From 51faacf7df1b0d2c4facee15cd0215e5bd92c42f Mon Sep 17 00:00:00 2001
From: Abdulmoiz <abdulmoiz3140@gmail.com>
Date: Tue, 23 Jun 2026 13:53:07 +0500
Subject: [PATCH 1/3] fix(docs): align relay systemd install flags with actual
 CLI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

infisical relay systemd install does not support --enroll-method or
--relay-id (confirmed against its --help output in #6979) — those flags
only exist on relay start. The systemd install examples were copied from
relay start and silently failed with "unknown flag: --enroll-method".

Updates the examples to use the install subcommand's actual flags
(--token / --type=instance --relay-auth-secret) and documents its full
flag set.

Fixes #6979
---
 docs/cli/commands/relay.mdx | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/docs/cli/commands/relay.mdx b/docs/cli/commands/relay.mdx
index 96cb9640470..d38184d29c2 100644
--- a/docs/cli/commands/relay.mdx
+++ b/docs/cli/commands/relay.mdx
@@ -39,11 +39,12 @@ Relays support two enrollment methods. The enrollment method is set when creatin
         ```bash
         sudo infisical relay systemd install \
           --name=<name> \
-          --enroll-method=token \
           --token=<enrollment-token> \
           --domain=<your-infisical-domain>
         sudo systemctl start infisical-relay
         ```
+
+        `infisical relay systemd install` does not accept `--enroll-method` — it always installs an org-type relay (the default) unless `--type=instance` is passed. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
       </Tab>
     </Tabs>
 
@@ -69,11 +70,13 @@ Relays support two enrollment methods. The enrollment method is set when creatin
         ```bash
         sudo infisical relay systemd install \
           --name=<name> \
-          --enroll-method=aws \
-          --relay-id=<relay-id> \
+          --type=instance \
+          --relay-auth-secret=<relay-auth-secret> \
           --domain=<your-infisical-domain>
         sudo systemctl start infisical-relay
         ```
+
+        `infisical relay systemd install` does not accept `--enroll-method` or `--relay-id`. AWS-authenticated relays are installed with `--type=instance` and a `--relay-auth-secret` instead. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
       </Tab>
     </Tabs>
 
@@ -121,6 +124,16 @@ Relays support two enrollment methods. The enrollment method is set when creatin
 <Accordion title="install">
   Install and enable systemd service for the relay. See the authentication section above for install commands.
 
+  `install` has its own flag set, distinct from `infisical relay start` — it does **not** accept `--enroll-method` or `--relay-id`:
+
+  - `--name` — the name of the relay
+  - `--type` — `org` (default) or `instance`
+  - `--token` — machine identity access token, used for `--type=org` (default)
+  - `--relay-auth-secret` — relay auth secret, used for `--type=instance` (or set via env if unset)
+  - `--host` — the IP or hostname for the relay
+  - `--domain` — domain of your self-hosted Infisical instance
+  - `--log-file` — file to write service logs to (logs aren't written to a file if omitted)
+
   After installation, start the service:
 
   ```bash

From 3c91ce228b974d6c6e571fb4213dd548b74c9a0d Mon Sep 17 00:00:00 2001
From: Abdulmoiz <abdulmoiz3140@gmail.com>
Date: Tue, 23 Jun 2026 14:00:20 +0500
Subject: [PATCH 2/3] fix(docs): clarify systemd install --token is a machine
 identity access token

The install example reused relay start's <enrollment-token> placeholder for
--token, but install's --token is a machine identity access token per its
own --help text, not the one-time enrollment token relay start uses.
---
 docs/cli/commands/relay.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/cli/commands/relay.mdx b/docs/cli/commands/relay.mdx
index d38184d29c2..203e80971ff 100644
--- a/docs/cli/commands/relay.mdx
+++ b/docs/cli/commands/relay.mdx
@@ -39,12 +39,12 @@ Relays support two enrollment methods. The enrollment method is set when creatin
         ```bash
         sudo infisical relay systemd install \
           --name=<name> \
-          --token=<enrollment-token> \
+          --token=<machine-identity-access-token> \
           --domain=<your-infisical-domain>
         sudo systemctl start infisical-relay
         ```
 
-        `infisical relay systemd install` does not accept `--enroll-method` — it always installs an org-type relay (the default) unless `--type=instance` is passed. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
+        `infisical relay systemd install` does not accept `--enroll-method`, and its `--token` flag is a machine identity access token — not the one-time enrollment token used by `relay start`. It always installs an org-type relay (the default) unless `--type=instance` is passed. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
       </Tab>
     </Tabs>
 

From 90aeda342b70642d6297cc6ca47efa5495cd53e2 Mon Sep 17 00:00:00 2001
From: Abdulmoiz <abdulmoiz3140@gmail.com>
Date: Tue, 23 Jun 2026 14:02:09 +0500
Subject: [PATCH 3/3] fix(docs): add required --host and correct AWS-auth
 systemd guidance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

relaySystemdInstallCmd requires --host (it doesn't store/look it up
server-side like relay start does) — add it to both install examples.

Also drop the --type=instance/--relay-auth-secret mapping for AWS-auth
relays: that's a separate static-secret instance mechanism and isn't
equivalent to relay start --enroll-method=aws --relay-id. There's no
systemd install path for AWS-authenticated relays today.
---
 docs/cli/commands/relay.mdx | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/docs/cli/commands/relay.mdx b/docs/cli/commands/relay.mdx
index 203e80971ff..1f92e061945 100644
--- a/docs/cli/commands/relay.mdx
+++ b/docs/cli/commands/relay.mdx
@@ -23,7 +23,7 @@ Relays support two enrollment methods. The enrollment method is set when creatin
   <Accordion title="Token Auth">
     Token auth uses a one-time enrollment token (1 hour expiry) generated from the relay detail page. The token is exchanged for a long-lived access token on first start and stored on disk for subsequent restarts.
 
-    The `--host` flag is not required — the host is stored server-side when the relay is created.
+    For `infisical relay start`, `--host` is not required — the host is stored server-side when the relay is created.
 
     <Tabs>
       <Tab title="Foreground">
@@ -39,12 +39,13 @@ Relays support two enrollment methods. The enrollment method is set when creatin
         ```bash
         sudo infisical relay systemd install \
           --name=<name> \
+          --host=<host> \
           --token=<machine-identity-access-token> \
           --domain=<your-infisical-domain>
         sudo systemctl start infisical-relay
         ```
 
-        `infisical relay systemd install` does not accept `--enroll-method`, and its `--token` flag is a machine identity access token — not the one-time enrollment token used by `relay start`. It always installs an org-type relay (the default) unless `--type=instance` is passed. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
+        `infisical relay systemd install` does not accept `--enroll-method`. Its `--token` flag is a machine identity access token — not the one-time enrollment token used by `relay start` — and `--host` is required (install does not store/look up the host server-side). It always installs an org-type relay (the default) unless `--type=instance` is passed. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
       </Tab>
     </Tabs>
 
@@ -67,16 +68,9 @@ Relays support two enrollment methods. The enrollment method is set when creatin
         ```
       </Tab>
       <Tab title="Linux (systemd)">
-        ```bash
-        sudo infisical relay systemd install \
-          --name=<name> \
-          --type=instance \
-          --relay-auth-secret=<relay-auth-secret> \
-          --domain=<your-infisical-domain>
-        sudo systemctl start infisical-relay
-        ```
+        `infisical relay systemd install` has no equivalent to `relay start --enroll-method=aws --relay-id` — it cannot enroll a relay configured with the AWS Auth method. Its `--type=instance` / `--relay-auth-secret` flags are an unrelated, static-secret instance-relay mechanism and won't authenticate as an AWS-authenticated relay.
 
-        `infisical relay systemd install` does not accept `--enroll-method` or `--relay-id`. AWS-authenticated relays are installed with `--type=instance` and a `--relay-auth-secret` instead. See [`infisical relay systemd`](#infisical-relay-systemd) below for its full flag set.
+        To run an AWS-authenticated relay under systemd today, wrap the foreground command above in your own systemd unit.
       </Tab>
     </Tabs>
 
@@ -127,10 +121,10 @@ Relays support two enrollment methods. The enrollment method is set when creatin
   `install` has its own flag set, distinct from `infisical relay start` — it does **not** accept `--enroll-method` or `--relay-id`:
 
   - `--name` — the name of the relay
+  - `--host` — the IP or hostname for the relay (required)
   - `--type` — `org` (default) or `instance`
   - `--token` — machine identity access token, used for `--type=org` (default)
   - `--relay-auth-secret` — relay auth secret, used for `--type=instance` (or set via env if unset)
-  - `--host` — the IP or hostname for the relay
   - `--domain` — domain of your self-hosted Infisical instance
   - `--log-file` — file to write service logs to (logs aren't written to a file if omitted)