---
title: ''
description: Telegraf plugin for retrieving secrets from Javascript Object Signing and Encryption
url: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/jose/
estimated_tokens: 525
product: Telegraf Controller
version: v1
publisher: InfluxData
canonical: https://docs.influxdata.com/telegraf/v1/secretstore-plugins/jose/
date: '2026-06-11T17:00:50+02:00'
lastmod: '2026-06-11T17:00:50+02:00'
---

==========

* Telegraf v1.25.0+

[Plugin source](https://github.com/influxdata/telegraf/tree/v1.39.0/plugins/secretstores/jose/)[Download configuration](https://raw.githubusercontent.com/influxdata/telegraf/refs/tags/v1.39.0/plugins/secretstores/jose/sample.conf)

# Javascript Object Signing and Encryption Secret Store Plugin

This plugin allows to read local secrets from files protected by the[Javascript Object Signing and Encryption](https://github.com/dvsekhvalnov/jose2go) algorithm.

**Introduced in:** Telegraf v1.25.0**Tags:** system**OS support:** all

## Usage

Secrets defined by a store are referenced with `@{<store-id>:<secret_key>}`the Telegraf configuration. Only certain Telegraf plugins and options of
support secret stores. To see which plugins and options support
secrets, see their respective documentation (e.g.`plugins/outputs/influxdb/README.md`). If the plugin’s README has the`Secret store support` section, it will detail which options support secret
store usage.

## Configuration

```toml
# Read secrets from Javascript Object Signing and Encryption file
[[secretstores.jose]]
  ## Unique identifier for the secret store.
  ## This id can later be used in plugins to reference the secrets
  ## in this secret store via @{<id>:<secret_key>} (mandatory)
  id = "secretstore"

  ## Directory for storing the secrets
  path = "/etc/telegraf/secrets"

  ## Password to access the secrets.
  ## If no password is specified here, Telegraf will prompt for it at startup time.
  # password = ""
```

Each secret is stored in an individual file in the subdirectory specified using
the `path` parameter. To access the secrets, a password is required.
This password can be specified using the `password` parameter containing a
string, an environment variable or as a reference to a secret in another secret
store. If `password` is not specified in the config, you will be prompted for
the password at startup.

All secrets in this secret store are encrypted using the same password. If you
need individual passwords for each secret, please use multiple instances of
this plugin.