// the find
Infisical/infisical
Infisical is the open-source platform for secrets, certificates, and privileged access management.
Infisical is an open-core secrets management platform that has expanded into PKI, KMS, and now PAM — essentially attempting to be the self-hostable alternative to HashiCorp Vault with a significantly better UX. It targets teams that want centralized secret storage with environment syncing, certificate lifecycle management, and database credential brokering without paying Vault enterprise prices. The dual TypeScript + Go backend handles the breadth of features, with Go taking over the performance-critical paths.
The dynamic secrets feature is genuinely well-implemented — ephemeral database credentials with configurable TTLs mean you're not rotating static passwords on a schedule; you're just never handing them out permanently. The Agent Vault addition (proxying AI agent outbound requests to inject secrets at the edge) is the right architectural answer to the credential-exfiltration-via-prompt-injection problem that most teams haven't solved yet. Test infrastructure is serious for a project this size: BDD tests in Python/Behave for ACME and SCEP protocol compliance, Go integration tests using real containers, TypeScript e2e tests across four API versions — not just unit tests on happy paths. FIPS-compliant Docker images are a meaningful signal that regulated industries are actually using this, which usually means the core auth paths have been scrutinized.
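The edge-injection pattern credited to Agent Vault above, as an added Python illustration written for this note rather than Infisical's own code: the agent hands the proxy a credential-free request, the proxy checks the destination against an allowlist, replaces any Authorization header the agent set, and injects a stored credential only while its lease is valid (the lease expiry standing in for the TTL-bounded dynamic secrets). Host names, credential values, lease times and the `broker` function are constructed assumptions.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample data: only the proxy holds credentials, each with a lease
# expiry (epoch seconds) standing in for a short-lived dynamic secret.
SECRET_STORE = {
    "api.vendor.test": {"value": "Bearer demo-token-constructed", "expires_at": 2_000},
    "db-broker.internal.test": {"value": "Basic ZGVtbzpkZW1v", "expires_at": 1_000},
}

@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)
    body: str = ""

def broker(agent_req: Request, now: int) -> Request:
    """Build the upstream request the edge proxy sends on the agent's behalf.

    The agent never receives a credential: the proxy checks the destination
    against the allowlist, discards any Authorization header the agent set
    itself, and injects the stored credential only while its lease is valid.
    """
    host = urlsplit(agent_req.url).hostname
    entry = SECRET_STORE.get(host)
    if entry is None:
        # A destination outside the allowlist (for example one chosen by a
        # prompt-injected agent) is refused outright, not forwarded.
        raise PermissionError(f"destination {host!r} is not allowlisted")
    if now >= entry["expires_at"]:
        raise PermissionError(f"credential lease for {host!r} has expired")
    headers = {k: v for k, v in agent_req.headers.items() if k.lower() != "authorization"}
    headers["Authorization"] = entry["value"]
    return Request(agent_req.url, headers, agent_req.body)

def agent_side_contains_secret(agent_req: Request) -> bool:
    """True if any stored credential value appears in what the agent holds."""
    blob = repr(agent_req.headers) + agent_req.body
    return any(e["value"] in blob for e in SECRET_STORE.values())

if __name__ == "__main__":
    req = Request("https://api.vendor.test/v1/chat", {"Content-Type": "application/json"}, '{"q": "hi"}')
    upstream = broker(req, now=1_500)
    print(upstream.headers["Authorization"])  # credential added by the proxy, not the agent
    print(agent_side_contains_secret(req))    # False
```

Because the credential only ever exists on the proxy side, a prompt-injected agent that tries to post its context elsewhere has nothing to leak, and a non-allowlisted destination is refused before any credential is attached.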
The open-core license is a practical trap: the repo is MIT except the `ee/` directory, and that directory is where SAML SSO, audit log streaming, IP allowlisting, and granular RBAC live. You can self-host, but you'll hit the paywall for anything a compliance team actually asks about. Feature expansion pace is a red flag — secrets to PKI to KMS to full PAM with session recording in the span of two years with a small team; HashiCorp has hundreds of engineers on Vault and PAM is still a hard problem. The mixed TypeScript + Go codebase creates real cognitive overhead: a single request can touch both backends and tracing a bug means reading two languages, two frameworks, and two test suites. Self-hosted production operations are also underspecified in the docs — Redis, Postgres, SMTP, and the Go service all need to be managed separately, and the official docs lean toward pointing you at Infisical Cloud rather than walking through hardened self-hosted deployments.