Flowise provides comprehensive authentication and security features to protect your instance and data.

Authentication Overview

Flowise supports multiple authentication mechanisms:
  • Username/Password Authentication - Local user accounts with JWT tokens
  • Email Verification - Password reset and account verification via email
  • Session Management - Secure session handling with Express sessions
  • JWT Tokens - Access and refresh tokens for API authentication

Basic Authentication Setup

To enable authentication, configure the following environment variables:

Required Configuration

1. Set application URL

Configure the base URL of your Flowise instance:
.env
APP_URL=http://localhost:3000
# For production:
# APP_URL=https://flowise.example.com
2. Generate secure secrets

Generate cryptographically secure secrets for JWT and sessions:
openssl rand -hex 32
Add to your .env file:
.env
JWT_AUTH_TOKEN_SECRET=<32-byte-hex-string>
JWT_REFRESH_TOKEN_SECRET=<32-byte-hex-string>
EXPRESS_SESSION_SECRET=<32-byte-hex-string>
TOKEN_HASH_SECRET=<32-byte-hex-string>
3. Configure JWT settings

.env
JWT_ISSUER=Flowise
JWT_AUDIENCE=Flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360  # 6 hours
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200  # 30 days
Never use weak or default secrets in production. Always generate new, random secrets using openssl rand -hex 32.

Secret Key Management

Flowise supports three methods for storing authentication secrets: environment variables, AWS Secrets Manager, and local secret key files (see How Flowise Handles Secrets below). The simplest is to set them directly in environment variables:
.env
JWT_AUTH_TOKEN_SECRET=<your-secret>
JWT_REFRESH_TOKEN_SECRET=<your-secret>
EXPRESS_SESSION_SECRET=<your-secret>
TOKEN_HASH_SECRET=<your-secret>
Pros: simple, works everywhere. Cons: secrets are stored in plain text.

How Flowise Handles Secrets

Flowise uses a priority system for authentication secrets:
  1. Check environment variables - If set (and not a weak default), use them
  2. Check AWS Secrets Manager - If SECRETKEY_STORAGE_TYPE=aws, retrieve from AWS
  3. Check local files - Look for secret key files in SECRETKEY_PATH
  4. Generate new secrets - If none exist, generate random 32-byte secrets
Flowise automatically detects weak default values and treats them as “not set”, forcing use of file/AWS storage instead.

Token Configuration

Access & Refresh Tokens

JWT_TOKEN_EXPIRY_IN_MINUTES (number, default: 360)
Expiry time for access tokens (default: 6 hours).
.env
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES (number, default: 43200)
Expiry time for refresh tokens (default: 30 days).
.env
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
EXPIRE_AUTH_TOKENS_ON_RESTART (boolean, default: false)
Force all tokens to expire when the application restarts.
.env
EXPIRE_AUTH_TOKENS_ON_RESTART=true

Token Security

Flowise implements several security measures:
  • Token rotation - Refresh tokens can be rotated on use
  • Token hashing - Tokens are hashed before storage using TOKEN_HASH_SECRET
  • Token revocation - Tokens can be invalidated on logout or security events
  • Secure cookies - Tokens stored in HTTP-only cookies when SECURE_COOKIES=true

Email Configuration

Email is required for password reset and user invitations.

SMTP Setup

1. Configure SMTP server

.env
SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_USER=<your-email>
SMTP_PASSWORD=your-app-password
SMTP_SECURE=true
SENDER_EMAIL=<sender-email>
2. Test email configuration

Use the password reset feature to test email delivery.
For Gmail, you need to create an App Password instead of using your regular password.

Email Security

ALLOW_UNAUTHORIZED_CERTS (boolean, default: false)
Allow self-signed SSL certificates (for testing only).
.env
ALLOW_UNAUTHORIZED_CERTS=false
Never enable ALLOW_UNAUTHORIZED_CERTS in production. This bypasses SSL certificate validation.

Password Security

Password Hashing

PASSWORD_SALT_HASH_ROUNDS (number, default: 10)
Number of bcrypt salt rounds for password hashing. Higher values are more secure but slower.
.env
PASSWORD_SALT_HASH_ROUNDS=10

Password Reset

PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS (number, default: 15)
Expiry time for password reset tokens.
.env
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
SECURE_COOKIES (boolean)
Enable secure cookies (HTTPS only). Required for production with HTTPS.
.env
SECURE_COOKIES=true
Always set SECURE_COOKIES=true when using HTTPS. Cookies will only be sent over secure connections.

CORS Configuration

Control which origins can access your Flowise API.
CORS_ORIGINS (string, default: *)
Comma-separated list of allowed origins.
.env
# Allow all origins (development only)
CORS_ORIGINS=*

# Allow specific origins (production)
CORS_ORIGINS=https://flowise.example.com,https://app.example.com
IFRAME_ORIGINS (string, default: *)
Comma-separated list of allowed iframe origins.
.env
IFRAME_ORIGINS=https://flowise.example.com

Proxy & Trust Settings

TRUST_PROXY (string, default: false)
Trust proxy headers for IP detection. Required when behind load balancers. Options: true, false, 1, loopback, linklocal, uniquelocal, or IP addresses.
.env
TRUST_PROXY=true
NUMBER_OF_PROXIES (number)
Number of proxies between user and Flowise.
.env
NUMBER_OF_PROXIES=1

HTTP Security

Security Checks

HTTP_SECURITY_CHECK (boolean, default: true)
Enable HTTP security checks for outbound requests.
.env
HTTP_SECURITY_CHECK=true
HTTP_DENY_LIST (string)
Comma-separated list of blocked HTTP hosts.
.env
HTTP_DENY_LIST=localhost,127.0.0.1,169.254.169.254
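The kind of outbound-host check that HTTP_SECURITY_CHECK with HTTP_DENY_LIST describes, as a stand-alone added example written for this page and not Flowise's own code. It goes slightly beyond a literal string match: the WHATWG URL parser canonicalises alternate IPv4 spellings for free, and an optional `resolve` hook (an assumed synchronous name-to-IP lookup, replaced here by a constructed table) lets a hostname that points at a denied address be refused as well.

```javascript
// Added example, not Flowise's own code: refuse outbound requests whose target host (or the
// address it resolves to) appears in HTTP_DENY_LIST. `resolve` is an assumed lookup hook.
function parseDenyList(raw) {
  return new Set(raw.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// Strip IPv6 brackets and a trailing dot so "localhost." and "[::1]" match plain entries.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
}

// Returns true when the request must be refused. Unparseable URLs and non-HTTP schemes are refused.
function isUrlDenied(urlString, denyList, resolve = () => []) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return true;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  // The WHATWG parser already canonicalises IPv4 forms (decimal, hex, octal) to dotted decimal,
  // so "http://2130706433/" arrives here with hostname "127.0.0.1".
  const host = normaliseHost(url.hostname);
  if (denyList.has(host)) return true;
  // A name that resolves to a denied address is denied as well.
  for (const ip of resolve(host)) {
    if (denyList.has(normaliseHost(ip))) return true;
  }
  return false;
}

// Constructed lookup table standing in for DNS in this example.
const SAMPLE_DNS = {
  'metadata.internal': ['169.254.169.254'],
  'api.example.com': ['203.0.113.10'],
};
const sampleResolve = (host) => SAMPLE_DNS[host] || [];
const SAMPLE_DENY = parseDenyList('localhost,127.0.0.1,169.254.169.254');
```

In a real deployment the resolver would be the application's DNS lookup, and the check would run on every redirect hop as well as the initial request.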

Custom MCP Security

CUSTOM_MCP_SECURITY_CHECK (boolean, default: true)
Enable security checks for custom MCP protocols.
.env
CUSTOM_MCP_SECURITY_CHECK=true
CUSTOM_MCP_PROTOCOL (string, default: sse)
Custom MCP protocol type. Options: stdio or sse.
.env
CUSTOM_MCP_PROTOCOL=sse

User Management

Creating the First Admin User

When you first access Flowise with authentication enabled, you’ll be prompted to create an admin account:
  1. Navigate to your Flowise URL
  2. Click “Sign Up” or you’ll be redirected to registration
  3. Enter admin credentials
  4. Verify email if configured

User Roles

Flowise supports role-based access control:
  • Admin - Full access to all features and settings
  • User - Access to create and manage workflows
  • Viewer - Read-only access
User role management is available in Flowise Enterprise Edition.

Workspace Management (Enterprise)

Workspace Invitations

INVITE_TOKEN_EXPIRY_IN_HOURS (number, default: 24)
Expiry time for workspace invitation tokens.
.env
INVITE_TOKEN_EXPIRY_IN_HOURS=24
WORKSPACE_INVITE_TEMPLATE_PATH (string)
Path to custom workspace invitation email template.
.env
WORKSPACE_INVITE_TEMPLATE_PATH=/path/to/custom/workspace_invite.hbs

Production Security Checklist

Before deploying to production:
  • Generate strong, unique secrets using openssl rand -hex 32
  • Set APP_URL to your production URL
  • Configure SMTP for password reset
  • Enable SECURE_COOKIES=true for HTTPS
  • Set appropriate token expiry times
  • Consider using AWS Secrets Manager for secret storage
  • Never commit secrets to version control

Example Production Configuration

Here’s a complete example for a secure production deployment:
.env
# Application
PORT=3000
APP_URL=https://flowise.example.com

# Database (PostgreSQL with SSL)
DATABASE_TYPE=postgres
DATABASE_HOST=flowise-db.xxxxx.rds.amazonaws.com
DATABASE_PORT=5432
DATABASE_NAME=flowise
DATABASE_USER=flowise
DATABASE_PASSWORD=<strong-password>
DATABASE_SSL=true

# Authentication Secrets (AWS Secrets Manager)
SECRETKEY_STORAGE_TYPE=aws
SECRETKEY_AWS_ACCESS_KEY=<your-access-key>
SECRETKEY_AWS_SECRET_KEY=<your-secret-key>
SECRETKEY_AWS_REGION=us-east-1
SECRETKEY_AWS_NAME=FlowiseEncryptionKey

# JWT Configuration
JWT_ISSUER=Flowise
JWT_AUDIENCE=Flowise
JWT_TOKEN_EXPIRY_IN_MINUTES=360
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200

# Session & Security
SECURE_COOKIES=true
PASSWORD_SALT_HASH_ROUNDS=12
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

# Email (SendGrid)
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASSWORD=<sendgrid-api-key>
SMTP_SECURE=true
SENDER_EMAIL=<sender-email>

# CORS & Network
CORS_ORIGINS=https://flowise.example.com,https://app.example.com
IFRAME_ORIGINS=https://flowise.example.com
TRUST_PROXY=true
NUMBER_OF_PROXIES=1

# HTTP Security
HTTP_SECURITY_CHECK=true
HTTP_DENY_LIST=localhost,127.0.0.1,169.254.169.254

# Storage (S3)
STORAGE_TYPE=s3
S3_STORAGE_BUCKET_NAME=flowise-production
S3_STORAGE_ACCESS_KEY_ID=<your-access-key>
S3_STORAGE_SECRET_ACCESS_KEY=<your-secret-key>
S3_STORAGE_REGION=us-east-1

# Logging
LOG_LEVEL=info
LOG_SANITIZE_BODY_FIELDS=password,pwd,pass,secret,token,apikey,api_key
LOG_SANITIZE_HEADER_FIELDS=authorization,x-api-key,x-auth-token,cookie
DISABLE_FLOWISE_TELEMETRY=true

# Security
CUSTOM_MCP_SECURITY_CHECK=true
CUSTOM_MCP_PROTOCOL=sse

Troubleshooting

Common Issues

Authentication not working:
  1. Verify APP_URL is set correctly
  2. Check that secrets are properly configured
  3. Ensure the database is accessible
  4. Check logs for authentication errors
  5. Verify CORS settings if accessing from a different origin

Emails not being delivered:
  1. Verify the SMTP configuration is correct
  2. Test SMTP credentials separately
  3. Check the spam folder
  4. Verify the sender email is authenticated
  5. Check that the firewall allows outbound SMTP connections

Tokens expiring unexpectedly:
  1. Check the JWT_TOKEN_EXPIRY_IN_MINUTES setting
  2. Verify the system clock is accurate
  3. Check whether EXPIRE_AUTH_TOKENS_ON_RESTART=true
  4. Look for token revocation in logs

CORS errors:
  1. Set CORS_ORIGINS to include your frontend URL
  2. Ensure the protocol (http/https) matches exactly
  3. Check for trailing slashes in URLs
  4. Verify TRUST_PROXY is set correctly

Next Steps

  • Environment Variables - Complete environment variable reference
  • Docker Deployment - Deploy Flowise with Docker
  • Cloud Providers - Deploy to cloud platforms