If you’re working with C#, the official Infisical C# SDK package is the easiest way to fetch and work with secrets for your application.

Basic Usage

using Infisical.Sdk;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {

          ClientSettings settings = new ClientSettings
          {
            Auth = new AuthenticationOptions
            {
              UniversalAuth = new UniversalAuthMethod
              {
                ClientId = "your-client-id",
                ClientSecret = "your-client-secret"
              }
            }
          };


          var infisicalClient = new InfisicalClient(settings);

            var getSecretOptions = new GetSecretOptions
            {
                SecretName = "TEST",
                ProjectId = "PROJECT_ID",
                Environment = "dev",
            };
            var secret = infisical.GetSecret(getSecretOptions);


            Console.WriteLine($"The value of secret '{secret.SecretKey}', is: {secret.SecretValue}");
        }
    }
}

This example demonstrates how to use the Infisical C# SDK in a C# application. The application retrieves a secret named TEST from the dev environment of the PROJECT_ID project.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

$ dotnet add package Infisical.Sdk

Configuration

Import the SDK and create a client instance with your Machine Identity.

using Infisical.Sdk;

namespace Example
{
    class Program
    {
        static void Main(string[] args)
        {
          ClientSettings settings = new ClientSettings
          {
            Auth = new AuthenticationOptions
            {
              UniversalAuth = new UniversalAuthMethod
              {
                ClientId = "your-client-id",
                ClientSecret = "your-client-secret"
              }
            }
          };


          var infisicalClient = new InfisicalClient(settings); // <-- Your SDK client is now ready to use
        }
    }
}

ClientSettings methods

options

object

Show properties

ClientId

string

deprecated

Your machine identity client ID.

ClientSecret

string

deprecated

Your machine identity client secret.

AccessToken

string

deprecated

An access token obtained from the machine identity login endpoint.

CacheTtl

number

default:"300"

Time-to-live (in seconds) for refreshing cached secrets. If manually set to 0, caching will be disabled, this is not recommended.

SiteUrl

string

default:"https://app.infisical.com"

Your self-hosted absolute site URL including the protocol (e.g. https://app.infisical.com)

Auth

AuthenticationOptions

The authentication object to use for the client. This is required unless you’re using environment variables.

Authentication

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.

Universal Auth

Using environment variables

INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.

Using the SDK directly

    ClientSettings settings = new ClientSettings
    {
      Auth = new AuthenticationOptions
      {
        UniversalAuth = new UniversalAuthMethod
        {
          ClientId = "your-client-id",
          ClientSecret = "your-client-secret"
        }
      }
    };

    var infisicalClient = new InfisicalClient(settings);

GCP ID Token Auth

Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.

Using environment variables

INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings
  {
    Auth = new AuthenticationOptions
    {
      GcpIdToken = new GcpIdTokenAuthMethod
      {
        IdentityId = "your-machine-identity-id",
      }
    }
  };


  var infisicalClient = new InfisicalClient(settings);

GCP IAM Auth

Using environment variables

INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.

Using the SDK directly

  ClientSettings settings = new ClientSettings
  {
    Auth = new AuthenticationOptions
    {
      GcpIam = new GcpIamAuthMethod
      {
        IdentityId = "your-machine-identity-id",
        ServiceAccountKeyFilePath = "./path/to/your/service-account-key.json"
      }
    }
  };


  var infisicalClient = new InfisicalClient(settings);

AWS IAM Auth

Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.

Using environment variables

INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings
  {
    Auth = new AuthenticationOptions
    {
      AwsIam = new AwsIamAuthMethod
      {
        IdentityId = "your-machine-identity-id",
      }
    }
  };


  var infisicalClient = new InfisicalClient(settings);

Azure Auth

Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.

Using environment variables

INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings
  {
    Auth = new AuthenticationOptions
    {
      Azure = new AzureAuthMethod
      {
        IdentityId = "YOUR_IDENTITY_ID",
      }
    }
  };

  var infisicalClient = new InfisicalClient(settings);

Kubernetes Auth

Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.

Using environment variables

INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.

Using the SDK directly

  ClientSettings settings = new ClientSettings
  {
    Auth = new AuthenticationOptions
    {
      Kubernetes = new KubernetesAuthMethod
      {
        ServiceAccountTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token", // Optional
        IdentityId = "YOUR_IDENTITY_ID",
      }
    }
  };

  var infisicalClient = new InfisicalClient(settings);

Caching

To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cacheTTL” option when creating the client.

Working with Secrets

client.ListSecrets(options)

var options = new ListSecretsOptions
{
    ProjectId = "PROJECT_ID",
    Environment = "dev",
    Path = "/foo/bar",
    AttachToProcessEnv = false,
};

var secrets = infisical.ListSecrets(options);

Retrieve all secrets within the Infisical project and environment that client is connected to

Parameters

object

Show properties

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

ProjectId

string

The project ID where the secret lives in.

Path

string

The path from where secrets should be fetched from.

AttachToProcessEnv

boolean

default:"false"

Whether or not to set the fetched secrets to the process environment. If true, you can access the secrets like so System.getenv("SECRET_NAME").

IncludeImports

boolean

default:"false"

Whether or not to include imported secrets from the current path. Read about secret import

Recursive

boolean

default:"false"

Whether or not to fetch secrets recursively from the specified path. Please note that there’s a 20-depth limit for recursive fetching.

ExpandSecretReferences

boolean

default:"true"

Whether or not to expand secret references in the fetched secrets. Read about secret reference

client.GetSecret(options)

var options = new GetSecretOptions
    {
        SecretName = "AAAA",
        ProjectId = "659c781eb2d4fe3e307b77bd",
        Environment = "dev",
    };
var secret = infisical.GetSecret(options);

Retrieve a secret from Infisical.

By default, GetSecret() fetches and returns a shared secret.

Parameters

object

Show properties

SecretName

string

required

The key of the secret to retrieve.

ProjectId

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

Path

string

The path from where secret should be fetched from.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.CreateSecret(options)

var options = new CreateSecretOptions {
    Environment = "dev",
    ProjectId = "PROJECT_ID",

    SecretName = "NEW_SECRET",
    SecretValue = "NEW_SECRET_VALUE",
    SecretComment = "This is a new secret",
};

var newSecret = infisical.CreateSecret(options);

Create a new secret in Infisical.

Parameters

object

Show properties

SecretName

string

required

The key of the secret to create.

SecretValue

string

required

The value of the secret.

ProjectId

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

Path

string

The path from where secret should be created.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.UpdateSecret(options)

var options = new UpdateSecretOptions {
    Environment = "dev",
    ProjectId = "PROJECT_ID",

    SecretName = "SECRET_TO_UPDATE",
    SecretValue = "NEW VALUE"
};

var updatedSecret = infisical.UpdateSecret(options);

Update an existing secret in Infisical.

Parameters

object

Show properties

SecretName

string

required

The key of the secret to update.

SecretValue

string

required

The new value of the secret.

ProjectId

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

Path

string

The path from where secret should be updated.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

client.DeleteSecret(options)

var options = new DeleteSecretOptions
{
    Environment = "dev",
    ProjectId = "PROJECT_ID",
    SecretName = "NEW_SECRET",
};

var deletedSecret = infisical.DeleteSecret(options);

Delete a secret in Infisical.

Parameters

object

Show properties

SecretName

string

The key of the secret to update.

ProjectId

string

required

The project ID where the secret lives in.

Environment

string

required

The slug name (dev, prod, etc) of the environment from where secrets should be fetched from.

Path

string

The path from where secret should be deleted.

Type

string

The type of the secret. Valid options are “shared” or “personal”. If not specified, the default value is “shared”.

Cryptography

Create a symmetric key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

var key = infisical.CreateSymmetricKey();

Returns (string)

key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

Encrypt symmetric

var options = new EncryptSymmetricOptions
{
    Plaintext = "Infisical is awesome!",
    Key = key,
};

var encryptedData = infisical.EncryptSymmetric(options);

Parameters

object

required

Show properties

Plaintext

string

The plaintext you want to encrypt.

Key

string

required

The symmetric key to use for encryption.

Returns (object)

Tag (string): A base64-encoded, 128-bit authentication tag. Iv (string): A base64-encoded, 96-bit initialization vector. CipherText (string): A base64-encoded, encrypted ciphertext.

Decrypt symmetric

var decryptOptions = new DecryptSymmetricOptions
{
    Key = key,
    Ciphertext = encryptedData.Ciphertext,
    Iv = encryptedData.Iv,
    Tag = encryptedData.Tag,
};

var decryptedPlaintext = infisical.DecryptSymmetric(decryptOptions);

Parameters

object

required

Show properties

Ciphertext

string

The ciphertext you want to decrypt.

Key

string

required

The symmetric key to use for encryption.

string

required

The initialization vector to use for decryption.

Tag

string

required

The authentication tag to use for decryption.

Returns (string)

Plaintext (string): The decrypted plaintext.

SDK's

Infisical .NET SDK

Basic Usage

Installation

Configuration

ClientSettings methods

Authentication

Universal Auth

GCP ID Token Auth

GCP IAM Auth

AWS IAM Auth

Azure Auth

Kubernetes Auth

Caching

Working with Secrets

client.ListSecrets(options)

Parameters

client.GetSecret(options)

Parameters

client.CreateSecret(options)

Parameters

client.UpdateSecret(options)

Parameters

client.DeleteSecret(options)

Parameters

Cryptography

Create a symmetric key

Returns (string)

Encrypt symmetric

Parameters

Returns (object)

Decrypt symmetric

Parameters

Returns (string)

SDK's

​Basic Usage

​Installation

​Configuration

​ClientSettings methods

​Authentication

​Universal Auth

​GCP ID Token Auth

​GCP IAM Auth

​AWS IAM Auth

​Azure Auth

​Kubernetes Auth

​Caching

​Working with Secrets

​client.ListSecrets(options)

​Parameters

​client.GetSecret(options)

​Parameters

​client.CreateSecret(options)

​Parameters

​client.UpdateSecret(options)

​Parameters

​client.DeleteSecret(options)

​Parameters

​Cryptography

​Create a symmetric key

​Returns (string)

​Encrypt symmetric

​Parameters

​Returns (object)

​Decrypt symmetric

​Parameters

​Returns (string)

Basic Usage

Installation

Configuration

ClientSettings methods

Authentication

Universal Auth

GCP ID Token Auth

GCP IAM Auth

AWS IAM Auth

Azure Auth

Kubernetes Auth

Caching

Working with Secrets

client.ListSecrets(options)

Parameters

client.GetSecret(options)

Parameters

client.CreateSecret(options)

Parameters

client.UpdateSecret(options)

Parameters

client.DeleteSecret(options)

Parameters

Cryptography

Create a symmetric key

Returns (string)

Encrypt symmetric

Parameters

Returns (object)

Decrypt symmetric

Parameters

Returns (string)