Infisical · devin-ai-integration · Jun 17, 2026 · greptile-apps · Jun 17, 2026
diff --git a/apis/externalsecrets/v1beta1/secretsstore_infisical_types.go b/apis/externalsecrets/v1beta1/secretsstore_infisical_types.go
@@ -50,4 +50,8 @@ type InfisicalProvider struct {
 	// +kubebuilder:default="https://app.infisical.com/api"
 	// +optional
 	HostAPI string `json:"hostAPI,omitempty"`
+	// OrganizationSlug is the slug of the organization to authenticate with.
+	// Required when the machine identity has access to multiple organizations (e.g. sub-organizations).
+	// +optional
+	OrganizationSlug string `json:"organizationSlug,omitempty"`
 }
diff --git a/pkg/provider/infisical/api/api.go b/pkg/provider/infisical/api/api.go
@@ -60,14 +60,15 @@ func NewAPIClient(baseURL string) (*InfisicalClient, error) {
 	return api, nil
 }
 
-func (a *InfisicalClient) SetTokenViaMachineIdentity(clientID, clientSecret string) error {
+func (a *InfisicalClient) SetTokenViaMachineIdentity(clientID, clientSecret, organizationSlug string) error {
 	if a.token != "" {
 		return nil
 	}
 
 	loginResponse, err := a.MachineIdentityLoginViaUniversalAuth(MachineIdentityUniversalAuthLoginRequest{
-		ClientID:     clientID,
-		ClientSecret: clientSecret,
+		ClientID:         clientID,
+		ClientSecret:     clientSecret,
+		OrganizationSlug: organizationSlug,
 	})
 	if err != nil {
 		return err

diff --git a/pkg/provider/infisical/api/api_models.go b/pkg/provider/infisical/api/api_models.go
@@ -26,8 +26,9 @@ type MachineIdentityDetailsResponse struct {
 }
 
 type MachineIdentityUniversalAuthLoginRequest struct {
-	ClientID     string `json:"clientId"`
-	ClientSecret string `json:"clientSecret"`
+	ClientID         string `json:"clientId"`
+	ClientSecret     string `json:"clientSecret"`
+	OrganizationSlug string `json:"organizationSlug,omitempty"`
 }
 
 type RevokeMachineIdentityAccessTokenRequest struct {

diff --git a/pkg/provider/infisical/provider.go b/pkg/provider/infisical/provider.go
@@ -86,7 +86,7 @@ func (p *Provider) NewClient(ctx context.Context, store esv1beta1.GenericStore,
 			return nil, err
 		}
 
-		if err := apiClient.SetTokenViaMachineIdentity(clientID, clientSecret); err != nil {
+		if err := apiClient.SetTokenViaMachineIdentity(clientID, clientSecret, infisicalSpec.OrganizationSlug); err != nil {
 			return nil, fmt.Errorf("failed to authenticate via universal auth %w", err)
 		}