How to Set Up Infisical for Secret Management
Set up Infisical in 6 steps — a project, 3 environments, the CLI, a CI machine identity. Then Ringtail mints scoped keys into your Infisical, value-free.

Rocco set up the three environments, then admired them like a raccoon admiring a tidy shelf. Rare feeling.

🦝 Rocco: one project, three environments, a machine identity for ci. now the secrets have a home.
To set up Infisical, create an account (cloud or self-hosted), make a project, confirm your dev / staging / prod environments, add secrets in the dashboard, install the Infisical CLI and run infisical login, then create a machine identity so CI can pull secrets without a human. Below is the full flow, the CLI commands, and how Ringtail mints scoped keys and writes them straight into your Infisical — value-free, so the secret values never touch your coding agent.
What is Infisical and where do you start?
Infisical is an open-source secret manager: it stores your environment variables in one place and syncs them to your apps, CI, and teammates. You can use Infisical Cloud or self-host it — the open-source server runs in Docker, so a small team can host its own with no vendor in the path.
Start by creating an account and a project. A project is the boundary for one app's secrets across all its environments, and it's where you'll point both the CLI and, later, Ringtail. If you're weighing Infisical against a hosted-only option, Ringtail vs Doppler: acquisition versus storage, honestly compared lays out where a store fits versus where key acquisition fits.
What are the steps to set up Infisical?
Six steps:
- Create an account at infisical.com (or deploy the self-hosted server via Docker).
- Create a project for your app.
- Confirm the environments — Infisical ships with Development, Staging, and Production by default. Keep the three so your
.env.localmaps cleanly todev. - Add secrets in the dashboard under each environment, or import an existing
.envfile. - Install the CLI and run
infisical loginto link your machine. - Create a machine identity (or service token) so CI can pull secrets without a human login.
How do you install the Infisical CLI and pull secrets?
Install the CLI, authenticate, and run your app with secrets injected from Infisical instead of a local .env:
# macOS
brew install infisical/get-cli/infisical
# then authenticate and link a project
infisical login
infisical init
Now inject secrets into any process at runtime — no plaintext .env needed:
infisical run --env=dev -- npm run dev
infisical run fetches the secrets for the named environment and passes them as environment variables to the command after --. Switch --env=dev to staging or prod and the same command runs against that environment's secrets. This is the payoff of the setup: one source of truth, per-environment, no .env files drifting out of sync.
How do you let CI pull secrets without a human?
Use a machine identity (Infisical's recommended path) or a service token, scoped to a single environment. A machine identity authenticates non-interactively with a client ID and secret, so CI can call infisical run without a person logging in:
- Create the identity under Project → Access Control → Machine Identities.
- Grant it read access to the one environment CI needs (usually
prodfor deploys). - Store its credentials as CI secrets and authenticate with them in the pipeline.
Scope each identity to the least it needs — one environment, read-only where possible. That's the same least-privilege API key provisioning discipline you apply to provider keys, now applied to the store itself.

🦝 Rocco: the machine identity reads one environment. it doesn't get the master key to the whole shelf.
How does Ringtail write into your Infisical?
Once you've set up Infisical and connected it to Ringtail, Ringtail writes every scoped key it mints straight into your Infisical — across dev, staging, and prod — so the store you just built fills itself. Ringtail reads your .env.example, mints each scoped key from the providers' official APIs, validates the scope, and pushes the value into both .env.local and the matching Infisical environment.
It's value-free: the secret value goes from the provider's API into Infisical and your local file without passing through your coding agent or any model. The agent orchestrates which keys to mint and where they go; it never sees the sk_… string. Install it once:
curl -fsSL ringtail.sh | sh
ringtail up
Ringtail uses official provider APIs only — never a browser bot — and Infisical is its default destination for team sync. So the division of labor is clean: Infisical stores and syncs, Ringtail acquires and scopes. For the full acquisition pattern, see how to stop juggling 15 API keys on every new project.
FAQ
What is Infisical used for?
Infisical is an open-source secret manager used to store environment variables in one place and sync them to your apps, CI pipelines, and teammates across environments like dev, staging, and prod. You can use Infisical Cloud or self-host the open-source server in Docker. It replaces scattered, drifting .env files with a single source of truth you inject at runtime.
How do I run my app with Infisical secrets?
Install the CLI, run infisical login and infisical init to link a project, then start your app with infisical run --env=dev -- npm run dev. The CLI fetches that environment's secrets and passes them to the command after -- as environment variables, so no plaintext .env file is needed. Swap --env=dev for staging or prod to target another environment.
How does CI authenticate to Infisical without a human login?
Create a machine identity under Project → Access Control → Machine Identities, grant it read access to the single environment CI needs, and store its client credentials as CI secrets. The pipeline authenticates non-interactively with those credentials and calls infisical run — no person logs in. Scope each identity to the least it needs, ideally one environment and read-only.
How does Ringtail work with Infisical?
Ringtail acquires keys and Infisical stores them. After you connect Infisical to Ringtail, Ringtail mints each scoped key from the providers' official APIs and writes the value straight into the matching Infisical environment and your .env.local — value-free, so the secret never reaches your coding agent. Infisical handles storage and team sync; Ringtail handles the acquisition step before it.
