diff --git a/docs/contributing/developing.mdx b/docs/contributing/developing.mdx index e89c40afcb..83d00d9f12 100644 --- a/docs/contributing/developing.mdx +++ b/docs/contributing/developing.mdx @@ -26,19 +26,19 @@ cp .env.example .env ```bash # build and start the services -docker-compose -f docker-compose.yml -f docker-compose.prod.yml up --build +docker-compose -f docker-compose.dev.yml up --build ``` -Then browse http://localhost:3000 +Then browse http://localhost:8080 ```bash # To stop environment use Control+C (on Mac) CTRL+C (on Win) or -docker-compose down +docker-compose -f docker-compose.dev.yml down # start services -docker-compose up +docker-compose -f docker-compose.dev.yml up ``` -The docker-compose environment consists of: +The docker-compose development environment consists of: - frontend - backend diff --git a/docs/getting-started/cli/cli-guide.mdx b/docs/getting-started/cli/cli-guide.mdx index db4a43b227..ce0a45bdb5 100644 --- a/docs/getting-started/cli/cli-guide.mdx +++ b/docs/getting-started/cli/cli-guide.mdx 
@@ -1,31 +1,56 @@ --- -title: "Infisical CLI" -description: "Learn about each supported command and its flags" +title: "Usage" --- -## Background +Prerequisite: [Install the CLI](../../getting-started/cli/installation) -Infisical ships with multiple commands to assist with ongoing project needs; we list these commands and give context for them below. +## Login - - If you haven't already, install the Infisical CLI - +Login in using the `login` command in your terminal. Logging in is a one-time, post-installation action that authenticates you with the platform — to change users, you can run the command again. -Note on arguments: +```bash +infisical login +``` -- [environment]: the intended environment for the given command being one of dev, staging, or prod. -- [projectId]: the project identifier found on the dashboard. +## Initialization -## Commands +In the root of your local project, initialize Infisical and follow steps to connect your project to the platform. -- `login` used to set the logged in user. Your credentials are saved securely in your system key ring. Note: only one user can be logged in at a time. To change the logged in user, run the command again and overwrite the previous login. -- `init` used to link your infisical.com project to your local project. Run this command ideally at the root of your local project. You will have to run this command for each new project you create locally. -- `run` used to inject your secrets as environment variables into your application process. Example `infisical run --stage=prod -- npm run start` - - `---projectId` flag is used to link your local project to a Infisical.com project. Use this option only when you are injecting via Infisical Token instead of your login. - - `---stage` flag is used to set the environment from which your secrets are pulled from. By default, secrets from your project are pulled from the `dev`. 
To change to for example prod, add `--stage=prod` +```bash +cd /path/to/project -### Global flags -These are flags you can add to any command +# initialization +infisical init +``` -- `--domain` you may change this if you are self hosting Infisical. By default, the CLI points to Infisical.com backend. To point to your own backend, make sure to set this flag for each command you run. Example `infisical login --domain=https://mybackend.com` -- `--debug` use this flag when you want to see more logs related to the error you are receiving. By default debug logs are hidden. Example `infisical run --debug ` \ No newline at end of file +## Injecting environment variables + +To inject environment variables from the platform to your project, use the `run` command. + +```bash +# command +infisical run -- [your application start command] +``` + +Options you can specify: + +| Option | Description | Default value | +| ------------- | ----------------------------------------------------------------------------------------------------------- | ------------- | +| `--env` | Used to set the environment that secrets are pulled from. Accepted values: `dev`, `staging`, `test`, `prod` | `dev` | +| `--projectId` | Used to link a local project to the platform (required only if injecting via the service token method) | `None` | + +Examples: + +```bash +# example with node +infisical run -- node index.js + +# example with node (nodemon) +infisical run -- nodemon index.js + +# example with node (nodemon) pulling in secrets from test environment +infisical run --env=test -- nodemon index.js + +# example with flask +infisical run -- flask run +``` diff --git a/docs/getting-started/cli/infisical-token.mdx b/docs/getting-started/cli/infisical-token.mdx deleted file mode 100644 index eeee4b76bf..0000000000 --- a/docs/getting-started/cli/infisical-token.mdx +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -title: "Infisical Token" -description: "Learn to authenticate via the CLI without in manually" ---- - -## Background - -To authenticate the Infisical CLI in environments other than your local desktop environment, you will have to utilize the Infisical Token. -The Infisical Token is a quick and easy way to authenticate the CLI without having to type in your email and password. This is especially needed -in production environments where you cannot type in your login details. - -With the Infisical Token, you can allow read only access to a particular environment (dev, prod, etc.) for a given project for a set amount of time. Once the token expires, any CLI application -that relies on it for authentication will be denied access to retrieve the related secrets. - -## Generate a Infisical Token -To get started, navigate to your dashboard and select the project for which you would like to generate a Infisical Token for. -Then head over to project settings and you should see a similar page like below. - -![title](./images/project_settings_page.png) - -To add a new Infisical Token, press the `add new token` button. This will bring up a page like below. - -![title](./images/add_new_token.png) - -Enter a name to help you identify the token then choose the environment from which you would like the CLI to retrieve the secrets from. Lastly, choose a duration -for the token. - - -Once the token is expired, the CLI using it will no longer be able to make requests with it. - - - -## Use Infisical token with CLI -Once you have generated a token, it is easy to tell the Infisical CLI to use it. - -### Feeding the token to the CLI -The CLI looks out for an environment variable called `INFISICAL_TOKEN`. Setting this environment variable depends on where you run the CLI. -For example, if you are running the CLI in a Docker container, you may set the environment variable via the docker run command like so. 
- -Docker run example: -``` - docker run --env INFISICAL_TOKEN=... -``` - - -In the event your token is exposed, visit the project settings page again and deactivate the token to expire it immediately. - - -### Prepare `infisical run` command - -Once you have exposed the `INFISICAL_TOKEN` environment variable to the environment the CLI is running in you can prepare the run command. -To have the CLI authenticate via the Infisical Token, you must provide values for flags `--stage` and `--projectId` - -Example: -``` -infisical run --stage=prod --projectId= -``` - - - Notice that we do not need to run any other command such as `infisical init` or `infisical login` when we use the Infisical Token. - - - -To learn more about the commands and it's flags [visit](/CLI) - -### Support - -Lastly, if you have any questions or inquiries, shoot an email over to [support@infisical.com](mailto:support@infisical.com) so we can assist you. Alternatively, feel free to post your question or DM us on Slack here; we'd be happy to connect with you. diff --git a/docs/getting-started/cli/installation.mdx b/docs/getting-started/cli/installation.mdx index 71d57790c0..229f31cb97 100644 --- a/docs/getting-started/cli/installation.mdx +++ b/docs/getting-started/cli/installation.mdx @@ -2,6 +2,8 @@ title: "Installation" --- +Prerequisite: [Setup an account](../../getting-started/dashboard/create-account) with Infisical Cloud or via self-hosted installation. + Follow the guide for your OS below to install the CLI. 
@@ -84,64 +86,10 @@ Follow the guide for your OS below to install the CLI. | sudo -E bash ``` - Then install CLI - ``` - $ apt-get update && apt-get install -y infisical - ``` + Then install CLI + ```bash + $ apt-get update && apt-get install -y infisical + ``` - -## Usage - -Once you have the CLI installed in your system, follow the guide to login and sync your first project. - -#### Login - -Login to the CLI by running the following command in your terminal - -``` -infisical login -``` - - - To authenticate without logging in manually, read about [Infisical - Token](/infisicalToken) - -#### Link secrets to your project After logging in, `CD` into the root of your local -project. Then run the following command in the terminal to link your Infisical project -to your local project. - -``` -infisical init -``` - -#### Inject - -To inject the secrets from the Infisical project you have selected in step 2 into your application process, run the following command. - -``` -infisical run -- -``` - -Example: - -``` -infisical run -- npm run dev -``` - -By default, Infisical injects secrets from your development environment. To modify from which environment your secrets are pulled from, use the --stage flag - -Example: - -``` -infisical run --stage=prod -- npm run dev -``` - -You're now automatically pulling and injecting secrets as environment variables into your application! - -### Support - -We're constantly improving Infisical, so we'd love to get your feedback and take feature requests. - -Lastly, if you have any questions or inquiries, shoot an email over to [support@infisical.com](mailto:support@infisical.com) so we can assist you. Alternatively, feel free to post your question or DM us on Slack here; we'd be happy to connect with you. diff --git a/docs/getting-started/cli/reference.mdx b/docs/getting-started/cli/reference.mdx new file mode 100644 index 0000000000..c0bc557cd3 --- /dev/null +++ b/docs/getting-started/cli/reference.mdx 
@@ -0,0 +1,55 @@ +--- +title: "Reference" +--- + +## Commands + +| Command | Description | Options | +| ------- | -------------------------------------------------------------------- | ---------------------- | +| `login` | Used to authenticate and set the logged in user. | +| `init` | Used to link a local project to the platform. | +| `run` | Used to inject envars from the platform into an application process. | `--projectId`, `--env` | + +## Global options + +| Option | Description | +| ----------------- | ---------------------------------- | +| `--help`, `-h` | List help for any command | +| `--debug`, `-d` | Enable verbose logging | +| `--domain` | Use to direct Infisical to | +| `--version`, `-v` | Print version information and quit | + +### Login + +Used to authenticate and set the logged in user. + +Post-authentication credentials are saved securely in your system keyring. Since only one user can be logged in at a time, to change the logged in user, run the command again to overwrite the previous login. + +```bash +infisical login +``` + +### Init + +Used to link a local project to the platform (cloud or self-hosted) + +Run this command at the root of your local project. You will have to run this command for each new project you create locally. + +```bash +infisical init +``` + +### Run + +Used to inject environment variables from the platform into an application process. + +```bash +infisical run [options] -- [your application start command] +``` + +Options you can specify: + +| Option | Description | Default value | +| ------------- | ----------------------------------------------------------------------------------------------------------- | ------------- | +| `--env` | Used to set the environment that secrets are pulled from. Accepted values: `dev`, `staging`, `test`, `prod` | `dev` | +| `--projectId` | Used to link a local project to the platform (required only if injecting via the service token method) | `None` | 
diff --git a/docs/getting-started/cli/token.mdx b/docs/getting-started/cli/token.mdx new file mode 100644 index 0000000000..043f07431c --- /dev/null +++ b/docs/getting-started/cli/token.mdx @@ -0,0 +1,21 @@ +--- +title: "Infisical Token" +--- + +Prerequisite: [Infisical Token and How to Generate One](../../getting-started/dashboard/token). + +It's possible to use the CLI to sync environment varialbes without manually entering login credentials by using a service token in the prerequisite link above. + +## Feeding Infisical Token to the CLI + +The CLI looks out for an environment variable called the `INFISICAL_TOKEN` which you can set depending on where you run the CLI. If `INFISICAL_TOKEN` is detected by the CLI, it will authenticate and retrieve the environment variables which the token is authorized for. + +A common use-case is to use the Infisical Token to fetch environment variables with Docker. More specifically, a token can be passed to a container as an environment variable for the CLI to authenticate and pull its corresponding secrets. Check out the integration guides for that: + +- [Docker](../../integrations/docker) +- [Docker Compose](../../integrations/docker-compose) + + + Once the token is expired, the CLI using it will no longer be able to make + requests with it. + diff --git a/docs/getting-started/dashboard/create-account.mdx b/docs/getting-started/dashboard/create-account.mdx index 1ac0e82fa4..c71a748e00 100644 --- a/docs/getting-started/dashboard/create-account.mdx +++ b/docs/getting-started/dashboard/create-account.mdx @@ -1,5 +1,5 @@ --- -title: "New Account" +title: "Sign up" --- ## Self-hosted 
@@ -8,13 +8,17 @@ If you're using a self-hosted installation, follow the [setup](/self-hosting/ove ## Infisical Cloud -**Step 1.** Open [infisical.com](https://infisical.com/) and click on either "Try Infisical for free" or "Start for free" to head to the signup sequence. +**Step 1:** Open [infisical.com](https://infisical.com/) and click on either "Try Infisical for free" or "Start for free" to head to the signup sequence. ![title](../../images/landing-page.png) -**Step 2.** Fill out the signup sequence. +**Step 2:** Fill out the signup sequence. -After verifying your email address, you'll be prompted to fill out some required fields to set up your account. +![signup start](../../images/signup-box.png) +![signup one-time password](../../images/signup-otp.png) +![signup complete account](../../images/signup-complete-account.png) + +You'll be prompted to fill out some required fields to set up your account. | Field | Description | | ---------- | --------------------------- | diff --git a/docs/getting-started/dashboard/integrations.mdx b/docs/getting-started/dashboard/integrations.mdx new file mode 100644 index 0000000000..2a4791af48 --- /dev/null +++ b/docs/getting-started/dashboard/integrations.mdx @@ -0,0 +1,13 @@ +--- +title: "Integrations" +--- + +We’re still early with integrations but you’ll be able to sync environment variables across your entire infrastructure from local development to CI/CD and production. + +![integrations](../../images/project-integrations.png) + +Check out integrations: + +- Heroku +- Docker +- Docker Compose diff --git a/docs/getting-started/dashboard/token.mdx b/docs/getting-started/dashboard/token.mdx new file mode 100644 index 0000000000..c2f98c77f3 --- /dev/null +++ b/docs/getting-started/dashboard/token.mdx 
@@ -0,0 +1,23 @@ +--- +title: "Infisical Token" +--- + +An Infisical Token is needed to authenticate the CLI when there isn't an easy way to manually type in your login credentials to sync environment variables to your applications. + +It grants read-only access to a particular environment and project for a specified amount of time; once the token expires, any CLI application that relies on it for authentication will be denied access to retrieve related secrets. + +This is useful in the following contexts: + +- [Docker](../../integrations/docker)/[Docker-Compose](../../integrations/docker-compose) integration: An Infisical Token can be passed to a Docker container as an environment variable for the CLI to authenticate and pull its corresponding secrets. + +## Generate an Infisical Token + +It's possible to generate an Infisical token in the settings of a project. + +![token add](../../images/project-token-add.png) + +![token name](../../images/project-token-name.png) + +![token added](../../images/project-token-added.png) + +To use the Infisical Token in the CLI, check out the docs for that [here](../../getting-started/cli/token). diff --git a/docs/getting-started/features.mdx b/docs/getting-started/features.mdx index 92b4d237f4..9c77c225ba 100644 --- a/docs/getting-started/features.mdx +++ b/docs/getting-started/features.mdx 
@@ -46,18 +46,20 @@ Missing an integration? Throw in a request. We're building the future of secret management, one that's comprehensive and accessible to all. Some high-level features we have in mind: -| Feature | Status | -| ------------------------------------- | --------------- | -| Integrations | Ongoing | -| More hosting options | Ongoing | -| 1-Click Deploys | Ongoing | -| Slack & MS teams integrations | Not yet started | -| Access logs | Not yet started | -| Version control for secrets | Not yet started | -| 2FA | Not yet started | -| Restricted IPs | Not yet started | -| Read/write access controls | Not yet started | -| Secret rotation | Not yet started | -| Comparing secrets across environments | Not yet started | +| Feature | Status | +| ------------------------------------- | ---------------- | +| Integrations | Ongoing | +| More hosting options | Ongoing | +| 1-Click Deploys | Ongoing | +| Account recovery: Backup key | Ongoing | +| Account recovery: Member-assisted | Noet yet started | +| Slack & MS teams integrations | Not yet started | +| Access logs | Not yet started | +| Version control for secrets | Not yet started | +| 2FA | Not yet started | +| Restricted IPs | Not yet started | +| Read/write access controls | Not yet started | +| Secret rotation | Not yet started | +| Comparing secrets across environments | Not yet started | Interested in contributing? Check out the guide. diff --git a/docs/getting-started/introduction.mdx b/docs/getting-started/introduction.mdx index fa02e7f8d4..106d37c14c 100644 --- a/docs/getting-started/introduction.mdx +++ b/docs/getting-started/introduction.mdx 
@@ -2,6 +2,12 @@ title: "Introduction" --- + + Infisical is an [open-source](https://opensource.com/resources/what-open-source), end-to-end encrypted (E2EE) secret manager that enables teams to easily manage and sync their environment variables. It stops [secret sprawl](https://www.gitguardian.com/glossary/secret-sprawl-definition) by providing a single source-of-truth for environment variables. It offers a dashboard for teams to manage environment variables and a platform-agnostic CLI to inject them into apps and infrastructure. @@ -13,12 +19,3 @@ Some problems we solve: - Sending environment variables over email. Infisical uses [end-to-end encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) to ensure that only designated team members can read their environment variables; unless intended for specific integrations, environment variables are always encrypted before being sent to the server. - - - Learn more about our system + security here. - diff --git a/docs/getting-started/security/data-model.mdx b/docs/getting-started/security/data-model.mdx new file mode 100644 index 0000000000..6c60f9e41c --- /dev/null +++ b/docs/getting-started/security/data-model.mdx 
@@ -0,0 +1,27 @@ +--- +title: "Data Model" +--- + +Infisical stores a range of data namely user, secrets, keys, organization, project, and membership data. + +## Users + +The `User` model includes the fields `email`, `firstName`, `lastName`, `publicKey`, `encryptedPrivateKey`, `iv`, `tag`, `salt`, `verifier`, and `refreshVersion`. + +Infisical makes a usability-security tradeoff to give users convenient access to public-private key pairs across different devices upon login, solving key-storage and transfer challenges across device and browser mediums, in exchange for it storing `encryptedPrivateKey`. In any case, private keys are symmetrically encrypted locally by user passwords which are not sent to the server — this is done with SRP. + +## Secrets + +The `Secret` model includes the fields `workspace`, `type`, `user`, `environment`, `secretKeyCiphertext`, `secretKeyIV`, `secretKeyTag`, `secretKeyHash`, `secretValueCiphertext`, `secretValueIV`, `secretValueTag`, and `secretValueHash`. + +Each secret is symmetrically encrypted by the key of the project that it belongs to; that key's encrypted copies are stored in a separate `Key` collection. + +## Keys + +The `Key` model includes the fields `encryptedKey`, `nonce`, `sender`, `receiver`, and `workspace`. + +Infisical stores copies of project keys, one for each member of a project, encrypted under each member's public key. + +## Organizations and Workspaces + +The `Organization`, `Workspace`, `MembershipOrg`, and `Membership` models contain enrollment information for organizations and projects; they are used to check if users are authorized to retrieve select secrets. diff --git a/docs/getting-started/security/mechanics.mdx b/docs/getting-started/security/mechanics.mdx new file mode 100644 index 0000000000..814524d734 --- /dev/null +++ b/docs/getting-started/security/mechanics.mdx 
@@ -0,0 +1,24 @@ +--- +title: "Mechanics" +--- + +## Signup + +During account signup, a user confirms their email address via OTP, generates a public-private key pair to be stored locally (private keys are symmetrically encrypted by the user's newly-made password), and forwards SRP-related values and user identifier information to the server. This includes `email`, `firstName`, `lastName`, `publicKey`, `encryptedPrivateKey`, `iv`, `tag`, `salt`, `verifier`, and `organizationName`. + +Once authenticated via SRP, a user is issued a JWT and refresh token. The JWT token is stored in browser memory under a write-only class `SecurityClient` that appends the token to all future outbound requests requiring authentication. The refresh token is stored in an `HttpOnly` cookie and included in future requests to `/api/token` for JWT token renewal. This design side-steps potential XSS attacks on local storage. + + + Infisical authenticates users using the SRP protocol. With SRP, the server can + authenticate users without ever seeing their passwords. + + +## Invitation + +After signing up, a user can invite other users to their organization to partake in projects — An invitation here consists of an email verification link sent to the invitee to confirm their identity if they've not previously signed up to Infisical. Both organization and project invites authorize invitees for resources but project invites differ in that they also involve sharing project keys by encrypting them under the invitees' public keys. + +## Pushing/Pulling Secrets + +To push secrets, a sender randomly-generates a symmetric encryption key, uses that key to encrypt their secret keys and values separately, asymmetrically encrypts the key with the receivers’ public keys, and uploads the encrypted secrets and keys to the server. 
+ +To pull secrets, a receiver obtains encrypted secret keys and values and their encrypted copy of the project key to decrypt the secrets from the server — they asymmetrically decrypt the key using their private key and use the decrypted key to decrypt the secrets. This public-key mechanism prevents the server-side from reading any secrets. diff --git a/docs/getting-started/security/overview.mdx b/docs/getting-started/security/overview.mdx new file mode 100644 index 0000000000..edb95f4062 --- /dev/null +++ b/docs/getting-started/security/overview.mdx 
@@ -0,0 +1,20 @@ +--- +title: "Overview" +--- + +## Summary + +Infisical uses end-to-end encryption (E2EE) whenever possible to securely store and share secrets. It uses secure remote password (SRP) to handle authentication and public-key cryptography for secret sharing and syncing; secrets are symmetrically encrypted at rest by keys decryptable only by members of the project. + +Infisical uses AES256-GCM for symmetric encryption and x2519-xsalsa20-poly1305 for asymmetric encryption operations mentioned in this brief; key generation and asymmetric algorithms are implemented with the [TweetNaCl.js](https://tweetnacl.js.org/#/) library which has been well-audited and recommended for use by cybersecurity firm Cure53. Lastly, the secure remote password (SRP) implementation uses [jsrp](https://github.com/alax/jsrp) package for user authentication. As part of our commitment to user privacy and security, we aim to conduct formal security and compliance audits in the following year. + +## Scope + +Infisical's security model spans sensitive data stored on the server-side and in transit between user devices; it makes no security guarantees for malicious events that can occur beyond its control such as user-device security exploits or key-logging arising from poor cybersecurity management on the users’ behalf. + +## Lingo + +In subsequent sections, we refer: + +- To users uploading their secrets to Infisical as “senders” and those receiving secrets as “receivers". For instance, if Bob and Alice are both enrolled in a project and Bob adds new secrets to the project to be pulled by Alice, then Bob is considered to be the sender and Alice the receiver. +- To any activity involving uploading or modifying secrets to Infisical as "pushing" and fetching secrets from Infisical as "pulling." diff --git a/docs/getting-started/security/statement.mdx b/docs/getting-started/security/statement.mdx new file mode 100644 index 0000000000..60f6c2bd56 --- /dev/null 
+++ b/docs/getting-started/security/statement.mdx @@ -0,0 +1,11 @@ +--- +title: "Statement" +--- + +As a secrets manager, we are deeply committed to enforcing the privacy and security of all users and data on the platform but acknowledge that it is virtually impossible to guarantee perfect security; unfortunately, even the most secure systems have vulnerabilities. + +As part of our commitment, we do our best to maintain platform privacy and security, notify users if anything goes wrong, and rectify adverse situations immediately if anything happens. As Infisical grows, we will be adding more opt-in security measures to ensure better data protection and maintain trust within the growing community. With that, let’s make the most simple and secure secrets management system out there! + +Best, + +Infisical Team diff --git a/docs/images/project-integrations.png b/docs/images/project-integrations.png new file mode 100644 index 0000000000..90f50a8c42 Binary files /dev/null and b/docs/images/project-integrations.png differ diff --git a/docs/images/project-token-add.png b/docs/images/project-token-add.png new file mode 100644 index 0000000000..cd17b3027c Binary files /dev/null and b/docs/images/project-token-add.png differ diff --git a/docs/images/project-token-added.png b/docs/images/project-token-added.png new file mode 100644 index 0000000000..302a862803 Binary files /dev/null and b/docs/images/project-token-added.png differ diff --git a/docs/images/project-token-name.png b/docs/images/project-token-name.png new file mode 100644 index 0000000000..662fbb0f7f Binary files /dev/null and b/docs/images/project-token-name.png differ diff --git a/docs/images/signup-box.png b/docs/images/signup-box.png new file mode 100644 index 0000000000..ca3c27f973 Binary files /dev/null and b/docs/images/signup-box.png differ 
diff --git a/docs/images/signup-complete-account.png b/docs/images/signup-complete-account.png new file mode 100644 index 0000000000..d26bb576c1 Binary files /dev/null and b/docs/images/signup-complete-account.png differ diff --git a/docs/images/signup-otp.png b/docs/images/signup-otp.png new file mode 100644 index 0000000000..8bddb1a2d4 Binary files /dev/null and b/docs/images/signup-otp.png differ diff --git a/docs/integrations/docker.mdx b/docs/integrations/docker.mdx index 14038c9441..7d66f3db69 100644 --- a/docs/integrations/docker.mdx +++ b/docs/integrations/docker.mdx @@ -2,7 +2,9 @@ title: "Docker" --- -### Step 1: Add CLI to your Dockerfile +Prerequisite: [Infisical Token and How to Generate One](../../getting-started/dashboard/token). + +## Step 1: Add CLI to your Dockerfile 
@@ -29,32 +31,32 @@ title: "Docker" -### Step 2: Generate Infisical Token -In order for Infisical CLI to authenticate and retrieve your project's secrets without exposing your login credentials, you must generate a Infisical Token. -To learn how, visit [Infisical Token](../getting-started/cli/infisical-token). Once you have generated the token, keep it handy. +## Step 2: Generate Infisical Token -### Step 3: Set start command -```dockerfile -CMD ["infisical", "--env=", "projectId=", "run", "---", ""] -``` +In order for the CLI to authenticate and retrieve your project's secrets without requiring your login credentials, you must [generate an Infisical Token](../../getting-started/dashboard/token); keep it handy. + +## Step 3: Set start command of your container -Example ```dockerfile +CMD ["infisical", "--env=[your-project-env-name]", "projectId=[your-project-id]", "run", "---", ""] + +# example CMD ["infisical", "--env=prod", "projectId=62faf98ae0b05e83239b5da41", "run", "---", "npm run start"] ``` -| flag | Description | -| ------------ | ----------------------------------- | -| `--env` | This is the environment name the CLI will use to pull secrets from your project. -| `--projectId` | This is the project id of the token you generated in step 2. | -To learn more about the flags used above, please visit our [CLI guide](../getting-started/cli/cli-guide) +Required options: + +| Option | Description | Default value | +| ------------- | ----------------------------------------------------------------------------------------------------------- | ------------- | +| `--env` | Used to set the environment that secrets are pulled from. Accepted values: `dev`, `staging`, `test`, `prod` | `dev` | +| `--projectId` | Used to link a local project to the platform | `None` | -### Last step: Tell Docker your Infisical Token +## Step 4: Feed Docker your Infisical Token -The Infisical CLI looks out for a environment variable called `INFISICAL_TOKEN`. 
To expose this environment variable to -your container do the following when running the `docker run` command. Remember, the `INFISICAL_TOKEN` is the token you generated in -step 2. +The CLI looks out for an environment variable called the `INFISICAL_TOKEN` which you can set depending on where you run the CLI. If `INFISICAL_TOKEN` is detected by the CLI, it will authenticate and retrieve the environment variables which the token is authorized for. ```bash docker run --env INFISICAL_TOKEN=... -``` \ No newline at end of file +``` + +Note: `INFISICAL_TOKEN` is the token you generated in step 2. diff --git a/docs/mint.json b/docs/mint.json index e879b4092b..4ee36a37cb 100644 --- a/docs/mint.json +++ b/docs/mint.json @@ -27,11 +27,6 @@ "url": "https://infisical.com/signup" }, "anchors": [ - { - "name": "Security", - "icon": "shield-halved", - "url": "https://infisical.com/security" - }, { "name": "Blog", "icon": "newspaper", @@ -44,19 +39,34 @@ "pages": [ "getting-started/introduction", "getting-started/features", + { + "group": "Security", + "pages": [ + "getting-started/security/overview", + "getting-started/security/data-model", + "getting-started/security/mechanics", + "getting-started/security/statement" + ] + }, { "group": "Web UI", "pages": [ "getting-started/dashboard/create-account", "getting-started/dashboard/organization", - "getting-started/dashboard/project" + "getting-started/dashboard/project", + "getting-started/dashboard/integrations", + "getting-started/dashboard/token" ] }, { "group": "Command Line", - "pages": ["getting-started/cli/installation", "getting-started/cli/cli-guide", "getting-started/cli/infisical-token"] - }, - "getting-started/infiscial-token" + "pages": [ + "getting-started/cli/installation", + "getting-started/cli/cli-guide", + "getting-started/cli/token", + "getting-started/cli/reference" + ] + } ] }, { 
diff --git a/docs/self-hosting/configuration/envars.mdx b/docs/self-hosting/configuration/envars.mdx index 083bfc24dd..3a22d627be 100644 --- a/docs/self-hosting/configuration/envars.mdx +++ b/docs/self-hosting/configuration/envars.mdx 
@@ -15,16 +15,16 @@ Configuring Infisical requires setting some environment variables. There is a fi | `JWT_SIGNUP_SECRET` | ❗️JWT token secret | `None` | | `JWT_REFRESH_SECRET` | ❗️ JWT token secret | `None` | | `JWT_AUTH_SECRET` | ❗️ JWT token secret | `None` | -| `JWT_SECRET_SECRET` | ❗️ JWT token secret | `None` | | `JWT_SIGNUP_LIFETIME` | JWT token lifetime expressed in seconds or a string describing a time span (e.g. 60, "2 days", "10h", "7d") | `15m` | | `JWT_REFRESH_LIFETIME` | JWT token lifetime expressed in seconds or a string describing a time span (e.g. 60, "2 days", "10h", "7d") | `90d` | | `JWT_AUTH_LIFETIME` | JWT token lifetime expressed in seconds or a string describing a time span (e.g. 60, "2 days", "10h", "7d") | `10d` | | `EMAIL_TOKEN_LIFETIME` | Email OTP/magic-link lifetime expressed in seconds | `86400` | | `MONGO_URL` | ❗️ MongoDB instance connection string either to container instance or MongoDB Cloud | `None` | -| `MONGO_USERNAME` | MongoDB container username | `None` | -| `MONGO_PASSWORD` | MongoDB container password | `None` | +| `MONGO_INITDB_ROOT_USERNAME` | MongoDB container username | `None` | +| `MONGO_INITDB_ROOT_PASSWORD` | MongoDB container password | `None` | | `ME_CONFIG_MONGODB_ADMINUSERNAME` | Same as `MONGO_USERNAME` for mongo-express in development | `None` | | `ME_CONFIG_MONGODB_ADMINPASSWORD` | Same as `MONGO_PASSWORD` for mongo-express in development | `None` | +| `NODE_ENV` | ❗️ `production` or `development` | `None` | | `NEXT_PUBLIC_WEBSITE_URL` | ❗️ Site URL - should be an absolute URL including the protocol (e.g. `https://infisical.com`) | `None` | | `SMT_HOST` | Whether the user joined the community | `smtp.gmail.com` | | `SMTP_NAME` | ❗️ Whether the user joined the community | `None` | diff --git a/docs/self-hosting/deployments/linux.mdx b/docs/self-hosting/deployments/linux.mdx index c9c37818e9..282dacc38c 100644 --- a/docs/self-hosting/deployments/linux.mdx +++ b/docs/self-hosting/deployments/linux.mdx 
@@ -27,18 +27,17 @@ apt install docker-compose ```bash # Download env file template -wget -O .env https://raw.githubusercontent.com/Infisical/infisical-merge/main/.env.example +wget -O .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example # Download docker compose template -wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical-merge/main/docker-compose.yml -wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical-merge/main/docker-compose.prod.yml +wget -O docker-compose.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.yml # Download nginx config -mkdir nginx && cd nginx && wget -O https://raw.githubusercontent.com/Infisical/infisical-merge/main/nginx/default.conf +mkdir nginx && cd nginx && wget -O https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.conf cd .. ``` -3. Tweak the `.env` according to your preferences. Refer to the available [environment variables](envars). +3. Tweak the `.env` according to your preferences. Refer to the available [environment variables](../../self-hosting/configuration/envars) ```bash # update environment variables like mongo login @@ -49,7 +48,7 @@ nano .env ```bash # Start up services in detached mode -docker-compose -f docker-compose.yaml -f docker-compose.prod.yml up -d +docker-compose -f docker-compose.prod.yml up -d ``` -5. Your Infisical installation is complete. Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to set up a firewall and implement any additional security measures. +5. Your Infisical installation is complete and should be running on ports 40 and 443. Please note that the containers are not exposed to the internet and only bind to the localhost. It's up to you to configure a firewall, SSL certificates, and implement any additional security measures. 
diff --git a/docs/self-hosting/overview.mdx b/docs/self-hosting/overview.mdx index f12a03a819..d096c42e4e 100644 --- a/docs/self-hosting/overview.mdx +++ b/docs/self-hosting/overview.mdx @@ -1,6 +1,5 @@ --- title: "Overview" -description: "Options for hosting Infisical" ---
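Review bot: in the docs/getting-started/docker.mdx hunk (Step 3), the CMD template and the example pass the project id as `projectId=[your-project-id]` with no leading `--`, while the options table a few lines below documents the flag as `--projectId`; one of the two is wrong and a reader copying the CMD will hand the CLI a misparsed positional argument. In the same lines the separator is written as `"---"` (three dashes), which looks like a typo for the conventional end-of-options `--`, and the example puts `"npm run start"` into a single exec-form array element, so `infisical run` receives one argument containing spaces rather than `npm`, `run`, `start`. Suggest `CMD ["infisical", "--env=prod", "--projectId=62faf98ae0b05e83239b5da41", "run", "--", "npm", "run", "start"]` (keeping the page's flag order) and the matching fix in the template line. Two smaller points in the same hunk: the table is introduced as "Required options" yet gives `--env` a default of `dev`, so either the default or the "Required" wording should go; and in Step 4, `docker run --env INFISICAL_TOKEN=...` places the token on the command line, where it is kept in shell history and is readable with `docker inspect` on the running container, so the note under the block should point readers to `--env-file` or to `--env INFISICAL_TOKEN` with the value inherited from the host environment instead of a literal value. Also "called the `INFISICAL_TOKEN`" reads better as "called `INFISICAL_TOKEN`".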
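Review bot: in the second docs/mint.json hunk (`@@ -44,19 +39,34 @@`), the new navigation references `getting-started/security/overview`, `getting-started/security/data-model`, `getting-started/security/mechanics`, `getting-started/security/statement`, `getting-started/dashboard/integrations`, `getting-started/dashboard/token`, `getting-started/cli/token` and `getting-started/cli/reference`, but none of those files are added anywhere in this diff, and the old `getting-started/cli/infisical-token` entry is dropped while it is the page the removed docker.mdx text used to link to. Please confirm the new pages are part of this PR (or a preceding one), otherwise the nav will carry dead entries; removing the misspelled stray `"getting-started/infiscial-token"` entry is a welcome cleanup.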
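Review bot: in the docs/self-hosting/configuration/envars.mdx hunk, the rows for `MONGO_USERNAME` and `MONGO_PASSWORD` are renamed to `MONGO_INITDB_ROOT_USERNAME` and `MONGO_INITDB_ROOT_PASSWORD`, but the two unchanged `ME_CONFIG_MONGODB_ADMINUSERNAME` / `ME_CONFIG_MONGODB_ADMINPASSWORD` rows directly below still say "Same as `MONGO_USERNAME`" and "Same as `MONGO_PASSWORD`", which now point at variables that no longer exist in the table. While touching this table, the context rows `SMT_HOST` (presumably `SMTP_HOST`) and `SMTP_NAME` carry the description "Whether the user joined the community", which is a copy-paste error unrelated to SMTP, and the three `JWT_*_SECRET` rows all read just "JWT token secret"; a one-line hint that each should be a distinct, randomly generated value would save operators from reusing one string across all three.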
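Review bot: in the first docs/self-hosting/deployments/linux.mdx hunk (`@@ -27,18 +27,17 @@`), the new line `mkdir nginx && cd nginx && wget -O https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.conf` is still broken: `-O` consumes the next word as the output filename, so the URL becomes the file name and wget is left with nothing to fetch. It should be `wget -O default.conf https://raw.githubusercontent.com/Infisical/infisical/main/nginx/default.conf`, matching the `-O .env` and `-O docker-compose.yml` forms above it.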
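Review bot: in the second docs/self-hosting/deployments/linux.mdx hunk (`@@ -49,7 +48,7 @@`), the start command becomes `docker-compose -f docker-compose.prod.yml up -d`, but the download step in the previous hunk now saves the compose file as `docker-compose.yml` (and the line fetching `docker-compose.prod.yml` was removed), so the file named here does not exist on the host after following the steps; either download it under the name `docker-compose.prod.yml` or run `docker-compose up -d` against the file actually written. In the same hunk, "running on ports 40 and 443" looks like a typo for 80 and 443, and the sentence that follows says the containers bind only to localhost, so it is worth stating plainly that the nginx config in step 2 needs a reverse-proxy or firewall rule before anything is reachable from outside.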
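Review bot: in the docs/self-hosting/overview.mdx hunk, dropping the `description: "Options for hosting Infisical"` frontmatter line removes the page summary that the docs framework uses for navigation previews and metadata; if the intent is only to shorten the frontmatter, consider keeping a one-line description rather than deleting it.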