Documentation

Telegraf

Telegraf Secret Store Plugins

Telegraf secret store plugins provide secrets such as credentials to plugins. Secret store plugins provide secrets like usernames, passwords, or tokens to other plugins including other secret stores (for example, when retrieving secrets requires a token). Different secret store plugins retrieve secrets from different stores, including the operating system, Docker Secrets, and HashiCorp Vault.

Docker

Plugin ID: secretstores.docker
Telegraf v1.27.0+

This plugin allows to access Docker secrets mounted by the engine during container runtime. The secrets are accessible as files under /run/secrets from within the container.

View

GoogleCloud Credentials

Plugin ID: secretstores.googlecloud
Telegraf v1.37.0+

This plugin allows to retrieve token-based Google Cloud Credentials.

View

HTTP Secret store

Plugin ID: secretstores.http
Telegraf v1.27.0+

This plugin allows to query secrets from an HTTP endpoint, transmitting the secrets either plain-text or in an encrypted fashion.

View

Javascript Object Signing and Encryption

Plugin ID: secretstores.jose
Telegraf v1.25.0+

This plugin allows to read local secrets from files protected by the Javascript Object Signing and Encryption algorithm.

View

OAuth2

Plugin ID: secretstores.oauth2
Telegraf v1.28.0+

This plugin allows to retrieve and maintain secrets from various OAuth2 services such as Auth0, AzureAD or others (see Configuration section. Expired tokens will be renewed automatically for allowing plugins referencing those tokens to perform their API calls without hassle.

This plugin only supports the 2-legged client credentials flow.

View

OS

Plugin ID: secretstores.os
Telegraf v1.25.0+

This plugin allows to read and manage secrets using the native Operating System keyring. For Windows this plugin uses the credential manager, on Linux the kernel keyring is used and on MacOS we use the Keychain implementation.

View

Systemd

Plugin ID: secretstores.systemd
Telegraf v1.29.0+

This plugin allows utilizing credentials and secrets provided to the Telegraf service by systemd. Systemd ensures that only the intended service can access the credentials for the lifetime of this service. The credentials appear as plaintext files to the consuming service but are stored encrypted on the host system. This encryption can also use TPM2 protection if available (see this article for details).

This plugin does not support setting the credentials. See the credentials management section below for how to setup systemd credentials and how to add credentials

This plugin requires systemd version 250+.

View

HashiCorp Vault

Plugin ID: secretstores.vault
Telegraf v1.37.0+

This plugin allows to access secrets provided by a HashiCorp Vault server via the Vault API. It supports authentication via a pre-obtained token or via the AppRole method.

View

Was this page helpful?

Thank you for your feedback!

© 2026 InfluxData, Inc.

Where are you running InfluxDB?

Select your InfluxDB Cloud region and cluster or your InfluxDB OSS URL and we’ll customize code examples for you. Identify your InfluxDB Cloud cluster.

  • InfluxDB Cloud
  • InfluxDB OSS or Enterprise
AWS

  • US West (Oregon)

GCP
Azure
Default
Custom

For more information, see InfluxDB Cloud regions or InfluxDB OSS URLs.

Thank you for your feedback!

Let us know what we can do better:

Thank you!

No thanks

InfluxDB OSS 2.9.0: API tokens are hashed by default

Stronger token security in InfluxDB OSS 2.9.0 — tokens are hashed on disk by default. Existing tokens are hashed on first startup and can’t be recovered afterward. Capture any plaintext tokens you still need before you upgrade.

View InfluxDB OSS 2.9.0 release notes

Hashed tokens authenticate exactly like unhashed tokens — clients and integrations keep working.

Also new in 2.9.0:

  • Configurable backup compression
  • Restore support for backups containing hashed tokens
  • Tighter Edge Data Replication queue validation
  • Flux upgrade
  • Compaction reliability improvements

Key enhancements in Explorer 1.8

Explorer 1.8 is now available with streaming data subscriptions (beta), line protocol preview, and query history & saved queries.

View Explorer 1.8 release notes

Explorer 1.8 includes new features and improvements that make it easier to ingest, explore, and manage data.

Highlights:

  • Streaming data subscriptions (beta): Stream data into Explorer from MQTT, Kafka, and AMQP sources.
  • Line protocol preview: Preview line protocol, schema, and parse errors before data is written.
  • Custom sample data: Generate custom sample datasets with line protocol and schema preview.
  • Query history and saved queries: Browse query history and save/re-run named queries.
  • Retention period management: Set, update, or clear retention periods on databases and tables.

For more details, see Explorer 1.8 release notes

InfluxDB 3.9: Performance upgrade preview

InfluxDB 3 Enterprise 3.9 includes a beta of major performance upgrades with faster single-series queries, wide-and-sparse table support, and more.

InfluxDB 3 Enterprise 3.9 includes a beta of major performance and feature updates.

Key improvements:

  • Faster single-series queries
  • Consistent resource usage
  • Wide-and-sparse table support
  • Automatic distinct value caches for reduced latency with metadata queries

Preview features are subject to breaking changes.

For more information, see:

Telegraf Enterprise now in public beta

Get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

See the Blog Post

The upcoming Telegraf Enterprise offering is for organizations running Telegraf at scale and is comprised of two key components:

  • Telegraf Controller: A control plane (UI + API) that centralizes Telegraf configuration management and agent health visibility.
  • Telegraf Enterprise Support: Official support for Telegraf Controller and Telegraf plugins.

Join the Telegraf Enterprise beta to get early access to the Telegraf Controller and provide feedback to help shape the future of Telegraf Enterprise.

For more information:

Telegraf Controller v0.0.7-beta now available

Telegraf Controller v0.0.7-beta is now available with new features, improvements, bug fixes, and an important breaking change.

View the release notes
Download Telegraf Controller v0.0.7-beta

InfluxDB Docker latest tag changing to InfluxDB 3 Core

On September 15, 2026, the latest tag for InfluxDB Docker images will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments.

If using Docker to install and run InfluxDB, the latest tag will point to InfluxDB 3 Core. To avoid unexpected upgrades, use specific version tags in your Docker deployments. For example, if using Docker to run InfluxDB v2, replace the latest version tag with a specific version tag in your Docker pull command–for example:

docker pull influxdb:2