> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tembo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Infisical

> Inject secrets into Tembo-powered runs without committing .env files.

## Features

* Works out of the box in Tembo sandboxes (Infisical CLI is already installed)
* Injects secrets at runtime without committing `.env` files
* Supports optional env var overrides for project/environment/path/domain defaults

## Installation

<Steps>
  <Step title="Open Sandbox settings">
    In Tembo, go to **Settings** -> **Sandbox**.
  </Step>

  <Step title="Add environment variable">
    Add `INFISICAL_TOKEN` to your sandbox environment variables and save.
  </Step>

  <Step title="Start a new session">
    Start a new Tembo session. That's it.
  </Step>
</Steps>

## Usage

In Tembo sandbox sessions, this will automatically work once `INFISICAL_TOKEN` is set.
Run commands with `infisical run --`:

```bash theme={null}
infisical run -- bun run --watch index.ts
infisical run -- next dev --turbopack --port 3000
```

If your script cannot infer the Infisical project automatically, add
`--projectId` before the command separator:

```bash theme={null}
infisical run --projectId <project-id> -- bun run --watch index.ts
```

## Optional overrides

If you want to override defaults for `infisical run`, add these in **Settings -> Sandbox**:

* `INFISICAL_PROJECT_ID`
* `INFISICAL_ENV`
* `INFISICAL_SECRET_PATH`
* `INFISICAL_API_URL`

Explicit CLI flags still win over env-var defaults.