Description
n8n-nodes-infisical
This is a community node for n8n that allows you to retrieve secrets from Infisical within your n8n workflows using the official Infisical SDK.
π Table of Contents
β¨ Features
- π Direct Retrieval: From version 1.0.3, uses
getSecret()for direct secret retrieval instead of filtering for optimal performance - π§ Official SDK: Uses the official Infisical TypeScript SDK v4+ for reliable and maintained API access
- π Bearer Token Authentication: Supports Access Token (Bearer) authentication for maximum security
- π¦ Smart JSON: Automatic JSON value parsing with common formatting error correction
- π― Automatic Fallback: If exact name isn't found, automatically tries common variations (uppercase, lowercase, suffixes)
- β‘ Optimized Performance: Direct single secret retrieval instead of downloading and filtering all secrets
- π οΈ Error Handling: Robust error handling with intelligent fallback mechanisms
π§ Prerequisites
Infisical Setup
- Infisical Account: You need an account on Infisical
- Project: A configured project in Infisical
- Access Token: An access token with access to the necessary secrets
n8n Setup
- n8n version: >= 1.0.0
- Node.js: >= 18.0.0
- npm: >= 8.0.0
π¦ Installation
Method 1: Via n8n Community Nodes (Recommended)
- Open n8n and go to Settings β Community Nodes
- Click on "Install a community node"
- Enter the package name:
n8n-nodes-infisical - Click on "Install"
- Restart n8n
Method 2: Manual Installation
# Navigate to n8n directory
cd ~/.n8n
# Install the package
npm install n8n-nodes-infisical
# Restart n8n
n8n start
Method 3: Docker
Add to your Dockerfile or docker-compose.yml:
# Dockerfile
FROM n8nio/n8n:latest
USER root
RUN npm install -g n8n-nodes-infisical
USER node
# docker-compose.yml
version: '3.8'
services:
n8n:
image: n8nio/n8n:latest
environment:
- N8N_NODES_EXCLUDE=
- EXTERNAL_FRONTEND_HOOKS_URLS=
volumes:
- ~/.n8n:/home/node/.n8n
command: >
sh -c "npm install n8n-nodes-infisical && n8n start"
βοΈ Configuration
1. Creating Access Token in Infisical
- Access your Infisical dashboard
- Select the project
- Go to Project Settings β Access Tokens
- Click on "Create access token"
- Configure:
- Name: e.g. "n8n-integration"
- Environment: Select environment (dev, staging, prod)
- Secret Path:
/(or specific path) - Permissions: Read
- Copy the generated token (starts with
eyJ)
2. Credential Configuration in n8n
- Open n8n and go to Credentials
- Click on "Add credential"
- Search and select "Infisical API"
- Fill the fields:
| Field | Description | Example | Required |
|---|---|---|---|
| Site URL | URL of your Infisical instance | https://app.infisical.com |
β |
| Access Token | Infisical Access Token (Bearer) | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ5... |
β |
| Project ID | Project ID (UUID) | 83d483a7-5187-43cb-a52b-1d930285bd4e |
β |
| Environment Slug | Environment slug | dev, staging, prod |
β |
Note for version 1.0.3+: We now use Access Token (Bearer) and Project ID (UUID) instead of the old Service Token and Project Slug for compatibility with Infisical SDK v4+.
- Click on "Test connection" to verify
- Save the credentials
π Usage
Adding the Node to Workflow
- Open your n8n workflow
- Click on "Add node"
- Search "Infisical"
- Select the "Infisical" node
- Configure the parameters
Node Parameters
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| Service Name | String | Name of the service to retrieve credentials for | – | β |
| Secret Path | String | Path where secrets are stored | / |
β |
| Credential Mapping | Array | Custom mappings | [] |
β |
π― Direct Retrieval (v1.0.3+)
The node now uses a direct retrieval approach for optimal performance:
- Direct Attempt: Searches for the secret using exactly the specified
Service Name - Smart Fallback: If exact name isn't found, automatically tries these variations:
- Lowercase name:
servicename - Uppercase name:
SERVICENAME - With account suffix:
servicename_account,SERVICENAME_ACCOUNT - With config suffix:
servicename_config,SERVICENAME_CONFIG - With credentials suffix:
servicename_credentials,SERVICENAME_CREDENTIALS
- Lowercase name:
π¦ JSON Value Handling
The node intelligently handles JSON values:
- Auto-parsing: Automatically detects and parses JSON values
- Error Correction: Fixes common formatting errors (e.g.
{username"β{"username") - Flat Structure: If the value is a JSON object, its properties become direct output fields
- Raw Fallback: If not valid JSON, returns the raw value
π Examples
Example 1: Direct Retrieval with JSON (v1.0.3+)
Secret in Infisical:
my_service_name = {"username": "API_USER", "password": "secret_pass"}
Node Configuration:
- Service Name:
my_service_name - Secret Path:
/
Output:
{
"username": "API_USER",
"password": "secret_pass"
}
Example 2: Simple Retrieval
Secret in Infisical:
api-token = "sk-1234567890abcdef"
Node Configuration:
- Service Name:
api-token - Secret Path:
/
Output:
{
"api-token": "sk-1234567890abcdef"
}
Example 3: Automatic Fallback
Secret in Infisical:
DATABASE_CONFIG = {"host": "db.prod.com", "port": 5432, "ssl": true}
Node Configuration:
- Service Name:
database(note: doesn't match exactly) - Secret Path:
/
Process:
- Search
databaseβ β Not found - Search
DATABASEβ β Not found - Search
database_configβ β Not found - Search
DATABASE_CONFIGβ β Found!
Output:
{
"host": "db.prod.com",
"port": 5432,
"ssl": true
}
Example 4: Automatic JSON Correction
Secret in Infisical (with formatting error):
api_config = '{username": "api_user", "token": "abc123"}'
Node Configuration:
- Service Name:
api_config - Secret Path:
/
Process:
- Detects malformed JSON:
{username" - Auto-corrects:
{"username" - Successfully parses
Output:
{
"username": "api_user",
"token": "abc123"
}
π Complete Workflow Example
{
"nodes": [
{
"name": "Start",
"type": "n8n-nodes-base.start",
"position": [250, 300]
},
{
"name": "Get DB Credentials",
"type": "n8n-nodes-infisical.infisical",
"position": [450, 300],
"parameters": {
"serviceName": "database"
},
"credentials": {
"infisicalApi": {
"id": "1",
"name": "Infisical Production"
}
}
},
{
"name": "Connect to Database",
"type": "n8n-nodes-base.postgres",
"position": [650, 300],
"parameters": {
"host": "={{$node['Get DB Credentials'].json.host}}",
"database": "myapp",
"user": "={{$node['Get DB Credentials'].json.username}}",
"password": "={{$node['Get DB Credentials'].json.password}}",
"operation": "select",
"query": "SELECT * FROM users LIMIT 10"
}
}
],
"connections": {
"Start": {
"main": [
[
{
"node": "Get DB Credentials",
"type": "main",
"index": 0
}
]
]
},
"Get DB Credentials": {
"main": [
[
{
"node": "Connect to Database",
"type": "main",
"index": 0
}
]
]
}
}
}
π§ Troubleshooting
Common Issues
1. Authentication Error
Error: Failed to retrieve secrets from Infisical: Authentication failed
Solutions:
- β Verify that the access token is correct
- β Check that the token hasn't expired
- β Verify that the project and environment are correct
- β Check the access token permissions
2. Secret Not Found
Error: Secret not found
Solutions:
- β Verify that the secret exists in Infisical
- β Check the specified path
- β Verify naming patterns
- β Check the selected environment
3. Cache Issues
Problem: Updated secrets are not retrieved
Solutions:
- β Reduce Cache TTL in credentials
- β Restart the workflow
- β Temporarily change service name to bypass cache
4. Connection Errors
Error: Network timeout or Connection refused
Solutions:
- β Verify network connectivity
- β Check the Infisical host URL
- β Verify firewalls
- β Check if the Infisical instance is reachable
Debug
For detailed debugging:
-
Enable logging in n8n:
export N8N_LOG_LEVEL=debug n8n start -
Check logs for the Infisical node:
tail -f ~/.n8n/logs/n8n.log | grep -i infisical -
Test credentials manually:
// Use browser console in dev tools const response = await fetch('https://app.infisical.com/api/v1/auth/token/validate', { headers: { 'Authorization': 'Bearer YOUR_TOKEN' } }); console.log(await response.json());
π Best Practices
Security
- Token Rotation: Regularly rotate access tokens
- Least Privilege Principle: Grant only necessary permissions
- Environment Separation: Use different tokens for different environments
- Audit Log: Monitor token usage in Infisical
Performance
- Cache TTL: Set appropriate TTL (300-900 seconds)
- Batch Secrets: Retrieve multiple secrets in one call when possible
- Path Organization: Organize secrets in logical paths
Maintenance
- Naming Convention: Use consistent naming conventions
- Documentation: Document custom mappings
- Testing: Regularly test workflows with new secrets
- Backup: Maintain configuration backups
π CompatibilitΓ API
Version 1.0.3+ (Recommended)
- Infisical SDK: v4.0.6+
- Authentication: Access Token (Bearer)
- Method:
getSecret()for direct retrieval - Project ID: UUID instead of slug
- Performance: Optimized for single requests
Previous Versions (Legacy)
- Infisical SDK: v3.x
- Authentication: Service Token
- Method:
listSecrets()with filtering - Project Slug: Textual project name
The node uses the official Infisical TypeScript SDK (@infisical/sdk) which provides:
- β Automatic API version management
- β Built-in retry mechanisms
- β Type safety for all operations
- β Secure Bearer Token authentication
- β Compatibility with Infisical Cloud and Self-hosted
π Dependencies
@infisical/sdk: Official Infisical TypeScript SDKn8n-workflow: n8n core workflow functionality
π€ Contributing
Contributions are welcome! To contribute:
- Fork the repository
- Create a branch for your feature
- Make changes
- Add tests if necessary
- Submit a pull request
Local Development
# Clone the repository
git clone https://github.com/username/n8n-nodes-infisical.git
cd n8n-nodes-infisical
# Install dependencies
npm install
# Build
npm run build
# Test
npm test
# Lint
npm run lint
π License
MIT License – see the LICENSE file for details.
π Support
- Issues: GitHub Issues
- Documentation: n8n Community Nodes
- Infisical Docs: Infisical Documentation
Made with β€οΈ for the n8n community
Installation
Follow the installation guide in the n8n community nodes documentation.
Configuration
Credentials
- Host: The URL of your Infisical instance (default: https://app.infisical.com)
- Service Token: Your Infisical service token (format: st.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx)
- Project Slug: The slug of your Infisical project
- Environment Slug: The environment slug (e.g., dev, staging, prod)
- Cache TTL: How long to cache secrets in seconds (default: 300)
Node Parameters
- Service Name: The name of the service for which to retrieve credentials
- Secret Path: The path where secrets are stored (default: /)
- Credential Mapping: Optional custom mappings between Infisical secret keys and output field names
π Changelog
v1.0.3 (Latest) – October 2025
- β¨ Direct Retrieval: Implemented
getSecret()for optimal performance - π§ Access Token: Support for Bearer Token authentication
- π¦ Smart JSON: Automatic parsing with error correction
- π― Automatic Fallback: Automatic attempt of name variations
- β‘ Performance: Drastically reduced API calls
- π οΈ Project ID: Used UUID instead of slug for compatibility
v1.0.2 – September 2025
- π Improved authentication handling
- π Fixed SDK compatibility issues
- π Updated documentation
v1.0.1 – September 2025
- π First stable public release
- π§ Complete Docker setup
- π Complete documentation
Basic Usage (v1.0.3+)
- Add the Infisical node to your workflow
- Configure credentials with Access Token and Project ID
- Set the "Service Name" parameter to match your secret name exactly
- The node will:
- Try exact match first
- Fall back to common variations automatically
- Parse JSON values intelligently
- Return structured data or raw values
Migration from v1.0.2
If upgrading from v1.0.2:
- Update credentials to use Access Token instead of Service Token
- Change Project Slug to Project ID (UUID format)
- Update Service Name to match exact secret names
- Remove custom mappings if using simple JSON secrets
Example Output (v1.0.3+)
For a secret named "database_config" with JSON value:
{
"host": "db.example.com",
"port": 5432,
"username": "db_user",
"password": "secure_password",
"ssl": true
}
For a simple secret named "api_key" with string value:
{
"api_key": "sk-1234567890abcdef"
}
