Documentation

Manage settings

Owners and administrators can configure public endpoints, login security, and password requirements for Telegraf Controller.

Navigate to the Settings page from the left navigation menu to view and modify these settings.

Public endpoints

The Public Endpoints section at the top of the Settings page lets owners and administrators set the base URLs that Telegraf Controller shows to users and agents. These are display-only values: Telegraf Controller stores and returns them, but does not bind to or resolve them. Set a public endpoint when the server is reachable at a different address than the one Telegraf Controller detects locally, for example when it runs behind a reverse proxy. Leave a field blank to use the auto-detected URL.

SettingDescriptionAuto-detected fallback
User Interface URLBase URL used to access the Telegraf Controller web interface. Used to build user invite links.Browser origin
API URLBase URL used to access the Telegraf Controller API. Shown in the configuration builder and agent commands.Browser origin
Heartbeat URLBase URL Telegraf agents use to send heartbeats to the Telegraf Controller heartbeat server. Applied when you add a heartbeat output to a config.Host address with the heartbeat port

Each URL must be an absolute URL that includes a scheme and host (for example, https://telegraf.example.com), must not end with a trailing slash, and can be at most 2048 characters.

To set a public endpoint:

  1. Navigate to the Settings page.

  2. In the Public Endpoints section, enter a URL for User Interface URL, API URL, or Heartbeat URL.

    Telegraf Controller public endpoints settings
  3. Click Save.

Login security

Login attempts

You can configure the number of failed login attempts allowed before an account is locked out. The default threshold is 5 attempts, with a minimum of 1.

To change the login attempt threshold:

  1. Navigate to the Settings page.
  2. Update the Login attempts value.
  3. Click Save.

Login lockout

When a user exceeds the failed attempt threshold, their account is locked for a configurable duration. The default lockout duration is 15 minutes, with a minimum of 1 minute. The lockout clears automatically after the configured duration has elapsed.

To change the lockout duration:

  1. Navigate to the Settings page.
  2. Update the Login lockout duration value.
  3. Click Save.

If a user is locked out, an owner or administrator can reset their password to unlock the account.

Password complexity requirements

Telegraf Controller provides three password complexity levels that apply to all password operations, including initial setup, password changes, password resets, and invite completion.

LevelMin lengthUppercase*Lowercase*Digits*Special characters*
Low8NoNoNoNo
Medium10YesYesYesNo
High12YesYesYesYes

* Passwords require at least one of the defined character types.

To change the password complexity level:

  1. Navigate to the Settings page.
  2. Select the desired Password complexity level.
  3. Click Save.

Changing the password complexity level does not affect existing passwords. The new requirements apply only when users set or change their passwords.

Environment variables

You can set initial defaults for login security settings using environment variables. These values are applied when Telegraf Controller initializes its settings for the first time. Changes made on the Settings page override initialized settings.

Environment variableDescriptionDefault
LOGIN_LOCKOUT_ATTEMPTSFailed attempts before lockout5
LOGIN_LOCKOUT_MINUTESMinutes to lock account15
PASSWORD_COMPLEXITYComplexity level (low, medium, high)low

For detailed descriptions and bootstrap behavior, see the Authentication and security section in the configuration options reference.

LDAP authentication

When LDAP authentication is enabled at startup, the LDAP Authentication section on the Settings page lets the owner review the active LDAP configuration and tune how external identities map to Telegraf Controller accounts.

LDAP authentication requires a Telegraf Enterprise license. For setup instructions, see Configure LDAP authentication.

The section displays:

  • A read-only summary of the LDAP server URL, bind DN, user search base, TLS settings, and attribute mappings. These values are environment-only and can be changed only by restarting Telegraf Controller.
  • Runtime-editable provisioning controls described in the table below.
SettingDescription
Provisioning strategyinvite_only, domain_restricted, or auto_create. See Provisioning strategies.
Default roleRole assigned when no group mapping matches an authenticated user.
Allowed email domainsComma-separated list of domains, used when Provisioning strategy is domain_restricted.
Auto-link by verified emailWhen enabled, link an LDAP user to an existing local user with a matching email address.
On no group matchuse_default_role admits the user with the default role; reject denies the sign-in.
Group role mappingsList of (provider ID, group name, role) rows that map directory groups to Telegraf Controller roles.

To update LDAP settings:

  1. Sign in as the Owner.
  2. Navigate to the Settings page.
  3. In the LDAP Authentication section, update the values.
  4. Click Save.
Telegraf Controller LDAP authentication settings

OIDC authentication

When OIDC authentication is enabled at startup, the OIDC Authentication section on the Settings page lets the owner review the active OIDC configuration and tune how external identities map to Telegraf Controller accounts.

OIDC authentication requires a Telegraf Enterprise license. For setup instructions, see Configure OIDC authentication.

The section displays:

  • A read-only summary of the issuer, client ID, redirect URI, scopes, and username claim, plus the provider discovery status. These values are environment-only and can be changed only by restarting Telegraf Controller.
  • Runtime-editable provisioning controls described in the table below.
SettingDescription
Provisioning strategyinvite_only, domain_restricted, or auto_create. See Provisioning strategies.
Default roleRole assigned when no group mapping matches an authenticated user.
Allowed email domainsComma-separated list of domains, used when Provisioning strategy is domain_restricted.
Auto-link by verified emailWhen enabled, link an OIDC user to an existing local user whose email is verified and matches.
On no group matchuse_default_role admits the user with the default role; reject denies the sign-in.
Display nameOverrides the startup-time AUTH_OIDC_DISPLAY_NAME on the sign-in button.
Groups claimOverrides the startup-time AUTH_OIDC_GROUPS_CLAIM for incoming tokens.
Group role mappingsList of (provider ID, group name, role) rows that map OIDC group values to Telegraf Controller roles.

To update OIDC settings:

  1. Sign in as the Owner.
  2. Navigate to the Settings page.
  3. In the OIDC Authentication section, update the values.
  4. Click Save.
Telegraf Controller OIDC authentication settings

Audit logging

When audit logging is enabled, the Settings page lets you change the retention period for audit entries. The default retention is 90 days (2160 hours), and available values range from 30 days to 2 years or infinite.

Audit logging itself is enabled at startup only and requires a Telegraf Enterprise license. For details, see Enable and configure audit logging.

To change the audit log retention period:

  1. Navigate to the Settings page.
  2. In the Audit Logging section, select a value from Audit log retention.
  3. Click Save.
Telegraf Controller audit log retention dropdown

Enterprise licensing

License management for Telegraf Controller lives at Settings > Enterprise. Owners can view the current Telegraf Enterprise license, upload a new license, and remove a license. All users see current entitlements and usage.

For details on applying, replacing, and removing a license, see Manage your license.


Was this page helpful?

Thank you for your feedback!


InfluxDB OSS 2.9.0: API tokens are hashed by default

Stronger token security in InfluxDB OSS 2.9.0 — tokens are hashed on disk by default. Existing tokens are hashed on first startup and can’t be recovered afterward. Capture any plaintext tokens you still need before you upgrade.

View InfluxDB OSS 2.9.0 release notes

Hashed tokens authenticate exactly like unhashed tokens — clients and integrations keep working.

Also new in 2.9.0:

  • Configurable backup compression
  • Restore support for backups containing hashed tokens
  • Tighter Edge Data Replication queue validation
  • Flux upgrade
  • Compaction reliability improvements

Key enhancements in Explorer 1.9

Explorer 1.9 is now available with InfluxQL support, an AI-assisted Flux to SQL converter (beta), and new live sample data simulators.

View Explorer 1.9 release notes

Explorer 1.9 includes new features and improvements that make it easier to query, visualize, and manage data.

Highlights:

  • Flux to SQL converter (beta): Convert Flux queries to SQL with an AI-assisted converter.
  • InfluxQL support: Query data with InfluxQL in the Data Explorer and dashboards, and save and load InfluxQL queries.
  • InfluxQL visualizations: Render line and bar charts from InfluxQL results with per-tag series grouping.
  • Query error history: Review a history of query errors in the query tool.
  • Live sample data simulators: Generate continuous live sample data with new bird data and signal generator simulators.

For more details, see Explorer 1.9 release notes

InfluxDB 3.10 is now available

InfluxDB 3 Core 3.10 adds an automatic catalog format upgrade, a configurable query-concurrency limit, and processing engine improvements.

Key updates in InfluxDB 3 Core 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • --max-concurrent-queries: limit concurrent queries (adjustable at runtime).
  • GET /ready endpoint for readiness probes.
  • Processing engine: cross-database queries and trigger lockdown flags.

For more information, see the InfluxDB 3 Core release notes.

InfluxDB 3.10 is now available

InfluxDB 3 Enterprise 3.10 adds automated backup and restore, row-level deletions, and user management, with an automatic catalog format upgrade and performance preview improvements.

Key updates in InfluxDB 3 Enterprise 3.10:

  • Catalog format upgrade: the on-disk catalog automatically upgrades from format v2 to v3 on first 3.10 startup. Migration is one-way—back up your catalog before upgrading.
  • Automated backup and restore (beta)
  • Row-level deletions
  • User management (authentication and RBAC) — preview
  • Performance preview improvements

Backup and restore, row-level deletions, and the performance preview require the Enterprise storage engine upgrade (opt-in beta). Beta and preview features are subject to breaking changes and aren’t recommended for production use.

For more information, see the InfluxDB 3 Enterprise release notes

Telegraf Enterprise is now generally available

Telegraf Enterprise is now generally available, along with Telegraf Controller v1.0.

Telegraf Enterprise combines Telegraf Controller, a centralized management console for Telegraf, with official support from InfluxData. Manage configurations, monitor fleet health, and operate tens of thousands of Telegraf agents from a single system.

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On September 15, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2