Application
Learn how to set up app-level access control for your Flowise instances
Email & Password
From v3.0.1 onwards, a new authentication method was introduced. Flowise uses a Passport.js-based authentication system with JWT tokens stored in secure HTTP-only cookies. When a user logs in, the system validates their email/password against the database using bcrypt hash comparison, then generates two JWT tokens: a short-lived access token (default 60 minutes) and a long-lived refresh token (default 90 days). These tokens are stored as secure cookies. For subsequent requests, the system extracts the JWT from cookies, validates the signature and claims using Passport's JWT strategy, and checks that the user session still exists. The system also supports automatic token refresh when the access token expires, maintains sessions using either Redis or database storage depending on configuration.
For existing users who have been using Username & Password (Deprecated), you need to set up a new admin account. To prevent unauthorized ownership claims, you must first authenticate using the existing username and password configured as FLOWISE_USERNAME
and FLOWISE_PASSWORD
.

The following environment variables can be altered:
Application URL
APP_URL
- Your hosted Flowise appication URL. Default tohttp://localhost:3000
JWT Environment Variables Configuration
To configure Flowise's JWT authentication parameters, user may alter the following environment variables:
JWT_AUTH_TOKEN_SECRET
- The secret key for signing access tokensJWT_REFRESH_TOKEN_SECRET
- Secret for refresh tokens (defaults to auth token secret if not set)JWT_TOKEN_EXPIRY_IN_MINUTES
- Access token lifetime (default: 60 minutes)JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES
- Refresh token lifetime (default: 129,600 minutes or 90 days)JWT_AUDIENCE
- Token validation audience claim (default: 'AUDIENCE')JWT_ISSUER
- Token validation issuer claim (default: 'ISSUER')EXPRESS_SESSION_SECRET
- Session encryption secret (default: 'flowise')EXPIRE_AUTH_TOKENS_ON_RESTART
- Set to 'true' to invalidate all tokens on server restart (useful for development)
SMTP Email Configuration
Configure these variables to enable email functionality for password resets, and notifications:
SMTP_HOST
- The hostname of your SMTP server (e.g.,smtp.gmail.com
,smtp.host.com
)SMTP_PORT
- The port number for SMTP connection (common values:587
for TLS,465
for SSL,25
for unencrypted)SMTP_USER
- Username for SMTP authentication (usually your email address)SMTP_PASSWORD
- Password or app-specific password for SMTP authenticationSMTP_SECURE
- Set totrue
for SSL/TLS encryption,false
for unencrypted connectionsALLOW_UNAUTHORIZED_CERTS
- Set totrue
to allow self-signed certificates (not recommended for production)SENDER_EMAIL
- The "from" email address that will appear on outgoing emails
Security and Token Configuration
These variables control authentication security, token expiration, and password hashing:
PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS
- Expiration time for password reset tokens (default: 15 minutes)PASSWORD_SALT_HASH_ROUNDS
- Number of bcrypt salt rounds for password hashing (default: 10, higher = more secure but slower)TOKEN_HASH_SECRET
- Secret key used for hashing tokens and sensitive data (use a strong, random string)
Security Best Practices
Use strong, unique values for
TOKEN_HASH_SECRET
and store them securelyFor production, use
SMTP_SECURE=true
andALLOW_UNAUTHORIZED_CERTS=false
Set appropriate token expiry times based on your security requirements
Use higher
PASSWORD_SALT_HASH_ROUNDS
values (12-15) for better security in production
Username & Password (Deprecated)
App level authorization protects your Flowise instance by username and password. This protects your apps from being accessible by anyone when deployed online.

How to Set Username & Password
Npm
Install Flowise
npm install -g flowise
Start Flowise with username & password
npx flowise start --FLOWISE_USERNAME=user --FLOWISE_PASSWORD=1234
Docker
Navigate to
docker
folder
cd docker
Create
.env
file and specify thePORT
,FLOWISE_USERNAME
, andFLOWISE_PASSWORD
PORT=3000
FLOWISE_USERNAME=user
FLOWISE_PASSWORD=1234
Pass
FLOWISE_USERNAME
andFLOWISE_PASSWORD
to thedocker-compose.yml
file:
environment:
- PORT=${PORT}
- FLOWISE_USERNAME=${FLOWISE_USERNAME}
- FLOWISE_PASSWORD=${FLOWISE_PASSWORD}
docker compose up -d
You can bring the containers down by
docker compose stop
Git clone
To enable app level authentication, add FLOWISE_USERNAME
and FLOWISE_PASSWORD
to the .env
file in packages/server
:
FLOWISE_USERNAME=user
FLOWISE_PASSWORD=1234
Last updated