Documentation

InfluxDB 3 Explorer

Install and run InfluxDB 3 Explorer

Use Docker to install and run InfluxDB 3 Explorer.

Control who can reach Explorer

Anyone who can reach the Explorer port can use the InfluxDB connection that you configure in Explorer, with that token’s permissions. By default, Docker publishes a container port on all network interfaces (0.0.0.0) and adds its own firewall rules, which can take effect even when a host firewall (such as ufw or firewalld) is set to block the port.

The examples in this guide publish Explorer on the loopback interface (127.0.0.1) so it’s reachable only from the same machine. Before you make Explorer reachable from other hosts, see Network exposure and access control.

Quick start

Get InfluxDB 3 Explorer running in minutes:

  1. Run the Explorer container:

    docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  influxdata/influxdb3-ui:1.8.0

  2. Access the Explorer UI at http://localhost:8888

  3. Configure your InfluxDB connection in the UI

Installation methods

Prerequisites

Install Docker or Docker Desktop if you haven’t already.

Basic setup

To get the latest updates, run the following command before starting the container:

docker pull influxdata/influxdb3-ui:1.8.0

Docker run Docker Compose

docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  influxdata/influxdb3-ui:1.8.0
# docker-compose.yml
version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    ports:
      - "127.0.0.1:8888:8080"
    volumes:
      - ./config:/app-root/config:ro
    restart: unless-stopped

Start the container:

docker-compose up -d

Run Explorer against a production instance

Use this setup to run Explorer with persistence, admin mode, and automatic image updates when administering a production InfluxDB 3 instance.

This setup is for running Explorer in a controlled environment–for example, on an operator’s workstation or a restricted host–to administer a production InfluxDB 3 instance. It isn’t a recipe for hosting Explorer as a publicly reachable service. The examples bind Explorer to 127.0.0.1; before changing that, see Network exposure and access control.

Docker run Docker Compose

docker run --detach \
  --name influxdb3-explorer \
  --pull always \
  --publish 127.0.0.1:8888:8080 \
  --volume $(pwd)/db:/db:rw \
  --volume $(pwd)/config:/app-root/config:ro \
  --env SESSION_SECRET_KEY=$(openssl rand -hex 32) \
  --restart unless-stopped \
  influxdata/influxdb3-ui:1.8.0 \
  --mode=admin
# docker-compose.yml
version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    pull_policy: always
    command: ["--mode=admin"]
    ports:
      - "127.0.0.1:8888:8080"
    volumes:
      - ./db:/db:rw
      - ./config:/app-root/config:ro
      - ./ssl:/etc/nginx/ssl:ro
    environment:
      SESSION_SECRET_KEY: ${SESSION_SECRET_KEY:-changeme123456789012345678901234}
    restart: unless-stopped

Create a .env file that contains the following:

SESSION_SECRET_KEY=your_32_char_hex_string_here

Start the container:

docker-compose up -d

Configuration options

Network exposure and access control

Explorer holds the InfluxDB connection details and token that you configure in it. Access to the Explorer interface is effectively access to that InfluxDB connection, so treat reaching the Explorer port the same as holding the token.

Use the following practices to control access:

  • Bind to the loopback interface for local use. The examples in this guide publish Explorer as 127.0.0.1:8888:8080, which makes it reachable only from the same machine. To reach Explorer from your browser on that machine, open http://localhost:8888.
  • Expose Explorer deliberately, not by default. To reach Explorer from another host, replace 127.0.0.1 with the specific interface address you intend to use (for example, 192.0.2.10:8888:8080). Publishing without an address (8888:8080) binds to all interfaces (0.0.0.0).
  • Account for Docker and the host firewall. Docker publishes ports by adding its own firewall rules, which can take effect even when a host firewall such as ufw or firewalld is configured to block the port. Verify reachability from another host rather than assuming the host firewall applies.
  • Put authentication in front of remote access. If you need to reach Explorer over a network, run it on the loopback interface and place an authenticating reverse proxy with TLS in front of it (for example, NGINX or Caddy).
  • Prefer least-privilege tokens. The token you configure in Explorer determines what anyone with access to Explorer can do. Use a token scoped to what the task requires.

Persist data across restarts

InfluxDB 3 Explorer stores application data in a SQLite database. To persist this data across container restarts:

  1. Create a local directory:

    mkdir -m 700 ./db

  2. Mount the directory when running the container:

    Docker Docker Compose

    docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  --volume $(pwd)/db:/db:rw \
  influxdata/influxdb3-ui:1.8.0
    version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    ports:
      - "127.0.0.1:8888:8080"
    volumes:
      - ./db:/db:rw
    restart: unless-stopped

Without a mounted ./db directory, application data is lost when the container is deleted.

With v1.7.0+, the Explorer container runs as a non-root user. If you’re upgrading from v1.6.x or earlier with mounted volumes, update file ownership before you start the container. The container exits with an error if mounted volumes have incorrect ownership.

Set file permissions for upgrades

In v1.7.0+, the Explorer container runs as a non-root user (influxui, uid 1500) for improved security. Because earlier versions ran as root, existing mounted volumes are owned by root and the new non-root process can’t access them.

If you start the upgraded container without updating file ownership, it exits with the following error:

ERROR: Directory '/db' is owned by root and not accessible to the 'influxui' user.

To prevent or resolve this error, change ownership of your mounted directories to uid 1500 before you start the container. For example:

sudo chown -R 1500:1500 /path/to/your/db
sudo chown -R 1500:1500 /path/to/your/config

After you update ownership, restart the container. Fresh installations are unaffected.

Pre-configure InfluxDB connections

Instead of configuring connections through the UI, you can pre-define connection settings using a config.json file. This is useful for:

  • Automated deployments
  • Shared team configurations
  • Quick setup for known environments

  1. Create a config.json file:

    mkdir -p config
cat > config/config.json << 'EOF'
{
  "DEFAULT_INFLUX_SERVER": "http://host.docker.internal:8181",
  "DEFAULT_INFLUX_DATABASE": "mydb",
  "DEFAULT_API_TOKEN": "your-token-here",
  "DEFAULT_SERVER_NAME": "Local InfluxDB 3"
}
EOF

    Customize the following properties for your InfluxDB 3 instance:

    When to use host.docker.internal

    If your InfluxDB 3 instance is running in Docker (not the same container as Explorer), use host.docker.internal as your server host to allow the Explorer container to connect to the InfluxDB container on the host–for example:

    "DEFAULT_INFLUX_SERVER": "http://host.docker.internal:8181"
    • If both Explorer and InfluxDB are in the same Docker network, use the container name instead.
    • If InfluxDB is running natively on your machine (not in Docker), use localhost.

    For more information, see the Docker networking documentation.

  2. Mount the configuration directory:

    Docker Docker Compose

    docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  --volume $(pwd)/config:/app-root/config:ro \
  influxdata/influxdb3-ui:1.8.0
    version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    ports:
      - "127.0.0.1:8888:8080"
    volumes:
      - ./config:/app-root/config:ro
    restart: unless-stopped

Enable TLS/SSL (HTTPS)

To enable TLS/SSL for secure connections:

  1. Create SSL directory and add certificate files:

    mkdir -m 755 ./ssl
# Copy your certificate files to the ssl directory
cp /path/to/server.crt ./ssl/
cp /path/to/server.key ./ssl/

    Required files:

    • Certificate: server.crt or fullchain.pem
    • Private key: server.key

  2. Run the container with SSL enabled:

    Docker Docker Compose

    docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8443 \
  --volume $(pwd)/ssl:/etc/nginx/ssl:ro \
  influxdata/influxdb3-ui:1.8.0
    version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    ports:
      - "127.0.0.1:8888:8443"
    volumes:
      - ./ssl:/etc/nginx/ssl:ro
    restart: unless-stopped

  3. Access the Explorer UI at https://localhost:8888

The nginx web server automatically detects and uses certificate files in the mounted path.

TLS and certificate verification options

Use the following environment variables to configure TLS and certificate verification:

  • NODE_EXTRA_CA_CERTS - Path to custom CA certificate file inside container (recommended).

    This option adds an intermediate or custom CA certificate to the Node.js trusted certificate store and is required when InfluxDB uses certificates signed by an internal or private CA.

    • Format: PEM format certificate file
    • Example: -e NODE_EXTRA_CA_CERTS=/ca-certs/ca-bundle.crt

    This is the native Node.js environment variable for custom CAs.

  • CA_CERT_PATH - Alternative to NODE_EXTRA_CA_CERTS (convenience alias)

    • Example: -e CA_CERT_PATH=/ca-certs/ca-bundle.crt

    Use either NODE_EXTRA_CA_CERTS or CA_CERT_PATH; not both. CA_CERT_PATH aliases NODE_EXTRA_CA_CERTS.

Use self-signed certificates

To configure Explorer to trust self-signed or custom CA certificates when connecting to InfluxDB:

  1. Create a directory for CA certificates:

    mkdir -p ./ca-certs

  2. Copy your CA certificate to the directory:

    cp /path/to/your-ca.pem ./ca-certs/

  3. Mount the CA certificate directory and set the NODE_EXTRA_CA_CERTS environment variable:

View example Docker configuration for self-signed certificates

Choose operational mode

InfluxDB 3 Explorer supports two operational modes:

  • Query mode (default): Read-only UI for querying data
  • Admin mode: Full UI with administrative capabilities

Set the mode using the --mode parameter:

Docker Docker Compose

# Query mode (default)
docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  influxdata/influxdb3-ui:1.8.0 \
  --mode=query

# Admin mode
docker run --detach \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  influxdata/influxdb3-ui:1.8.0 \
  --mode=admin
version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    # For query mode (default), omit the command
    # For admin mode, add:
    command: ["--mode=admin"]
    ports:
      - "127.0.0.1:8888:8080"
    restart: unless-stopped

Advanced configuration

Environment variables

VariableDefaultDescription
SESSION_SECRET_KEY(random)Secret key for session management. Set this in production to persist sessions across restarts.
DATABASE_URL/db/sqlite.dbPath to SQLite database inside container
SSL_CERT_PATH/etc/nginx/ssl/cert.pemPath to SSL certificate file
SSL_KEY_PATH/etc/nginx/ssl/key.pemPath to SSL private key file
NODE_EXTRA_CA_CERTS(none)Path to custom CA certificate file (PEM format) for trusting self-signed or internal CA certificates
CA_CERT_PATH(none)Alias for NODE_EXTRA_CA_CERTS

Always set SESSION_SECRET_KEY in production to persist user sessions across container restarts. Enter the following command to generate a secure key:

openssl rand -hex 32

Volume reference

Container PathPurposePermissionsRequired
/dbSQLite database storage700No (but recommended)
/app-root/configConnection configuration755No
/etc/nginx/sslTLS/SSL certificates755Only for HTTPS
/ca-certsCustom CA certificates755Only for self-signed certificates

Port reference

Container PortProtocolPurposeCommon Host Mapping
8080HTTPWeb UI (unencrypted)8888
8443HTTPSWeb UI (encrypted)8888

Complete examples

Full configuration with all features

Docker Docker Compose

# Create required directories
mkdir -m 700 ./db
mkdir -m 755 ./config ./ssl

# Generate session secret
export SESSION_SECRET=$(openssl rand -hex 32)

# Create configuration
cat > config/config.json << 'EOF'
{
  "DEFAULT_INFLUX_SERVER": "http://host.docker.internal:8181",
  "DEFAULT_INFLUX_DATABASE": "production",
  "DEFAULT_API_TOKEN": "your-production-token",
  "DEFAULT_SERVER_NAME": "Production InfluxDB 3"
}
EOF

# Run Explorer with all features
docker run --detach \
  --name influxdb3-explorer \
  --pull always \
  --publish 127.0.0.1:8888:8443 \
  --volume $(pwd)/db:/db:rw \
  --volume $(pwd)/config:/app-root/config:ro \
  --volume $(pwd)/ssl:/etc/nginx/ssl:ro \
  --env SESSION_SECRET_KEY=$SESSION_SECRET \
  --restart unless-stopped \
  influxdata/influxdb3-ui:1.8.0 \
  --mode=admin
# docker-compose.yml
version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    pull_policy: always
    command: ["--mode=admin"]
    ports:
      - "127.0.0.1:8888:8443"
    volumes:
      - ./db:/db:rw
      - ./config:/app-root/config:ro
      - ./ssl:/etc/nginx/ssl:ro
    environment:
      SESSION_SECRET_KEY: ${SESSION_SECRET_KEY}
    restart: unless-stopped

Create a .env file that contains the following:

SESSION_SECRET_KEY=your_32_char_hex_string_here

Start the container:

docker-compose up -d

Development setup (minimal)

Docker Docker Compose

docker run --rm \
  --name influxdb3-explorer \
  --publish 127.0.0.1:8888:8080 \
  influxdata/influxdb3-ui:1.8.0
# docker-compose.yml
version: '3.8'

services:
  explorer:
    image: influxdata/influxdb3-ui:1.8.0
    container_name: influxdb3-explorer
    ports:
      - "127.0.0.1:8888:8080"

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB OSS 2.9.0: API tokens are hashed by default

Stronger token security in InfluxDB OSS 2.9.0 — tokens are hashed on disk by default. Existing tokens are hashed on first startup and can’t be recovered afterward. Capture any plaintext tokens you still need before you upgrade.

View InfluxDB OSS 2.9.0 release notes

Hashed tokens authenticate exactly like unhashed tokens — clients and integrations keep working.

Also new in 2.9.0:

  • Configurable backup compression
  • Restore support for backups containing hashed tokens
  • Tighter Edge Data Replication queue validation
  • Flux upgrade
  • Compaction reliability improvements

Key enhancements in Explorer 1.8

Explorer 1.8 is now available with streaming data subscriptions (beta), line protocol preview, and query history & saved queries.

View Explorer 1.8 release notes

Explorer 1.8 includes new features and improvements that make it easier to ingest, explore, and manage data.

Highlights:

  • Streaming data subscriptions (beta): Stream data into Explorer from MQTT, Kafka, and AMQP sources.
  • Line protocol preview: Preview line protocol, schema, and parse errors before data is written.
  • Custom sample data: Generate custom sample datasets with line protocol and schema preview.
  • Query history and saved queries: Browse query history and save/re-run named queries.
  • Retention period management: Set, update, or clear retention periods on databases and tables.

For more details, see Explorer 1.8 release notes

InfluxDB 3.9: Performance upgrade preview

InfluxDB 3 Enterprise 3.9 includes a beta of major performance upgrades with faster single-series queries, wide-and-sparse table support, and more.

InfluxDB 3 Enterprise 3.9 includes a beta of major performance and feature updates.

Key improvements:

  • Faster single-series queries
  • Consistent resource usage
  • Wide-and-sparse table support
  • Automatic distinct value caches for reduced latency with metadata queries

Preview features are subject to breaking changes.

For more information, see:

Telegraf Enterprise now in public beta

Get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

See the Blog Post

The upcoming Telegraf Enterprise offering is for organizations running Telegraf at scale and is comprised of two key components:

  • Telegraf Controller: A control plane (UI + API) that centralizes Telegraf configuration management and agent health visibility.
  • Telegraf Enterprise Support: Official support for Telegraf Controller and Telegraf plugins.

Join the Telegraf Enterprise beta to get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

For more information:

Telegraf Controller v0.0.7-beta now available

Telegraf Controller v0.0.7-beta is now available with new features, improvements, bug fixes, and an important breaking change.

View the release notes
Download Telegraf Controller v0.0.7-beta

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On September 15, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2