DEV.co
Open-Source DevOps · ZimengXiong

ExcaliDash

ExcaliDash is a self-hosted dashboard for Excalidraw drawings with persistent storage, real-time multi-user collaboration, version history, and optional OIDC authentication. It provides scoped sharing, search, collections, and backup/import capabilities in a TypeScript/Docker-based application.

Source: GitHub — github.com/ZimengXiong/ExcaliDash
1.3k
GitHub stars
121
Forks
TypeScript
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryZimengXiong/ExcaliDash
OwnerZimengXiong
Primary languageTypeScript
LicenseAGPL-3.0 — OSI-approved
Stars1.3k
Forks121
Open issues40
Latest releasev0.5.1 (2026-06-21)
Last updated2026-06-29
Sourcehttps://github.com/ZimengXiong/ExcaliDash

What ExcaliDash is

TypeScript full-stack application (Node.js backend, frontend) deployed via Docker Compose with SQLite storage, WebSocket-based real-time collaboration, Prisma ORM, and optional OIDC identity provider integration. Includes admin bootstrap, JWT authentication, and configurable reverse-proxy trust for TLS deployments.

Quickstart

Get the ExcaliDash source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ZimengXiong/ExcaliDash.gitcd ExcaliDash# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Team Diagramming & Design Collaboration

Multi-user real-time editing of system diagrams, architecture sketches, and design mockups with persistent version history and scoped sharing for internal and external stakeholders.

Self-Hosted Knowledge Management

Organizations needing on-premise storage of visual diagrams and drawings with full control over data, backups, and user access policies; export in open .excalidraw format ensures no vendor lock-in.

Enterprise Design Asset Library

Centralized dashboard for managing and organizing drawing collections with role-based access, OIDC SSO integration, admin controls, and audit trails via multi-user authentication.

Implementation considerations

  • Set fixed JWT_SECRET in production environments; auto-generation on first start is not portable. Use strong, randomly generated secret (minimum 32 characters).
  • Configure TRUST_PROXY correctly: set to 1 (or appropriate hop count) only when requests pass through a trusted reverse proxy that sets X-Forwarded-* headers; default TRUST_PROXY=false is safer for direct deployments.
  • Establish and automate regular backup strategy for SQLite database volume (backend storage). README warns BETA status requires manual backups; losing the SQLite DB means losing all drawings, version history, and user data.
  • Plan for secrets management: JWT_SECRET, OIDC client credentials, and other environment variables must be injected securely (not hardcoded in docker-compose files or version control).
  • Review and test OIDC integration thoroughly if deploying with multi-user authentication; README shows migration and admin bootstrap flows but does not document failure scenarios or attribute mapping requirements.

When to avoid it — and what to weigh

  • High-Scale SaaS Deployment — Project is in BETA and documentation cautions production-readiness depends on TLS, reverse proxy, fixed secrets, backups, and rate limits. SQLite may not scale horizontally; not suitable for multi-tenant cloud SaaS without significant hardening.
  • Proprietary Data Format Requirement — ExcaliDash deliberately stores drawings in open .excalidraw format for portability. If your workflow requires proprietary or vendor-locked formats, this is not the right fit.
  • Zero DevOps Overhead Tolerance — Requires Docker/Docker Compose, manual backup strategy, environment variable management, and operational scripts (e.g., admin recovery, auth simulation). Organizations seeking zero-ops platforms should consider managed SaaS alternatives.
  • Minimal Code Review / Single Maintainer Dependency — Project has 1,304 stars and 121 forks but is maintained by a single developer. No information on security audit, code review practices, or contributor vetting process; mission-critical deployments may require additional due diligence.

License & commercial use

Licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license requiring any network service modifications to make source code available to users. Forking, modifying, and deploying on a private network does not trigger the AGPL copyleft obligation; distributing the software or offering it as a service does. Requires careful review before incorporating into proprietary products or commercial deployments.

AGPL-3.0 permits commercial use, but with significant obligations: any modification or network deployment triggers source-code disclosure requirements to users. Internal business use (non-public network, not offered as a service) is permitted. Commercial software vendors, SaaS providers, or organizations planning proprietary modifications must obtain explicit legal counsel. AGPL is NOT a permissive license and requires proactive compliance review.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

README explicitly warns: BETA status and production-readiness depends on operator controls (TLS, reverse proxy, fixed secrets, backups, rate limits). No mention of security audit, vulnerability disclosure policy, or third-party code review. Admin recovery scripts available but no audit logging mentioned. OIDC support present but provider attribute mapping, MFA enforcement, and password policy customization not documented. SQLite is single-process; concurrent access at scale requires consideration. Operators must implement rate limiting, monitor outbound UPDATE_CHECK calls, and enforce network-level access controls.

Alternatives to consider

Excalidraw (Official SaaS)

Official cloud-hosted Excalidraw eliminates self-hosting overhead, guaranteed uptime, and automatic updates. Trade-off: data stored on Excalidraw's servers, not on-premise. Better for teams without self-hosting capability or concerns about vendor lock-in.

Miro or Mural

Commercial diagramming/whiteboarding platforms with enterprise SSO, audit logs, SOC 2 compliance, and professional support. Trade-off: higher cost, proprietary format, not self-hostable. Better for large enterprises with compliance requirements.

draw.io / diagrams.net

Open-source diagram editor with self-hosting option (Docker) and broad diagram type support. Trade-off: no built-in real-time collaboration, different feature set (not Excalidraw-specific). Better if you need a more general-purpose diagramming tool.

Software development agency

Build on ExcaliDash with DEV.co software developers

Start with Docker Compose in minutes. For production deployments, reverse-proxy setup, OIDC integration, and backup strategy—consult our DevOps and cloud deployment services.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

ExcaliDash FAQ

Can I use ExcaliDash offline?
README does not document offline mode. Real-time collaboration requires WebSocket connectivity. Single-user mode appears feasible locally, but no explicit offline sync or offline-first architecture is documented. Requires review of deployment docs or direct inquiry.
What happens to my drawings if I upgrade ExcaliDash?
README provides upgrade instructions: pull latest images, recreate containers, and preserve the backend volume (do not use -v flag with docker down). SQLite database persists in the volume, so drawings are retained. Always backup before upgrading, as BETA status means no guarantee of schema compatibility.
Can I migrate from another Excalidraw instance?
README mentions import/export in .excalidraw format and shows a 'migration' auth onboarding flow for v0.3 users. This suggests some migration tooling exists, but specific migration paths from other platforms are not documented. Requires review of docs/DEPLOYMENT.md or GitHub issues.
Is ExcaliDash suitable for production?
README cautions: 'This is a BETA deployment and production-readiness depends on deployment controls: use TLS, trusted reverse proxy, fixed secrets, backups, and endpoint rate limits.' It is usable in production but requires operator expertise and risk acceptance. Not recommended for mission-critical workflows without additional hardening and monitoring.

Software development & web development with DEV.co

Adopting ExcaliDash is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Ready to Deploy ExcaliDash?

Start with Docker Compose in minutes. For production deployments, reverse-proxy setup, OIDC integration, and backup strategy—consult our DevOps and cloud deployment services.