ExcaliDash
ExcaliDash is a self-hosted dashboard for Excalidraw drawings with persistent storage, real-time multi-user collaboration, version history, and optional OIDC authentication. It provides scoped sharing, search, collections, and backup/import capabilities in a TypeScript/Docker-based application.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | ZimengXiong/ExcaliDash |
| Owner | ZimengXiong |
| Primary language | TypeScript |
| License | AGPL-3.0 — OSI-approved |
| Stars | 1.3k |
| Forks | 121 |
| Open issues | 40 |
| Latest release | v0.5.1 (2026-06-21) |
| Last updated | 2026-06-29 |
| Source | https://github.com/ZimengXiong/ExcaliDash |
What ExcaliDash is
TypeScript full-stack application (Node.js backend, frontend) deployed via Docker Compose with SQLite storage, WebSocket-based real-time collaboration, Prisma ORM, and optional OIDC identity provider integration. Includes admin bootstrap, JWT authentication, and configurable reverse-proxy trust for TLS deployments.
Get the ExcaliDash source
Clone the repository and explore it locally.
git clone https://github.com/ZimengXiong/ExcaliDash.gitcd ExcaliDash# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Set fixed JWT_SECRET in production environments; auto-generation on first start is not portable. Use strong, randomly generated secret (minimum 32 characters).
- Configure TRUST_PROXY correctly: set to 1 (or appropriate hop count) only when requests pass through a trusted reverse proxy that sets X-Forwarded-* headers; default TRUST_PROXY=false is safer for direct deployments.
- Establish and automate regular backup strategy for SQLite database volume (backend storage). README warns BETA status requires manual backups; losing the SQLite DB means losing all drawings, version history, and user data.
- Plan for secrets management: JWT_SECRET, OIDC client credentials, and other environment variables must be injected securely (not hardcoded in docker-compose files or version control).
- Review and test OIDC integration thoroughly if deploying with multi-user authentication; README shows migration and admin bootstrap flows but does not document failure scenarios or attribute mapping requirements.
When to avoid it — and what to weigh
- High-Scale SaaS Deployment — Project is in BETA and documentation cautions production-readiness depends on TLS, reverse proxy, fixed secrets, backups, and rate limits. SQLite may not scale horizontally; not suitable for multi-tenant cloud SaaS without significant hardening.
- Proprietary Data Format Requirement — ExcaliDash deliberately stores drawings in open .excalidraw format for portability. If your workflow requires proprietary or vendor-locked formats, this is not the right fit.
- Zero DevOps Overhead Tolerance — Requires Docker/Docker Compose, manual backup strategy, environment variable management, and operational scripts (e.g., admin recovery, auth simulation). Organizations seeking zero-ops platforms should consider managed SaaS alternatives.
- Minimal Code Review / Single Maintainer Dependency — Project has 1,304 stars and 121 forks but is maintained by a single developer. No information on security audit, code review practices, or contributor vetting process; mission-critical deployments may require additional due diligence.
License & commercial use
Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license requiring any network service modifications to make source code available to users. Forking, modifying, and deploying on a private network does not trigger the AGPL copyleft obligation; distributing the software or offering it as a service does. Requires careful review before incorporating into proprietary products or commercial deployments.
AGPL-3.0 permits commercial use, but with significant obligations: any modification or network deployment triggers source-code disclosure requirements to users. Internal business use (non-public network, not offered as a service) is permitted. Commercial software vendors, SaaS providers, or organizations planning proprietary modifications must obtain explicit legal counsel. AGPL is NOT a permissive license and requires proactive compliance review.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
README explicitly warns: BETA status and production-readiness depends on operator controls (TLS, reverse proxy, fixed secrets, backups, rate limits). No mention of security audit, vulnerability disclosure policy, or third-party code review. Admin recovery scripts available but no audit logging mentioned. OIDC support present but provider attribute mapping, MFA enforcement, and password policy customization not documented. SQLite is single-process; concurrent access at scale requires consideration. Operators must implement rate limiting, monitor outbound UPDATE_CHECK calls, and enforce network-level access controls.
Alternatives to consider
Excalidraw (Official SaaS)
Official cloud-hosted Excalidraw eliminates self-hosting overhead, guaranteed uptime, and automatic updates. Trade-off: data stored on Excalidraw's servers, not on-premise. Better for teams without self-hosting capability or concerns about vendor lock-in.
Miro or Mural
Commercial diagramming/whiteboarding platforms with enterprise SSO, audit logs, SOC 2 compliance, and professional support. Trade-off: higher cost, proprietary format, not self-hostable. Better for large enterprises with compliance requirements.
draw.io / diagrams.net
Open-source diagram editor with self-hosting option (Docker) and broad diagram type support. Trade-off: no built-in real-time collaboration, different feature set (not Excalidraw-specific). Better if you need a more general-purpose diagramming tool.
Build on ExcaliDash with DEV.co software developers
Start with Docker Compose in minutes. For production deployments, reverse-proxy setup, OIDC integration, and backup strategy—consult our DevOps and cloud deployment services.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
ExcaliDash FAQ
Can I use ExcaliDash offline?
What happens to my drawings if I upgrade ExcaliDash?
Can I migrate from another Excalidraw instance?
Is ExcaliDash suitable for production?
Software development & web development with DEV.co
Adopting ExcaliDash is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.
Ready to Deploy ExcaliDash?
Start with Docker Compose in minutes. For production deployments, reverse-proxy setup, OIDC integration, and backup strategy—consult our DevOps and cloud deployment services.