package main

import (
	"context"
	"fmt"
	"os"

	infisical "github.com/infisical/go-sdk"
)

func main() {
	client := infisical.NewInfisicalClient(context.Background(), infisical.Config{
		SiteUrl:          "https://app.infisical.com", // Optional, default is https://app.infisical.com
		AutoTokenRefresh: true,                        // Whether or not to let the SDK handle the access token lifecycle. Defaults to true if not specified.
	})

	_, err := client.Auth().UniversalAuthLogin("YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET")
	if err != nil {
		fmt.Printf("Authentication failed: %v", err)
		os.Exit(1)
	}

	apiKeySecret, err := client.Secrets().Retrieve(infisical.RetrieveSecretOptions{
		SecretKey:   "API_KEY",
		Environment: "dev",
		ProjectID:   "YOUR_PROJECT_ID",
		SecretPath:  "/",
	})
	if err != nil {
		fmt.Printf("Error: %v", err)
		os.Exit(1)
	}

	fmt.Printf("API Key Secret: %v", apiKeySecret)
}
This example demonstrates how to use the Infisical Go SDK in a simple Go application. The application retrieves a secret named API_KEY from the dev environment of the YOUR_PROJECT_ID project.
We do not recommend hardcoding your Machine Identity Tokens. Setting them as environment variables would be best.
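Added example (not from the Infisical documentation or SDK): one way to follow this advice for Universal Auth. It reads the client ID and secret from the environment, fails closed on empty or `YOUR_...` placeholder values, and wraps the secret in a type that masks itself when formatted. The `Redacted` and `Credentials` types, `LoadCredentials`, and the two environment variable names are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Redacted holds a secret and masks it whenever it is formatted or logged.
type Redacted string

func (Redacted) String() string     { return "[REDACTED]" }
func (Redacted) GoString() string   { return "[REDACTED]" }
func (r Redacted) Reveal() string   { return string(r) } // raw value, for the login call only

type Credentials struct {
	ClientID     string
	ClientSecret Redacted
}

// Assumed variable names; they do not appear on this page.
const (
	envClientID     = "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
	envClientSecret = "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
)

// LoadCredentials reads both values and reports every missing one by name, never by value.
func LoadCredentials() (Credentials, error) {
	var missing []string
	get := func(name string) string {
		v := strings.TrimSpace(os.Getenv(name))
		if v == "" || strings.HasPrefix(v, "YOUR_") { // unset, or a copied docs placeholder
			missing = append(missing, name)
		}
		return v
	}
	c := Credentials{ClientID: get(envClientID), ClientSecret: Redacted(get(envClientSecret))}
	if len(missing) > 0 {
		return Credentials{}, fmt.Errorf("missing or placeholder credentials: %s", strings.Join(missing, ", "))
	}
	return c, nil
}

func main() {
	creds, err := LoadCredentials()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("loaded: %+v\n", creds) // the secret field prints as [REDACTED]
}
```

Pass `creds.ClientID` and `creds.ClientSecret.Reveal()` to the login call, and keep `Reveal()` out of any logging path.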
Defines how long certain responses should be cached in memory, in seconds. When set to a positive value, responses from specific methods (like secret fetching) will be cached for this duration. Set to 0 to disable caching.
The Infisical Go SDK supports automatic token refreshing. After using one of the auth methods such as Universal Auth, the SDK will automatically renew and re-authenticate when needed.
This behavior is enabled by default, but you can opt out by setting AutoTokenRefresh to false in the client settings.
When using automatic token refreshing, it’s important to understand how your application uses the Infisical client. If you instantiate new instances of the client often, cancel the context when the client is no longer needed to prevent the token refreshing process from running indefinitely.
ctx, cancel := context.WithCancel(context.Background())
defer cancel() // Cancel the context when the client is no longer needed

client := infisical.NewInfisicalClient(ctx, infisical.Config{
	AutoTokenRefresh: true,
})

// Use the client
This is only necessary if you are creating multiple instances of the client, and those instances are deleted or otherwise removed throughout the application lifecycle.
If you are only creating one instance of the client, and it will be used throughout the lifetime of your application, you don’t need to worry about this.
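Added example (not SDK code): a stand-in client that mimics a context-bound refresh loop, showing what is left running when short-lived clients are created without cancelling their context. `standInClient`, `newStandInClient` and `leakedAfter` are hypothetical names, and the 10 ms interval is arbitrary.

```go
package main

import (
	"context"
	"fmt"
	"sync/atomic"
	"time"
)

var activeRefreshers atomic.Int64 // refresh loops that are still running

type standInClient struct{ stopped chan struct{} } // hypothetical, not the Infisical client type

// newStandInClient starts a refresh loop that lives exactly as long as ctx.
func newStandInClient(ctx context.Context) *standInClient {
	c := &standInClient{stopped: make(chan struct{})}
	activeRefreshers.Add(1)
	go func() {
		defer close(c.stopped)         // runs last: signals that the loop has exited
		defer activeRefreshers.Add(-1) // runs first
		for {
			select {
			case <-ctx.Done():
				return
			case <-time.After(10 * time.Millisecond): // a real client would renew its token here
			}
		}
	}()
	return c
}

// leakedAfter builds n short-lived clients and returns how many refresh loops remain.
func leakedAfter(n int, cancelWhenDone bool) int64 {
	before := activeRefreshers.Load()
	for i := 0; i < n; i++ {
		if !cancelWhenDone {
			newStandInClient(context.Background()) // this loop can never be stopped
			continue
		}
		ctx, cancel := context.WithCancel(context.Background())
		c := newStandInClient(ctx)
		cancel()    // client no longer needed
		<-c.stopped // wait until the loop has really exited
	}
	return activeRefreshers.Load() - before
}

func main() {
	fmt.Println("without cancel:", leakedAfter(5, false), "with cancel:", leakedAfter(5, true))
}
```

Each leaked loop in a real service also keeps a valid access token alive in memory and keeps renewing it, so per-request clients without cancellation grow both resource use and credential exposure over time.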
The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.
Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.
Using environment variables
Call .Auth().GcpIdTokenAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.
Using environment variables
Call .Auth().AwsIamAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.
Using environment variables
Call .Auth().AzureAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.
Using environment variables
Call .Auth().KubernetesAuthLogin() with empty arguments to use the following environment variables:
INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.
Using the SDK directly
// Service account token path will default to /var/run/secrets/kubernetes.io/serviceaccount/token if empty value is passed
_, err = client.Auth().KubernetesAuthLogin("MACHINE_IDENTITY_ID", "SERVICE_ACCOUNT_TOKEN_PATH")
if err != nil {
	fmt.Println(err)
	os.Exit(1)
}

deletedFolder, err := client.Folders().Delete(infisical.DeleteFolderOptions{
	// Either folder ID or folder name is required.
	FolderName:  "name-of-folder-to-delete",
	FolderID:    "folder-id-to-delete",
	ProjectID:   "PROJECT_ID",
	Environment: "dev",
	Path:        "/",
})
client.Kms().Signing().Sign(options)
Sign data in Infisical.
res, err := client.Kms().Signing().SignData(infisical.KmsSignDataOptions{
	KeyId:            "<key-id>",
	Data:             "<data-to-sign>",     // Must be a base64 encoded string.
	SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that will be used to sign the data.
})
The signing algorithm to use. You must use a signing algorithm that matches the key usage.
If you are unsure about which signing algorithms are available for your key, you can use the client.Kms().Signing().ListSigningAlgorithms() method. It will return an array of signing algorithms that are available for your key.
client.Kms().Signing().Verify(options)
Verify data in Infisical.
res, err := client.Kms().Signing().Verify(infisical.KmsVerifyDataOptions{
	KeyId:            "<key-id>",
	Data:             "<data-to-verify>",   // Must be a base64 encoded string.
	SigningAlgorithm: "<signing-algorithm>", // The signing algorithm that was used to sign the data.
})
This method is only available for keys with key usage sign-verify. If you attempt to use this method on a key that is intended for encryption/decryption, it will return an error.
client.Kms().Signing().GetPublicKey(options)
Get the public key in Infisical.