Skip to main content

Documentation Index

Fetch the complete documentation index at: https://infisical-saif-eng-4890-add-support-for-oracle-db-access-in.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

This guide covers setting up the relay and gateway components for local PAM (Privileged Access Management) development. It assumes you already have the Infisical platform running locally.
If you haven’t set up the Infisical platform yet, follow the local development guide first.

Local Development Setup

In a local dev environment, the Infisical platform runs inside Docker while the relay and gateway run directly on your host machine:
ComponentWhere it runsWhat it does
Infisical PlatformDockerBackend API, database, Redis
Relay ServerHost machineRoutes traffic between backend and gateway
GatewayHost machineProxies connections to local resources
The relay uses host.docker.internal so the Dockerized backend can reach it on your host machine.
For more details on the production architecture, see:

Prerequisites

  • Infisical platform running locally via docker compose -f docker-compose.dev.yml up
  • Go installed
  • A machine identity with Token Auth configured (see Token Auth docs)

Clone the CLI Repository

The relay and gateway live in the Infisical CLI repository. For local development, run them via go run main.go rather than the pre-built binary: 
git clone https://github.com/Infisical/cli.git
cd cli

Start the Relay Server

From the CLI repository root: 
go run main.go relay start \
  --name=local-relay \
  --token=<your-token> \
  --domain=http://localhost:8080 \
  --host=host.docker.internal
Use host.docker.internal because the Infisical backend runs inside Docker and needs to reach the relay on your host machine.
Verify registration at Organization Settings > Networking > Relays. For all available flags, see the Relay CLI Reference.

Start the Gateway

In a new terminal, from the CLI repository root: 
go run main.go gateway start \
  --token=<your-token> \
  --domain=http://localhost:8080 \
  --target-relay-name=local-relay \
  --name=local-gateway \
  --pam-session-recording-path=$(pwd)/session
Verify registration at Organization Settings > Networking > Gateways. For all available flags, see the Gateway CLI Reference.

Quick Reference

ComponentCommand
Relaygo run main.go relay start --name=local-relay --token=<token> --domain=http://localhost:8080 --host=host.docker.internal
Gatewaygo run main.go gateway start --token=<token> --domain=http://localhost:8080 --target-relay-name=local-relay --name=local-gateway --pam-session-recording-path=$(pwd)/session

Seed Test Resources

Once your relay and gateway are up, you still need actual databases and SSH servers to point PAM at. Spinning those up by hand — running each container, creating users, then clicking through the UI to register every resource and account — is the slow part of any PAM dev loop. The dev/pam dev stack in the Infisical CLI repo does both in one shot: it boots the resources you pick in .env, pre-seeded with users and sample data, then registers each one as a PAM resource + account in your local Infisical against the gateway you just started. 
ENABLE_POSTGRES=true
ENABLE_MYSQL=false
ENABLE_MSSQL=false
ENABLE_MONGODB=false
ENABLE_REDIS=true
ENABLE_SSH_PASSWORD=false
ENABLE_SSH_KEY=false
After make up, you get a connection table along with the CLI command and web access URL for each resource — no need to dig through the Infisical UI to grab them, just copy and use: 
PAM dev stack — connection details:

resource              host       port   user       password       extras
postgres              127.0.0.1  55432  infisical  Infisical@123  db=infisical
redis                 127.0.0.1  55479  infisical  Infisical@123

Access snippets:
postgres (local01-2026-04-25-postgres / local01-2026-04-25-postgres-account)
  CLI:  go run main.go pam db access --resource ... --account ... --duration 1h
  Web:  http://localhost:8080/organizations/<org>/projects/pam/<project>/resources/postgres/<rid>/accounts/<aid>/access
Useful for faster development and reviews, reproducing issues, and testing across multiple resource types. See the dev/pam README for setup, env vars, and the full list of make targets. You’re not locked into this stack — PAM works against anything reachable from the gateway, so you can also point it at your own containers or cloud-hosted resources (DigitalOcean, AWS, etc.) when you need to test against something closer to production.

Troubleshooting

Ensure the backend is fully started before running relay/gateway. Check logs:
docker compose -f docker-compose.dev.yml logs -f backend
  • Verify relay is running and registered in the UI
  • Check --target-relay-name matches relay’s --name
  • Ensure port 2222 is not blocked
  • Check resource connection details are correct
  • Ensure target resource is running and accessible from your machine

Next Steps