Skip to main content
If you’re working with Go, the official Infisical Go SDK package is the easiest way to fetch and work with secrets for your application.

Basic Usage

package main

import (
  "fmt"
  "os"
  "context"
  infisical "github.com/infisical/go-sdk"
)

func main() {

	client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://app.infisical.com
    AutoTokenRefresh: true, // Wether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
	})

	_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")

	if err != nil {
		fmt.Printf("Authentication failed: %v", err)
		os.Exit(1)
	}

	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
		SecretKey:   "API_KEY",
		Environment: "dev",
		ProjectID:   "YOUR_PROJECT_ID",
		SecretPath:  "/",
	})

	if err != nil {
		fmt.Printf("Error: %v", err)
		os.Exit(1)
	}

	fmt.Printf("API Key Secret: %v", apiKeySecret)

}
This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.
We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

$ go get github.com/infisical/go-sdk

Configuration

Import the SDK and create a client instance. 
client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl: "https://app.infisical.com", // Optional, default is https://api.infisical.com
	})

Configuration Options

options
object

Automatic token refreshing

The Infisical Go SDK supports automatic token refreshing, enabled by default. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed. You can opt-out by setting AutoTokenRefresh to false in the client settings. 
  client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
    AutoTokenRefresh: false, // <- Disable automatic token refreshing
  })

Client Lifecycle

When using automatic token refreshing it’s important to understand how your application uses the Infisical client. If you are instantiating new instances of the client often, it’s important to cancel the context when the client is no longer needed to avoid the token refreshing process from running indefinitely. 
  ctx, cancel := context.WithCancel(context.Background())
  defer cancel() // Cancel the context when the client is no longer needed

  client := infisical.NewInfisicalClient(ctx, infisical.Config{
    AutoTokenRefresh: true,
  })

  // Use the client
This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle. If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don’t need to worry about this.

Authentication

Authentication Methods

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Using environment variablesCall .Auth().UniversalAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.
Using the SDK directly
_, err := client.Auth().UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.
Using environment variablesCall .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
_, err := client.Auth().GcpIdTokenAuthLogin("YOUR_MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Using environment variablesCall .Auth().GcpIamAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.
Using the SDK directly
_, err = client.Auth().GcpIamAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_KEY_FILE_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.
Using environment variablesCall .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
_, err = client.Auth().AwsIamAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.
Using environment variablesCall .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Using the SDK directly
_, err = client.Auth().AzureAuthLogin("MACHINE_IDENTITY_ID")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.
Using environment variablesCall .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:
  • INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.
Using the SDK directly
// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method requires a valid JWT token from your JWT issuer. Please read more about this authentication method.
Using the SDK
credential, err := client.Auth().JwtAuthLogin("MACHINE_IDENTITY_ID", "JWT_TOKEN")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method requires LDAP credentials. Please read more about this authentication method.
Using environment variablesYou can set the INFISICAL_LDAP_AUTH_IDENTITY_ID environment variable and pass empty string for the identity ID:
credential, err := client.Auth().LdapAuthLogin("", "LDAP_USERNAME", "LDAP_PASSWORD")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Using the SDK directly
credential, err := client.Auth().LdapAuthLogin("MACHINE_IDENTITY_ID", "LDAP_USERNAME", "LDAP_PASSWORD")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Please note that this authentication method will only work if you’re running your application on Oracle Cloud Infrastructure. Please read more about this authentication method.
Using environment variablesYou can set the INFISICAL_OCI_AUTH_IDENTITY_ID environment variable and omit the IdentityID field:
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
  UserID:      "USER_OCID",
  TenancyID:   "TENANCY_OCID",
  Fingerprint: "FINGERPRINT",
  PrivateKey:  "PRIVATE_KEY",
  Region:      "REGION",
})

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
Using the SDK directly
credential, err := client.Auth().OciAuthLogin(infisical.OciAuthLoginOptions{
  IdentityID:  "MACHINE_IDENTITY_ID",
  UserID:      "USER_OCID",
  TenancyID:   "TENANCY_OCID",
  Fingerprint: "FINGERPRINT",
  PrivateKey:  "PRIVATE_KEY",
  Region:      "REGION",
  Passphrase:  nil, // Optional: pointer to string if your private key has a passphrase
})

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
OciAuthLoginOptions fields:
  • IdentityID (string) - Your Infisical Machine Identity ID. Can be set via INFISICAL_OCI_AUTH_IDENTITY_ID environment variable.
  • UserID (string) - Your OCI user OCID.
  • TenancyID (string) - Your OCI tenancy OCID.
  • Fingerprint (string) - Your OCI API key fingerprint.
  • PrivateKey (string) - Your OCI private key (PEM format).
  • Region (string) - Your OCI region (e.g., us-ashburn-1).
  • Passphrase (*string) - Optional: pointer to passphrase string if your private key is encrypted.

Sub-Organization Authentication

This section is only relevant to you if your organization is utilizing sub-organizations within Infisical.
All SDK authentication methods support logging into a sub-organization that your machine identity has access to. This is optional and only necessary when attempting to authenticate into a sub-organization using an identity created at the root organization. Use the .Auth().WithOrganizationSlug("<organization-slug>") method to specify which organization to authenticate against: 
_, err := client.Auth().WithOrganizationSlug("ORGANIZATION_SLUG").UniversalAuthLogin("CLIENT_ID", "CLIENT_SECRET")

if err != nil {
  fmt.Println(err)
  os.Exit(1)
}
If no organization slug is provided, the authentication session defaults to the organization where the machine identity was originally created.

Secrets

List Secrets

client.Secrets().List(options) Retrieve all secrets within the Infisical project and environment that client is connected to. 
secrets, err := client.Secrets().List(infisical.ListSecretsOptions{
  ProjectID:          "PROJECT_ID",
  Environment:        "dev",
  SecretPath:         "/foo/bar",
  AttachToProcessEnv: false,
})

Parameters

Parameters
object

Retrieve Secret

client.Secrets().Retrieve(options) Retrieve a secret from Infisical. By default Secrets().Retrieve() fetches and returns a shared secret. 
secret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
  SecretKey:   "API_KEY",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
})

Parameters

Parameters
object

Create Secret

client.Secrets().Create(options) Create a new secret in Infisical. 
secret, err := client.Secrets().Create(infisical.CreateSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",

  SecretKey:     "NEW_SECRET_KEY",
  SecretValue:   "NEW_SECRET_VALUE",
  SecretComment: "This is a new secret",
})

Parameters

Parameters
object

Update Secret

client.Secrets().Update(options) Update an existing secret in Infisical. 
secret, err := client.Secrets().Update(infisical.UpdateSecretOptions{
  ProjectID:                "PROJECT_ID",
  Environment:              "dev",
  SecretKey:                "NEW_SECRET_KEY",
  NewSecretValue:           "NEW_SECRET_VALUE",
  NewSkipMultilineEncoding: false,
})

Parameters

Parameters
object

Delete Secret

client.Secrets().Delete(options) Delete a secret in Infisical. 
secret, err := client.Secrets().Delete(infisical.DeleteSecretOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  SecretKey:   "SECRET_KEY",
})

Parameters

Parameters
object

Batch Create Secrets

client.Secrets().Batch().Create(options) Create multiple secrets in Infisical. 
	createdSecrets, err := client.Secrets().Batch().Create(infisical.BatchCreateSecretsOptions{
		Environment: "<environment-slug>",
		SecretPath:  "<secret-path>",
		ProjectID:   "<project-id>",
		Secrets: []infisical.BatchCreateSecret{
			{
				SecretKey:   "SECRET-1",
				SecretValue: "test-value-1",
			},
			{
				SecretKey:   "SECRET-2",
				SecretValue: "test-value-2",
			},
		},
	})

Parameters

Parameters
object

Folders

List Folders

client.Folders().List(options) Retrieve all within the Infisical project and environment that client is connected to. 
folders, err := client.Folders().List(infisical.ListFoldersOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Create Folder

client.Folders().Create(options) Create a new folder in Infisical. 
folder, err := client.Folders().Create(infisical.CreateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Name:        "new=folder-name",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Update Folder

client.Folders().Update(options) Update an existing folder in Infisical. 
folder, err := client.Folders().Update(infisical.UpdateFolderOptions{
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
  FolderID:    "FOLDER_ID_TO_UPDATE",
  NewName:     "new-folder-name",
})

Parameters

Parameters
object

Delete Folder

client.Folders().Delete(options) Delete a folder in Infisical. 
deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
  // Either folder ID or folder name is required.
  FolderName:  "name-of-folder-to-delete",
  FolderID:    "folder-id-to-delete",
  ProjectID:   "PROJECT_ID",
  Environment: "dev",
  Path:        "/",
})

Parameters

Parameters
object

Dynamic Secrets

Dynamic secrets generate credentials on-demand instead of storing static values. Credentials are issued through short-lived leases that Infisical automatically revokes when they expire.
The Go SDK reads dynamic secret configurations and manages their leases. Creating or updating a dynamic secret’s configuration is done through the Infisical dashboard or the API.

List Dynamic Secrets

client.DynamicSecrets().List(options) Retrieve all dynamic secrets within a project environment and path. 
dynamicSecrets, err := client.DynamicSecrets().List(infisical.ListDynamicSecretsRootCredentialsOptions{
  ProjectSlug:     "<project-slug>",
  EnvironmentSlug: "dev",
  SecretPath:      "/",
})

Parameters

Parameters
object

Get Dynamic Secret by Name

client.DynamicSecrets().GetByName(options) Retrieve a single dynamic secret configuration by name. 
dynamicSecret, err := client.DynamicSecrets().GetByName(infisical.GetDynamicSecretRootCredentialByNameOptions{
  DynamicSecretName: "<dynamic-secret-name>",
  ProjectSlug:       "<project-slug>",
  EnvironmentSlug:   "dev",
  SecretPath:        "/",
})

Parameters

Parameters
object

Dynamic Secret Leases

A lease represents a single set of generated credentials with its own TTL. Use leases to generate, inspect, renew, and revoke credentials from a dynamic secret. Access the leases interface with client.DynamicSecrets().Leases().

Create Lease

client.DynamicSecrets().Leases().Create(options) Generate a new set of credentials from a dynamic secret. 
credentials, dynamicSecret, lease, err := client.DynamicSecrets().Leases().Create(infisical.CreateDynamicSecretLeaseOptions{
  DynamicSecretName: "<dynamic-secret-name>",
  ProjectSlug:       "<project-slug>",
  EnvironmentSlug:   "dev",
  SecretPath:        "/",
  TTL:               "5m", // Optional
})
Your generated credentials are returned in the first return value (credentials, a map[string]any). The exact keys depend on the dynamic secret provider.

Parameters

Parameters
object

Return

Return
(map[string]any, DynamicSecret, DynamicSecretLease, error)
The generated credentials, the dynamic secret the lease was created from, the lease details, and an error if the request failed.

List Leases

client.DynamicSecrets().Leases().List(options) Retrieve all leases for a dynamic secret. 
leases, err := client.DynamicSecrets().Leases().List(infisical.ListDynamicSecretLeasesOptions{
  DynamicSecretName: "<dynamic-secret-name>",
  ProjectSlug:       "<project-slug>",
  EnvironmentSlug:   "dev",
  SecretPath:        "/",
})

Parameters

Parameters
object

Get Lease by ID

client.DynamicSecrets().Leases().GetById(options) Retrieve a single lease, including its associated dynamic secret. 
lease, err := client.DynamicSecrets().Leases().GetById(infisical.GetDynamicSecretLeaseByIdOptions{
  LeaseId:         "<lease-id>",
  ProjectSlug:     "<project-slug>",
  EnvironmentSlug: "dev",
  SecretPath:      "/",
})

Parameters

Parameters
object

Return (map)

Return
(DynamicSecretLeaseWithDynamicSecret, error)
The lease, with the associated dynamic secret nested in its DynamicSecret field, and an error if the request failed.

Renew Lease

client.DynamicSecrets().Leases().RenewById(options) Extend the TTL of an existing lease. 
lease, err := client.DynamicSecrets().Leases().RenewById(infisical.RenewDynamicSecretLeaseOptions{
  LeaseId:         "<lease-id>",
  ProjectSlug:     "<project-slug>",
  EnvironmentSlug: "dev",
  SecretPath:      "/",
  TTL:             "10m", // Optional
})
Renewals must happen before the lease expires. Renewing does not issue new credentials; it extends the expiration of the existing credentials.

Parameters

Parameters
object

Delete Lease

client.DynamicSecrets().Leases().DeleteById(options) Revoke a lease and its associated credentials. 
lease, err := client.DynamicSecrets().Leases().DeleteById(infisical.DeleteDynamicSecretLeaseOptions{
  LeaseId:         "<lease-id>",
  ProjectSlug:     "<project-slug>",
  EnvironmentSlug: "dev",
  SecretPath:      "/",
  IsForced:        false,
})

Parameters

Parameters
object

KMS

Create Key

client.Kms().Keys().Create(options) Create a new key in Infisical. 
	newKey, err := client.Kms().Keys().Create(infisical.KmsCreateKeyOptions{
		KeyUsage:            "<sign-verify>|<encrypt-decrypt>",
		Description:         "<key-description>",
		Name:                "<key-name>",
		EncryptionAlgorithm: "<rsa-4096>|<ecc-nist-p256>|<aes-256-gcm>|<aes-128-gcm>",
		ProjectId:           "<project-id>",
	})

Parameters

Parameters
object

Return (object)

Return
object

Delete Key

client.Kms().Keys().Delete(options) Delete a key in Infisical. 
deletedKey, err = client.Kms().Keys().Delete(infisical.KmsDeleteKeyOptions{
		KeyId: "<key-id>",
	})

Parameters

Parameters
object

Return

Return
object

Signing Data

client.Kms().Signing().Sign(options) Sign data in Infisical. 
res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
  KeyId:            "<key-id>",
  Data:             "<data-to-sign>", // Must be a base64 encoded string.
  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
})

Parameters

Parameters
object

Return ([]byte)

Return
[]byte
The signature of the data that was signed.

Verifying Data

client.Kms().Signing().Verify(options) Verify data in Infisical. 
res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
  KeyId:            "<key-id>",
  Data:             "<data-to-verify>", // Must be a base64 encoded string.
  SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
})

Parameters

Parameters
object

Return (object)

Return
object

List Signing Algorithms

client.Kms().Signing().ListSigningAlgorithms(options) List signing algorithms in Infisical. 
res, err := client.Kms().Signing().ListSigningAlgorithms(infisical.KmsListSigningAlgorithmsOptions{
  KeyId: "<key-id>",
})

Parameters

Parameters
object

Return ([]string)

Return
[]string
The signing algorithms that are available for the key.

Get Public Key

This method is only available for keys with key usage sign-verify. If you attempt to use this method on a key that is intended for encryption/decryption, it will return an error.
client.Kms().Signing().GetPublicKey(options) Get the public key in Infisical. 
publicKey, err := client.Kms().Signing().GetPublicKey(infisical.KmsGetPublicKeyOptions{
  KeyId: "<key-id>",
})

Parameters

Parameters
object

Return (string)

Return
string
The public key for the key.

Encrypt Data

client.Kms().Encryption().Encrypt(options) Encrypt data with a key in Infisical KMS. 
res, err := client.Kms().EncryptData(infisical.KmsEncryptDataOptions{
  KeyId: "<key-id>",
  Plaintext: "<data-to-encrypt>",
})

Parameters

Parameters
object

Return (string)

Return
string
The encrypted data.

Decrypt Data

client.Kms().DecryptData(options) Decrypt data with a key in Infisical KMS. 
res, err := client.Kms().DecryptData(infisical.KmsDecryptDataOptions{
  KeyId: "<key-id>",
  Ciphertext: "<encrypted-data>",
})

Parameters

Parameters
object

Return (string)

Return
string
The decrypted data.