# Infisical CLI Secrets
Use the Infisical CLI as the source-of-truth boundary for secrets: authenticate safely, inject secrets into processes with `infisical run`, and avoid copying values into chat, logs, or tracked files. Prefer process-time injection and project-native secret surfaces over hand-written `.env` files.
## Variables

- `INFISICAL_DOMAIN`: self-hosted or cloud domain, for example `https://infisical.example.internal`.
- `INFISICAL_PROJECT_ID`: Infisical project UUID.
- `INFISICAL_ENV`: environment slug, usually `dev`, `staging`, or `prod`.
- `INFISICAL_MACHINE_ENV_FILE`: optional local env file containing `INFISICAL_CLIENT_ID`, `INFISICAL_CLIENT_SECRET`, `INFISICAL_DOMAIN`, and `INFISICAL_PROJECT_ID`.
- `PAWRRTAL_REPO`: optional Pawrrtal checkout path when applying the Pawrrtal cookbook.
## How It Works
First classify the secret surface: local dev process, service process, CI, or application-owned workspace/user secrets. Then authenticate with user login or machine identity, run the smallest safe smoke test, and inject secrets at the process boundary with `infisical run` unless the target application has its own encrypted secret store.
## Commands

| Command | Purpose |
|---|---|
| /infisical-cli-secrets recon | Inspect a repo and decide how secrets should flow. |
| /infisical-cli-secrets auth | Authenticate safely with user login or machine identity. |
| /infisical-cli-secrets run | Wrap a command with Infisical secret injection. |
| /infisical-cli-secrets sync | Add, update, or audit secret keys without leaking values. |
| /infisical-cli-secrets pawrrtal | Apply the clean pattern to Pawrrtal gateway and workspace secrets. |
## Cookbook
Each command has a detailed step-by-step guide. Read the relevant cookbook file before executing a command.
| Command | Cookbook | Use When |
|---|---|---|
| recon | cookbook/recon.md | You need to understand a repo's env files, config, and secret planes. |
| auth | cookbook/auth.md | You need a safe CLI session or machine token. |
| run | cookbook/run.md | You need to start a command with secrets injected. |
| sync | cookbook/sync.md | You need to set, import, compare, or verify secret keys. |
| pawrrtal | cookbook/pawrrtal.md | The repo is Pawrrtal or uses its paw/workspace-env conventions. |
When a user invokes /infisical-cli-secrets, read the matching cookbook file first, then execute the steps.
## Safety Rules

- Never print secret values. Avoid `infisical secrets --plain`, `infisical export`, or `printenv` unless the output is redirected to a protected file and the user explicitly requested that.
- Prefer `infisical run -- <command>` over writing `.env`. Use a file only when the target tool cannot accept process env, and set `0600` permissions.
- For self-hosted instances, pass `--domain` on every command or export `INFISICAL_API_URL`/`INFISICAL_DOMAIN`.
- For machine identities, capture the token into `INFISICAL_TOKEN`; do not pass tokens directly in command strings or store them in tracked files.
- Treat deletes as high-risk. Confirm intent, verify the key name and environment, and prefer UI/API deletion if the installed CLI delete path is known broken.
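As an added example that is not part of this skill's cookbooks, the POSIX shell wrapper below puts the How It Works flow and the rules above into one script: it loads the machine-identity env file only when its mode is `0600` (or `0400`), logs in with universal auth so the access token lands in `INFISICAL_TOKEN` instead of a command string, and starts the wrapped command through `infisical run` with `--domain`, `--projectId`, and `--env` always set. It assumes the Infisical CLI is installed and that the env file uses the variable names from the Variables section; the `dev` default for `INFISICAL_ENV`, the file-mode check, and the function names are this example's own choices, not the skill's.

```shell
#!/usr/bin/env sh
# Added example wrapper (not part of the skill's cookbooks).
# Usage: INFISICAL_MACHINE_ENV_FILE=~/.infisical-machine.env INFISICAL_ENV=dev ./with-secrets.sh npm start
set -eu

# Octal permission bits of a file: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when nobody but the owner can read the file (0600 or 0400).
env_file_is_private() {
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Source the machine-identity file (INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET,
# INFISICAL_DOMAIN, INFISICAL_PROJECT_ID) into the environment. The file name
# may be logged; its contents never are.
load_machine_env() {
  env_file="${INFISICAL_MACHINE_ENV_FILE:?set INFISICAL_MACHINE_ENV_FILE}"
  if ! env_file_is_private "$env_file"; then
    echo "refusing $env_file: mode $(file_mode "$env_file"), expected 0600" >&2
    return 1
  fi
  set -a            # export every variable the file defines
  . "$env_file"
  set +a
}

# Exchange the client id/secret for a short-lived access token. --silent --plain
# makes the CLI print only the token, so it is captured straight into
# INFISICAL_TOKEN (which `infisical run` reads) and never typed into a command.
machine_login() {
  INFISICAL_TOKEN=$(infisical login --method=universal-auth \
    --client-id="$INFISICAL_CLIENT_ID" \
    --client-secret="$INFISICAL_CLIENT_SECRET" \
    --domain="$INFISICAL_DOMAIN" --silent --plain)
  export INFISICAL_TOKEN
}

# Non-secret scoping flags for `infisical run`, kept in one place so the domain
# is passed on every call (self-hosted rule) and the environment is explicit.
run_args() {
  printf '%s' "--domain ${INFISICAL_DOMAIN} --projectId ${INFISICAL_PROJECT_ID} --env ${INFISICAL_ENV:-dev}"
}

# Inject secrets at the process boundary; no .env file is written.
run_with_secrets() {
  # shellcheck disable=SC2046  # word splitting is intended; the values hold no spaces
  exec infisical run $(run_args) -- "$@"
}

main() {
  load_machine_env
  machine_login
  run_with_secrets "$@"
}

# Only run the pipeline when a command to wrap was given.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The only place the client secret appears on a command line is the short-lived `infisical login` process; everything after that reads the token from the environment, and the wrapped command sees the project's secrets as process env without any file on disk.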
## Related Skills
Works with: /tailscale, /dev-box, /deploy-checklist