REST API
Infisical’s REST API is the most flexible way to read/write secrets for your application.
In this brief, we’ll explore how to fetch a secret back from a project on Infisical Cloud via the REST API.
Create a project with a secret
To create a project, head to your Organization Overview and press Add New Project; we’ll call the project Demo App.
Next, let’s head to the Development environment of the project and add a secret FOO=BAR to it.
For this brief, you’ll need to disable end-to-end encryption in your Project Settings.
Create an identity
Next, we need to create an identity to represent your application. To create one, head to your Organization Settings > Access Control > Machine Identities and press Create identity.
When creating an identity, you specify an organization-level role for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
Once you’ve created an identity, you’ll be prompted to configure the Universal Auth authentication method for it.
Create a Client Secret
To use the identity, you’ll need the non-sensitive Client ID of the identity and a Client Secret for it; you can think of these credentials as akin to a username and password used to authenticate with the Infisical API. With that, press the key icon on the identity to generate a Client Secret for it.
Add the identity to the project
To enable the identity to access your project, we need to add it to the project. To do this, head over to the Demo App Project Settings > Access Control > Machine Identities and press Add identity.
Next, select the identity you want to add to the project and the role you want to assign it.
Get an access token for the Infisical API
To access the Infisical API as the identity, you should first perform a login operation, that is, exchange the Client ID and Client Secret of the identity for an access token by making a request to the /api/v1/auth/universal-auth/login endpoint.
Sample request
Sample response
Next, we can use the access token to authenticate with the Infisical API to read/write secrets.
Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation; the default TTL is 7200 seconds, which can be adjusted.
If an identity access token expires, it can no longer authenticate with the Infisical API. In this case, a new access token should be obtained from the aforementioned login operation.
Fetch back secret
Finally, you can fetch the secret FOO=BAR back from Step 1 by including the access token from the previous step in another request to the /api/v3/secrets/raw/{secretName} endpoint.
Sample request
Sample response
Note that you can fetch a list of secrets back by making a request to the /api/v3/secrets/raw endpoint.
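The login and fetch steps above, combined into one client that logs in again shortly before the token's TTL runs out, as an added example that is not Infisical's own code. The two endpoint paths come from this page; the JSON field names (clientId, clientSecret, accessToken, expiresIn, secret.secretValue), the query parameters (workspaceId, environment) and the 30-second renewal margin are assumptions not shown here.

```python
import json, time, urllib.parse, urllib.request

def http_json(method, url, headers=None, body=None):
    """Default transport: send a JSON request, return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(url, data=data, method=method, headers=hdrs)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class InfisicalClient:
    """Caches the identity access token and renews it before the TTL expires."""
    def __init__(self, base_url, client_id, client_secret,
                 transport=http_json, clock=time.monotonic, skew=30):
        self.base_url = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.transport, self.clock, self.skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        # Log in on first use, or when the cached token is within `skew`
        # seconds of expiry, so no request is sent with a stale token.
        if self._token is None or self.clock() >= self._expires_at - self.skew:
            reply = self.transport(
                "POST", self.base_url + "/api/v1/auth/universal-auth/login",
                # The Client Secret travels in the request body, never in the URL.
                body={"clientId": self.client_id,
                      "clientSecret": self.client_secret})
            # Assumed response fields: accessToken, expiresIn (seconds).
            self._token = reply["accessToken"]
            self._expires_at = self.clock() + reply["expiresIn"]
        return self._token

    def get_secret(self, name, project_id, environment):
        # Assumed query parameters: workspaceId (project id), environment slug.
        query = urllib.parse.urlencode(
            {"workspaceId": project_id, "environment": environment})
        url = "%s/api/v3/secrets/raw/%s?%s" % (
            self.base_url, urllib.parse.quote(name, safe=""), query)
        # The access token is sent as a bearer token in the Authorization header.
        reply = self.transport(
            "GET", url,
            headers={"Authorization": "Bearer " + self.access_token()})
        return reply["secret"]["secretValue"]  # assumed response shape
```

Read the Client ID and Client Secret from the process environment or a mounted file rather than from source code, and keep the access token out of logs.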