# Infisical MCP

> Infisical. Manage your secrets infrastructure directly from your AI client. This server lets you list, create, update, and delete secrets across multiple environments (dev, staging, prod) and audit access patterns using natural language commands. It's your full-stack secret management console, built into your chat agent.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** secrets-management, encryption, devops, compliance, env-variables

## Description

You can manage your whole secrets infrastructure right from your AI client. This server lets your agent list, create, update, and delete credentials across multiple environments (dev, staging, prod), and it'll even let you audit access patterns just by talking to it. It's your full-stack secret console, built right into your chat agent.

**Provisioning and Modifying Credentials**

Your agent can create a new secret value or credential at any path in the Infisical project using `create_secret`. It can fetch an existing secret's value using `get_secret` with its exact key name and an optional path. If a value changes, it can update the existing secret with `update_secret`, without recreating the key. You can also permanently remove a secret using `delete_secret`, which is critical for cleanup and compliance.

**Inspecting the Entire Secret Catalog**

Need to see what secrets you've got? You can list all secrets within a specific path or check the whole project's configuration details using `list_secrets` or `get_project_info`. To figure out what environments exist for the project, your agent runs `list_environments`.

**Audit and Identity Management**

To track who's doing what, your agent runs `list_audit_logs` to get recent audit entries, which is essential for compliance and tracking access history. It also runs `list_identities` to list all machine identities configured in the organization, letting you review who has access. You can also use `list_secrets` to check existing configurations for secrets in a given path or the project root.

You'll use these tools to target secrets in specific contexts—for example, making sure you're working on the production versus staging secrets.


## Tools

### create_secret
Creates a new secret value or credential at a specified path in the Infisical project.

### delete_secret
Permanently removes an existing secret from the Infisical project. Use this with caution.

### get_project_info
Retrieves metadata and configuration details for the entire Infisical project.

### get_secret
Fetches the value of a specific secret using its exact key name and optional path.

### list_audit_logs
Lists recent audit log entries, essential for checking compliance and tracking access history.

### list_environments
Lists all configured environments (like dev, staging, prod) available for the project.

### list_identities
Lists all machine identities configured in the organization for access control review.

### list_secrets
Lists all secrets within a given path or the project root to verify existing configurations.

### update_secret
Changes the value of an existing secret credential without recreating the key.

## Prompt Examples

**Prompt:** 
```
List all secrets in the production environment.
```

**Response:** 
```
Found 23 secrets in production. Highlights: DATABASE_URL, REDIS_URL, STRIPE_SECRET_KEY, JWT_SECRET. 4 secrets were updated in the last 24 hours. Want to inspect any specific secret?
```

## Capabilities

### Audit access and track changes
The server fetches and displays detailed audit logs and lists all service identities, giving you a clear picture of who is accessing the secrets store.

### Provision and modify credentials
You can create new secrets (`create_secret`), fetch existing values (`get_secret`), and update values (`update_secret`) without leaving your current workflow.

### Manage environment context
The server lists all configured environments (`list_environments`) and allows you to target secrets within specific contexts (e.g., production vs. staging).

### Inspect the entire secret catalog
You can list all secrets in a given path (`list_secrets`) or check the overall configuration of the Infisical project (`get_project_info`).

### Remove secrets safely
The server provides a controlled way to delete secrets (`delete_secret`), which is critical for compliance cleanup.

## Use Cases

### Investigating a production access breach
A security analyst notices unusual activity. Instead of logging into the dashboard, they ask their agent to run `list_audit_logs`. The agent pulls the latest entries and highlights which service identity accessed a key outside of normal hours, so the analyst gets the answer immediately.

### Adding a new service credential
A platform engineer needs a new key for a microservice. They prompt the agent: 'Create a new secret named `SERVICE_X_API_KEY` in the staging environment.' The agent calls `create_secret`, and the key is provisioned, minimizing manual steps and preventing misconfiguration.

### Updating a stale database password
An ops engineer finds that the staging database password needs rotation. They instruct the agent to run `update_secret` for the specific key. The agent runs the update and confirms the change, completing the rotation without the engineer leaving their terminal.

### Verifying environment secrets before deployment
A developer needs to confirm all required secrets exist in the target environment. They ask the agent to run `list_secrets` for the `/` path in the `staging` environment, verifying credentials like `REDIS_URL` and `STRIPE_SECRET_KEY` are present before the deployment starts.

## Benefits

- **Audit Trail:** Use `list_audit_logs` to get a complete, immediate record of secret access. You don't have to export and analyze CSVs later; the data is right here.
- **Context Switching Eliminated:** Instead of jumping to a dashboard to check environments, call `list_environments` and target secrets by environment context. Your workflow stays in one place.
- **Rapid Provisioning:** Need a new credential? `create_secret` provisions it instantly. If you need to change it, `update_secret` handles the change, all via a natural conversation.
- **Full Visibility:** Use `list_secrets` to audit what's available in a path, or `list_identities` to see which service accounts have access. Everything is surfaced via the agent.
- **Compliance Check:** Need to prove a secret was deleted? `delete_secret` performs the action, and `list_audit_logs` confirms the cleanup. It’s auditable, end-to-end.
- **Project Overview:** `get_project_info` gives you the high-level status of the entire secret store, letting you confirm the project setup before you start building.

## How It Works

The bottom line is that your AI client executes the secure, complex API calls, and you just get a readable, formatted answer.

1. Subscribe to the Infisical server and provide the required credentials (Service Token, API URL, Project ID, and environment slug).
2. Your AI client connects to the server and executes a tool call (e.g., asking to list secrets).
3. The server runs the tool against Infisical and sends the structured data back to your AI client for a plain-text response.

## Frequently Asked Questions

**How do I list all secrets in the production environment using the list_secrets tool?**
You need to ask your agent to run `list_secrets` and specify the environment and path. The tool targets secrets in a given path and context, so specifying the environment is key to getting the right list.

**Can I use the create_secret tool to add a key to a specific project?**
Yes, the `create_secret` tool provisions a new secret value. You just need to tell the agent the exact path and the desired key name for the new credential.

**What is the difference between list_secrets and get_secret?**
`list_secrets` shows you what secrets exist in a path. `get_secret` actually fetches and returns the value of a single, specific secret.

**Do I need to use the list_identities tool to manage access?**
The `list_identities` tool lists all service identities. This is how you audit who has access to the secrets store, which is a critical step in any access review.

**Is the delete_secret tool irreversible?**
Yes, `delete_secret` permanently removes a secret. The description explicitly warns that this action cannot be undone, so always confirm before proceeding.

**How do I use the list_audit_logs tool to check for compliance violations?**
The `list_audit_logs` tool fetches detailed records of access and changes. You can filter these logs by date range or user ID to pinpoint specific compliance events.

**What happens if I try to update a secret that doesn't exist using the update_secret tool?**
The `update_secret` tool requires the key to exist; otherwise, it returns an error. You must use `create_secret` first to provision a new secret.

**Can the get_secret tool handle secrets stored in different environments (dev, staging, prod)?**
Yes, the `get_secret` tool handles environment context. You just need to specify the correct environment path when calling the tool.

**Is it safe to manage secrets through an AI agent?**
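Your credentials are stored encrypted in the Vinkius vault and are transmitted only to the Infisical API at runtime. The AI agent never sees raw secret values in its context — only structured operational results. For what a given tool returns, see its description under Tools; `get_secret`, for example, fetches the value of the secret you name.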