infisical/docs/api-reference/overview/examples/create-secrets.mdx

---
title: "Create secrets"
---

In this example, we demonstrate how to add secrets to a project and environment using an Infisical Token.

Prerequisites:

- Set up and add envars to [Infisical Cloud](https://app.infisical.com)
- Create an [Infisical Token](../../../getting-started/dashboard/token) for your project and environment.
- Grasp a basic understanding of the system and its underlying cryptography [here](/api-reference/overview/introduction).

## Flow

1. [Get your Infisical Token data](/api-reference/endpoints/service-tokens/get) including a (encrypted) project key.
2. Decrypt the (encrypted) project key with the key from your Infisical Token.
3. Encrypt your secret(s) with the project key
4. [Send (encrypted) secret(s) to Infical](/api-reference/endpoints/secrets/create)

## Example

<Tabs>
<Tab title="Javascript">
```js
const crypto = require('crypto');
const axios = require('axios');
const nacl = require('tweetnacl');

const BASE_URL = 'https://app.infisical.com';
const ALGORITHM = 'aes-256-gcm';
const BLOCK_SIZE_BYTES = 16;

const encrypt = ({ text, secret }) => {
    const iv = crypto.randomBytes(BLOCK_SIZE_BYTES);
    const cipher = crypto.createCipheriv(ALGORITHM, secret, iv);

    let ciphertext = cipher.update(text, 'utf8', 'base64');
    ciphertext += cipher.final('base64');
    return {
        ciphertext,
        iv: iv.toString('base64'),
        tag: cipher.getAuthTag().toString('base64')
    };
}

const decrypt = ({ ciphertext, iv, tag, secret}) => {
	const decipher = crypto.createDecipheriv(
		ALGORITHM,
		secret,
		Buffer.from(iv, 'base64')
	);
	decipher.setAuthTag(Buffer.from(tag, 'base64'));

	let cleartext = decipher.update(ciphertext, 'base64', 'utf8');
	cleartext += decipher.final('utf8');

	return cleartext;
}

const createSecrets = async () => {
    const serviceToken = '';
    const serviceTokenSecret = serviceToken.substring(serviceToken.lastIndexOf('.') + 1);
    
    const secretType = 'shared'; // 'shared' or 'personal'
    const secretKey = 'some_key';
    const secretValue = 'some_value';
    const secretComment = 'some_comment';

    // 1. Get your Infisical Token data
    const { data: serviceTokenData } = await axios.get(
       `${BASE_URL}/api/v2/service-token`,
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );

    // 2. Decrypt the (encrypted) project key with the key from your Infisical Token
    const projectKey = decrypt({
        ciphertext: serviceTokenData.encryptedKey,
        iv: serviceTokenData.iv,
        tag: serviceTokenData.tag,
        secret: serviceTokenSecret
    });
    
	// 3. Encrypt your secret(s) with the project key
    const {
        ciphertext: secretKeyCiphertext,
        iv: secretKeyIV,
        tag: secretKeyTag
    } = encrypt({
        text: secretKey,
        secret: projectKey
    });

    const {
        ciphertext: secretValueCiphertext,
        iv: secretValueIV,
        tag: secretValueTag
    } = encrypt({
        text: secretValue,
        secret: projectKey
    });

    const {
        ciphertext: secretCommentCiphertext,
        iv: secretCommentIV,
        tag: secretCommentTag
    } = encrypt({
        text: secretComment,
        secret: projectKey
    });
    
    const secret = {
        type: secretType,
        secretKeyCiphertext,
        secretKeyIV,
        secretKeyTag,
        secretValueCiphertext,
        secretValueIV,
        secretValueTag,
        secretCommentCiphertext,
        secretCommentIV,
        secretCommentTag
    }

	// 4. Send (encrypted) secret(s) to Infisical
    await axios.post(
        `${BASE_URL}/api/v2/secrets`,
        {
            workspaceId: serviceTokenData.workspace,
            environment: serviceTokenData.environment,
            secrets: [secret]
        },
        {
            headers: {
                Authorization: `Bearer ${serviceToken}`
            }
        }
    );
}

createSecrets();
```
</Tab>

<Tab title="Python">
```Python
import base64
import requests
from Cryptodome.Cipher import AES
from Cryptodome.Random import get_random_bytes


BASE_URL = "https://app.infisical.com"
BLOCK_SIZE_BYTES = 16


def encrypt(text, secret):
    iv = get_random_bytes(BLOCK_SIZE_BYTES)
    secret = bytes(secret, "utf-8")
    cipher = AES.new(secret, AES.MODE_GCM, iv)
    ciphertext, tag = cipher.encrypt_and_digest(text.encode("utf-8"))
    return {
        "ciphertext": base64.standard_b64encode(ciphertext).decode("utf-8"),
        "tag": base64.standard_b64encode(tag).decode("utf-8"),
        "iv": base64.standard_b64encode(iv).decode("utf-8"),
    }


def decrypt(ciphertext, iv, tag, secret):
    secret = bytes(secret, "utf-8")
    iv = base64.standard_b64decode(iv)
    tag = base64.standard_b64decode(tag)
    ciphertext = base64.standard_b64decode(ciphertext)

    cipher = AES.new(secret, AES.MODE_GCM, iv)
    cipher.update(tag)
    cleartext = cipher.decrypt(ciphertext).decode("utf-8")
    return cleartext


def create_secrets():
    service_token = "your_service_token"
    service_token_secret = service_token[service_token.rindex(".") + 1 :]

    secret_type = "shared"  # "shared or "personal"
    secret_key = "some_key"
    secret_value = "some_value"
    secret_comment = "some_comment"

    # 1. Get your Infisical Token data
    service_token_data = requests.get(
        f"{BASE_URL}/api/v2/service-token",
        headers={"Authorization": f"Bearer {service_token}"},
    ).json()

    # 2. Decrypt the (encrypted) project key with the key from your Infisical Token
    project_key = decrypt(
        ciphertext=service_token_data["encryptedKey"],
        iv=service_token_data["iv"],
        tag=service_token_data["tag"],
        secret=service_token_secret,
    )

    # 3. Encrypt your secret(s) with the project key
    encrypted_key_data = encrypt(text=secret_key, secret=project_key)
    encrypted_value_data = encrypt(text=secret_value, secret=project_key)
    encrypted_comment_data = encrypt(text=secret_comment, secret=project_key)

    secret = {
        "type": secret_type,
        "secretKeyCiphertext": encrypted_key_data["ciphertext"],
        "secretKeyIV": encrypted_key_data["iv"],
        "secretKeyTag": encrypted_key_data["tag"],
        "secretValueCiphertext": encrypted_value_data["ciphertext"],
        "secretValueIV": encrypted_value_data["iv"],
        "secretValueTag": encrypted_value_data["tag"],
        "secretCommentCiphertext": encrypted_comment_data["ciphertext"],
        "secretCommentIV": encrypted_comment_data["iv"],
        "secretCommentTag": encrypted_comment_data["tag"],
    }

    # 4. Send (encrypted) secret (s) to Infisical
    requests.post(
        f"{BASE_URL}/api/v2/secrets",
        json={
            "workspaceId": service_token_data["workspace"],
            "environment": service_token_data["environment"],
            "secrets": [secret],
        },
        headers={"Authorization": f"Bearer {service_token}"},
    )


create_secrets()

```
</Tab>
</Tabs>

<Info>
  This example uses [TweetNaCl.js](https://tweetnacl.js.org/#/), a port of
  TweetNacl/Nacl, to perform asymmeric decryption of the project key but there
  are ports of NaCl available in every major language.
</Info>