Documentation

InfluxDB OSS v2

Store secrets in Vault

This page documents an earlier version of InfluxDB OSS. InfluxDB 3 Core is the latest stable version.

Vault secures, stores, and controls access to tokens, passwords, certificates, and other sensitive secrets. Store sensitive secrets in Vault using InfluxDB’s built-in Vault integration.

To store secrets in Vault, complete the following steps:

  1. Start a Vault server.
  2. Provide Vault server address and token.
  3. Start InfluxDB.
  4. Manage secrets through the InfluxDB API.

Start a Vault server

Start a Vault server and ensure InfluxDB has network access to the server.

The following links provide information about running Vault in both development and production:

InfluxDB supports the Vault KV Secrets Engine Version 2 API only. When you create a secrets engine, enable the kv-v2 version by running:

vault secrets enable kv-v2

For this example, install Vault on your local machine and start a Vault dev server.

vault server -dev

Provide Vault server address and token

Use influxd Vault-related tags or Vault environment variables to provide connection credentials and other important Vault-related information to InfluxDB.

Required credentials

Vault address

Provide the API address of your Vault server (available in the Vault server output) using the --vault-addr flag when starting influxd or with the VAULT_ADDR environment variable.

Vault token

Provide your Vault token (required to access your Vault server) using the --vault-token flag when starting influxd or with the VAULT_TOKEN environment variable.

Your Vault server configuration may require other Vault settings.

Start InfluxDB

Start the influxd service with the --secret-store option set to vault and any other necessary flags–for example, enter the following command:

influxd --secret-store vault \
  --vault-addr=http://127.0.0.1:8200 \
  --vault-token=$VAULT_TOKEN

influxd includes the following Vault configuration options. If set, these flags override any Vault environment variables:

  • --vault-addr
  • --vault-cacert
  • --vault-capath
  • --vault-client-cert
  • --vault-client-key
  • --vault-max-retries
  • --vault-client-timeout
  • --vault-skip-verify
  • --vault-tls-server-name
  • --vault-token

For more information, see InfluxDB configuration options.

Manage secrets through the InfluxDB API

Use the InfluxDB /org/{orgID}/secrets API endpoint to add tokens to Vault. For details, see Secrets.

secrets security

Was this page helpful?

Thank you for your feedback!

© 2025 InfluxData, Inc.

What is your InfluxDB OSS URL?

Customize your InfluxDB OSS URL and we’ll update code examples for you.

Default
Custom

For more information, see InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

New in InfluxDB 3.5

Key enhancements in InfluxDB 3.5 and the InfluxDB 3 Explorer 1.3.

See the Blog Post

InfluxDB 3.5 is now available for both Core and Enterprise, introducing custom plugin repository support, enhanced operational visibility with queryable CLI parameters and manual node management, stronger security controls, and general performance improvements.

InfluxDB 3 Explorer 1.3 brings powerful new capabilities including Dashboards (beta) for saving and organizing your favorite queries, and cache querying for instant access to Last Value and Distinct Value caches—making Explorer a more comprehensive workspace for time series monitoring and analysis.

For more information, check out:

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On February 3, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2