Redis serves as both a caching layer and a persistent job queue in Infisical. Unlike typical cache-only use cases, Infisical relies on Redis to durably store background job data, making persistence a hard requirement.Documentation Index
Fetch the complete documentation index at: https://infisical-docs-self-host-infra.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
What it stores
| Data | Description |
|---|---|
| Cache | Frequently accessed data and configurations, reducing load on PostgreSQL |
| Background Job Queues | Jobs for secret syncs to third-party integrations, secret rotations, scheduled tasks, webhook deliveries, and audit log processing |
| Job State | Metadata for in-progress, completed, and failed jobs including retry information |
| Session Data | Active user session tokens and ephemeral authentication state |
Supported modes
| Mode | Supported |
|---|---|
| Standalone (Single Node) | Yes |
| Sentinel (High Availability) | Yes |
| Cluster | Yes |
| Active-Active Geo-Replication | No |
Configuration
Configure Redis connectivity by setting the following environment variables on your Infisical instance.- Redis Standalone
- Redis Sentinel
- Redis Cluster
- Redis Read Replica
Redis connection string. For SSL/TLS connections, use the
rediss:// protocol (note the double ‘s’).Examples:- Without SSL:
redis://localhost:6379 - With SSL:
rediss://localhost:6379 - With authentication:
redis://:password@localhost:6379 - With SSL and authentication:
rediss://:password@localhost:6379
SSL/TLS
To connect to Redis with SSL/TLS, use therediss:// protocol (note the double ‘s’) in your connection string.
If your Redis server uses a certificate signed by a private CA or a self-signed certificate, set the NODE_EXTRA_CA_CERTS environment variable to the path of your CA certificate file:
REDIS_SENTINEL_ENABLE_TLS or REDIS_CLUSTER_ENABLE_TLS environment variables respectively.
Impact of data loss
Redis data loss is disruptive but recoverable. Unlike PostgreSQL, Redis does not hold the source of truth — secrets and configurations remain safe in PostgreSQL. However, the impact depends on what was in Redis at the time:- Cache loss: No lasting impact. The cache repopulates automatically as read requests come in. You may see a temporary spike in PostgreSQL load until the cache warms up.
- Queue loss: Pending background jobs are lost. In-flight operations such as secret syncs to third-party integrations, pending secret rotations, or scheduled webhook deliveries will not complete. These operations will need to be re-triggered manually or will recover on the next scheduled cycle.
Why persistence is required
Infisical uses Redis to manage background job queues. These queues handle operations that must eventually complete:- Syncing secrets to external providers (AWS Secrets Manager, GCP Secret Manager, etc.)
- Rotating credentials on a schedule
- Delivering webhooks
- Processing audit logs
Recommendations
- Enable persistence using AOF (
appendonly yes) withappendfsync everysecfor a good balance between durability and performance. RDB snapshots can be used as an additional safety net. - Set eviction policy to
noevictionto prevent Redis from silently dropping queue data under memory pressure. - Use Redis 6.2+. Infisical supports Redis versions 6.x and 7.x, with 6.2 as the minimum recommended version.
- High availability: Use Redis Sentinel or a managed Redis service with automatic failover.
- Monitor memory usage. Because
noevictionis required, Redis will reject new writes if it runs out of memory rather than evicting data. Ensure sufficient memory is provisioned for your workload.