Infisical · LewisDwyer · Apr 14, 2026 · chatgpt-codex-connector · Apr 14, 2026
diff --git a/docs/docs.json b/docs/docs.json
@@ -21,6 +21,8 @@
             "pages": [
               "documentation/getting-started/overview",
               "documentation/getting-started/introduction",
+              "documentation/getting-started/quickstart",
+              "documentation/getting-started/self-hosted-quickstart",
               {
                 "group": "Concepts",
                 "pages": [
@@ -347,6 +349,7 @@
                   "self-hosting/guides/mongo-to-postgres",
                   "self-hosting/guides/custom-certificates",
                   "self-hosting/guides/automated-bootstrapping",
+                  "self-hosting/guides/end-to-end-automation",
                   "self-hosting/guides/production-hardening",
                   "self-hosting/guides/monitoring-telemetry"
                 ]

diff --git a/docs/documentation/getting-started/quickstart.mdx b/docs/documentation/getting-started/quickstart.mdx
@@ -0,0 +1,172 @@
+---
+title: "Get Started in 5 Minutes"
+sidebarTitle: "5-Minute Quickstart"
+description: "Go from zero to retrieving your first secret with Infisical Cloud and the CLI."
+---
+
+This guide walks you through the complete flow: create an account, store a secret, and retrieve it in your app. By the end, you'll have Infisical injecting environment variables into a running process.
+
+If you'd rather run Infisical on your own infrastructure, start with the [Self-Hosted Quickstart](/documentation/getting-started/self-hosted-quickstart) instead.
+
+## Prerequisites
+
+- A terminal (macOS, Linux, or WSL on Windows)
+- An application that reads environment variables (any language/framework)
+
+## Step 1: Create your Infisical Cloud account
+
+Go to [app.infisical.com](https://app.infisical.com) and sign up. You can use email, Google, GitHub, GitLab, or SAML SSO.
+
+After signing up, Infisical creates your first **organization** automatically. An organization is the top-level container that holds your projects, team members, and billing.
+
+## Step 2: Create a project and add a secret
+
+1. From the organization dashboard, click **Add New Project** and select **Secret Manager**.
+2. Give it a name (e.g. `my-app`) and click **Create Project**.
+3. You'll land in the **Secrets** dashboard. You're in the **Development** environment by default — Infisical ships with **Development**, **Staging**, and **Production** environments out of the box.
+4. Click **Add Secret**. Enter a key and value:
+   - **Key:** `GREETING`
+   - **Value:** `Hello from Infisical!`
+5. The secret saves automatically.
+
+You now have one secret stored in your project's Development environment.
+
+<Tip>
+  Migrating from an existing `.env` file? You can bulk-import in two ways:
+  - **From the dashboard:** click the **Actions** dropdown and select **Import from .env** to upload your file.
+  - **From the CLI** (after Step 4): `infisical secrets set --file=".env" --env=dev`. Supports `.env` and YAML formats; `#` and `//` comments are ignored.
+</Tip>
+
+## Step 3: Install the Infisical CLI
+
+<Tabs>
+  <Tab title="macOS">
+    ```bash
+    brew install infisical/get-cli/infisical
+    ```
+  </Tab>
+  <Tab title="Debian/Ubuntu">
+    ```bash
+    curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | sudo -E bash
+    sudo apt-get update && sudo apt-get install -y infisical
+    ```
+  </Tab>
+  <Tab title="RedHat/CentOS/Amazon Linux">
+    ```bash
+    curl -1sLf 'https://artifacts-cli.infisical.com/setup.rpm.sh' | sudo -E bash
+    sudo yum install infisical
+    ```
+  </Tab>
+  <Tab title="Windows">
+    ```bash
+    scoop bucket add org https://github.com/Infisical/scoop-infisical.git
+    scoop install infisical
+    ```
+  </Tab>
+  <Tab title="Alpine">
+    ```bash
+    apk add --no-cache bash sudo wget
+    wget -qO- 'https://artifacts-cli.infisical.com/setup.apk.sh' | sudo sh
+    apk update && sudo apk add infisical
+    ```
+  </Tab>
+  <Tab title="Arch Linux">
+    ```bash
+    yay -S infisical-bin
+    ```
+  </Tab>
+</Tabs>
+
+Verify the installation:
+
+```bash
+infisical --version
+```
+
+## Step 4: Log in and link your project
+
+```bash
+# Authenticate with Infisical Cloud (opens your browser)
+infisical login
+
+# Navigate to your project directory
+cd /path/to/your/project
+
+# Link this directory to your Infisical project (select it from the list)
+infisical init
+```
+
+The `init` command creates a `.infisical.json` file in your project root. This file only contains a project ID reference (stored as `workspaceId`) — no secrets — so it's safe to commit to version control.
+
+<Tip>
+  Want different environments per git branch? Add a `gitBranchToEnvironmentMapping` block to `.infisical.json` and the CLI will pick the environment to fetch from automatically based on your current branch:
+
+  ```json .infisical.json
+  {
+    "workspaceId": "63ee5410a45f7a1ed39ba118",
+    "gitBranchToEnvironmentMapping": {
+      "main": "prod",
+      "staging": "staging",
+      "develop": "dev"
+    }
+  }
+  ```
+</Tip>
+
+## Step 5: Retrieve your secret
+
+There are three ways to use your secrets. Pick whichever fits your workflow.
+
+### Option A: Inject into a running process
+
+The most common approach. `infisical run` fetches your secrets and passes them as environment variables to whatever command follows `--`:
+
+```bash
+infisical run --env=dev -- printenv GREETING
+# Output: Hello from Infisical!
+```
+
+Replace `printenv GREETING` with your real start command:
+
+```bash
+infisical run --env=dev -- npm run dev
+infisical run --env=dev -- python app.py
+infisical run --env=dev -- go run main.go
+```
+
+Your application reads `process.env.GREETING` (or the equivalent in your language) exactly as it would with a `.env` file — no code changes needed.
+
+### Option B: Export to a file
+
+Generate a `.env` file from your Infisical secrets:
+
+```bash
+infisical export --env=dev --format=dotenv > .env
+```
+
+Other supported formats: `yaml`, `json`, `csv`, `dotenv-export`.
+
+### Option C: List secrets in the terminal
+
+Inspect what's stored without running an app:
+
+```bash
+infisical secrets --env=dev
+```
+
+## What's next
+
+You've stored a secret and retrieved it. Here's where to go from here:
+
+- **Add your team:** Invite members from the organization settings page. They install the CLI, run `infisical login` and `infisical init`, and instantly have access to the same secrets — no `.env` files changing hands.
+- **Use environments:** Your project already has Development, Staging, and Production environments. Switch between them with the `--env` flag (`dev`, `staging`, `prod`).
+- **Set up CI/CD and production:** For non-interactive environments, create a [Machine Identity](/documentation/platform/identities/machine-identities) instead of using personal login. Machine identities use client credentials that can be scoped to specific projects and environments. Once you have an identity token, set `INFISICAL_TOKEN` in the environment and every CLI command will use it — no `infisical login` required:
+
+    ```bash
+    export INFISICAL_TOKEN=$(infisical login --method=universal-auth \
+      --client-id="<id>" --client-secret="<secret>" --plain --silent)
+    infisical run --env=prod -- your-start-command
+    ```
+- **Use an SDK instead of the CLI:** Infisical has native SDKs for [Node.js, Python, Go, Java, .NET, Ruby, PHP, Rust, and C++](/sdks/overview). SDKs fetch secrets at runtime from your application code.
+- **Explore integrations:** Sync secrets to [AWS Parameter Store, Vercel, GitHub Actions, Kubernetes, and more](/integrations/secret-syncs).
+- **Self-host:** To run Infisical on your own infrastructure, follow the [Self-Hosted Quickstart](/documentation/getting-started/self-hosted-quickstart) for a local setup, or the [self-hosting overview](/self-hosting/overview) for deployment options.
diff --git a/docs/documentation/getting-started/self-hosted-quickstart.mdx b/docs/documentation/getting-started/self-hosted-quickstart.mdx
@@ -0,0 +1,117 @@
+---
+title: "Quickstart with Self-Hosted Infisical"
+sidebarTitle: "Self-Hosted Quickstart"
+description: "Run Infisical locally with Docker Compose, bootstrap an admin account, and retrieve your first secret from the CLI."
+---
+
+This guide gets a self-hosted Infisical instance running on your machine and walks you through retrieving your first secret from it. By the end, you'll have Infisical injecting environment variables into a process — with no reliance on Infisical Cloud.
+
+If you're trying Infisical for the first time and don't need to self-host, use the [Cloud quickstart](/documentation/getting-started/quickstart) instead.
+
+## Prerequisites
+
+- [Docker Engine](https://docs.docker.com/engine/install/) (20.10+) and [Docker Compose](https://docs.docker.com/compose/install/) (v2+)
+- A terminal (macOS, Linux, or WSL on Windows)
+
+## Step 1: Start Infisical locally
+
+Download the production Docker Compose file and the default environment variables, then start the stack:
+
+```bash
+curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
+curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
+
+docker compose -f docker-compose.prod.yml up -d
+```
+
+This starts three containers: the Infisical backend (exposed on port 80), PostgreSQL, and Redis.
+
+<Warning>
+  If you have run this stack before, old database volumes may still exist with different credentials than your current `.env`. Run `docker compose -f docker-compose.prod.yml down -v` first to wipe them — otherwise the database will reject connections with an authentication error.
+</Warning>
+
+<Warning>
+  The downloaded `.env` file contains credentials that control the security of your deployment. Do not commit it, and tighten its permissions:
+
+  ```bash
+  chmod 600 .env
+  ```
+</Warning>
+
+Confirm the backend is responding:
+
+```bash
+curl -s http://localhost:80/api/status | head -c 100
+```
+
+For the full set of configuration options and production-grade deployments, see the [Docker Compose guide](/self-hosting/deployment-options/docker-compose).
+
+## Step 2: Bootstrap the instance
+
+Fresh Infisical instances have no users, organizations, or identities. Instead of creating the first admin through the UI, use the `infisical bootstrap` command — it creates the admin user, an organization, and an **instance admin machine identity** in a single call, and returns a JWT token you can use for further automation:
+
+```bash
+infisical bootstrap \
+  --domain="http://localhost:80" \
+  --email="admin@example.com" \
+  --password="your-secure-password" \
+  --organization="my-org" \
+  --ignore-if-bootstrapped
+```
+
+The response is a JSON object containing the new user, organization, and identity — including an `identity.credentials.token` field. For a full breakdown of the response and alternative bootstrap methods (API, Helm), see [Programmatic Provisioning](/self-hosting/guides/automated-bootstrapping).
+
+<Tip>
+  Don't have the CLI yet? Install it with `brew install infisical/get-cli/infisical` (macOS) or see Step 3 of the [Cloud quickstart](/documentation/getting-started/quickstart#step-3-install-the-infisical-cli) for other platforms.
+</Tip>
+
+## Step 3: Create a project and add a secret
+
+Open [http://localhost:80](http://localhost:80) in your browser and log in with the admin credentials you bootstrapped.
+
+1. From the organization dashboard, click **Add New Project** and select **Secret Manager**.
+2. Give it a name (e.g. `my-app`) and click **Create Project**.
+3. You'll land in the **Secrets** dashboard in the **Development** environment.
+4. Click **Add Secret**. Enter:
+   - **Key:** `GREETING`
+   - **Value:** `Hello from self-hosted Infisical!`
+5. The secret saves automatically.
+
+<Tip>
+  Want to skip the UI entirely? The [End-to-End Automation guide](/self-hosting/guides/end-to-end-automation) shows how to script project creation and secret import using the bootstrap token.
+</Tip>
+
+## Step 4: Point the CLI at your self-hosted instance
+
+By default, the CLI talks to Infisical Cloud. Set the domain to your local instance, then log in as the admin user:
+
+```bash
+infisical login --domain="http://localhost:80"
+```
+
+Link your project directory:
+
+```bash
+cd /path/to/your/project
+infisical init
+```
+
+`init` writes a `.infisical.json` file containing the project ID (stored as `workspaceId`) — no secrets, safe to commit.
+
+## Step 5: Retrieve your secret
+
+Run any command with `infisical run` and your secrets are injected as environment variables:
+
+```bash
+infisical run --env=dev -- printenv GREETING
+# Output: Hello from self-hosted Infisical!
+```
+
+Replace `printenv GREETING` with your real start command — `npm run dev`, `python app.py`, `go run main.go`, and so on. Your app reads `process.env.GREETING` (or the language equivalent) exactly as it would with a `.env` file.
+
+## What's next
+
+- **Automate the whole flow:** See the [End-to-End Automation guide](/self-hosting/guides/end-to-end-automation) for a scripted path from empty instance to running app.
+- **Production-grade deployment:** The steps above are a local proof of concept. For high-availability setups, review the [Kubernetes Helm guide](/self-hosting/deployment-options/kubernetes-helm) and the [reference architectures](/self-hosting/reference-architectures/on-prem-k8s-ha).
+- **Secure your instance:** See [Production Hardening](/self-hosting/guides/production-hardening) before exposing the instance beyond your local machine.
+- **Use an SDK instead of the CLI:** Infisical has native SDKs for [Node.js, Python, Go, Java, .NET, Ruby, PHP, Rust, and C++](/sdks/overview).