Flowise provides multiple authentication methods including JWT-based authentication, basic HTTP auth, and enterprise SSO options.

Authentication Methods

JWT Authentication

Flowise uses JSON Web Tokens (JWT) for modern authentication with access and refresh token support.

Configure JWT Secrets

Generate secure random secrets for JWT tokens:
# Generate secrets
openssl rand -hex 32  # Use for JWT_AUTH_TOKEN_SECRET
openssl rand -hex 32  # Use for JWT_REFRESH_TOKEN_SECRET
Add to your .env file:
# JWT Configuration
JWT_AUTH_TOKEN_SECRET=your_generated_secret_here
JWT_REFRESH_TOKEN_SECRET=your_generated_refresh_secret_here
JWT_ISSUER=Flowise
JWT_AUDIENCE=Flowise
If you don’t set JWT_AUTH_TOKEN_SECRET and JWT_REFRESH_TOKEN_SECRET, Flowise will automatically generate and store them securely in the filesystem or AWS Secrets Manager.

JWT Token Configuration

JWT_AUTH_TOKEN_SECRET (string): Secret key for signing access tokens. Auto-generated if not provided.
JWT_REFRESH_TOKEN_SECRET (string): Secret key for signing refresh tokens. Auto-generated if not provided.
JWT_ISSUER (string, default "Flowise"): Token issuer claim (iss).
JWT_AUDIENCE (string, default "Flowise"): Token audience claim (aud).
JWT_TOKEN_EXPIRY_IN_MINUTES (number, default 360): Access token lifetime in minutes (the default is 6 hours).
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES (number, default 43200): Refresh token lifetime in minutes (the default is 30 days).

Basic HTTP Authentication

Basic authentication is a legacy feature. For production deployments, use JWT authentication instead.
Set username and password for basic HTTP authentication:
FLOWISE_USERNAME=admin
FLOWISE_PASSWORD=your_secure_password
FLOWISE_USERNAME (string): Username for basic HTTP authentication.
FLOWISE_PASSWORD (string): Password for basic HTTP authentication.

Session Management

Express Session Configuration

# Generate session secret
EXPRESS_SESSION_SECRET=$(openssl rand -hex 32)
EXPRESS_SESSION_SECRET (string): Secret for Express session cookie signing. Auto-generated if not provided.
SECURE_COOKIES (boolean): Enable the secure flag on cookies. Set to true for HTTPS deployments.
SECURE_COOKIES=true  # For HTTPS

Token Management

TOKEN_HASH_SECRET (string): Secret for hashing authentication tokens. Auto-generated if not provided.
TOKEN_HASH_SECRET=$(openssl rand -hex 32)
EXPIRE_AUTH_TOKENS_ON_RESTART (boolean, default false): Force all users to re-authenticate when the application restarts.
EXPIRE_AUTH_TOKENS_ON_RESTART=true

User Management

Password Configuration

PASSWORD_SALT_HASH_ROUNDS (number, default 10): Number of bcrypt salt rounds for password hashing. Higher values are more secure but slower.
  • 10: Default (recommended for most use cases)
  • 12: Higher security
  • 14: Maximum security (slower)

Invitation & Password Reset

INVITE_TOKEN_EXPIRY_IN_HOURS (number, default 24): Workspace invitation token validity period in hours.
INVITE_TOKEN_EXPIRY_IN_HOURS=48  # 2 days
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS (number, default 15): Password reset token validity period in minutes.
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=30  # 30 minutes

Secret Storage

Flowise supports multiple storage backends for authentication secrets:

Local File Storage (Default)

Secrets are stored in encrypted files on the local filesystem:
SECRETKEY_STORAGE_TYPE=local
SECRETKEY_PATH=/path/to/secret/storage  # Default: ~/.flowise
SECRETKEY_STORAGE_TYPE (string, default "local"): Storage backend for secrets. Options: local, aws.
SECRETKEY_PATH (string, default "~/.flowise"): Local directory for storing secret keys when using local storage.

AWS Secrets Manager

For production deployments, use AWS Secrets Manager:
SECRETKEY_STORAGE_TYPE=aws
SECRETKEY_AWS_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
SECRETKEY_AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
SECRETKEY_AWS_REGION=us-east-1
SECRETKEY_AWS_NAME=FlowiseEncryptionKey
SECRETKEY_AWS_AUTH_PREFIX=Flowise
SECRETKEY_AWS_ACCESS_KEY (string): AWS access key ID with permissions for Secrets Manager.
SECRETKEY_AWS_SECRET_KEY (string): AWS secret access key.
SECRETKEY_AWS_REGION (string, default "us-west-2"): AWS region where secrets are stored.
SECRETKEY_AWS_NAME (string, default "FlowiseEncryptionKey"): Name of the main encryption key secret in AWS Secrets Manager.
SECRETKEY_AWS_AUTH_PREFIX (string, default "Flowise"): Prefix for auth-related secret names (e.g., FlowiseTokenHashSecret).
When using AWS Secrets Manager, the following secrets are automatically created:
  • {PREFIX}TokenHashSecret
  • {PREFIX}ExpressSessionSecret
  • {PREFIX}JWTAuthTokenSecret
  • {PREFIX}JWTRefreshTokenSecret
  • {PREFIX}JWTIssuer
  • {PREFIX}JWTAudience

Required IAM Permissions

If using AWS Secrets Manager, ensure your IAM user/role has these permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:CreateSecret",
        "secretsmanager:UpdateSecret"
      ],
      "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:Flowise*"
    }
  ]
}

Enterprise SSO (Enterprise Edition)

SSO features require Flowise Enterprise Edition.
Flowise Enterprise supports multiple SSO providers:
  • Google OAuth 2.0
  • Microsoft Azure AD
  • Auth0
  • GitHub
SSO configuration is managed through the Admin UI under Settings > Login Methods.

Email Configuration for Auth

Configure SMTP for sending authentication emails (verification, password reset, invitations):
# SMTP Configuration
SMTP_HOST=smtp.gmail.com
SMTP_PORT=465
SMTP_USER=[email protected]
SMTP_PASSWORD=your_app_password
SMTP_SECURE=true
SENDER_EMAIL=[email protected]
SMTP_HOST (string): SMTP server hostname.
SMTP_PORT (number, default 465): SMTP server port (465 for SSL, 587 for TLS).
SMTP_USER (string): SMTP authentication username.
SMTP_PASSWORD (string): SMTP authentication password.
SMTP_SECURE (boolean, default true): Use TLS/SSL for the SMTP connection.
SENDER_EMAIL (string): From address for all authentication emails.

Custom Email Templates

WORKSPACE_INVITE_TEMPLATE_PATH (string): Path to a custom Handlebars template for workspace invitation emails.
WORKSPACE_INVITE_TEMPLATE_PATH=/path/to/templates/workspace_invite.hbs

Security Best Practices

1. Use Strong Secrets

Always generate cryptographically secure random values:
# Generate 32-byte hex strings
openssl rand -hex 32

2. Enable HTTPS

For production, always use HTTPS and enable secure cookies:
APP_URL=https://flowise.yourdomain.com
SECURE_COOKIES=true

3. Configure Token Expiry

Set appropriate token expiration based on your security requirements:
# Shorter expiry for high-security environments
JWT_TOKEN_EXPIRY_IN_MINUTES=60          # 1 hour
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=1440  # 1 day

4. Use AWS Secrets Manager in Production

For production deployments, store secrets in AWS Secrets Manager:
SECRETKEY_STORAGE_TYPE=aws
SECRETKEY_AWS_REGION=us-east-1
# AWS credentials via IAM role (recommended) or access keys

5. Rotate Secrets Regularly

Implement a secret rotation policy:
  1. Generate new secrets
  2. Update environment variables
  3. Restart Flowise
  4. Optionally expire existing tokens with EXPIRE_AUTH_TOKENS_ON_RESTART=true

Testing Authentication

Verify Basic Auth

curl -u username:password http://localhost:3000/api/v1/account/basic-auth

Get JWT Token

curl -X POST http://localhost:3000/api/v1/account/login \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"password"}'

Use JWT Token

curl http://localhost:3000/api/v1/chatflows \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Troubleshooting

Invalid or Expired Token

Problem: Users get logged out unexpectedly.
Solutions:
  • Check JWT_TOKEN_EXPIRY_IN_MINUTES is appropriate
  • Ensure system clocks are synchronized (JWT uses timestamps)
  • Verify JWT_AUTH_TOKEN_SECRET hasn’t changed

SMTP Connection Failed

Problem: Email invitations are not being sent.
Solutions:
  • Verify SMTP credentials are correct
  • Check that the firewall allows outbound connections on the SMTP port
  • For Gmail, use an App Password instead of the account password
  • Test the SMTP settings with debug logging enabled:
DEBUG=true LOG_LEVEL=debug

AWS Secrets Manager Access Denied

Problem: Cannot read or write secrets in AWS.
Solutions:
  • Verify IAM permissions (see Required IAM Permissions above)
  • Check AWS credentials are valid
  • Ensure region is correct
  • Verify secret names match the prefix pattern

Example Production Configuration

# Production Authentication Setup

# JWT Configuration (auto-generated, stored in AWS)
SECRETKEY_STORAGE_TYPE=aws
SECRETKEY_AWS_REGION=us-east-1
SECRETKEY_AWS_AUTH_PREFIX=FlowiseProd

# Token Expiry
JWT_TOKEN_EXPIRY_IN_MINUTES=120
JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=10080
EXPIRE_AUTH_TOKENS_ON_RESTART=false

# Session Security
SECURE_COOKIES=true

# Password Security
PASSWORD_SALT_HASH_ROUNDS=12

# Email Configuration
SMTP_HOST=smtp.sendgrid.net
SMTP_PORT=587
SMTP_USER=apikey
SMTP_PASSWORD=${SENDGRID_API_KEY}
SMTP_SECURE=true
SENDER_EMAIL=[email protected]

# Invitation and Password Reset Token Expiry
INVITE_TOKEN_EXPIRY_IN_HOURS=24
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15

# Application URL
APP_URL=https://flowise.yourdomain.com
