Infisical

@purista/infisical-secret-store connects to Infisical — an open-source secrets management platform with a polished developer UI, GitHub sync, environment-scoped secrets, and both cloud and self-hosted deployment options.

Capabilities

Feature | Support
Read (getSecret) |
Write (setSecret) | ✅ (opt-in)
Delete (removeSecret) | ✅ (opt-in)
Environment-scoped secrets |
Self-hosted option |
Infisical Cloud |
Secret versioning |
GitHub / CI sync | ✅ (Infisical-native)

Install

npm install @purista/infisical-secret-store

Setup

import { InfisicalSecretStore } from '@purista/infisical-secret-store'

const secretStore = new InfisicalSecretStore({
  bearerToken: process.env.INFISICAL_TOKEN ?? '',
  // Point to Infisical Cloud or your self-hosted instance:
  baseUrl: process.env.INFISICAL_URL ?? 'https://app.infisical.com',
  // Write and delete are opt-in; enable them only if this service has to modify secrets:
  enableSet: true,
  enableRemove: true,
})

const myService = await myV1Service.getInstance(eventBridge, { secretStore })

Obtain a service token from the Infisical project settings. Tokens are scoped to a project and environment.
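
The Setup snippet falls back to an empty string when INFISICAL_TOKEN is unset and turns on both write and delete. As an added example (not code from the package or from PURISTA), the helper below builds the same constructor options but stops at startup on a missing token or a non-TLS remote URL, and leaves enableSet and enableRemove off unless requested. The names resolveInfisicalOptions, INFISICAL_ALLOW_SET and INFISICAL_ALLOW_REMOVE are hypothetical.

```javascript
// Added example, not part of @purista/infisical-secret-store.
// resolveInfisicalOptions, INFISICAL_ALLOW_SET and INFISICAL_ALLOW_REMOVE
// are hypothetical names; the returned keys are the ones used on this page.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]'])

function resolveInfisicalOptions(env) {
  // The `?? ''` fallback would hand the store an empty token; stop at startup.
  const bearerToken = (env.INFISICAL_TOKEN ?? '').trim()
  if (bearerToken === '') {
    throw new Error('INFISICAL_TOKEN is not set')
  }

  let url
  try {
    url = new URL(env.INFISICAL_URL ?? 'https://app.infisical.com')
  } catch {
    throw new Error('INFISICAL_URL is not a valid URL')
  }
  if (url.username !== '' || url.password !== '') {
    throw new Error('INFISICAL_URL must not embed credentials')
  }
  // The token is sent to this URL: require TLS unless the instance is on
  // the loopback interface (for example a local Docker Compose setup).
  const loopbackHttp = url.protocol === 'http:' && LOOPBACK_HOSTS.has(url.hostname)
  if (url.protocol !== 'https:' && !loopbackHttp) {
    throw new Error('INFISICAL_URL must use https for non-loopback hosts')
  }

  return {
    bearerToken,
    baseUrl: url.href.replace(/\/+$/, ''),
    // Write and delete stay off unless explicitly requested.
    enableSet: env.INFISICAL_ALLOW_SET === 'true',
    enableRemove: env.INFISICAL_ALLOW_REMOVE === 'true',
  }
}

// Constructed sample environment, mirroring the .env file on this page.
const sampleOptions = resolveInfisicalOptions({
  INFISICAL_URL: 'http://localhost:8080',
  INFISICAL_TOKEN: 'constructed-placeholder-token',
})
console.log({ ...sampleOptions, bearerToken: '[redacted]' })
```

The returned object can be passed directly to `new InfisicalSecretStore(...)`.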

Usage inside a handler

.setCommandFunction(async function (context, payload) {
  const { sendgridApiKey } = await context.secrets.getSecret('sendgridApiKey')
  // use sendgridApiKey to send email
})

Self-hosting with Docker Compose

Infisical provides an official Docker Compose setup for local or on-premises deployment. For convenience, the docker-compose.yml in the @purista/infisical-secret-store package reads its connection config from a root .env file:

# .env
INFISICAL_URL=http://localhost:8080
# INFISICAL_TOKEN is mapped to bearerToken in the store constructor
INFISICAL_TOKEN=your-service-token

Operational tips

  • Create one service token per PURISTA service with the minimum required environment scope
  • Use Infisical’s secret override feature to manage per-environment values (dev/staging/prod) without duplicating secrets
  • Infisical supports syncing secrets to GitHub Actions, Vercel, Netlify, and other CI/CD platforms — useful for bridging application secrets and pipeline secrets
  • Self-hosted Infisical runs with PostgreSQL and Redis; enable backups for both