Open-source, end-to-end encrypted tool to manage secrets and configs across your team and infrastructure.
This is now considered a legacy SDK, as we have released a new SDK that will be receiving all future updates. You can find it here.
from flask import Flask
from infisical import InfisicalClient
app = Flask(__name__)
client = InfisicalClient(token="your_infisical_token")
@app.route("/")
def hello_world():
# access value
name = client.get_secret("NAME", environment="dev", path="/")
return f"Hello! My name is: {name.secret_value}"
This example demonstrates how to use the Infisical Python SDK with a Flask application. The application retrieves a secret named "NAME" and responds to requests with a greeting that includes the secret value.
It is also possible to use the SDK to encrypt/decrypt text; the implementation uses aes-256-gcm with components of the encryption/decryption encoded in base64.
from infisical import InfisicalClient
client = InfisicalClient()
# some plaintext you want to encrypt
plaintext = 'The quick brown fox jumps over the lazy dog'
# create a base64-encoded, 256-bit symmetric key
key = client.create_symmetric_key()
# encrypt
ciphertext, iv, tag = client.encrypt_symmetric(plaintext, key)
# decrypt
cleartext = client.decrypt_symmetric(ciphertext, key, iv, tag)
You need Python 3.7+.
$ pip install infisical
Import the SDK and create a client instance with your Infisical Token.
from infisical import InfisicalClient
client = InfisicalClient(token="your_infisical_token")
Using Infisical Token V3 (Beta):
In v1.5.0, we released a superior token authentication method; this credential is a JSON containing a publicKey, privateKey, and serviceToken and can be used to initialize the Node SDK client instead of the regular service token.
You can use this beta feature like so:
from infisical import InfisicalClient
client = InfisicalClient(token_json="your_infisical_token_v3_json")
| Parameter | Type | Description |
|---|---|---|
token | string | An Infisical Token scoped to a project and environment(s). |
tokenJson | string | An Infisical Token V3 JSON scoped to a project and environment(s) - in beta |
site_url | string | Your self-hosted Infisical site URL. Default: https://app.infisical.com. |
cache_ttl | number | Time-to-live (in seconds) for refreshing cached secrets. Default: 300. |
debug | boolean | Turns debug mode on or off. Default: false. |
The SDK caches every secret and updates it periodically based on the provided cache_ttl. For example, if cache_ttl of 300 is provided, then a secret will be refetched 5 minutes after the first fetch; if the fetch fails, the cached secret is returned.
secrets = client.get_all_secrets(environment="dev", path="/foo/bar/")
Retrieve all secrets within a given environment and folder path. The service token used must have access to the given path and environment.
environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.path (string): The path from where secrets should be fetched from.include_imports (boolean): Whether or not to include imported secrets from the current path. Read about secret import. If not specified, the default value is True.attach_to_os_environ (boolean): Whether or not to attach fetched secrets to os.environ. If not specified, the default value is False.secret = client.get_secret("API_KEY", environment="dev", path="/")
value = secret.secret_value # get its value
By default, get_secret() fetches and returns a personal secret. If not found, it returns a shared secret, or tries to retrieve the value from os.environ. If a secret is fetched, get_secret() caches it to reduce excessive calls and re-fetches periodically based on the cacheTTL option (default is 300 seconds) when initializing the client — for more information, see the caching section.
To explicitly retrieve a shared secret:
secret = client.get_secret(secret_name="API_KEY", type="shared", environment="dev", path="/")
value = secret.secret_value # get its value
secret_name (string): The key of the secret to retrieve.environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.path (string): The path from where secrets should be fetched from.type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "personal".Create a new secret in Infisical
new_api_key = client.create_secret("API_KEY", "FOO", environment="dev", path="/", type="shared")
secret_name (string): The key of the secret to create.secret_value (string): The value of the secret.environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.path (string): The path from where secrets should be created.type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared". A personal secret can only be created if a shared secret with the same name exists.Update an existing secret in Infisical
updated_api_key = client.update_secret("API_KEY", "BAR", environment="dev", path="/", type="shared")
secret_name (string): The key of the secret to update.secret_value (string): The new value of the secret.environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.path (string): The path from where secrets should be updated.type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".Delete a secret in Infisical
deleted_secret = client.delete_secret("API_KEY", environment="dev", path="/", type="shared")
secret_name (string): The key of the secret to delete.environment (string): The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.path (string): The path from where secrets should be deleted.type (string, optional): The type of the secret. Valid options are "shared" or "personal". If not specified, the default value is "shared".Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.
key = client.create_symmetric_key()
key (string): A base64-encoded, 256-bit symmetric key.
Encrypt plaintext -> ciphertext.
ciphertext, iv, tag = client.encrypt_symmetric(plaintext, key)
plaintext (string): The plaintext to encrypt.key (string): The base64-encoded, 256-bit symmetric key to use to encrypt the plaintext.ciphertext (string): The base64-encoded, encrypted plaintext.iv (string): The base64-encoded, 96-bit initialization vector generated for the encryption.tag (string): The base64-encoded authentication tag generated during the encryption.Decrypt ciphertext -> plaintext/cleartext.
cleartext = client.decrypt_symmetric(ciphertext, key, iv, tag)
ciphertext (string): The ciphertext to decrypt.key (string): The base64-encoded, 256-bit symmetric key to use to decrypt the ciphertext.iv (string): The base64-encoded, 96-bit initiatlization vector generated for the encryption.tag (string): The base64-encoded authentication tag generated during encryption.cleartext (string): The decrypted encryption that is the cleartext/plaintext.
Bug fixes, docs, and library improvements are always welcome. Please refer to our Contributing Guide for detailed information on how you can contribute.
If you want to familiarize yourself with the SDK, you can start by forking the repository and cloning it in your local development environment.
After cloning the repository, we recommend that you create a virtual environment:
$ python -m venv env
Then activate the environment with:
# For linux
$ source ./env/bin/activate
# For Windows PowerShell
$ .\env\Scripts\Activate.ps1
Make sure that you have the latest version of pip to avoid errors on the next step:
$ python -m pip install --upgrade pip
Then install the project in editable mode and the dependencies with:
$ pip install -e '.[dev,test]'
To run existing tests, you need to make a .env at the root of this project containing a INFISICAL_TOKEN and SITE_URL. This will execute the tests against a project and environment scoped to the INFISICAL_TOKEN on a running instance of Infisical at the SITE_URL (this could be Infisical Cloud).
To run all the tests you can use the following command:
$ pytest tests
infisical-python is distributed under the terms of the MIT license.
FAQs
Official Infisical SDK for Python
We found that infisical demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
PyPI confirms no security flaws were exploited in the Ultralytics supply chain attack and highlights improvements for safer package publishing.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.