Skip to main content
Replicas integrates with Infisical to sync secrets from your Infisical projects directly into workspace environment variables. Connections are configured per environment scope, so you can connect different Infisical projects or environments to your global, repository, or repository-set scopes.

Setup

Only organization admins can connect Infisical.
  1. In Infisical, create a Machine Identity with Universal Auth enabled
  2. Add the identity to your target project with read access to the desired environment
  3. Generate a Client ID and Client Secret for the identity
  4. Go to Environment settings in Replicas
  5. Select a scope: Global, a specific Repository, or a Repository Set
  6. Open the Variables tab, scroll to the Integrations section, and click Connect Infisical, then fill in:
    • Client ID and Client Secret from your Machine Identity
    • Project ID: found in your Infisical project settings
    • Environment: the environment slug to pull secrets from (e.g., dev, staging, prod)
    • Secret Path: the folder path within the environment (defaults to /)
    • Site URL: only needed for EU Cloud (https://eu.infisical.com) or self-hosted instances (defaults to US Cloud)
  7. Click Save & Connect. Replicas validates the credentials before saving
You can connect Infisical independently at each scope. For example, you might sync staging secrets globally and production secrets for a specific repository.

How It Works

When a workspace is created, Replicas authenticates with Infisical using the stored Machine Identity credentials for each applicable scope, fetches all secrets, and injects them as environment variables into the workspace.

Priority

Infisical secrets follow the same priority ordering as manual environment variables, but within each scope, manual variables always override Infisical secrets:
  1. Global Infisical secrets (lowest)
  2. Global manual environment variables
  3. Repository-set Infisical secrets
  4. Repository-set manual environment variables
  5. Repository Infisical secrets
  6. Repository manual environment variables (highest)
If you define a variable manually in the same scope with the same key as an Infisical secret, the manual value wins. A repository-scoped Infisical secret overrides a global manual variable.

Test Sync

After connecting, use the Test Sync button to verify that Replicas can reach your Infisical project and see which secret keys are available. Secret values are never displayed; only the key names are shown.

Reconfiguring

Click Reconfigure to update the Machine Identity credentials, change the project/environment, or switch the secret path. The new credentials are validated before saving.

Disconnecting

Click Disconnect to remove the Infisical connection for that scope. Existing workspaces are not affected, but new workspaces will no longer receive Infisical secrets from that scope.