diff --git a/cli/packages/cmd/gateway.go b/cli/packages/cmd/gateway.go
index ef4cdc944d..81baf3910d 100644
--- a/cli/packages/cmd/gateway.go
+++ b/cli/packages/cmd/gateway.go
@@ -28,7 +28,7 @@ var gatewayCmd = &cobra.Command{
Run: func(cmd *cobra.Command, args []string) {
token, err := util.GetInfisicalToken(cmd)
if err != nil {
- util.HandleError(err, "Unable to parse flag")
+ util.HandleError(err, "Unable to parse token flag")
}
if token == nil {
diff --git a/docs/cli/commands/gateway.mdx b/docs/cli/commands/gateway.mdx
new file mode 100644
index 0000000000..fd035f1fde
--- /dev/null
+++ b/docs/cli/commands/gateway.mdx
@@ -0,0 +1,107 @@
+---
+title: "infisical gateway"
+description: "Run the Infisical gateway or manage its systemd service"
+---
+
+
+
+ ```bash
+ infisical gateway --token=
+ ```
+
+
+ ```bash
+ sudo infisical gateway install --token= --domain=
+ ```
+
+
+
+## Description
+
+Run the Infisical gateway in the foreground or manage its systemd service installation. The gateway allows secure communication between your self-hosted Infisical instance and client applications.
+
+## Subcommands & flags
+
+
+ Run the Infisical gateway in the foreground. The gateway will connect to the relay service and maintain a persistent connection.
+
+ ```bash
+ infisical gateway --token= --domain=
+ ```
+
+ ### Flags
+
+
+ The machine identity access token to authenticate with Infisical.
+
+ ```bash
+ # Example
+ infisical gateway --token=
+ ```
+
+ You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the gateway command.
+
+
+
+ Domain of your self-hosted Infisical instance.
+
+ ```bash
+ # Example
+ sudo infisical gateway install --domain=https://app.your-domain.com
+ ```
+
+
+
+
+ Install and enable the gateway as a systemd service. This command must be run with sudo on Linux.
+
+ ```bash
+ sudo infisical gateway install --token= --domain=
+ ```
+
+ ### Requirements
+ - Must be run on Linux
+ - Must be run with root/sudo privileges
+ - Requires systemd
+
+ ### Flags
+
+
+ The machine identity access token to authenticate with Infisical.
+
+ ```bash
+ # Example
+ sudo infisical gateway install --token=
+ ```
+
+ You may also expose the token to the CLI by setting the environment variable `INFISICAL_TOKEN` before executing the install command.
+
+
+
+ Domain of your self-hosted Infisical instance.
+
+ ```bash
+ # Example
+ sudo infisical gateway install --domain=https://app.your-domain.com
+ ```
+
+
+ ### Service Details
+ The systemd service is installed with secure defaults:
+ - Service file: `/etc/systemd/system/infisical-gateway.service`
+ - Config file: `/etc/infisical/gateway.conf`
+ - Runs with restricted privileges:
+ - InaccessibleDirectories=/home
+ - PrivateTmp=yes
+ - Resource limits configured for stability
+ - Automatically restarts on failure
+ - Enabled to start on boot
+
+ After installation, manage the service with standard systemd commands:
+ ```bash
+ sudo systemctl start infisical-gateway # Start the service
+ sudo systemctl stop infisical-gateway # Stop the service
+ sudo systemctl status infisical-gateway # Check service status
+ sudo systemctl disable infisical-gateway # Disable auto-start on boot
+ ```
+
diff --git a/docs/mint.json b/docs/mint.json
index f604ff3107..5c97790bf2 100644
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -339,6 +339,7 @@
"cli/commands/secrets",
"cli/commands/dynamic-secrets",
"cli/commands/ssh",
+ "cli/commands/gateway",
"cli/commands/export",
"cli/commands/token",
"cli/commands/service-token",