Skip to main content
infisical login

Description

The CLI uses authentication to verify your identity. You can authenticate using:
  • Browser Login (default): Opens a browser for authentication
  • Direct Login: Provide email and password via flags or environment variables for non-interactive workflows
  • Interactive CLI Login: Use the --interactive flag to enter credentials via CLI prompts
When authenticated, a token is generated and saved in your system Keyring to allow you to make future interactions with the CLI. To change where the login credentials are stored, visit the vaults command. If you have added multiple users, you can switch between the users by using the user command.
JWT Token Output:
  • For user authentication with the --plain --silent flags: outputs only the JWT access token (useful for scripting)
  • For machine identity authentication: an access token is always printed to the console
Use the --plain flag to print only the token in plain text and the --silent flag to disable update alerts.Both flags are ideal for capturing the token in environment variables or CI/CD pipelines.

Authentication Methods

The Infisical CLI supports two main categories of authentication: User Authentication and Machine Identity Authentication.

User Authentication

User authentication is designed for individual developers and supports multiple login flows.
The User authentication method allows you to log in with your email and password. This method supports three different login flows:
  • Browser Login (default): Opens a browser for authentication
  • Direct Login: Provide credentials via flags or environment variables for CI/CD
  • Interactive CLI Login: Enter credentials via CLI prompts using --interactive
Flags
infisical login

infisical login --email=user@example.com --password=your-password --organization-id=your-organization-id

# Or using environment variables
export INFISICAL_EMAIL="user@example.com"
export INFISICAL_PASSWORD="your-password"
export INFISICAL_ORGANIZATION_ID="your-organization-id"
infisical login

infisical login --interactive

export INFISICAL_TOKEN=$(infisical login --email=user@example.com --password=your-password --organization-id=your-organization-id --plain --silent)

Machine Identity Authentication

Machine identity authentication methods are designed for automated systems, services, and CI/CD pipelines.
The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.
Flags
1

Create a universal auth machine identity

To create a universal auth machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret>
The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.
Flags
1

Create a Kubernetes machine identity

To create a Kubernetes machine identity, follow the step by step guide outlined here.
2

Obtain access an token

Run the login command with the following flags to obtain an access token:
  # --service-account-token-path is optional, and will default to '/var/run/secrets/kubernetes.io/serviceaccount/token' if not provided.
  infisical login --method=kubernetes --machine-identity-id=<machine-identity-id> --service-account-token-path=<service-account-token-path>
The Native Azure method is used to authenticate with Infisical when running in an Azure environment.
Flags
1

Create an Azure machine identity

To create an Azure machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=azure --machine-identity-id=<machine-identity-id>
The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.
Flags
1

Create a GCP machine identity

To create a GCP machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=gcp-id-token --machine-identity-id=<machine-identity-id>
The GCP IAM method is used to authenticate with Infisical with a GCP service account key.
Flags
1

Create a GCP machine identity

To create a GCP machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path>
The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.
Flags
1

Create an AWS machine identity

To create an AWS machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=aws-iam --machine-identity-id=<machine-identity-id>
The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.
Flags
1

Create an OIDC machine identity

To create an OIDC machine identity, follow the step by step guide outlined here.
2

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt>
The JWT Auth method is used to authenticate with Infisical via a JWT token.
Flags
1

Obtain an access token

Run the login command with the following flags to obtain an access token:
  infisical login --method=jwt-auth --jwt=<jwt-token> --machine-identity-id=<machine-identity-id>

Flags

The login command supports a number of flags that you can use for different authentication methods. Below is a list of all the flags that can be used with the login command. 
infisical login --method=<auth-method> # Optional, will default to 'user'.

Valid values for the method flag are:

  • user: Login using email and password. (default)
  • universal-auth: Login using a universal auth client ID and client secret.
  • kubernetes: Login using a Kubernetes native auth.
  • azure: Login using an Azure native auth.
  • gcp-id-token: Login using a GCP ID token native auth.
  • gcp-iam: Login using a GCP IAM.
  • aws-iam: Login using an AWS IAM native auth.
  • oidc-auth: Login using OIDC auth.
  • jwt-auth: Login using a plain JWT token.
infisical login --client-id=<client-id> # Optional, required if --method=universal-auth.

Description

The client ID of the universal auth machine identity. This is required if the --method flag is set to universal-auth.
The client-id flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_ID environment variable.
infisical login --client-secret=<client-secret> # Optional, required if --method=universal-auth.

Description

The client secret of the universal auth machine identity. This is required if the --method flag is set to universal-auth.
The client-secret flag can be substituted with the INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET environment variable.
infisical login --machine-identity-id=<your-machine-identity-id> # Optional, required if --method=kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.

Description

The ID of the machine identity. This is required if the --method flag is set to kubernetes, azure, gcp-id-token, gcp-iam, or aws-iam.
The machine-identity-id flag can be substituted with the INFISICAL_MACHINE_IDENTITY_ID environment variable.
infisical login --service-account-token-path=<service-account-token-path> # Optional Will default to '/var/run/secrets/kubernetes.io/serviceaccount/token'.

Description

The path to the Kubernetes service account token to use for authentication. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.
The service-account-token-path flag can be substituted with the INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH environment variable.
infisical login --service-account-key-file-path=<gcp-service-account-key-file-path> # Optional, but required if --method=gcp-iam.

Description

The path to your GCP service account key file. This is required if the --method flag is set to gcp-iam.
The service-account-key-path flag can be substituted with the INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH environment variable.
infisical login --email=<email> --password=<password> --organization-id=<organization-id>

Description

User email address. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the --password and --organization-id flag.
You can omit the —method=user if you want as it’s the default method.
The email flag can be substituted with the INFISICAL_EMAIL environment variable.
infisical login --email=<email> --password=<password> --organization-id=<organization-id>

Description

User password. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the --email and --organization-id flag.
For security in CI/CD environments, prefer using the INFISICAL_PASSWORD environment variable instead of passing the password as a command-line flag.
You can omit the —method=user if you want as it’s the default method.
The password flag can be substituted with the INFISICAL_PASSWORD environment variable.
infisical login --email=<email> --password=<password> --organization-id=<organization-id>

Description

User organization id. Required if you want to do a non-interactive login when the —method flag is set to user. Must be used together with the --email and --password flag.
You can omit the —method=user if you want as it’s the default method.
The organization-id flag can be substituted with the INFISICAL_ORGANIZATION_ID environment variable.
infisical login --interactive

Description

Forces interactive CLI login where you’ll be prompted to enter your email, password, and select your organization in the terminal, instead of opening a browser.
infisical login --email=<email> --password=<password> --organization-id=<organization-id> --plain

Description

When used with direct user login or machine identity authentication, outputs only the JWT access token without any additional formatting. This is useful for scripting and CI/CD pipelines where you need to capture the token.
# Example: Capture token in a variable
export INFISICAL_TOKEN=$(infisical login --email=<email> --password=<password> --organization-id=<organization-id> --plain --silent)
Use it alongside the silent flag to disable all messages in the console except from the access token.
infisical login --jwt=<jwt-token> --machine-identity-id=<machine-identity-id>

Description

The JWT provided by an identity provider for OIDC or plain JWT authentication. This is required if the --method flag is set to oidc-auth or jwt-auth.
The jwt flag can be substituted with the INFISICAL_JWT environment variable.
infisical login --domain=<domain-url>

Description

Specifies the Infisical API URL for non-US Cloud instances. This flag is required when connecting to any instance other than US Cloud (e.g. EU Cloud or self-hosted).
# Example for EU Cloud
infisical login --domain="https://eu.infisical.com"

# Example for localhost
infisical login --domain="http://localhost:8080"

# Example for self-hosted
infisical login --domain="https://your-self-hosted-infisical.com"
Critical: If you use --domain during login, you must also include it on all subsequent CLI commands (e.g., infisical secrets, infisical export, etc.). Alternatively, set the INFISICAL_API_URL environment variable to avoid having to use --domain on every command. Refer to the Domain Configuration section for more details.

User Authentication Examples

The following examples demonstrate different ways to authenticate as a user with the Infisical CLI.
By default, running infisical login without any flags opens your browser for authentication.
# Opens browser for authentication
infisical login
The browser will open to the Infisical login page, and upon successful authentication, the CLI will be automatically authenticated.
Direct login is ideal for CI/CD pipelines and automation scripts where browser-based authentication is not possible.

Using Command-Line Flags

# Basic direct login (defaults to US Cloud)
infisical login --email user@example.com --password "your-password" --organization-id "your-organization-id"

# Basic direct login (EU Cloud)
infisical login --domain https://eu.infisical.com --email user@example.com --password "your-password" --organization-id "your-organization-id"

# Basic direct login (Self-hosted Instance)
infisical login --domain https://your-self-hosted-infisical.com --email user@example.com --password "your-password" --organization-id "your-organization-id"

# Output only JWT token for scripting
export INFISICAL_TOKEN=$(infisical login --email user@example.com --password "your-password" --organization-id "your-organization-id" --plain --silent)

# Set credentials as environment variables
export INFISICAL_EMAIL="user@example.com"
export INFISICAL_PASSWORD="your-password"
export INFISICAL_ORGANIZATION_ID="your-organization-id"

# Login without additional flags
infisical login

# Or with plain output for token capture
export INFISICAL_TOKEN=$(infisical login --plain --silent)
For non-US Cloud instances: If you’re using EU Cloud or a self-hosted instance, you must set INFISICAL_API_URL before login or use --domain on all commands. Refer to the Domain Configuration section for more details.
Interactive login prompts you to enter credentials in the terminal instead of opening a browser.
# Force interactive CLI login
infisical login --interactive
You’ll be prompted to enter:
  • Email address
  • Password
After the prompt, you will be shown a list of organizations to choose from.
If you have SSO enabled, we recommend using the default browser login.

Machine Identity Authentication Quick Start

In this example we’ll be using the universal-auth method to login to obtain an Infisical access token, which we will then use to fetch secrets with.
1

Obtain an access token

  export INFISICAL_TOKEN=$(infisical login --method=universal-auth --client-id=<client-id> --client-secret=<client-secret> --silent --plain) # silent and plain is important to ensure only the token itself is printed, so we can easily set it as an environment variable.
For non-US Cloud instances: If you’re using EU Cloud or a self-hosted instance, you must set INFISICAL_API_URL before login or use --domain on all commands. Refer to the Domain Configuration section for more details.
Now that we’ve set the INFISICAL_TOKEN environment variable, we can use the CLI to interact with Infisical. The CLI will automatically check for the presence of the INFISICAL_TOKEN environment variable and use it for authentication.Alternatively, if you would rather use the --token flag to pass the token directly, you can do so by running the following command:
  infisical [command] --token=<your-access-token> # The token output from the login command.
2

Fetch all secrets from an environment

  infisical secrets --projectId=<your-project-id> --env=dev --recursive
This command will fetch all secrets from the dev environment in your project, including all secrets in subfolders.
The --recursive, and --env flag is optional and will fetch all secrets in subfolders. The default environment is dev if no --env flag is provided.