Infisical Sync

Pull secrets from an Infisical project into your local .env file using Infisical's universal auth flow.

Setup

1. Create a Machine Identity

  1. In your Infisical dashboard, go to Project Settings → Machine Identities
  2. Create a new identity with Universal Auth enabled
  3. Copy the Client ID and Client Secret

2. Configure in VS Code

Run ENV Manager Pro: Pull from Infisical from the Command Palette. You'll be prompted for:

  • Client ID — the machine identity client ID
  • Client Secret — stored securely in VS Code SecretStorage
  • Project ID — found in your Infisical project URL
  • Environment — e.g. dev, staging, prod

How It Works

The extension uses a two-step auth flow:

Step 1 — Get access token:

POST https://app.infisical.com/api/v1/auth/universal-auth/login
{ clientId, clientSecret }
→ accessToken

Step 2 — Fetch secrets:

GET https://app.infisical.com/api/v3/secrets/raw
?workspaceId=<projectId>&environment=<env>
Authorization: Bearer <accessToken>

The returned secrets are parsed and merged into your active .env file.
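
The two steps and the merge, as a self-contained TypeScript sketch. This is an added example, not the extension's code from src/externalSyncManager.ts. The Http parameter (pass the global fetch for real use), the function names, the secrets[].secretKey / secretValue response fields, the escaping convention and the merge policy are assumptions.

```typescript
// Added example; not the extension's source. Response field names are assumptions.
type Res = { ok: boolean; status: number; json(): Promise<any> };
type Http = (url: string, init: { method: string; headers: Record<string, string>; body?: string }) => Promise<Res>;
const BASE = "https://app.infisical.com"; // default host named on this page

// Steps 1 and 2. The token lives only in a local variable and is never persisted.
async function pullSecrets(http: Http, clientId: string, clientSecret: string,
                           projectId: string, env: string): Promise<Record<string, string>> {
  const login = await http(BASE + "/api/v1/auth/universal-auth/login", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ clientId, clientSecret }),
  });
  if (!login.ok) throw new Error("login failed: HTTP " + login.status); // no secret in the message
  const accessToken: string = (await login.json()).accessToken;
  const qs = "workspaceId=" + encodeURIComponent(projectId) + "&environment=" + encodeURIComponent(env);
  const res = await http(BASE + "/api/v3/secrets/raw?" + qs, {
    method: "GET",
    headers: { Authorization: "Bearer " + accessToken },
  });
  if (!res.ok) throw new Error("secret fetch failed: HTTP " + res.status);
  const out: Record<string, string> = {};
  // Assumed response shape: { secrets: [{ secretKey, secretValue }, ...] }
  for (const s of (await res.json()).secrets || []) out[s.secretKey] = s.secretValue;
  return out;
}

const KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Always double-quote and escape, so a value containing a newline cannot add a second
// KEY=VALUE line to the file. The escaping convention is an assumption; parsers differ.
function formatLine(key: string, value: string): string {
  if (!KEY.test(key)) throw new Error("refusing unsafe key name");
  const esc = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\r/g, "\\r").replace(/\n/g, "\\n");
  return key + '="' + esc + '"';
}

// Assumed merge policy: remote value wins, comments and unrelated keys stay, new keys are appended.
function mergeEnv(existing: string, secrets: Record<string, string>): string {
  const body = existing.replace(/\n+$/, "");
  const written: Record<string, boolean> = {};
  const lines = (body ? body.split("\n") : []).map((line) => {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (!m || !Object.prototype.hasOwnProperty.call(secrets, m[1])) return line;
    written[m[1]] = true;
    return formatLine(m[1], secrets[m[1]]);
  });
  for (const k of Object.keys(secrets)) if (!written[k]) lines.push(formatLine(k, secrets[k]));
  return lines.join("\n") + "\n";
}
```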

Self-Hosted Infisical

The extension targets app.infisical.com by default. If you run a self-hosted Infisical instance, support for your own URL can be added by modifying the base URL in src/externalSyncManager.ts.

Security

Client secrets are stored in VS Code SecretStorage (OS keychain). Access tokens are ephemeral — they're fetched fresh on every sync and never persisted.