Platform features

Built for machines,
not humans

Infisical under the hood. Hardened for the fyio ecosystem — per-app projects, machine identities, runtime injection, full audit trail. Nothing stored in the clear.

01 · Projects

One project per app,
three environments each

Each fyio service (gofyio, payfyio, authfyio, kolaystack) gets its own Infisical project. Secrets are isolated per project: a machine identity is scoped to one project, so a token leaked from one app cannot read secrets from another, and the blast radius of a leak is that project alone.

  • dev / staging / production environments per project
  • Least-privilege roles per machine identity: read-only by default, write and rotate only where an app actually needs it
  • Namespace isolation — cross-project access denied at API level
  • Secret tagging, folders, and path-based organisation
envfyio · project list
$ infisical projects list
gofyio       · 3 envs · 41 secrets
payfyio      · 3 envs · 28 secrets
authfyio     · 3 envs · 19 secrets
kolaystack   · 3 envs · 34 secrets
vaultwarden  · 1 env  ·  7 secrets
02 · Identities

Machine identities,
not human passwords

Universal Auth client IDs + secrets replace long-lived API keys. Each identity has a configured scope: which project, which environment, which paths. Tokens expire. Credentials rotate.

  • Client ID / secret pair per machine or service
  • Short-TTL access tokens — configurable expiry, auto-refresh
  • IP allowlisting for CI runners and k8s node IPs
  • Revoke any identity instantly from the dashboard
envfyio · identity auth
$ infisical login --method=universal-auth \
    --client-id=$INFISICAL_CLIENT_ID \
    --client-secret=$INFISICAL_CLIENT_SECRET
authenticated as   gofyio/machine-api
token TTL          8h · scoped to production
access             read · /secrets/gofyio/*
03 · Injection

Secrets injected at
runtime — never at rest

Three injection paths depending on context: the Infisical CLI wraps any process and hands it secrets as environment variables, the k8s Operator syncs secrets into a managed Kubernetes Secret that pods consume as environment variables or mounted files, and the SDK fetches on demand within application code. In all three the secret lives in process memory, not on disk.

  • infisical run -- wraps any binary — Node, Python, Go
  • k8s Operator: an InfisicalSecret CRD declares the scope, the operator syncs it into a managed Kubernetes Secret
  • GitHub Actions integration for CI pipelines
  • @envfyio/sdk for in-process, on-demand fetching
envfyio · k8s operator
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
  name: gofyio-secrets
spec:
  hostAPI: https://envfyio.internal/api   # a self-hosted Infisical serves its API under /api
  resyncInterval: 60                      # seconds between re-syncs from envfyio
  authentication:
    universalAuth:
      secretsScope:
        projectSlug: gofyio
        envSlug: production
        secretsPath: "/"
      # the machine identity's client id/secret, stored in an ordinary k8s Secret (example name)
      credentialsSecretRef:
        secretName: gofyio-infisical-auth
        secretNamespace: default
  # the operator writes the fetched secrets here; pods read it via env/envFrom or a volume (example name)
  managedSecretReference:
    secretName: gofyio-managed-secrets
    secretNamespace: default
04 · Audit

Full audit trail,
version history, point-in-time

Every read, write, rotation, and identity authentication is logged with a timestamp and actor. Secret versions are kept indefinitely — roll back any secret to any previous value instantly.

  • Immutable audit log — who read what, when, from where
  • Full version history per secret — unlimited retention
  • Point-in-time recovery — restore any secret to any version
  • Access event webhooks — pipe to your SIEM or log aggregator
envfyio · audit log
2026-06-18 09:14Z  READ    gofyio/machine-api
2026-06-18 09:14Z  READ    gofyio/machine-api
2026-06-18 08:00Z  ROTATE  admin · STRIPE_KEY
2026-06-17 23:00Z  READ    ci-runner/github-actions
2026-06-17 18:30Z  WRITE   admin · NEW_API_KEY
128 events this week · 0 denied
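Worked example of what the access-event webhooks feed into: a few detection rules a SIEM or log aggregator might run over envfyio's audit stream, checking each event against the scope its identity is supposed to have and flagging denied requests and read bursts. This is code added for this page, not envfyio's or Infisical's; the event field names, the per-identity scope table and the sample events are constructed and would need to be mapped onto the real webhook payload.

```typescript
// Added example, not part of envfyio or Infisical: SIEM-style rules over audit events
// of the shape the page's access webhooks would deliver. Field names, the scope table
// and the sample events are constructed assumptions; map them onto the real payload.

export type Action = 'AUTH' | 'READ' | 'WRITE' | 'ROTATE' | 'DENIED';

export interface AuditEvent {
  ts: string;       // ISO-8601 timestamp
  action: Action;
  actor: string;    // identity, e.g. "gofyio/machine-api"
  project: string;
  env: string;
  ip: string;
  secret?: string;
}

export interface Finding { rule: string; actor: string; detail: string; }

// Expected scope per identity, kept outside Infisical on purpose: a role that was
// widened by mistake server-side still shows up as out-of-scope here.
export const SCOPES: Record<string, { project: string; env: string; actions: Action[] }> = {
  'gofyio/machine-api':       { project: 'gofyio', env: 'production', actions: ['AUTH', 'READ'] },
  'ci-runner/github-actions': { project: 'gofyio', env: 'staging',    actions: ['AUTH', 'READ'] },
  'admin':                    { project: '*',      env: '*',          actions: ['AUTH', 'READ', 'WRITE', 'ROTATE'] },
};

const matches = (pattern: string, value: string) => pattern === '*' || pattern === value;

export function detect(events: AuditEvent[], burst = { reads: 20, windowMs: 60_000 }): Finding[] {
  const findings: Finding[] = [];
  const recentReads = new Map<string, number[]>();
  for (const e of events) {
    if (e.action === 'DENIED') {   // the server refused it; still worth an alert
      findings.push({ rule: 'denied', actor: e.actor, detail: `${e.project}/${e.env} from ${e.ip}` });
      continue;
    }
    const scope = SCOPES[e.actor];
    if (!scope) {
      findings.push({ rule: 'unknown-identity', actor: e.actor, detail: `${e.action} ${e.project}/${e.env}` });
      continue;
    }
    if (!matches(scope.project, e.project) || !matches(scope.env, e.env) || !scope.actions.includes(e.action)) {
      findings.push({ rule: 'out-of-scope', actor: e.actor,
        detail: `${e.action} ${e.project}/${e.env}${e.secret ? ' ' + e.secret : ''}` });
    }
    if (e.action === 'READ') {   // sliding window: many reads by one identity looks like enumeration
      const t = Date.parse(e.ts);
      const times = (recentReads.get(e.actor) ?? []).filter((x) => t - x < burst.windowMs);
      times.push(t);
      recentReads.set(e.actor, times);
      if (times.length === burst.reads)   // fire once, when the threshold is crossed
        findings.push({ rule: 'read-burst', actor: e.actor, detail: `${times.length} reads in ${burst.windowMs / 1000}s` });
    }
  }
  return findings;
}

// Constructed sample: a normal admin rotation, CI reading production, a machine identity
// writing, one denied request from outside the tailnet, and a 20-read burst.
export function sampleEvents(): AuditEvent[] {
  const base = Date.parse('2026-06-18T09:14:00Z');
  const ev = (offsetS: number, action: Action, actor: string, project: string, env: string, ip: string, secret?: string): AuditEvent =>
    ({ ts: new Date(base + offsetS * 1000).toISOString(), action, actor, project, env, ip, secret });
  const events = [
    ev(-13 * 3600, 'ROTATE', 'admin', 'gofyio', 'production', '100.64.0.9', 'STRIPE_KEY'),
    ev(-10 * 3600, 'READ', 'ci-runner/github-actions', 'gofyio', 'production', '100.64.0.21'),
    ev(-60, 'WRITE', 'gofyio/machine-api', 'gofyio', 'production', '100.64.0.12', 'NEW_API_KEY'),
    ev(-30, 'DENIED', 'unknown', 'payfyio', 'production', '203.0.113.7'),
  ];
  for (let i = 0; i < 20; i++) events.push(ev(i, 'READ', 'gofyio/machine-api', 'gofyio', 'production', '100.64.0.12'));
  return events;
}
```

The scope table is the point: the audit log records what Infisical allowed, and comparing it against what each identity should be allowed catches a role that was widened by accident, which "0 denied" alone never will.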
05 · Network

Never public.
Private by default.

envfyio runs on dev102 behind Tailscale. The secrets API is only reachable over the tailnet — not on the public internet. The web UI adds a second layer via Cloudflare Access with zero-trust identity verification.

  • Tailscale MagicDNS — envfyio.internal only on tailnet
  • Cloudflare Access gate on the web dashboard
  • No public API surface: the secrets API answers only to tailnet peers, so the sole internet-facing component is the Cloudflare Access gate in front of the dashboard
  • TLS everywhere — even inside the tailnet
[Diagram: gofyio pod / CI → tailnet → envfyio on dev102. Secrets API: never public. Cloudflare Access: web UI. TLS: end-to-end.]
06 · SDK

Provider abstraction.
Swap backends later.

@envfyio/sdk wraps Infisical behind a stable provider interface. App code calls secrets.get('KEY_NAME') — the backend can switch from Infisical to OpenBao or another vault without touching application code.

  • Single SecretsProvider interface for all apps
  • In-process caching with configurable TTL
  • TypeScript-first — full type inference on secret keys
  • Backend-agnostic — Infisical, OpenBao, env fallback for tests
@envfyio/sdk · usage
import { createSecretsClient } from '@envfyio/sdk';
const secrets = createSecretsClient({
  project: 'gofyio',
  env: process.env.NODE_ENV,
});
const key = await secrets.get('STRIPE_SECRET_KEY');
typed · cached 5m · zero plaintext in code
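Worked example of the two mechanisms described in 02 and 06 together: a Universal Auth client that exchanges its client id/secret for a short-TTL access token and renews it before expiry, behind a SecretsProvider interface with an in-process TTL cache. This is code added for this page, not the @envfyio/sdk source and not Infisical's client. The Infisical endpoint paths and response fields follow the Universal Auth login and raw-secrets API as understood at time of writing and should be checked against the docs for the deployed version; the hostAPI, client credentials, secret value and the fake server are constructed so the example runs offline.

```typescript
// Added example, not the @envfyio/sdk source: a SecretsProvider interface with an
// Infisical Universal Auth backend and a TTL cache. Endpoint paths and fields follow
// Infisical's Universal Auth login and raw-secrets API as understood at time of writing;
// verify against the docs of the deployed version. fetch and the clock are injected so
// the whole thing runs offline against the constructed fake at the bottom.

export interface SecretsProvider { get(key: string): Promise<string>; }

// Narrow fetch signature; the real global fetch satisfies it.
export type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body?: string }) =>
  Promise<{ status: number; json(): Promise<any> }>;

export interface InfisicalOptions {
  hostAPI: string;       // API base of the self-hosted instance, e.g. https://envfyio.internal/api
  clientId: string;
  clientSecret: string;
  projectSlug: string;
  envSlug: string;
  secretPath?: string;   // defaults to "/"
  fetchFn: FetchLike;
  now?: () => number;    // injectable clock (ms)
}

export class InfisicalProvider implements SecretsProvider {
  private token: { value: string; expiresAt: number } | null = null;
  constructor(private readonly o: InfisicalOptions) {}

  // Universal Auth: trade client id/secret for a short-TTL access token, and renew it
  // 30 s before expiry so no request ever goes out with a dead token.
  private async accessToken(): Promise<string> {
    const now = (this.o.now ?? Date.now)();
    if (this.token && this.token.expiresAt - 30_000 > now) return this.token.value;
    const res = await this.o.fetchFn(`${this.o.hostAPI}/v1/auth/universal-auth/login`, {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ clientId: this.o.clientId, clientSecret: this.o.clientSecret }),
    });
    if (res.status !== 200) throw new Error(`universal-auth login failed: HTTP ${res.status}`);
    const body = await res.json(); // { accessToken, expiresIn (seconds), ... }
    this.token = { value: body.accessToken, expiresAt: now + body.expiresIn * 1000 };
    return this.token.value;
  }

  async get(key: string): Promise<string> {
    const token = await this.accessToken();
    const query = `workspaceSlug=${encodeURIComponent(this.o.projectSlug)}` +
      `&environment=${encodeURIComponent(this.o.envSlug)}&secretPath=${encodeURIComponent(this.o.secretPath ?? '/')}`;
    const res = await this.o.fetchFn(`${this.o.hostAPI}/v3/secrets/raw/${encodeURIComponent(key)}?${query}`,
      { method: 'GET', headers: { authorization: `Bearer ${token}` } });
    if (res.status === 404) throw new Error(`${key} not found in ${this.o.projectSlug}/${this.o.envSlug}`);
    if (res.status !== 200) throw new Error(`secret fetch failed: HTTP ${res.status}`);
    return (await res.json()).secret.secretValue; // { secret: { secretKey, secretValue, ... } }
  }
}

// In-process cache so a hot path does not hit the API on every call.
export class CachedProvider implements SecretsProvider {
  private cache = new Map<string, { value: string; expiresAt: number }>();
  constructor(private readonly inner: SecretsProvider, private readonly ttlMs = 5 * 60_000,
              private readonly now: () => number = Date.now) {}
  async get(key: string): Promise<string> {
    const hit = this.cache.get(key);
    const t = this.now();
    if (hit && hit.expiresAt > t) return hit.value;
    const value = await this.inner.get(key);
    this.cache.set(key, { value, expiresAt: t + this.ttlMs });
    return value;
  }
}

// Constructed fake Infisical: one identity, one secret, 8 h token TTL, call counters.
export function fakeInfisical() {
  const calls = { login: 0, secret: 0 };
  const fetchFn: FetchLike = async (url, init) => {
    if (url.endsWith('/v1/auth/universal-auth/login')) {
      calls.login++;
      const { clientId, clientSecret } = JSON.parse(init.body ?? '{}');
      if (clientId !== 'id-gofyio' || clientSecret !== 'secret-gofyio') return { status: 401, json: async () => ({}) };
      return { status: 200, json: async () => ({ accessToken: 'tok', expiresIn: 8 * 3600 }) };
    }
    if (url.includes('/v3/secrets/raw/STRIPE_SECRET_KEY?') && init.headers.authorization === 'Bearer tok') {
      calls.secret++;
      return { status: 200, json: async () => ({ secret: { secretValue: 'sk_test_constructed' } }) };
    }
    return { status: 404, json: async () => ({}) };
  };
  return { fetchFn, calls };
}

// Walks the cache and token lifecycle on a controllable clock; returns call counts per step.
export async function demo() {
  let t = 0;
  const now = () => t;
  const fake = fakeInfisical();
  const secrets = new CachedProvider(new InfisicalProvider({
    hostAPI: 'https://envfyio.internal/api', clientId: 'id-gofyio', clientSecret: 'secret-gofyio',
    projectSlug: 'gofyio', envSlug: 'production', fetchFn: fake.fetchFn, now,
  }), 5 * 60_000, now);
  const value = await secrets.get('STRIPE_SECRET_KEY');  const cold = { ...fake.calls };        // login + fetch
  await secrets.get('STRIPE_SECRET_KEY');                const warm = { ...fake.calls };        // cache hit
  t += 6 * 60_000;   await secrets.get('STRIPE_SECRET_KEY'); const staleCache = { ...fake.calls }; // refetch, same token
  t += 8 * 3600_000; await secrets.get('STRIPE_SECRET_KEY'); const staleToken = { ...fake.calls }; // token past TTL, re-login
  return { value, cold, warm, staleCache, staleToken };
}
```

To run against envfyio, pass the real global fetch as fetchFn and leave now unset. The cache sits outside the provider so the same TTL logic applies whichever backend is behind the interface, and the token renewal margin is what keeps a long-running pod from failing the first request after an 8 h TTL lapses.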

Ready to eliminate plaintext secrets?

Open the dashboard to start creating projects, issuing machine identities, and injecting secrets at runtime.