Self-hosted · fyio ecosystem · GK #AEFF00

Secrets managed.
Zero plaintext.

The single source of truth for API keys, env vars, and app secrets across the fyio ecosystem — gofyio, payfyio, authfyio, kolaystack and more. Machine identities, runtime injection, audit logs. Nothing stored in the clear.

Per-app projects · dev / staging / production · k8s operator · CI injection · short-TTL tokens

Self-hosted on dev102 · Tailscale + Cloudflare Access · Infisical core, envfyio branded

envfyio · secrets inject
$ infisical run --projectId gofyio --env production -- node server.js
identity   gofyio/machine-api authenticated    0.2s
secrets    34 vars fetched (production)        0.4s
inject     env exported to child process       0.4s
audit      access logged · TTL 8h              0.5s
server running · 0 plaintext vars in DB · live

Self-hosted Infisical · Machine identities · k8s operator · Secret versioning · Point-in-time recovery · Rotation & audit logs
Platform features

Built for machines, not humans

Infisical is purpose-built for API keys, env vars, app secrets, teams, environments, and CI/CD. Vaultwarden handles human passwords. envfyio handles everything else.

Per-app Projects

Each fyio app gets its own Infisical project with dev / staging / production environments and least-privilege service tokens.

Machine Identities

Universal Auth client IDs/secrets with scoped access. Short-TTL tokens for k8s pods, CI runners, and app services — no long-lived credentials.

Runtime Injection

k8s Operator syncs secrets directly into pod envs. CLI infisical run wraps any process. GitHub Actions integration for CI pipelines.

Audit & Versioning

Every secret read, write, and rotation is logged. Full version history with point-in-time recovery. Know who accessed what and when.

Private by Default

Runs on dev102 behind Tailscale. Web UI gated by Cloudflare Access. The secrets API is never public — only accessible over the tailnet.

SDK Provider

A thin @envfyio/sdk wraps Infisical behind a provider interface. Swap to OpenBao later without touching app code.

How it works

From plaintext to zero-trust in four steps

Apps never store secrets in the repo or database. envfyio injects them at runtime — in k8s, CI, or CLI — from the single source of truth.

01

Create project

Each fyio app gets an Infisical project with dev / staging / production environments.

02

Issue identity

Generate a Machine Identity (Universal Auth) with scoped access. Short TTL, least privilege.

03

Inject at runtime

k8s Operator, infisical run CLI, or SDK fetches secrets into the process env — never written to disk.

04

Rotate & audit

Rotate secrets on schedule. Every access is logged. Point-in-time recovery for any secret version.

Migration

Leaving plaintext behind

Provider API keys in api_credentials table. Domain logins in domain_credentials. OpenAI key committed in .env.example. All of that goes away.

Before
Provider keys in DB — unencrypted
Credentials marked "// should be encrypted" but never encrypted
OpenAI key in .env.example
Manual 1Password — narrow, not runtime
No rotation, no audit trail
After · envfyio
Encrypted at rest in Infisical
Zero plaintext in the application DB
No secrets in any repo file
Machine identities with short TTLs
Full rotation, versioning & audit logs
envfyio · GK · #AEFF00

The goalkeeper of the fyio stack. Zero secrets in the clear.