# Secret Insights

> Monitor upcoming rotations, reminders, stale secrets, and secret access patterns across your project.

<Note>
  Secret Insights is a paid feature.

  On Infisical Cloud it is available on the Pro and Enterprise plans. If you're self-hosting Infisical, contact [sales@infisical.com](mailto:sales@infisical.com) to acquire a license.
</Note>

Secret Insights is an observability dashboard for your Secrets Management project. It surfaces the questions you care about most — *Which secrets are due for rotation? Which reminders are overdue? What hasn't been touched in months? Who's actually reading my secrets?* — and links you straight to the secrets you need to act on.

The page is read-only. Every metric is computed from data already collected by Infisical (rotation schedules, reminders, secret modification times, access logs), so there's nothing to configure to start using it.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/overview.png" alt="Secret Insights dashboard" />

## Accessing Insights

From a Secret Manager project, open the **Insights** tab in the project sidebar. The page is divided into four sections:

* **Summary Cards** — three at-a-glance counters for rotations, reminders, and stale secrets.
* **Audit Reports** — generate point-in-time compliance exports.
* **Rotation & Reminder Calendar** — a month-by-month view of every upcoming rotation and reminder.
* **Secret Access Volume** — read-request trends over the past 7 days, plus the top callers.
* **Authentication Methods** — how identities are authenticating to read secrets, over the past 30 days.

The page also includes an **Audit Reports** card for generating exportable compliance reports — see [Audit Reports](#audit-reports).

## Summary

The three cards along the top of the page give you a quick read on what needs attention. Each card opens a popover with a table you can drill into; clicking a row jumps directly to the matching secret in the **Overview** page with the appropriate filters applied.

### Upcoming Rotations

Counts secret rotations scheduled to run in the **next 7 days**.

A status badge on the card calls out failed rotations:

* A green badge reads **No failed rotations** when everything is healthy.
* A red badge shows **{N} failed** when one or more rotations are in a failed state and need investigation.

Click **View Rotations** (or **View Failed Rotations**) to see the full list. Each row shows the rotation name, environment, secret path, and a relative-time status (`scheduled`, `in 3 days`, `retries in 1h`, or `failed`). Click a row to open that rotation's secret in the Overview page filtered by rotation.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/rotations.png" alt="Secret Insights rotation" />

### Upcoming Reminders

Counts secret reminders due in the **next 7 days**.

A status badge calls out overdue reminders:

* A green badge reads **No overdue reminders** when you're caught up.
* A red badge shows **{N} overdue** when reminders have passed their due date without being acknowledged.

Click **View Upcoming Reminders** (or **View Overdue Reminders**) to see the list. Each row shows the secret key, environment, path, and how soon it's due (or how long it's been overdue). Click a row to jump to that secret in the Overview page.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/reminders.png" alt="Secret Insights reminders" />

### Stale Secrets

Counts secrets that **haven't been modified in more than 90 days**.

The card shows either **All secrets up to date** when nothing is stale, or **{N} need(s) review** when there are stale secrets to look at. The popover table is paginated 10 rows at a time and shows each secret's key, environment, path, and last-modified time. Click a row to open it in Overview.

Stale secrets aren't necessarily a problem — long-lived configuration values are normal. The list is meant as a prompt to review whether anything should be rotated, removed, or refreshed.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/stale.png" alt="Secret Insights stale secrets" />

## Audit Reports

Audit Reports let you generate point-in-time compliance exports for a Secrets Management project — stale secrets, duplicate values, validation-rule violations, rotation status, upcoming reminders, and secret access history — and deliver them to one or more recipients as CSV attachments (one file per report type) in an email.

Where the rest of the Insights dashboard is a live, read-only view, an Audit Report is a snapshot you can hand to an auditor, attach to a ticket, or archive for SOC 2 / ISO 27001 evidence. You'll find it as the **Audit Reports** card on the Insights page.

<Warning>
  Audit reports can contain sensitive metadata — secret keys, paths, access patterns, and recipient emails. They are delivered by email to the addresses you specify; only send reports to recipients you trust, and treat the CSV as confidential.
</Warning>

### Generating a report

1. Open the **Insights** tab and find the **Audit Reports** card.
2. Click **Generate Report**.
3. In the dialog, select one or more [report types](#report-types).
4. (Optional) Enter one or more **email recipients**, comma-separated. If you leave this blank, the report is sent to your own email.
5. Click **Generate Report**.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/audit-reports/generate-report.png" alt="overview-screen" />

The request is queued and generated in the background. When it finishes, every recipient receives an email with one CSV file attached per requested report. You can keep working — the report's status updates live in the history table.

<Note>
  Report generation is asynchronous. A project can have at most one report generating at once.
</Note>

### Report history

The Audit Reports card lists previously requested reports, newest first, paginated (10 per page by default). Each row shows:

* **Reports** — the report type(s) included in that request. Hover to see the full list when multiple are combined.
* **Recipients** — the email addresses of the recipients who have received the audit report.
* **Status** — the generation status (see below). Hover a **Failed** or **Partial** badge for details.
* **Requested** — when the report was requested.

Use the trash icon on a row to delete a report from the history (requires the `Delete` permission).

| Status         | Meaning                                                                 |
| -------------- | ----------------------------------------------------------------------- |
| **Pending**    | Queued, not yet started.                                                |
| **Generating** | Currently being generated.                                              |
| **Completed**  | Generated and emailed successfully.                                     |
| **Partial**    | Delivered, but at least one report hit the row limit and was truncated. |
| **Failed**     | Generation failed. Hover the badge for the error message.               |

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/audit-reports/report-history.png" alt="report-history" />

### Report types

A single request can include any combination of the following. Each becomes its own labelled section in the CSV.

| Report                           | What it contains                                                                                                                                                                        |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Stale Secrets**                | Secrets not updated within the last 90 days, with their last-updated time and age in days.                                                                                              |
| **Duplicate Secrets**            | Secrets that share the same value across environments and paths, grouped together. Requires the project's secret blind-index to be enabled.                                             |
| **Secret Validation Compliance** | Stored secrets that violate a secret validation rule covering them — for example, a secret created before a rule existed, or one that no longer meets a length/regex/prefix constraint. |
| **Upcoming Rotations**           | Secret rotations scheduled within the next 7 days.                                                                                                                                      |
| **Failed Rotations**             | Secret rotations currently in a failed state.                                                                                                                                           |
| **Upcoming Reminders**           | Secret reminders due within the next 7 days.                                                                                                                                            |
| **Secret Access Log**            | Who accessed secrets over the last 30 days (actor, event type, secret, environment, path, IP, timestamp).                                                                               |

## Rotation & Reminder Calendar

The calendar panel shows every upcoming rotation and reminder laid out on a month grid, so you can see the cadence of upcoming work at a glance.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/calendar.png" alt="Rotation & Reminder Calendar" />

**Navigation.** Use the chevrons in the panel header to move between months. The current day is highlighted with a colored border.

**Event pills.** Each day cell shows up to two events; when there are more, the second slot is replaced by a **+N more** pill that expands the rest. Pills are color-coded:

| Color                     | Event Type |
| ------------------------- | ---------- |
| Blue, with a refresh icon | Rotation   |
| Orange, with a bell icon  | Reminder   |

**Event details.** Click a pill to view its details, then use the **View in Overview** button to jump to the corresponding secret in the project Overview with filters applied.

## Secret Access Volume

This panel shows how many times secrets have been read across the project over the **past 7 days**, plotted as a daily area chart.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/access.png" alt="Secret Access Volume" />

Each point represents the total number of read requests on that day, regardless of which secret was read or how it was read (UI, CLI, SDK, API, agent, operator, etc.).

Below the chart, the **Top actors** row lists the up-to-five identities that issued the most read requests in the same 7-day window, along with their request counts. Actor entries are formatted as `{type}: {name} ({count})` — for example, `Service: ci-runner (5,234)` or `User: alex@acme.com (812)`.

Use this panel to spot unusual spikes, identify the heaviest consumers of your secrets, and confirm that traffic patterns match what you expect from your services.
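The same review can be run offline against a **Secret Access Log** export. The following is an added example, not Infisical code: it recomputes daily read counts and the top-five actors in the `{type}: {name} ({count})` format, and flags spike days. The CSV column names, the sample rows, and the median-based spike rule are all assumptions made for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Assumed header row; the page lists the fields but not their exact column names.
HEADER = "actor_type,actor_name,event_type,secret,environment,path,ip,timestamp"

def constructed_sample():
    """Constructed data: steady traffic plus one burst from an unfamiliar identity."""
    plan = [("Service", "ci-runner", range(1, 8), 20),     # 20 reads/day, May 1-7
            ("User", "alex@acme.com", range(1, 8), 3),     # 3 reads/day, May 1-7
            ("Service", "batch-export", [6], 150)]         # 150 reads on May 6 only
    rows = [HEADER]
    for atype, name, days, per_day in plan:
        for day in days:
            for i in range(per_day):
                rows.append(f"{atype},{name},read,DB_PASSWORD,prod,/,203.0.113.10,"
                            f"2024-05-{day:02d}T10:{i % 60:02d}:00")
    return "\n".join(rows)

def summarize(csv_text, now, window_days=7, top_n=5, spike_factor=3.0):
    """Return (daily_counts, top_actor_labels, spike_days) for the trailing window."""
    start = (now - timedelta(days=window_days - 1)).date()
    daily = {start + timedelta(days=i): 0 for i in range(window_days)}
    actors = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = datetime.fromisoformat(row["timestamp"]).date()
        if day not in daily:              # row falls outside the window
            continue
        daily[day] += 1                   # every row is treated as one read request
        actors[(row["actor_type"], row["actor_name"])] += 1
    # Same label format the Top actors row uses, with thousands separators.
    top = [f"{t}: {n} ({c:,})" for (t, n), c in actors.most_common(top_n)]
    # Assumed heuristic: a day is a spike if it exceeds spike_factor x the median day.
    baseline = max(median(daily.values()), 1)
    spikes = [d for d, c in daily.items() if c > spike_factor * baseline]
    return daily, top, spikes

if __name__ == "__main__":
    daily, top, spikes = summarize(constructed_sample(), datetime(2024, 5, 7, 12, 0))
    for d, c in daily.items():
        print(d, c, "<-- spike" if d in spikes else "")
    print("Top actors:", "; ".join(top))
```

An actor that appears in the top list only because of a single spike day, like the constructed `batch-export` identity here, is the kind of entry worth tracing back to its owner.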

## Authentication Methods

This panel shows the distribution of authentication methods used to read secrets over the **past 30 days**, plotted as a donut chart with a breakdown table beside it.

<img src="https://mintlify.s3.us-west-1.amazonaws.com/infisical-pam-revamp/images/platform/insights/auth.png" alt="Authentication Methods" />

Each slice represents an auth method (for example, Universal Auth, Kubernetes Auth, AWS Auth, Token Auth, JWT). The breakdown shows the method name, percentage of total reads, and absolute request count, with a **Total** row at the bottom.

You may see an **Unknown** bucket. This represents older read requests that were issued before Infisical began recording the auth method on each request. Only newer requests carry this metadata, so the Unknown share will shrink over time as historical data ages out of the 30-day window.

Use this panel to understand how your workloads are authenticating, spot identities still using older auth methods you'd like to retire, and verify that auth-method migrations are taking effect.
