# Infisical MCP

> Infisical MCP lets your AI agent manage credentials directly from your chat client. List, get, create, update, and audit secrets across dev, staging, and production environments without leaving your terminal. It handles the complexity of secret infrastructure so you can focus on coding.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** secrets-management, encryption, devops, compliance, env-variables

## Description

Dealing with secrets used to mean switching contexts—jumping into a dashboard just to read an environment variable or provision a new key. Now, your AI client connects directly through this MCP, letting you manage credentials using natural conversation. You don't need to remember complex API calls; you just ask for what you need.

Need to see which secrets are active in staging? Just ask the agent. Want to create a new credential or update an existing one? It handles the whole lifecycle. If your current workflow uses other types of integrations, like simple REST API wrappers, this MCP gives you that same control but wrapped up for AI consumption. You'll find it connected in the Vinkius Marketplace alongside thousands of other tools, giving you a single point of access to all your infrastructure data.

## Tools

### create_secret
Provisions a brand new secret value or credential at a specified path in your project.

### delete_secret
Removes an existing secret from the Infisical project; this action cannot be undone.

### get_project_info
Retrieves general configuration and metadata about your connected Infisical project.

### get_secret
Pulls the value for a specific secret key, optionally specifying its path within the project.

### list_audit_logs
Generates a list of recent activity logs needed for security and compliance checking.

### list_environments
Lists all available operational environments (like dev, staging, prod) configured in the project.

### list_identities
Shows all machine identities and service accounts configured for automated access within your organization.

### list_secrets
Provides a directory listing of existing secrets at a given path, useful for quick audits.

### update_secret
Changes the value of an existing secret key; you must specify the key first.

## Prompt Examples

**Prompt:** 
```
List all secrets in the production environment.
```

**Response:** 
```
Found 23 secrets in production. Highlights: DATABASE_URL, REDIS_URL, STRIPE_SECRET_KEY, JWT_SECRET. 4 secrets were updated in the last 24 hours. Want to inspect any specific secret?
```

## Capabilities

### Review Access Patterns
List recent audit logs and check which service identities accessed secrets.

### Get Project Metadata
Fetch high-level information about the configured Infisical project.

### Discover Environments
List all available environments (like dev, staging, prod) so you know which context to use.

### Manage Secrets Lifecycle
Create new secrets, pull existing values, update credentials, or delete them entirely.

### List Credentials by Path
Audit what secrets exist within a specific path in the current project and environment.

## Use Cases

### Need to onboard a new service credential?
A platform engineer realizes the billing microservice needs a new API key. Instead of logging into the secret manager, they just tell their agent: 'Create a new secret for the billing service.' The agent runs `create_secret`, gets confirmation, and they're done.

### Security audit showing suspicious access?
A security analyst notices unusual activity. They ask the agent to run `list_audit_logs` for the last 24 hours. The output immediately flags when a specific identity accessed credentials in an unexpected sequence.

### Checking production secrets before deployment?
A DevOps engineer needs to verify if a critical key exists in production. They tell their agent: 'List all secrets under the root path for production.' The agent runs `list_secrets` and confirms the presence of the required keys.

### Updating an expired credential?
The CI/CD pipeline fails because a database password expired. Instead of manually logging in, the engineer asks the agent to update it: 'Update the value for DATABASE_URL.' The agent uses `update_secret` and confirms success.

## Benefits

- Instead of manually querying multiple dashboards to find credentials, you can use the agent to execute `get_secret` directly. You ask for it, and you get it.
- Audit compliance becomes immediate. Use `list_audit_logs` to pull security records instead of navigating through a complex logging UI.
- You eliminate environment context switching. First, run `list_environments`, then tell the agent which environment's secrets you need before running any CRUD operation.
- It keeps your infrastructure state visible. You can use `list_secrets` to audit what credentials exist in a path without having to guess or manually map out the structure.
- Identity management is simplified. Use `list_identities` to see who has access before an automated system attempts to provision something new.

## How It Works

The bottom line is, you never have to leave your chat interface to perform critical secret operations again.

1. Subscribe to this MCP, then input your Infisical Service Token, API URL, Project ID, and environment slug.
2. Your AI client authenticates with these credentials, mapping the secret management tools into its operational context.
3. You start managing secrets by giving a natural language command (e.g., 'What's the database key for staging?'), and the agent executes the necessary actions.

## Frequently Asked Questions

**How do I list all secrets in production using the list_secrets tool?**
You ask your agent to run `list_secrets` while specifying the 'production' environment. It will return a directory listing of every secret at that path, saving you from manually checking each environment.

**Can I use get_secret to pull credentials for staging?**
Yes. You tell your agent which environment and key name you need, and it executes `get_secret` securely. This prevents accidental credential exposure by ensuring the correct context is applied.

**What if I want to delete a secret? Do I need to run list_identities first?**
No. You can use `delete_secret` directly, but it's always smart practice to check who has access using `list_identities` beforehand. It helps you understand the blast radius before making changes.

**Does the MCP help me track compliance? How does list_audit_logs work?**
The agent uses `list_audit_logs` to pull detailed logs showing every access attempt, who attempted it, and when. This is your primary tool for proving compliance.

**What information does `get_project_info` provide about my current connection setup?**
It returns core configuration details for your project. This confirms the API URL, Project ID, and environment status you're currently operating within.

**Before I run an update command, how can I check which environments are available using `list_environments`?**
It provides a clear list of all configured scopes, like dev, staging, and production. This ensures you target the right environment before running sensitive updates.

**If I use `create_secret` but the key already exists, what error message should I expect?**
The tool throws an exception stating that the key must not already exist at that path. This means you need to run `update_secret` instead of trying to create it.

**What is the purpose of running `list_identities` for security auditing?**
It lists all machine identities configured in your organization. You use this list to audit automated access and verify which services have permissions.

**Is it safe to manage secrets through an AI agent?**
Your credentials are stored encrypted in the Vinkius vault and are transmitted only to the Infisical API at runtime. The AI agent never sees raw secret values in its context, only structured operational results.