### Install Infisical Node.js SDK Source: https://context7.com/infisical/node-sdk-v2/llms.txt Use npm to install the Infisical Node.js SDK. ```bash npm install @infisical/sdk ``` -------------------------------- ### Handle Infisical SDK Errors Source: https://context7.com/infisical/node-sdk-v2/llms.txt This example demonstrates how to catch and differentiate between `InfisicalSDKRequestError` (for HTTP failures) and `InfisicalSDKError` (for general SDK issues). Inspect the error message for details like URL, method, and status code. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); try { const secret = await client.secrets().getSecret({ secretName: "NONEXISTENT_SECRET", projectId: "proj_abc123", environment: "production", }); } catch (err) { if (err.name === "InfisicalSDKRequestError") { // HTTP error — message includes URL, method, status code console.error(err.message); // => "[URL=https://app.infisical.com/api/v3/secrets/raw/NONEXISTENT_SECRET] // [Method=GET] [StatusCode=404] Secret not found" } else if (err.name === "InfisicalSDKError") { // General SDK error (auth, validation, etc.) console.error(err.message); // => "Identity ID is required for AWS IAM authentication" } } ``` -------------------------------- ### Get KMS Key by Name Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves a KMS key's metadata by its human-readable name and project ID. ```APIDOC ## `kms().keys().getByName(options)` — Get a KMS key by name Retrieves a KMS key's metadata by its human-readable name and project ID. ### Parameters #### Path Parameters - **projectId** (string) - Required - The ID of the project. #### Query Parameters - **name** (string) - Required - The name of the KMS key. ### Request Example ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const key = await client.kms().keys().getByName({ name: "my-encryption-key", projectId: "proj_abc123", }); console.log(key.id); // => "kmskey_abc" console.log(key.version); // => 1 ``` ``` -------------------------------- ### Retrieve Access Token with Infisical SDK Source: https://context7.com/infisical/node-sdk-v2/llms.txt Get the current access token after authentication. Returns null if not yet authenticated. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); console.log(client.auth().getAccessToken()); // => null await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const token = client.auth().getAccessToken(); console.log(token); // => "eyJhbGciOiJI..." ``` -------------------------------- ### Get KMS Key by Name Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves a KMS key's metadata by its human-readable name and project ID. Ensure you are authenticated before calling this method. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const key = await client.kms().keys().getByName({ name: "my-encryption-key", projectId: "proj_abc123", }); console.log(key.id); // => "kmskey_abc" console.log(key.version); // => 1 ``` -------------------------------- ### Initialize the SDK client Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates the top-level SDK instance. You can specify a `siteUrl` to connect to a self-hosted Infisical instance. ```APIDOC ## `new InfisicalSDK(options?)` — Initialize the SDK client Creates the top-level SDK instance. The optional `siteUrl` parameter lets you point the client at a self-hosted Infisical instance; it defaults to `https://app.infisical.com`. ```typescript import { InfisicalSDK } from "@infisical/sdk"; // Cloud (default) const client = new InfisicalSDK(); // Self-hosted instance const selfHostedClient = new InfisicalSDK({ siteUrl: "https://infisical.example.com", }); ``` ``` -------------------------------- ### Initialize Infisical SDK Client Source: https://context7.com/infisical/node-sdk-v2/llms.txt Instantiate the InfisicalSDK client. Use the `siteUrl` option to connect to a self-hosted Infisical instance. ```typescript import { InfisicalSDK } from "@infisical/sdk"; // Cloud (default) const client = new InfisicalSDK(); // Self-hosted instance const selfHostedClient = new InfisicalSDK({ siteUrl: "https://infisical.example.com", }); ``` -------------------------------- ### environments().create(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new environment (e.g., `production`, `staging`) within an existing project. Requires the project ID and environment details. ```APIDOC ## `environments().create(options)` — Create a project environment Creates a new environment (e.g., `production`, `staging`) within an existing project. ### Parameters #### Options - **name** (string) - Required - The name of the environment. - **slug** (string) - Required - The slug of the environment. - **projectId** (string) - Required - The ID of the project the environment belongs to. - **position** (number) - Optional - The ordering position of the environment. ### Request Example ```typescript await client.environments().create({ name: "Staging", slug: "staging", projectId: "proj_abc123", position: 2, // optional: ordering position }); ``` ### Response #### Success Response (200) - **id** (string) - The unique identifier of the created environment. - **name** (string) - The name of the created environment. - **slug** (string) - The slug of the created environment. - **projectId** (string) - The ID of the project the environment belongs to. ``` -------------------------------- ### projects().create(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new Infisical project (workspace) under the authenticated identity's organization. Supports providing a custom slug, description, KMS key, and project template. ```APIDOC ## `projects().create(options)` — Create a new project Creates a new Infisical project (workspace) under the authenticated identity's organization. Supports providing a custom slug, description, KMS key, and project template. ### Parameters #### Options - **projectName** (string) - Required - The name of the new project. - **type** (string) - Required - The type of the project (e.g., "secretsManager"). - **projectDescription** (string) - Optional - A description for the project. - **slug** (string) - Optional - A custom URL slug for the project. - **kmsKeyId** (string) - Optional - The ID of a custom KMS key for encryption. ### Request Example ```typescript await client.projects().create({ projectName: "My New Service", type: "secretsManager", // project type projectDescription: "Backend API secrets", slug: "my-new-service", // optional: custom URL slug kmsKeyId: "kms_key_abc123", // optional: custom KMS key for encryption }); ``` ### Response #### Success Response (200) - **id** (string) - The unique identifier of the created project. - **name** (string) - The name of the created project. - **slug** (string) - The slug of the created project. ``` -------------------------------- ### folders().create(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a folder at a given path within a project environment to organize secrets hierarchically. Requires folder name, path, project ID, and environment. ```APIDOC ## `folders().create(options)` — Create a folder Creates a folder at a given path within a project environment to organize secrets hierarchically. ### Parameters #### Options - **name** (string) - Required - The name of the folder. - **path** (string) - Required - The parent path for the new folder (e.g., "/backend"). - **projectId** (string) - Required - The ID of the project. - **environment** (string) - Required - The environment slug (e.g., "production"). - **description** (string) - Optional - A description for the folder. ### Request Example ```typescript await client.folders().create({ name: "database", path: "/backend", // parent path; creates /backend/database projectId: "proj_abc123", environment: "production", description: "Database credentials", // optional }); ``` ### Response #### Success Response (200) - **id** (string) - The unique identifier of the created folder. - **name** (string) - The name of the created folder. - **envId** (string) - The ID of the environment the folder belongs to. ``` -------------------------------- ### projects().inviteMembers(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Invites members to a project by email or username, optionally assigning specific roles. Requires the project ID and a list of emails or usernames. ```APIDOC ## `projects().inviteMembers(options)` — Invite members to a project Adds existing organization members to a project by email or username, optionally assigning specific roles. ### Parameters #### Options - **projectId** (string) - Required - The ID of the project to invite members to. - **emails** (string[]) - Optional - A list of email addresses of members to invite. - **usernames** (string[]) - Optional - A list of usernames of members to invite. - **roleSlugs** (string[]) - Optional - A list of role slugs to assign to the invited members. ### Request Example ```typescript await client.projects().inviteMembers({ projectId: "proj_abc123", emails: ["alice@example.com", "bob@example.com"], usernames: ["charlie"], // can use emails or usernames or both roleSlugs: ["developer"], // optional: assign roles }); ``` ### Response #### Success Response (200) - **memberships** (array) - A list of membership objects for the invited members. - **userId** (string) - The ID of the user. - **role** (string) - The role assigned to the user. - **status** (string) - The status of the invitation (e.g., "invited"). ``` -------------------------------- ### Create Project Environment Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new environment (e.g., `production`, `staging`) within an existing project. Requires project ID, environment name, and slug. An optional position can be provided for ordering. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const environment = await client.environments().create({ name: "Staging", slug: "staging", projectId: "proj_abc123", position: 2, // optional: ordering position }); console.log(environment.id); // => "env_abc123" console.log(environment.name); // => "Staging" console.log(environment.slug); // => "staging" console.log(environment.projectId); // => "proj_abc123" ``` -------------------------------- ### Create a Dynamic Secret Lease with Infisical SDK Source: https://context7.com/infisical/node-sdk-v2/llms.txt Generates short-lived credentials by creating a lease against an existing dynamic secret. The returned `lease.data` contains provider-specific credentials. You can optionally override the default TTL and specify a path. Remember to delete the lease after use. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const leaseResult = await client.dynamicSecrets().leases.create({ dynamicSecretName: "postgres-dynamic", projectSlug: "my-project", environmentSlug: "production", ttl: "30m", // optional: override default TTL path: "/", // optional: folder path }); const { lease } = leaseResult; console.log(lease.id); // => "lease_xyz789" console.log(lease.data.username); // => "v-token-abc123" console.log(lease.data.password); // => "A1b2C3d4..." console.log(lease.expiresAt); // => "2024-03-15T11:30:00.000Z" // Use credentials, then clean up await client.dynamicSecrets().leases.delete(lease.id, { projectSlug: "my-project", environmentSlug: "production", }); ``` -------------------------------- ### List Supported Signing Algorithms for a KMS Key Source: https://context7.com/infisical/node-sdk-v2/llms.txt Use this method to retrieve a list of signing algorithms supported by a specific KMS key. Ensure you have authenticated with the SDK before calling this method. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const algorithms = await client.kms().signing().listSigningAlgorithms({ keyId: "kmskey_signing_abc", }); console.log(algorithms); // => ["RSASSA_PSS_SHA_512", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_256", // "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PKCS1_V1_5_SHA_384", // "RSASSA_PKCS1_V1_5_SHA_256"] ``` -------------------------------- ### Create New Infisical Project Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new Infisical project under the authenticated identity's organization. Supports providing a custom slug, description, KMS key, and project template. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const project = await client.projects().create({ projectName: "My New Service", type: "secretsManager", // project type projectDescription: "Backend API secrets", slug: "my-new-service", // optional: custom URL slug kmsKeyId: "kms_key_abc123", // optional: custom KMS key for encryption }); console.log(project.id); // => "proj_abc123" console.log(project.name); // => "My New Service" console.log(project.slug); // => "my-new-service" ``` -------------------------------- ### List Supported Signing Algorithms Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves a list of signing algorithms supported by a specific KMS key based on its type. ```APIDOC ## `kms().signing().listSigningAlgorithms(options)` — List supported signing algorithms for a key Returns the list of signing algorithms supported by a given KMS key based on its algorithm type. ### Parameters #### Path Parameters - **keyId** (string) - Required - The ID of the KMS key. ### Request Example ```typescript await client.kms().signing().listSigningAlgorithms({ keyId: "kmskey_signing_abc", }); ``` ### Response #### Success Response (200) - **algorithms** (array) - A list of supported signing algorithm strings. ``` -------------------------------- ### Authenticate with a raw access token Source: https://context7.com/infisical/node-sdk-v2/llms.txt Directly sets a pre-obtained access token on the SDK instance, useful when the token is managed externally. ```APIDOC ## `auth().accessToken(token)` — Authenticate with a raw access token Directly sets a pre-obtained access token on the SDK instance. Useful in environments where the token is injected by an external system (e.g., CI/CD). ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); client.auth().accessToken(process.env.INFISICAL_TOKEN!); const secret = await client.secrets().getSecret({ secretName: "API_KEY", projectId: "proj_abc123", environment: "staging", }); console.log(secret.secretValue); // => "sk-live-..." ``` ``` -------------------------------- ### List Folders in Project Environment Source: https://context7.com/infisical/node-sdk-v2/llms.txt Lists folders within a specified project environment path. Supports recursive listing and filtering by last modified date. Ensure you are authenticated before calling this method. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const folders = await client.folders().listFolders({ projectId: "proj_abc123", environment: "production", path: "/", // list folders at root recursive: true, // include nested sub-folders }); for (const folder of folders) { console.log(`${folder.name} (${folder.id})`); } // => backend (folder_001) // => backend/database (folder_002) // => frontend (folder_003) ``` -------------------------------- ### Create a Dynamic Secret with Infisical SDK Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a dynamic secret configuration backed by various providers like SQL databases, Redis, AWS IAM, etc. Requires specifying provider type, inputs, and lifecycle settings like TTL and max TTL. Ensure you are authenticated. ```typescript import { InfisicalSDK, DynamicSecretProviders, SqlProviders } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const dynamicSecret = await client.dynamicSecrets().create({ name: "postgres-dynamic", projectSlug: "my-project", environmentSlug: "production", defaultTTL: "1h", maxTTL: "24h", provider: { type: DynamicSecretProviders.SqlDatabase, inputs: { client: SqlProviders.Postgres, host: "db.example.com", port: 5432, database: "mydb", username: "admin_user", password: "admin_password", creationStatement: "CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{username}}\";", revocationStatement: "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{username}}\"; DROP USER \"{{username}}\";", renewStatement: "SELECT 1;"; // optional }, }, }); console.log(dynamicSecret.id); // => "dynsec_abc123" console.log(dynamicSecret.name); // => "postgres-dynamic" console.log(dynamicSecret.status); // => "configured" ``` -------------------------------- ### List Folders Source: https://context7.com/infisical/node-sdk-v2/llms.txt Lists folders within a project environment path. Supports recursive listing and filtering by last modified date. ```APIDOC ## `folders().listFolders(options)` — List folders Lists folders within a project environment path. Supports recursive listing and filtering by last modified date. ### Parameters #### Path Parameters - **projectId** (string) - Required - The ID of the project. - **environment** (string) - Required - The name of the environment. - **path** (string) - Optional - The path to list folders from. Defaults to root ('/'). - **recursive** (boolean) - Optional - Whether to list folders recursively. Defaults to false. ### Request Example ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const folders = await client.folders().listFolders({ projectId: "proj_abc123", environment: "production", path: "/", // list folders at root recursive: true, // include nested sub-folders }); for (const folder of folders) { console.log(`${folder.name} (${folder.id})`); } // => backend (folder_001) // => backend/database (folder_002) // => frontend (folder_003) ``` ``` -------------------------------- ### Create Dynamic Secret Lease Source: https://context7.com/infisical/node-sdk-v2/llms.txt Generates actual short-lived credentials by creating a lease against an existing dynamic secret. ```APIDOC ## `dynamicSecrets().leases.create(options)` — Create a dynamic secret lease Generates actual short-lived credentials by creating a lease against an existing dynamic secret. The returned `lease.data` contains the provider-specific credentials (e.g., `username` and `password` for SQL). ### Parameters #### Options - `dynamicSecretName` (string) - Required - The name of the dynamic secret to create a lease for. - `projectSlug` (string) - Required - The slug of the project. - `environmentSlug` (string) - Required - The slug of the environment. - `ttl` (string) - Optional - Overrides the default TTL for this lease. - `path` (string) - Optional - The folder path for the lease. ### Request Example ```typescript await client.dynamicSecrets().leases.create({ dynamicSecretName: "postgres-dynamic", projectSlug: "my-project", environmentSlug: "production", ttl: "30m", // optional: override default TTL path: "/", // optional: folder path }); ``` ### Response #### Success Response (200) - `leaseResult` (object) - Contains the lease information. - `lease` (object) - The lease details. - `id` (string) - The ID of the lease. - `data` (object) - Provider-specific credentials (e.g., `username`, `password`). - `expiresAt` (string) - The expiration time of the lease in ISO format. ``` -------------------------------- ### Create Folder for Secrets Organization Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a folder at a given path within a project environment to organize secrets hierarchically. Requires folder name, path, project ID, and environment. An optional description can be provided. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const folder = await client.folders().create({ name: "database", path: "/backend", // parent path; creates /backend/database projectId: "proj_abc123", environment: "production", description: "Database credentials", // optional }); console.log(folder.id); // => "folder_abc123" console.log(folder.name); // => "database" console.log(folder.envId); // => "env_abc123" ``` -------------------------------- ### List All Secrets with Options Source: https://context7.com/infisical/node-sdk-v2/llms.txt Fetch all secrets for a project and environment. Supports recursive traversal, reference expansion, import merging, tag filtering, and injecting secrets into process.env. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const result = await client.secrets().listSecrets({ projectId: "proj_abc123", environment: "production", secretPath: "/backend", // optional: scope to a folder expandSecretReferences: true, // expand ${OTHER_SECRET} references includeImports: true, // include secrets imported from other paths recursive: false, // set true to traverse sub-folders tagSlugs: ["release-1.0"], attachToProcessEnv: true, // inject all secrets into process.env }); // Access secrets array for (const secret of result.secrets) { console.log(`${secret.secretKey}=${secret.secretValue}`); } // => DATABASE_URL=postgres://... // => REDIS_URL=redis://... // process.env is now populated too (because attachToProcessEnv: true) console.log(process.env.DATABASE_URL); // => "postgres://..." ``` -------------------------------- ### Error Handling Source: https://context7.com/infisical/node-sdk-v2/llms.txt Explains the error types thrown by the SDK, `InfisicalSDKError` and `InfisicalSDKRequestError`, and how to handle them. ```APIDOC ## Error Handling — `InfisicalSDKError` and `InfisicalSDKRequestError` All SDK methods throw typed errors. `InfisicalSDKRequestError` is thrown for HTTP response failures and includes the URL, HTTP method, and status code in the message. `InfisicalSDKError` is thrown for non-HTTP errors such as missing credentials or invalid state. ### Usage ```typescript try { // Attempt an SDK operation that might fail await client.secrets().getSecret({ secretName: "NONEXISTENT_SECRET", projectId: "proj_abc123", environment: "production", }); } catch (err) { if (err.name === "InfisicalSDKRequestError") { // Handle HTTP-specific errors console.error(`HTTP Error: ${err.message}`); } else if (err.name === "InfisicalSDKError") { // Handle general SDK errors console.error(`SDK Error: ${err.message}`); } } ``` ### Error Types - **`InfisicalSDKRequestError`**: Thrown for HTTP request failures. The error message includes the request URL, HTTP method, and status code. - **`InfisicalSDKError`**: Thrown for non-HTTP related errors, such as authentication issues or invalid input. ``` -------------------------------- ### Authenticate with Raw Access Token Source: https://context7.com/infisical/node-sdk-v2/llms.txt Set a pre-obtained access token directly on the SDK instance. This method is suitable for environments where the token is provided externally, such as in CI/CD pipelines. Ensure the `INFISICAL_TOKEN` environment variable is set. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); client.auth().accessToken(process.env.INFISICAL_TOKEN!); const secret = await client.secrets().getSecret({ secretName: "API_KEY", projectId: "proj_abc123", environment: "staging", }); console.log(secret.secretValue); // => "sk-live-..." ``` -------------------------------- ### secrets().createSecret(secretName, options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new secret with the given name in a specified project, environment, and optional folder path. ```APIDOC ## `secrets().createSecret(secretName, options)` — Create a new secret Creates a new secret with the given name in a specified project, environment, and optional folder path. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const result = await client.secrets().createSecret("NEW_API_KEY", { projectId: "proj_abc123", environment: "development", secretValue: "dev-key-xyz-789", secretPath: "/integrations", // optional: target folder secretComment: "Used for dev testing", // optional tagIds: ["tag_id_1"], skipMultilineEncoding: false, // optional }); console.log(result.secret.id); // => "sec_xyz..." console.log(result.secret.secretKey); // => "NEW_API_KEY" console.log(result.secret.createdAt); // => "2024-03-15T10:00:00.000Z" ``` ``` -------------------------------- ### Invite Members to a Project Source: https://context7.com/infisical/node-sdk-v2/llms.txt Adds existing organization members to a project by email or username, optionally assigning specific roles. Requires project ID and a list of emails or usernames. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const memberships = await client.projects().inviteMembers({ projectId: "proj_abc123", emails: ["alice@example.com", "bob@example.com"], usernames: ["charlie"], // can use emails or usernames or both roleSlugs: ["developer"], // optional: assign roles }); for (const m of memberships) { console.log(`${m.userId} → role: ${m.role}, status: ${m.status}`); } // => user_001 → role: developer, status: invited // => user_002 → role: developer, status: invited ``` -------------------------------- ### secrets().listSecrets(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves all secrets for a given project and environment. Supports recursive folder traversal, secret reference expansion, import merging, tag filtering, and optionally injecting all secrets directly into process.env. ```APIDOC ## `secrets().listSecrets(options)` — List all secrets in a project environment Retrieves all secrets for a given project and environment. Supports recursive folder traversal, secret reference expansion, import merging, tag filtering, and optionally injecting all secrets directly into `process.env`. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const result = await client.secrets().listSecrets({ projectId: "proj_abc123", environment: "production", secretPath: "/backend", // optional: scope to a folder expandSecretReferences: true, // expand ${OTHER_SECRET} references includeImports: true, // include secrets imported from other paths recursive: false, // set true to traverse sub-folders tagSlugs: ["release-1.0"], attachToProcessEnv: true, // inject all secrets into process.env }); // Access secrets array for (const secret of result.secrets) { console.log(`${secret.secretKey}=${secret.secretValue}`); } // => DATABASE_URL=postgres://... // => REDIS_URL=redis://... // process.env is now populated too (because attachToProcessEnv: true) console.log(process.env.DATABASE_URL); // => "postgres://..." ``` ``` -------------------------------- ### Authenticate with Universal Auth Source: https://context7.com/infisical/node-sdk-v2/llms.txt Log in using Universal Auth by exchanging client ID and secret for an access token. The client is automatically authenticated for subsequent calls. Ensure environment variables INFISICAL_CLIENT_ID and INFISICAL_CLIENT_SECRET are set. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); // The client is now authenticated — proceed with other operations const secret = await client.secrets().getSecret({ secretName: "DATABASE_URL", projectId: "proj_abc123", environment: "production", }); console.log(secret.secretValue); // => "postgres://user:pass@host:5432/db" ``` -------------------------------- ### Create KMS Key Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new KMS key in a project for either symmetric encryption/decryption or asymmetric signing/verification. ```APIDOC ## `kms().keys().create(options)` — Create a KMS key Creates a new KMS key in a project for either symmetric encryption/decryption or asymmetric signing/verification. ### Parameters #### Path Parameters - **projectId** (string) - Required - The ID of the project. #### Request Body - **name** (string) - Required - The name of the KMS key. - **description** (string) - Optional - A description for the KMS key. - **keyUsage** (KeyUsage) - Required - The intended use of the key (e.g., ENCRYPTION, SIGNING). - **encryptionAlgorithm** (EncryptionAlgorithm) - Required if `keyUsage` is ENCRYPTION - The encryption algorithm to use (e.g., AES_256_GCM). - **signingAlgorithm** (SigningAlgorithm) - Required if `keyUsage` is SIGNING - The signing algorithm to use (e.g., RSA_4096). ### Request Example ```typescript import { InfisicalSDK, KeyUsage, EncryptionAlgorithm } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); // Create a symmetric AES-256-GCM key for encryption const encKey = await client.kms().keys().create({ projectId: "proj_abc123", name: "my-encryption-key", description: "AES-256 key for data encryption", keyUsage: KeyUsage.ENCRYPTION, encryptionAlgorithm: EncryptionAlgorithm.AES_256_GCM, }); console.log(encKey.id); // => "kmskey_abc" console.log(encKey.encryptionAlgorithm); // => "aes-256-gcm" // Create an asymmetric RSA-4096 key for signing const signKey = await client.kms().keys().create({ projectId: "proj_abc123", name: "my-signing-key", keyUsage: KeyUsage.SIGNING, encryptionAlgorithm: EncryptionAlgorithm.RSA_4096, // Note: This should likely be signingAlgorithm for signing keys }); console.log(signKey.keyUsage); // => "sign-verify" ``` ``` -------------------------------- ### Create Dynamic Secret Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a dynamic secret configuration backed by one of the supported providers. Each creation comes with TTL and max TTL settings. ```APIDOC ## `dynamicSecrets().create(options)` — Create a dynamic secret Creates a dynamic secret configuration backed by one of the supported providers (SQL databases, Redis, AWS IAM, Cassandra, MongoDB, ElasticSearch, RabbitMQ, Azure Entra ID, LDAP, Snowflake, TOTP, SAP HANA, SAP ASE, AWS ElastiCache, MongoDB Atlas). Each creation comes with TTL and max TTL settings. ### Parameters #### Options - `name` (string) - Required - The name of the dynamic secret. - `projectSlug` (string) - Required - The slug of the project. - `environmentSlug` (string) - Required - The slug of the environment. - `defaultTTL` (string) - Required - The default Time-To-Live for generated credentials. - `maxTTL` (string) - Required - The maximum Time-To-Live for generated credentials. - `provider` (object) - Required - The configuration for the secret provider. - `type` (string) - Required - The type of the provider (e.g., `DynamicSecretProviders.SqlDatabase`). - `inputs` (object) - Required - Provider-specific input parameters. - `client` (string) - Required for SQL databases - The specific SQL client (e.g., `SqlProviders.Postgres`). - `host` (string) - Required for SQL databases - The database host. - `port` (number) - Required for SQL databases - The database port. - `database` (string) - Required for SQL databases - The database name. - `username` (string) - Required for SQL databases - The database username. - `password` (string) - Required for SQL databases - The database password. - `creationStatement` (string) - Optional - SQL statement to create user/permissions. - `revocationStatement` (string) - Optional - SQL statement to revoke user/permissions. - `renewStatement` (string) - Optional - SQL statement to renew credentials. ### Request Example ```typescript await client.dynamicSecrets().create({ name: "postgres-dynamic", projectSlug: "my-project", environmentSlug: "production", defaultTTL: "1h", maxTTL: "24h", provider: { type: DynamicSecretProviders.SqlDatabase, inputs: { client: SqlProviders.Postgres, host: "db.example.com", port: 5432, database: "mydb", username: "admin_user", password: "admin_password", creationStatement: "CREATE USER \"{{username}}\" WITH PASSWORD '{{password}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{username}}\";", revocationStatement: "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{username}}\"; DROP USER \"{{username}}\";", renewStatement: "SELECT 1;", // optional }, }, }); ``` ### Response #### Success Response (200) - `dynamicSecret` (object) - Contains the created dynamic secret configuration. - `id` (string) - The ID of the dynamic secret. - `name` (string) - The name of the dynamic secret. - `status` (string) - The status of the dynamic secret (e.g., "configured"). ``` -------------------------------- ### Create KMS Encryption and Signing Keys Source: https://context7.com/infisical/node-sdk-v2/llms.txt Creates a new KMS key in a project for either symmetric encryption/decryption or asymmetric signing/verification. Ensure you are authenticated before calling this method. ```typescript import { InfisicalSDK, KeyUsage, EncryptionAlgorithm } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); // Create a symmetric AES-256-GCM key for encryption const encKey = await client.kms().keys().create({ projectId: "proj_abc123", name: "my-encryption-key", description: "AES-256 key for data encryption", keyUsage: KeyUsage.ENCRYPTION, encryptionAlgorithm: EncryptionAlgorithm.AES_256_GCM, }); console.log(encKey.id); // => "kmskey_abc" console.log(encKey.encryptionAlgorithm); // => "aes-256-gcm" // Create an asymmetric RSA-4096 key for signing const signKey = await client.kms().keys().create({ projectId: "proj_abc123", name: "my-signing-key", keyUsage: KeyUsage.SIGNING, encryptionAlgorithm: EncryptionAlgorithm.RSA_4096, }); console.log(signKey.keyUsage); // => "sign-verify" ``` -------------------------------- ### Authenticate with Universal Auth Source: https://context7.com/infisical/node-sdk-v2/llms.txt Exchanges a Machine Identity client ID and secret for a short-lived access token, which is then stored on the SDK instance for subsequent authenticated calls. ```APIDOC ## `auth().universalAuth.login(options)` — Authenticate with Universal Auth Exchanges a Machine Identity client ID and secret for a short-lived access token, then stores it on the SDK instance so all subsequent calls are automatically authorized. Returns the authenticated `InfisicalSDK` instance for chaining. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); // The client is now authenticated — proceed with other operations const secret = await client.secrets().getSecret({ secretName: "DATABASE_URL", projectId: "proj_abc123", environment: "production", }); console.log(secret.secretValue); // => "postgres://user:pass@host:5432/db" ``` ``` -------------------------------- ### Retrieve Public Key Source: https://context7.com/infisical/node-sdk-v2/llms.txt Fetches the PEM-encoded public key for an asymmetric KMS signing key, useful for offline signature verification. ```APIDOC ## `kms().signing().getPublicKey(options)` — Retrieve the public key for a KMS signing key Returns the PEM-encoded public key corresponding to an asymmetric KMS signing key, for use in offline signature verification. ### Parameters #### Path Parameters - **keyId** (string) - Required - The ID of the KMS signing key. ### Request Example ```typescript await client.kms().signing().getPublicKey({ keyId: "kmskey_signing_abc", }); ``` ### Response #### Success Response (200) - **publicKey** (string) - The PEM-encoded public key. ``` -------------------------------- ### auth().getAccessToken() Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves the currently stored access token string. Returns null if the SDK has not yet been authenticated. ```APIDOC ## `auth().getAccessToken()` — Retrieve the current access token Returns the currently stored access token string, or `null` if the SDK has not yet been authenticated. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); console.log(client.auth().getAccessToken()); // => null await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const token = client.auth().getAccessToken(); console.log(token); // => "eyJhbGciOiJI..." ``` ``` -------------------------------- ### Create a New Secret Source: https://context7.com/infisical/node-sdk-v2/llms.txt Create a new secret with a given name, value, and optional metadata like path, comment, and tags. Returns the created secret's details. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const result = await client.secrets().createSecret("NEW_API_KEY", { projectId: "proj_abc123", environment: "development", secretValue: "dev-key-xyz-789", secretPath: "/integrations", // optional: target folder secretComment: "Used for dev testing", // optional tagIds: ["tag_id_1"], // optional: attach tags skipMultilineEncoding: false, // optional }); console.log(result.secret.id); // => "sec_xyz..." console.log(result.secret.secretKey); // => "NEW_API_KEY" console.log(result.secret.createdAt); // => "2024-03-15T10:00:00.000Z" ``` -------------------------------- ### Retrieve Public Key for a KMS Signing Key Source: https://context7.com/infisical/node-sdk-v2/llms.txt Obtain the PEM-encoded public key for an asymmetric KMS signing key. This is useful for verifying signatures offline. Authentication is required prior to execution. ```typescript import { InfisicalSDK } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const publicKey = await client.kms().signing().getPublicKey({ keyId: "kmskey_signing_abc", }); console.log(publicKey); // => "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqh..." ``` -------------------------------- ### secrets().getSecret(options) Source: https://context7.com/infisical/node-sdk-v2/llms.txt Retrieves a specific secret by its key name within a project/environment combination. Supports fetching a particular version, filtering by type (shared vs personal), and expanding inline secret references. ```APIDOC ## `secrets().getSecret(options)` — Fetch a single secret by name Retrieves a specific secret by its key name within a project/environment combination. Supports fetching a particular version, filtering by type (shared vs personal), and expanding inline secret references. ```typescript import { InfisicalSDK, SecretType } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); try { const secret = await client.secrets().getSecret({ secretName: "STRIPE_SECRET_KEY", projectId: "proj_abc123", environment: "production", secretPath: "/payments", // optional: folder path type: SecretType.Shared, // "shared" | "personal" expandSecretReferences: true, version: 3, // optional: fetch a specific version }); console.log(secret.secretKey); // => "STRIPE_SECRET_KEY" console.log(secret.secretValue); // => "sk_live_..." console.log(secret.version); // => 3 } catch (err) { console.error(err.message); // => "[URL=...] [Method=GET] [StatusCode=404] Secret not found" } ``` ``` -------------------------------- ### Sign and Verify Data with KMS Key Source: https://context7.com/infisical/node-sdk-v2/llms.txt Signs data using an asymmetric KMS key and verifies the signature. The `data` field must be base64-encoded. Set `isDigest: true` if providing a pre-hashed digest rather than raw data. Ensure you are authenticated and have a valid key ID. ```typescript import { InfisicalSDK, SigningAlgorithm } from "@infisical/sdk"; const client = new InfisicalSDK(); await client.auth().universalAuth.login({ clientId: process.env.INFISICAL_CLIENT_ID!, clientSecret: process.env.INFISICAL_CLIENT_SECRET!, }); const payload = Buffer.from("important document content").toString("base64"); const signResult = await client.kms().signing().sign({ keyId: "kmskey_signing_abc", data: payload, signingAlgorithm: SigningAlgorithm.RSASSA_PSS_SHA_256, isDigest: false, }); console.log(signResult.signature); // => base64 signature string console.log(signResult.signingAlgorithm); // => "RSASSA_PSS_SHA_256" // Verify the signature const verifyResult = await client.kms().signing().verify({ keyId: "kmskey_signing_abc", data: payload, signature: signResult.signature, signingAlgorithm: SigningAlgorithm.RSASSA_PSS_SHA_256, isDigest: false, }); console.log(verifyResult.signatureValid); // => true ```