infisical gateway - Infisical

New Gateway Architecture AvailableA completely redesigned gateway system is now available under the infisical network command with a fundamentally different architecture:

TCP-based SSH tunnels instead of UDP/TURN protocol
Eliminates firewall complexity - no UDP configuration needed
Enhanced security with certificate-based authentication
Flexible deployment options - instance-wide or organization-specific proxies

Learn more: See infisical network for the new gateway architecture.Migration: The current infisical gateway command will continue to work but will be deprecated in a future release. Migration to infisical network gateway requires complete reconfiguration - you cannot simply switch commands as this is an entirely different gateway infrastructure. We strongly recommend planning migration to infisical network gateway for all deployments.

Run gateway
Install service

infisical gateway --token=<token>

sudo infisical gateway install --token=<token> --domain=<domain>

Description

Run the Infisical gateway in the foreground or manage its systemd service installation. The gateway allows secure communication between your self-hosted Infisical instance and client applications.

Subcommands & flags

infisical gateway

Run the Infisical gateway in the foreground. The gateway will connect to the relay service and maintain a persistent connection.

infisical gateway --domain=<domain> --auth-method=<auth-method>

Authentication

The Infisical CLI supports multiple authentication methods. Below are the available authentication methods, with their respective flags.

Universal Auth

The Universal Auth method is a simple and secure way to authenticate with Infisical. It requires a client ID and a client secret to authenticate with Infisical.

Flags

Show properties

client-id

string

required

Your machine identity client ID.

client-secret

string

required

Your machine identity client secret.

auth-method

string

required

The authentication method to use. Must be universal-auth when using Universal Auth.

  infisical gateway --auth-method=universal-auth --client-id=<client-id> --client-secret=<client-secret>

Native Kubernetes

The Native Kubernetes method is used to authenticate with Infisical when running in a Kubernetes environment. It requires a service account token to authenticate with Infisical.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

service-account-token-path

string

Path to the Kubernetes service account token to use. Default: /var/run/secrets/kubernetes.io/serviceaccount/token.

auth-method

string

required

The authentication method to use. Must be kubernetes when using Native Kubernetes.

  infisical gateway --auth-method=kubernetes --machine-identity-id=<machine-identity-id>

Native Azure

The Native Azure method is used to authenticate with Infisical when running in an Azure environment.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

auth-method

string

required

The authentication method to use. Must be azure when using Native Azure.

  infisical gateway --auth-method=azure --machine-identity-id=<machine-identity-id>

Native GCP ID Token

The Native GCP ID Token method is used to authenticate with Infisical when running in a GCP environment.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

auth-method

string

required

The authentication method to use. Must be gcp-id-token when using Native GCP ID Token.

  infisical gateway --auth-method=gcp-id-token --machine-identity-id=<machine-identity-id>

GCP IAM

The GCP IAM method is used to authenticate with Infisical with a GCP service account key.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

service-account-key-file-path

string

required

Path to your GCP service account key file (Must be in JSON format!)

auth-method

string

required

The authentication method to use. Must be gcp-iam when using GCP IAM.

  infisical gateway --auth-method=gcp-iam --machine-identity-id=<machine-identity-id> --service-account-key-file-path=<service-account-key-file-path>

Native AWS IAM

The AWS IAM method is used to authenticate with Infisical with an AWS IAM role while running in an AWS environment like EC2, Lambda, etc.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

auth-method

string

required

The authentication method to use. Must be aws-iam when using Native AWS IAM.

  infisical gateway --auth-method=aws-iam --machine-identity-id=<machine-identity-id>

OIDC Auth

The OIDC Auth method is used to authenticate with Infisical via identity tokens with OIDC.

Flags

Show properties

machine-identity-id

string

required

Your machine identity ID.

jwt

string

required

The OIDC JWT from the identity provider.

auth-method

string

required

The authentication method to use. Must be oidc-auth when using OIDC Auth.

  infisical gateway --auth-method=oidc-auth --machine-identity-id=<machine-identity-id> --jwt=<oidc-jwt>

JWT Auth

The JWT Auth method is used to authenticate with Infisical via a JWT token.

Flags

Show properties

jwt

string

required

The JWT token to use for authentication.

machine-identity-id

string

required

Your machine identity ID.

auth-method

string

required

The authentication method to use. Must be jwt-auth when using JWT Auth.

  infisical gateway --auth-method=jwt-auth --jwt=<jwt> --machine-identity-id=<machine-identity-id>

Token Auth

You can use the INFISICAL_TOKEN environment variable to authenticate with Infisical with a raw machine identity access token.

Flags

Show properties

token

string

required

The machine identity access token to use for authentication.

  infisical gateway --token=<token>

Other Flags

--domain

Domain of your self-hosted Infisical instance.

# Example
infisical gateway --domain=https://app.your-domain.com

infisical gateway install

Install and enable the gateway as a systemd service. This command must be run with sudo on Linux.

sudo infisical gateway install --token=<token> --domain=<domain>

Requirements

Must be run on Linux
Must be run with root/sudo privileges
Requires systemd

Flags

--token

The machine identity access token to authenticate with Infisical.

# Example
sudo infisical gateway install --token=<token>

You may also expose the token to the CLI by setting the environment variable INFISICAL_TOKEN before executing the install command.

--domain

Domain of your self-hosted Infisical instance.

# Example
sudo infisical gateway install --domain=https://app.your-domain.com

Service Details

The systemd service is installed with secure defaults:

Service file: /etc/systemd/system/infisical-gateway.service
Config file: /etc/infisical/gateway.conf
Runs with restricted privileges:
- InaccessibleDirectories=/home
- PrivateTmp=yes
- Resource limits configured for stability
Automatically restarts on failure
Enabled to start on boot

After installation, manage the service with standard systemd commands:

sudo systemctl start infisical-gateway    # Start the service
sudo systemctl stop infisical-gateway     # Stop the service
sudo systemctl status infisical-gateway   # Check service status
sudo systemctl disable infisical-gateway  # Disable auto-start on boot

Documentation Index

​Description

​Subcommands & flags

​Authentication

​Other Flags

​Requirements

​Flags

​Service Details

Description

Subcommands & flags

Authentication

Other Flags

Requirements

Flags

Service Details