docs/documentation/platform/insights.mdx
On Infisical Cloud it is available on the Pro and Enterprise plans. If you're self-hosting Infisical, contact [email protected] to acquire a license. </Note>
Secret Insights is an observability dashboard for your Secrets Management project. It surfaces the questions you care about most — Which secrets are due for rotation? Which reminders are overdue? What hasn't been touched in months? Who's actually reading my secrets? — and links you straight to the secrets you need to act on.
The page is read-only. Every metric is computed from data already collected by Infisical (rotation schedules, reminders, secret modification times, access logs), so there's nothing to configure to start using it.
From a Secret Manager project, open the Insights tab in the project sidebar. The page is divided into four sections:
The page also includes an Audit Reports card for generating exportable compliance reports — see Audit Reports.
The three cards along the top of the page give you a quick read on what needs attention. Each card opens a popover with a table you can drill into; clicking a row jumps directly to the matching secret in the Overview page with the appropriate filters applied.
Counts secret rotations scheduled to run in the next 7 days.
A status badge on the card calls out failed rotations:
Click View Rotations (or View Failed Rotations) to see the full list. Each row shows the rotation name, environment, secret path, and a relative-time status (scheduled, in 3 days, retries in 1h, or failed). Click a row to open that rotation's secret in the Overview page filtered by rotation.
Counts secret reminders due in the next 7 days.
A status badge calls out overdue reminders:
Click View Upcoming Reminders (or View Overdue Reminders) to see the list. Each row shows the secret key, environment, path, and how soon it's due (or how long it's been overdue). Click a row to jump to that secret in the Overview page.
Counts secrets that haven't been modified in more than 90 days.
The card shows either All secrets up to date when nothing is stale, or {N} need(s) review when there are stale secrets to look at. The popover table is paginated 10 rows at a time and shows each secret's key, environment, path, and last-modified time. Click a row to open it in Overview.
Stale secrets aren't necessarily a problem — long-lived configuration values are normal. The list is meant as a prompt to review whether anything should be rotated, removed, or refreshed.
Audit Reports let you generate point-in-time compliance exports for a Secrets Management project — stale secrets, duplicate values, validation-rule violations, rotation status, upcoming reminders, and secret access history — and deliver them to one or more recipients as CSV attachments (one file per report type) in an email.
Where the rest of the Insights dashboard is a live, read-only view, an Audit Report is a snapshot you can hand to an auditor, attach to a ticket, or archive for SOC 2 / ISO 27001 evidence. You'll find it as the Audit Reports card on the Insights page.
<Warning> Audit reports can contain sensitive metadata — secret keys, paths, access patterns, and recipient emails. They are delivered by email to the addresses you specify; only send reports to recipients you trust, and treat the CSV as confidential. </Warning>
The request is queued and generated in the background. When it finishes, every recipient receives an email with one CSV file attached per requested report. You can keep working — the report's status updates live in the history table.
<Note> Report generation is asynchronous. A project can have at most one report generating at once. </Note>
The Audit Reports card lists previously requested reports, newest first, paginated (10 per page by default). Each row shows:
Use the trash icon on a row to delete a report from the history (requires the Delete permission).
| Status | Meaning |
|---|---|
| Pending | Queued, not yet started. |
| Generating | Currently being generated. |
| Completed | Generated and emailed successfully. |
| Partial | Delivered, but at least one report hit the row limit and was truncated. |
| Failed | Generation failed. Hover the badge for the error message. |
A single request can include any combination of the following. Each becomes its own labelled section in the CSV.
| Report | What it contains |
|---|---|
| Stale Secrets | Secrets not updated within the last 90 days, with their last-updated time and age in days. |
| Duplicate Secrets | Secrets that share the same value across environments and paths, grouped together. Requires the project's secret blind-index to be enabled. |
| Secret Validation Compliance | Stored secrets that violate a secret validation rule covering them — for example, a secret created before a rule existed, or one that no longer meets a length/regex/prefix constraint. |
| Upcoming Rotations | Secret rotations scheduled within the next 7 days. |
| Failed Rotations | Secret rotations currently in a failed state. |
| Upcoming Reminders | Secret reminders due within the next 7 days. |
| Secret Access Log | Who accessed secrets over the last 30 days (actor, event type, secret, environment, path, IP, timestamp). |
The calendar panel shows every upcoming rotation and reminder laid out on a month grid, so you can see the cadence of upcoming work at a glance.
Navigation. Use the chevrons in the panel header to move between months. The current day is highlighted with a colored border.
Event pills. Each day cell shows up to two events; when there are more, the second slot is replaced by a +N more pill that expands the rest. Pills are color-coded:
| Color | Event Type |
|---|---|
| Blue, with a refresh icon | Rotation |
| Orange, with a bell icon | Reminder |
Event details. Click a pill to view its details, then use the View in Overview button to jump to the corresponding secret in the project Overview with filters applied.
This panel shows how many times secrets have been read across the project over the past 7 days, plotted as a daily area chart.
Each point represents the total number of read requests on that day, regardless of which secret was read or how it was read (UI, CLI, SDK, API, agent, operator, etc.).
Below the chart, the Top actors row lists up to five identities that issued the most read requests in the same 7-day window, along with their request counts. Actor entries are formatted as {type}: {name} ({count}) — for example, Service: ci-runner (5,234) or User: [email protected] (812).
Use this panel to spot unusual spikes, identify the heaviest consumers of your secrets, and confirm that traffic patterns match what you expect from your services.
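The same review can be done offline against a Secret Access Log export. The following is an added example, not Infisical's code: it recomputes daily read totals and top actors from a CSV and flags days that exceed three times the median daily total. The column names, the `read` event value, the spike threshold, and all sample rows are constructed assumptions, since this page does not show the export's actual header.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Assumed column names; the export's real header is not shown on this page.
HEADER = "actor,event_type,secret,environment,path,ip,timestamp"

def build_sample_csv():
    """Constructed sample rows: (day, actor, source IP, number of reads)."""
    plan = [
        ("2024-05-01", "Service: ci-runner", "10.0.0.5", 4),
        ("2024-05-01", "User: alice@example.com", "10.0.1.9", 1),
        ("2024-05-02", "Service: ci-runner", "10.0.0.5", 4),
        ("2024-05-02", "User: alice@example.com", "10.0.1.9", 2),
        ("2024-05-03", "Service: ci-runner", "10.0.0.5", 5),
        ("2024-05-04", "Service: ci-runner", "10.0.0.5", 4),
        ("2024-05-04", "Service: backup-job", "10.0.2.7", 20),
        ("2024-05-05", "Service: ci-runner", "10.0.0.5", 4),
        ("2024-05-05", "User: alice@example.com", "10.0.1.9", 1),
    ]
    lines = [HEADER]
    for day, actor, ip, n in plan:
        lines += [f"{actor},read,DB_PASSWORD,prod,/app,{ip},{day}T09:{i:02d}:00Z"
                  for i in range(n)]
    return "\n".join(lines)

def summarize_reads(csv_text, top_n=5, spike_factor=3.0):
    """Return (reads per day, top actors, spike days with their heaviest actor)."""
    per_day = defaultdict(Counter)  # day -> actor -> reads
    per_actor = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        per_day[ts.date().isoformat()][row["actor"]] += 1
        per_actor[row["actor"]] += 1
    totals = {day: sum(c.values()) for day, c in sorted(per_day.items())}
    # A day is a spike when it exceeds spike_factor times the median daily total.
    baseline = median(totals.values()) if totals else 0
    spikes = {day: per_day[day].most_common(1)[0]
              for day, n in totals.items() if n > spike_factor * baseline > 0}
    return totals, per_actor.most_common(top_n), spikes

if __name__ == "__main__":
    totals, top_actors, spikes = summarize_reads(build_sample_csv())
    print("reads per day:", totals)
    print("top actors:   ", top_actors)
    print("spike days:   ", spikes)
```

On the constructed sample, the only flagged day is the one where a previously unseen service identity issues most of the reads, which is the pattern worth following up in the access log itself.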
This panel shows the distribution of authentication methods used to read secrets over the past 30 days, plotted as a donut chart with a breakdown table beside it.
Each slice represents an auth method (for example, Universal Auth, Kubernetes Auth, AWS Auth, Token Auth, JWT). The breakdown shows the method name, percentage of total reads, and absolute request count, with a Total row at the bottom.
You may see an Unknown bucket. This represents older read requests that were issued before Infisical began recording the auth method on each request. Only newer requests carry this metadata, so the Unknown share will shrink over time as historical data ages out of the 30-day window.
Use this panel to understand how your workloads are authenticating, spot identities still using older auth methods you'd like to retire, and verify that auth-method migrations are taking effect.