infisical/docs/api-reference/overview/examples/retrieve-secrets.mdx

---
title: "Retrieve secrets"
description: "How to get all secrets using an Infisical Token scoped to a project and environment"
---

Prerequisites:

- Set up and add envars to [Infisical Cloud](https://app.infisical.com).
- Create an [Infisical Token](/documentation/platform/token) for your project and environment.
- Grasp a basic understanding of the system and its underlying cryptography [here](/api-reference/overview/introduction).
- [Ensure that your project is blind-indexed](../blind-indices).

## Flow

1. [Get your Infisical Token data](/api-reference/endpoints/service-tokens/get) including a (encrypted) project key.
2. [Get secrets for your project and environment](/api-reference/endpoints/secrets/read).
3. Decrypt the (encrypted) project key with the key from your Infisical Token.
4. Decrypt the (encrypted) secrets

## Example

<Tabs>
  <Tab title="Javascript">
```js
const crypto = require('crypto');
const axios = require('axios');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

    let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
    cleartext += decipher.final('utf8');

    return cleartext;
}

const getSecrets = async () => {
	const serviceToken = 'your_service_token';
	const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Get secrets for your project and environment
    const { data } = await axios.get(
       `${BASE_URL}/api/v3/secrets?${new URLSearchParams({
            environment: serviceTokenData.environment,
            workspaceId: serviceTokenData.workspace
        })}`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    const encryptedSecrets = data.secrets;

    // 3. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });

	// 4. Decrypt the (encrypted) secrets
    const secrets = encryptedSecrets.map((secret) => {
        const secretKey = decrypt({
          ciphertext: secret.secretKeyCiphertext,
          iv: secret.secretKeyIV,
          tag: secret.secretKeyTag,
          secret: projectKey
        });

        const secretValue = decrypt({
          ciphertext: secret.secretValueCiphertext,
          iv: secret.secretValueIV,
          tag: secret.secretValueTag,
          secret: projectKey
        });

        return ({
            secretKey,
            secretValue
        });
    });

    console.log('secrets: ', secrets);
}

getSecrets();

```
  </Tab>

<Tab title="Python">
```Python
import requests
import base64
from Cryptodome.Cipher import AES


BASE_URL = "http://app.infisical.com"


def decrypt(ciphertext, iv, tag, secret):
    secret = bytes(secret, "utf-8")
    iv = base64.standard_b64decode(iv)
    tag = base64.standard_b64decode(tag)
    ciphertext = base64.standard_b64decode(ciphertext)

    cipher = AES.new(secret, AES.MODE_GCM, iv)
    cipher.update(tag)
    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
    return cleartext


def get_secrets():
    service_token = "your_service_token"
    service_token_secret = service_token[service_token.rindex(".") + 1 :]

    # 1. Get your Infisical Token data
    service_token_data = requests.get(
        f"{BASE_URL}/api/v2/service-token",
        headers={"Authorization": f"Bearer {service_token}"},
    ).json()

    # 2. Get secrets for your project and environment
    data = requests.get(
        f"{BASE_URL}/api/v3/secrets",
        params={
            "environment": service_token_data["environment"],
            "workspaceId": service_token_data["workspace"],
        },
        headers={"Authorization": f"Bearer {service_token}"},
    ).json()

    encrypted_secrets = data["secrets"]

    # 3. Decrypt the (encrypted) project key with the key from your Infisical Token
    project_key = decrypt(
        ciphertext=service_token_data["encryptedKey"],
        iv=service_token_data["iv"],
        tag=service_token_data["tag"],
        secret=service_token_secret,
    )

    # 4. Decrypt the (encrypted) secrets
    secrets = []
    for secret in encrypted_secrets:
        secret_key = decrypt(
            ciphertext=secret["secretKeyCiphertext"],
            iv=secret["secretKeyIV"],
            tag=secret["secretKeyTag"],
            secret=project_key,
        )

        secret_value = decrypt(
            ciphertext=secret["secretValueCiphertext"],
            iv=secret["secretValueIV"],
            tag=secret["secretValueTag"],
            secret=project_key,
        )

        secrets.append(
            {
                "secret_key": secret_key,
                "secret_value": secret_value,
            }
        )

    print("secrets:", secrets)


get_secrets()

```
</Tab>
</Tabs>