525, 80, 25, 8025, or 587) SSL: Available on ports 465, 8465, and 443
</Note> </Accordion>By default, users can only login via email/password based login method. To login into Infisical with OAuth providers such as Google, configure the associated variables.
<ParamField query="DEFAULT_SAML_ORG_SLUG" type="string">When set, all visits to the Infisical login page will automatically redirect users of your Infisical instance to the SAML identity provider associated with the specified organization slug.
</ParamField> <Accordion title="Google"> Follow detailed guide to configure [Google SSO](/documentation/platform/sso/google) <ParamField query="CLIENT_ID_GOOGLE_LOGIN" type="string" default="none" optional> OAuth2 client ID for Google login </ParamField> <ParamField query="CLIENT_SECRET_GOOGLE_LOGIN" type="string" default="none" optional> OAuth2 client secret for Google login </ParamField> </Accordion> <Accordion title="Github"> Follow detailed guide to configure [GitHub SSO](/documentation/platform/sso/github) <ParamField query="CLIENT_ID_GITHUB_LOGIN" type="string" default="none" optional> OAuth2 client ID for GitHub login </ParamField> <ParamField query="CLIENT_SECRET_GITHUB_LOGIN" type="string" default="none" optional> OAuth2 client secret for GitHub login </ParamField> </Accordion> <Accordion title="Gitlab"> Follow detailed guide to configure [GitLab SSO](/documentation/platform/sso/gitlab) <ParamField query="CLIENT_ID_GITLAB_LOGIN" type="string" default="none" optional> OAuth2 client ID for GitLab login </ParamField> <ParamField query="CLIENT_SECRET_GITLAB_LOGIN" type="string" default="none" optional> OAuth2 client secret for GitLab login </ParamField> <ParamField query="URL_GITLAB_LOGIN" type="string" default="https://gitlab.com" optional> URL of your self-hosted instance of GitLab where the OAuth application is registered </ParamField> </Accordion> <Accordion title="Okta SAML"> Requires enterprise license. Please contact [email protected] to get more information. </Accordion> <Accordion title="Azure SAML"> Requires enterprise license. Please contact [email protected] to get more information. </Accordion> <Accordion title="JumpCloud SAML"> Requires enterprise license. Please contact [email protected] to get more information. </Accordion>You can configure third-party app connections for re-use across Infisical Projects.
<Accordion title="AWS Assume Role Connection"> <ParamField query="INF_APP_CONNECTION_AWS_ACCESS_KEY_ID" type="string" default="none" optional> The AWS IAM User access key ID for assuming roles </ParamField><ParamField query="INF_APP_CONNECTION_AWS_SECRET_ACCESS_KEY" type="string" default="none" optional>
The AWS IAM User secret key for assuming roles
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_APP_SLUG" type="string" default="none" optional>
The slug of the GitHub App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_APP_CLIENT_ID" type="string" default="none" optional>
The client ID for the GitHub App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_APP_CLIENT_SECRET" type="string" default="none" optional>
The client secret for the GitHub App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_APP_PRIVATE_KEY" type="string" default="none" optional>
The private key for the GitHub App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_RADAR_APP_SLUG" type="string" default="none" optional>
The slug of the GitHub Radar App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_ID" type="string" default="none" optional>
The client ID for the GitHub Radar App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_RADAR_APP_CLIENT_SECRET" type="string" default="none" optional>
The client secret for the GitHub Radar App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_RADAR_APP_PRIVATE_KEY" type="string" default="none" optional>
The private key for the GitHub Radar App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_RADAR_APP_WEBHOOK_SECRET" type="string" default="none" optional>
The webhook secret configured for payload verification in the GitHub Radar App
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITHUB_OAUTH_CLIENT_SECRET" type="string" default="none" optional>
The OAuth2 client secret for GitHub OAuth Connection
</ParamField>
<ParamField query="INF_APP_CONNECTION_GITLAB_OAUTH_CLIENT_SECRET" type="string" default="none" optional>
The Secret of your GitLab OAuth application.
</ParamField>
<ParamField query="INF_APP_CONNECTION_HEROKU_OAUTH_CLIENT_SECRET" type="string" default="none" optional>
The Secret of your Heroku OAuth application.
</ParamField>
{" "}
<ParamField query="SECRET_SCANNING_GIT_APP_SLUG" type="string" default="none" optional
The slug of your GitHub App. </ParamField>
{" "}
<ParamField query="SECRET_SCANNING_PRIVATE_KEY" type="string" default="none" optional
A private key for your GitHub App. </ParamField>
<ParamField query="SECRET_SCANNING_WEBHOOK_SECRET" type="string" default="none" optional> The webhook secret of your GitHub App. </ParamField> </Accordion>You can configure Infisical to collect and expose telemetry data for analytics and monitoring.
<ParamField query="OTEL_TELEMETRY_COLLECTION_ENABLED" type="string" default="false"
Whether or not to collect and expose telemetry data. </ParamField>
<ParamField query="OTEL_EXPORT_TYPE" type="enum" optional> Supported types are `prometheus` and `otlp`.If export type is set to prometheus, metric data will be exposed in port 9464 in the /metrics path.
If export type is set to otlp, you will have to configure a value for OTEL_EXPORT_OTLP_ENDPOINT.
<ParamField query="IDENTITY_TLS_CERT_AUTH_CLIENT_CERTIFICATE_HEADER_KEY" type="string" default="x-identity-tls-cert-auth-client-cert"
The TLS header used to propagate the client certificate from the load balancer to the server. </ParamField>
If you can't directly access and modify environment variables, you can update them using the Server Admin Console.