Infisical · adilsitos · Apr 2, 2026
diff --git a/backend/src/lib/api-docs/constants.ts b/backend/src/lib/api-docs/constants.ts
@@ -1257,7 +1257,9 @@ export const RAW_SECRETS = {
     metadataFilter:
       "Unencrypted secret metadata key-value pairs used to filter secrets. Only metadata with unencrypted values is supported. When querying for multiple metadata pairs, the query is treated as an AND operation. Secret metadata format is key=value1,value=value2|key=value3,value=value4.",
     includePersonalOverrides:
-      "Whether or not to include personal secrets in the response. When enabled, personal secrets will be included in the response. Shared secrets will still be included, but personal secrets will take priority, and the corresponding shared secrets will be replaced with the personal secrets."
+      "Whether or not to include personal secrets in the response. When enabled, personal secrets will be included in the response. Shared secrets will still be included, but personal secrets will take priority, and the corresponding shared secrets will be replaced with the personal secrets.",
+    filterInaccessibleSecrets:
+      "Whether or not to filter out secrets that the user does not have access to read the value of. When enabled, secrets that the user does not have the ReadValue permission for will be removed entirely from the response."
   },
   CREATE: {
     secretName: "The name of the secret to create.",

diff --git a/backend/src/server/routes/v4/secret-router.ts b/backend/src/server/routes/v4/secret-router.ts
@@ -130,6 +130,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         recursive: convertStringBoolean().describe(RAW_SECRETS.LIST.recursive),
         includePersonalOverrides: convertStringBoolean().describe(RAW_SECRETS.LIST.includePersonalOverrides),
         includeImports: convertStringBoolean(true).describe(RAW_SECRETS.LIST.includeImports),
+        filterInaccessibleSecrets: convertStringBoolean().describe(RAW_SECRETS.LIST.filterInaccessibleSecrets),
         tagSlugs: z
           .string()
           .describe(RAW_SECRETS.LIST.tagSlugs)
@@ -200,6 +201,7 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
         includeImports: req.query.includeImports,
         recursive: req.query.recursive,
         tagSlugs: req.query.tagSlugs,
+        filterInaccessibleSecrets: req.query.filterInaccessibleSecrets,
         ifNoneMatch: req.headers["if-none-match"]
       });
 

diff --git a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -1151,6 +1151,7 @@ export const secretV2BridgeServiceFactory = ({
       expandSecretReferences: shouldExpandSecretReferences,
       expandPersonalOverrides,
       personalOverridesBehavior,
+      filterInaccessibleSecrets,
       throwOnMissingReadValuePermission = true,
       ifNoneMatch,
       ...params
@@ -1330,6 +1331,23 @@ export const secretV2BridgeServiceFactory = ({
           return false;
         }
 
+        if (filterInaccessibleSecrets) {
+          const canReadValue = hasSecretReadValueOrDescribePermission(
+            permission,
+            ProjectPermissionSecretActions.ReadValue,
+            {
+              environment,
+              secretPath: groupedPaths[el.folderId][0].path,
+              secretName: el.key,
+              secretTags: el.tags.map((i) => i.slug)
+            }
+          );
+
+          if (!canReadValue) {
+            return false;
+          }
+        }
+
         if (viewSecretValue) {
           // Recursive secret, should be filtered out
           if (groupedPaths[el.folderId][0].path !== path) {
@@ -1547,7 +1565,7 @@ export const secretV2BridgeServiceFactory = ({
           }
         );
 
-        return viewSecretValue ? canDescribe && canReadValue : canDescribe;
+        return viewSecretValue || filterInaccessibleSecrets ? canDescribe && canReadValue : canDescribe;
       }
     });
 

diff --git a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@@ -46,6 +46,7 @@ export type TGetSecretsDTO = {
   recursive?: boolean;
   tagSlugs?: string[];
   viewSecretValue: boolean;
+  filterInaccessibleSecrets?: boolean;
   throwOnMissingReadValuePermission?: boolean;
   metadataFilter?: {
     key?: string;

diff --git a/backend/src/services/secret/secret-service.ts b/backend/src/services/secret/secret-service.ts
@@ -1431,6 +1431,7 @@ export const secretServiceFactory = ({
     expandPersonalOverrides,
     recursive,
     tagSlugs = [],
+    filterInaccessibleSecrets = false,
     throwOnMissingReadValuePermission = true,
     ifNoneMatch,
     ...paramsV2
@@ -1447,7 +1448,8 @@ export const secretServiceFactory = ({
         actor,
         actorOrgId,
         viewSecretValue,
-        throwOnMissingReadValuePermission,
+        filterInaccessibleSecrets,
+        throwOnMissingReadValuePermission: filterInaccessibleSecrets ? false : throwOnMissingReadValuePermission,
         environment,
         path,
         recursive,

diff --git a/backend/src/services/secret/secret-types.ts b/backend/src/services/secret/secret-types.ts
@@ -212,6 +212,7 @@ export type TGetSecretsRawDTO = {
   path: string;
   environment: string;
   viewSecretValue: boolean;
+  filterInaccessibleSecrets?: boolean;
   throwOnMissingReadValuePermission?: boolean;
   includeImports?: boolean;
   recursive?: boolean;