
Infisical MCP Server

Official MCP server for Infisical secrets management. Create, read, update, and delete secrets, projects, environments, and folders via natural language.

Developer Tools · by Infisical · API Key · active

Overview

The Infisical MCP Server is the official Model Context Protocol integration for Infisical, an open-source secrets management platform. It exposes Infisical's APIs as tools an AI agent can call, letting you manage secrets, projects, environments, folders, and project membership through natural language.

The server supports two authentication methods: Universal Auth (the default) uses Machine Identity client ID and client secret credentials, while Access Token authentication uses a personal or machine identity token. An optional INFISICAL_HOST_URL environment variable allows pointing the server at self-hosted Infisical deployments instead of the default cloud (https://app.infisical.com).

Distributed as the @infisical/mcp npm package, it runs via npx with no local install required and integrates with Claude Desktop, Cursor, and other MCP clients through standard JSON configuration. The server is maintained directly by Infisical in their official GitHub organization.

Tools

Tool                       Description
create-secret              Create a new secret in a given project and environment.
delete-secret              Delete an existing secret.
update-secret              Update the value of an existing secret.
list-secrets               List all secrets in a project and environment.
get-secret                 Retrieve a single secret by name.
create-project             Create a new Infisical project.
create-environment         Create a new environment within a project.
create-folder              Create a new folder for organizing secrets.
invite-members-to-project  Invite one or more members to a project.
list-projects              List all projects accessible to the authenticated identity.

Setup Guide

Prerequisites

  • An Infisical account (cloud or self-hosted)
  • Either a Machine Identity (for Universal Auth) or an access token

Installation

The server runs via npx with no local install:

npx -y @infisical/mcp

Claude Desktop config (Universal Auth, default)

{
  "mcpServers": {
    "infisical": {
      "command": "npx",
      "args": ["-y", "@infisical/mcp"],
      "env": {
        "INFISICAL_HOST_URL": "https://<custom-host-url>.com",
        "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID": "<client-id>",
        "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET": "<client-secret>"
      }
    }
  }
}

Claude Desktop config (Access Token)

{
  "mcpServers": {
    "infisical": {
      "command": "npx",
      "args": ["-y", "@infisical/mcp"],
      "env": {
        "INFISICAL_AUTH_METHOD": "access-token",
        "INFISICAL_TOKEN": "<your-access-token>"
      }
    }
  }
}

Environment variables

  • INFISICAL_AUTH_METHOD: universal-auth (default) or access-token
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_ID: Machine Identity client ID (Universal Auth)
  • INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET: Machine Identity client secret (Universal Auth)
  • INFISICAL_TOKEN: Personal or machine identity access token (Access Token method)
  • INFISICAL_HOST_URL: Optional. Custom Infisical host URL, defaults to https://app.infisical.com
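A pre-deployment check for the two client configurations above, as an added example that is not part of the Infisical project or the original page. The function name `auditInfisicalEntry`, the finding labels, and the sample entry are assumptions made for illustration; only the environment variable names and the package name come from the page.

```javascript
// Added example: audit one "mcpServers" entry for the Infisical MCP server.
// Env var names are from the page; finding labels and the sample are constructed.
const ENV_SECRETS = ["INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET", "INFISICAL_TOKEN"];

function auditInfisicalEntry(entry) {
  const findings = [];
  const env = entry.env || {};
  const args = entry.args || [];

  // 1. An unversioned package spec lets npx resolve whatever release is current.
  const pkg = args.find((a) => a.startsWith("@infisical/mcp"));
  if (entry.command === "npx" && pkg && !/^@infisical\/mcp@\d+\.\d+\.\d+$/.test(pkg)) {
    findings.push("unpinned-package");
  }

  // 2. Real credentials stored as literals in the client config file.
  for (const name of ENV_SECRETS) {
    const v = env[name];
    if (v && !/^<.*>$/.test(v)) findings.push(`plaintext-credential:${name}`);
  }

  // 3. The selected auth method must have its matching credentials.
  const method = env.INFISICAL_AUTH_METHOD || "universal-auth";
  if (method === "access-token" && !env.INFISICAL_TOKEN) findings.push("missing-token");
  if (method === "universal-auth" &&
      !(env.INFISICAL_UNIVERSAL_AUTH_CLIENT_ID && env.INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET)) {
    findings.push("missing-universal-auth-credentials");
  }

  // 4. A self-hosted URL must parse and use HTTPS, or credentials cross the wire in clear.
  if (env.INFISICAL_HOST_URL) {
    let url;
    try { url = new URL(env.INFISICAL_HOST_URL); } catch { url = null; }
    if (!url || url.protocol !== "https:") findings.push("insecure-host-url");
  }
  return findings;
}

// Constructed sample entry (hostname and token value are made up).
const sampleEntry = {
  command: "npx",
  args: ["-y", "@infisical/mcp"],
  env: {
    INFISICAL_HOST_URL: "http://infisical.internal.example",
    INFISICAL_AUTH_METHOD: "access-token",
    INFISICAL_TOKEN: "constructed-token-value",
  },
};
console.log(auditInfisicalEntry(sampleEntry));
```

The check only covers what the client config file reveals; what the identity is allowed to do is set on the Infisical side.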

Debugging

Clone the repo, run npm run build, then test individual tools with the MCP Inspector:

npx @modelcontextprotocol/inspector node dist/index.js

Use Cases

  • Programmatically rotate or update application secrets in a target Infisical project and environment from an AI workflow.
  • Bootstrap a new Infisical project with environments, folders, and an initial set of secrets in one agent run.
  • Audit secret inventory across environments by listing secrets and retrieving specific values for review.
  • Onboard new team members by inviting them to one or more projects directly from chat.
  • Self-hosted Infisical management through an MCP client by pointing INFISICAL_HOST_URL at an internal deployment.

Example Prompts

  • "List all projects in my Infisical workspace and show me the secrets in the production environment of the api-gateway project."
  • "Create a new Infisical project called payments-service with dev, staging, and prod environments."
  • "Update the STRIPE_API_KEY secret in the prod environment of payments-service to the new value."
  • "Invite alice@acme.com and bob@acme.com to the api-gateway project."
  • "Create a folder called database in the staging environment of payments-service and add DB_HOST, DB_USER, and DB_PASSWORD secrets to it."

Pros

  • Maintained by Infisical in their official GitHub organization, so coverage tracks the platform.
  • Supports both Universal Auth (Machine Identities) and Access Token authentication for flexible deployment.
  • Works with self-hosted Infisical via the optional INFISICAL_HOST_URL variable.
  • Zero-install execution through npx -y @infisical/mcp.

Limitations

  • Tool surface is limited to core secret, project, environment, folder, and membership operations. There are no tools for dynamic secrets, integrations, audit logs, or approval workflows.
  • README documentation is sparse on per-tool input parameters; you may need to consult the source code or Infisical API docs.
  • Granting an agent secret write/delete access carries obvious security risk and requires careful Machine Identity scoping.

Alternatives