Overview The AutoMFlows API does not currently require authentication for local development and internal network usage. All endpoints are publicly accessible without API keys, tokens, or credentials.
No Authentication Required You can make requests directly without any authentication headers:
curl http://localhost:3003/api/workflows/execution/status
fetch ( 'http://localhost:3003/api/workflows/execution/status' ) . then ( res => res . json ()) . then ( data => console . log ( data ));
Security Considerations The default configuration is designed for local development only . If deploying AutoMFlows where it’s accessible over a network, implement appropriate security measures.
Local Development For local development, no authentication is needed:
API runs on localhost by default
Access is limited to the local machine
Suitable for development and testing
Network Deployment If exposing the API over a network (using --host flag), consider these security measures:
1. Reverse Proxy with Authentication Use Nginx or Apache as a reverse proxy with HTTP Basic Authentication:
Nginx Configuration: server { listen 80 ; server_name automflows.yourdomain.com; auth_basic "AutoMFlows API" ; auth_basic_user_file /etc/nginx/.htpasswd; location / { proxy_pass http://localhost:3003; proxy_http_version 1.1 ; proxy_set_header Upgrade $ http_upgrade ; proxy_set_header Connection 'upgrade' ; proxy_set_header Host $ host ; proxy_cache_bypass $ http_upgrade ; } }
Create password file:
sudo htpasswd -c /etc/nginx/.htpasswd username
2. Custom Authentication Middleware Add authentication middleware to backend/src/server.ts:
import express from 'express' ; // API Key middleware const apiKeyAuth = ( req : express . Request , res : express . Response , next : express . NextFunction ) => { const apiKey = req . headers [ 'x-api-key' ]; if ( ! apiKey || apiKey !== process . env . API_KEY ) { return res . status ( 401 ). json ({ error: 'Unauthorized' , message: 'Invalid or missing API key' }); } next (); }; // Apply to all API routes app . use ( '/api' , apiKeyAuth );
Then use the API with an API key:
curl http://localhost:3003/api/workflows/execution/status \ -H "X-API-Key: your-secret-api-key"
3. JWT Authentication Implement JWT-based authentication for more sophisticated access control:
import jwt from 'jsonwebtoken' ; const jwtAuth = ( req : express . Request , res : express . Response , next : express . NextFunction ) => { const token = req . headers . authorization ?. split ( ' ' )[ 1 ]; if ( ! token ) { return res . status ( 401 ). json ({ error: 'Unauthorized' , message: 'Missing authentication token' }); } try { const decoded = jwt . verify ( token , process . env . JWT_SECRET ! ); ( req as any ). user = decoded ; next (); } catch ( error ) { return res . status ( 401 ). json ({ error: 'Unauthorized' , message: 'Invalid token' }); } }; app . use ( '/api' , jwtAuth );
Make authenticated requests:
curl http://localhost:3003/api/workflows/execution/status \ -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
CORS Configuration By default, CORS is enabled for all origins:
app . use ( cors ({ origin: '*' , methods: [ 'GET' , 'POST' , 'DELETE' ] }));
Restrict CORS Origins For production, restrict CORS to specific domains:
app . use ( cors ({ origin: [ 'https://yourdomain.com' , 'https://app.yourdomain.com' ], methods: [ 'GET' , 'POST' , 'DELETE' ], credentials: true }));
HTTPS/TLS For production deployments, always use HTTPS to encrypt traffic:
Option 1: Reverse Proxy with SSL Use Nginx or Apache with Let’s Encrypt SSL certificates:
sudo certbot --nginx -d automflows.yourdomain.com
Option 2: Node.js HTTPS Server Modify backend/src/server.ts to use HTTPS:
import https from 'https' ; import fs from 'fs' ; const httpsOptions = { key: fs . readFileSync ( '/path/to/privkey.pem' ), cert: fs . readFileSync ( '/path/to/cert.pem' ) }; const httpsServer = https . createServer ( httpsOptions , app ); httpsServer . listen ( PORT , () => { console . log ( `Secure server running on https://localhost: ${ PORT } ` ); });
Network Access Control Limit API access by network configuration:
Firewall Rules Restrict access to specific IP addresses:
# Allow only specific IP sudo ufw allow from 192.168.1.100 to any port 3003 # Block all other access sudo ufw deny 3003
Bind to Specific Interface By default, the server binds to localhost. To expose on a network:
# Bind to all interfaces npm run dev -- --host 0.0.0.0 # Bind to specific interface HOST = 192.168.1.100 npm run dev
Environment Variables Use environment variables for sensitive configuration:
# .env API_KEY = your-secret-api-key-here JWT_SECRET = your-jwt-secret-here ALLOWED_ORIGINS = https://yourdomain.com,https://app.yourdomain.com
Load environment variables:
import dotenv from 'dotenv' ; dotenv . config (); const API_KEY = process . env . API_KEY ; const JWT_SECRET = process . env . JWT_SECRET ;
Best Practices
Use HTTPS
Always use HTTPS in production to encrypt API traffic
Implement Authentication
Add API key, JWT, or OAuth authentication for network deployments
Restrict CORS
Limit CORS to specific trusted origins in production
Rate Limiting
Implement rate limiting to prevent abuse
Network Isolation
Use firewall rules and VPNs to restrict network access
Next Steps
Execute Workflows Start executing workflows via API
Monitor Execution Track workflow execution status
