Infisical is an open-source secrets management platform built as a modern alternative to HashiCorp Vault for teams that want something closer to “Doppler, but self-hostable.” The server is a Node.js/TypeScript application backed by Postgres, and it exposes secrets through a web UI, CLI, REST API, Kubernetes operator, and SDKs for most major languages.
The data model is organized around projects, environments (dev/staging/prod), and folder paths, with per-path RBAC, approval workflows, secret versioning, PR-style change requests, and audit logs. It supports dynamic secrets for Postgres, MySQL, AWS IAM, and similar backends — short-lived credentials generated on demand — as well as secret rotation, PKI issuance, and SSH certificate signing. The Kubernetes operator syncs secrets into native Secret objects or injects them directly via a mutating webhook, and there is an External Secrets Operator provider for teams already using ESO.
Infisical is dual-licensed: the core is MIT, and enterprise features (SAML/SCIM, HSM integration, higher-tier compliance) sit behind a commercial license. Compared to Vault it has a much gentler learning curve but less breadth; compared to cloud KMS-backed solutions like AWS Secrets Manager it gives you one store that spans clouds and developer laptops.