If you’re working with Java, the official Infisical Java SDK package is the easiest way to fetch and work with secrets for your application.

Basic Usage

package com.example.app;

import com.infisical.sdk.InfisicalClient;
import com.infisical.sdk.schema.*;

public class Example {
    public static void main(String[] args) {
       
        // Create the authentication settings for the client
        ClientSettings settings = new ClientSettings();
        AuthenticationOptions authOptions = new AuthenticationOptions();
        UniversalAuthMethod authMethod = new UniversalAuthMethod();

        authMethod.setClientID("YOUR_IDENTITY_ID");
        authMethod.setClientSecret("YOUR_CLIENT_SECRET");

        authOptions.setUniversalAuth(authMethod);
        settings.setAuth(authOptions);

        // Create a new Infisical Client
        InfisicalClient client = new InfisicalClient(settings);

        // Create the options for fetching the secret
        GetSecretOptions options = new GetSecretOptions();
        options.setSecretName("TEST");
        options.setEnvironment("dev");
        options.setProjectID("PROJECT_ID");

        // Fetch the sercret with the provided options
        GetSecretResponseSecret secret = client.getSecret(options);

        // Print the value
        System.out.println(secret.getSecretValue());

        // Important to avoid memory leaks!
        // If you intend to use the client throughout your entire application, you can omit this line.
        client.close();
    }
}

This example demonstrates how to use the Infisical Java SDK in a Java application. The application retrieves a secret named TEST from the dev environment of the PROJECT_ID project.

We do not recommend hardcoding your Machine Identity Tokens. Setting it as an environment variable would be best.

Installation

The Infisical Java SDK is hosted on the GitHub Packages Apache Maven registry. Because of this you need to configure your environment properly so it’s able to pull dependencies from the GitHub registry. Please check this guide from GitHub on how to achieve this.

Our package is located here. Please follow the installation guide on the page.

Configuration

Import the SDK and create a client instance with your Machine Identity.

import com.infisical.sdk.InfisicalClient;
import com.infisical.sdk.schema.*;

public class App {
    public static void main(String[] args) {
        // Create the authentication settings for the client
        ClientSettings settings = new ClientSettings();
        AuthenticationOptions authOptions = new AuthenticationOptions();
        UniversalAuthMethod authMethod = new UniversalAuthMethod();

        authMethod.setClientID("YOUR_IDENTITY_ID");
        authMethod.setClientSecret("YOUR_CLIENT_SECRET");

        authOptions.setUniversalAuth(authMethod);
        settings.setAuth(authOptions);

        // Create a new Infisical Client
        InfisicalClient client = new InfisicalClient(settings); // Your client!
    }
}

ClientSettings methods

options
object

Authentication

The SDK supports a variety of authentication methods. The most common authentication method is Universal Auth, which uses a client ID and client secret to authenticate.

Universal Auth

Using environment variables

  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID - Your machine identity client ID.
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET - Your machine identity client secret.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  UniversalAuthMethod authMethod = new UniversalAuthMethod();

  authMethod.setClientID("YOUR_IDENTITY_ID");
  authMethod.setClientSecret("YOUR_CLIENT_SECRET");

  authOptions.setUniversalAuth(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

GCP ID Token Auth

Please note that this authentication method will only work if you’re running your application on Google Cloud Platform. Please read more about this authentication method.

Using environment variables

  • INFISICAL_GCP_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  GCPIDTokenAuthMethod authMethod = new GCPIDTokenAuthMethod();

  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");

  authOptions.setGcpIDToken(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

GCP IAM Auth

Using environment variables

  • INFISICAL_GCP_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_GCP_IAM_SERVICE_ACCOUNT_KEY_FILE_PATH - The path to your GCP service account key file.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  GCPIamAuthMethod authMethod = new GCPIamAuthMethod();

  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");
  authMethod.setServiceAccountKeyFilePath("./path/to/your/service-account-key.json");

  authOptions.setGcpIam(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

AWS IAM Auth

Please note that this authentication method will only work if you’re running your application on AWS. Please read more about this authentication method.

Using environment variables

  • INFISICAL_AWS_IAM_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  AWSIamAuthMethod authMethod = new AWSIamAuthMethod();

  authMethod.setIdentityID("YOUR_MACHINE_IDENTITY_ID");

  authOptions.setAwsIam(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

Azure Auth

Please note that this authentication method will only work if you’re running your application on Azure. Please read more about this authentication method.

Using environment variables

  • INFISICAL_AZURE_AUTH_IDENTITY_ID - Your Infisical Machine Identity ID.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  AzureAuthMethod authMethod = new AzureAuthMethod();
  
  authMethod.setIdentityID("YOUR_IDENTITY_ID");

  authOptions.setAzure(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

Kubernetes Auth

Please note that this authentication method will only work if you’re running your application on Kubernetes. Please read more about this authentication method.

Using environment variables

  • INFISICAL_KUBERNETES_IDENTITY_ID - Your Infisical Machine Identity ID.
  • INFISICAL_KUBERNETES_SERVICE_ACCOUNT_TOKEN_PATH_ENV_NAME - The environment variable name that contains the path to the service account token. This is optional and will default to /var/run/secrets/kubernetes.io/serviceaccount/token.

Using the SDK directly

  ClientSettings settings = new ClientSettings();
  AuthenticationOptions authOptions = new AuthenticationOptions();
  KubernetesAuthMethod authMethod = new KubernetesAuthMethod();

  authMethod.setIdentityID("YOUR_IDENTITY_ID");
  authMethod.setServiceAccountTokenPath("/var/run/secrets/kubernetes.io/serviceaccount/token"); // Optional

  authOptions.setKubernetes(authMethod);
  settings.setAuth(authOptions);

  InfisicalClient client = new InfisicalClient(settings);

Caching

To reduce the number of API requests, the SDK temporarily stores secrets it retrieves. By default, a secret remains cached for 5 minutes after it’s first fetched. Each time it’s fetched again, this 5-minute timer resets. You can adjust this caching duration by setting the “cacheTTL” option when creating the client.

Working with Secrets

client.listSecrets(options)

ListSecretsOptions options = new ListSecretsOptions();
options.setEnvironment("dev");
options.setProjectID("PROJECT_ID");
options.setPath("/foo/bar");
options.setIncludeImports(false);
options.setRecursive(false);
options.setExpandSecretReferences(true);

SecretElement[] secrets = client.listSecrets(options);

Retrieve all secrets within the Infisical project and environment that client is connected to

Methods

Parameters
object

client.getSecret(options)

GetSecretOptions options = new GetSecretOptions();
options.setSecretName("TEST");
options.setEnvironment("dev");
options.setProjectID("PROJECT_ID");

GetSecretResponseSecret secret = client.getSecret(options);

String secretValue = secret.getSecretValue();

Retrieve a secret from Infisical.

By default, getSecret() fetches and returns a shared secret.

Methods

Parameters
object

client.createSecret(options)

CreateSecretOptions createOptions = new CreateSecretOptions();
createOptions.setSecretName("NEW_SECRET");
createOptions.setEnvironment("dev");
createOptions.setProjectID("PROJECT_ID");
createOptions.setSecretValue("SOME SECRET VALUE");
createOptions.setPath("/"); // Default
createOptions.setType("shared"); // Default

CreateSecretResponseSecret newSecret = client.createSecret(createOptions);

Create a new secret in Infisical.

Methods

Parameters
object

client.updateSecret(options)

UpdateSecretOptions options = new UpdateSecretOptions();

options.setSecretName("SECRET_TO_UPDATE");
options.setSecretValue("NEW SECRET VALUE");
options.setEnvironment("dev");
options.setProjectID("PROJECT_ID");
options.setPath("/"); // Default
options.setType("shared"); // Default

UpdateSecretResponseSecret updatedSecret = client.updateSecret(options);

Update an existing secret in Infisical.

Methods

Parameters
object

client.deleteSecret(options)

DeleteSecretOptions options = new DeleteSecretOptions();

options.setSecretName("SECRET_TO_DELETE");
options.setEnvironment("dev");
options.setProjectID("PROJECT_ID");
options.setPath("/"); // Default
options.setType("shared"); // Default

DeleteSecretResponseSecret deletedSecret = client.deleteSecret(options);

Delete a secret in Infisical.

Methods

Parameters
object

Cryptography

Create a symmetric key

Create a base64-encoded, 256-bit symmetric key to be used for encryption/decryption.

String key = client.createSymmetricKey();

Returns (string)

key (string): A base64-encoded, 256-bit symmetric key, that can be used for encryption/decryption purposes.

Encrypt symmetric

EncryptSymmetricOptions options = new EncryptSymmetricOptions();
options.setKey(key);
options.setPlaintext("Infisical is awesome!");

EncryptSymmetricResponse encryptedData = client.encryptSymmetric(options);

Methods

Parameters
object
required

Returns (object)

tag (getTag()) (string): A base64-encoded, 128-bit authentication tag. iv (getIv()) (string): A base64-encoded, 96-bit initialization vector. ciphertext (getCipherText()) (string): A base64-encoded, encrypted ciphertext.

Decrypt symmetric

DecryptSymmetricOptions decryptOptions = new DecryptSymmetricOptions();
decryptOptions.setKey(key);
decryptOptions.setCiphertext(encryptedData.getCiphertext());
decryptOptions.setIv(encryptedData.getIv());
decryptOptions.setTag(encryptedData.getTag());

String decryptedString = client.decryptSymmetric(decryptOptions);

Methods

Parameters
object
required

Returns (string)

Plaintext (string): The decrypted plaintext.