
Application

Learn how to set up app-level access control for your Flowise instances


Last updated 1 day ago


Email & Password

From v3.0.1 onwards, a new authentication method was introduced. Flowise uses a Passport.js-based authentication system with JWT tokens stored in secure HTTP-only cookies. When a user logs in, the system validates their email/password against the database using bcrypt hash comparison, then generates two JWT tokens: a short-lived access token (default 60 minutes) and a long-lived refresh token (default 90 days). These tokens are stored as secure cookies. For subsequent requests, the system extracts the JWT from cookies, validates the signature and claims using Passport's JWT strategy, and checks that the user session still exists. The system also supports automatic token refresh when the access token expires, and maintains sessions using either Redis or database storage depending on configuration.

For existing users who have been using Username & Password (Deprecated), you need to set up a new admin account. To prevent unauthorized ownership claims, you must first authenticate using the existing username and password configured as FLOWISE_USERNAME and FLOWISE_PASSWORD.

The following environment variables can be altered:

Application URL

  • APP_URL - Your hosted Flowise application URL. Defaults to http://localhost:3000

JWT Environment Variables Configuration

To configure Flowise's JWT authentication parameters, users may alter the following environment variables:

  • JWT_AUTH_TOKEN_SECRET - The secret key for signing access tokens

  • JWT_REFRESH_TOKEN_SECRET - Secret for refresh tokens (defaults to auth token secret if not set)

  • JWT_TOKEN_EXPIRY_IN_MINUTES - Access token lifetime (default: 60 minutes)

  • JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES - Refresh token lifetime (default: 129,600 minutes or 90 days)

  • JWT_AUDIENCE - Token validation audience claim (default: 'AUDIENCE')

  • JWT_ISSUER - Token validation issuer claim (default: 'ISSUER')

  • EXPRESS_SESSION_SECRET - Session encryption secret (default: 'flowise')

  • EXPIRE_AUTH_TOKENS_ON_RESTART - Set to 'true' to invalidate all tokens on server restart (useful for development)

SMTP Email Configuration

Configure these variables to enable email functionality for password resets and notifications:

  • SMTP_HOST - The hostname of your SMTP server (e.g., smtp.gmail.com, smtp.host.com)

  • SMTP_PORT - The port number for SMTP connection (common values: 587 for TLS, 465 for SSL, 25 for unencrypted)

  • SMTP_USER - Username for SMTP authentication (usually your email address)

  • SMTP_PASSWORD - Password or app-specific password for SMTP authentication

  • SMTP_SECURE - Set to true for SSL/TLS encryption, false for unencrypted connections

  • ALLOW_UNAUTHORIZED_CERTS - Set to true to allow self-signed certificates (not recommended for production)

  • SENDER_EMAIL - The "from" email address that will appear on outgoing emails

Security and Token Configuration

These variables control authentication security, token expiration, and password hashing:

  • PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS - Expiration time for password reset tokens (default: 15 minutes)

  • PASSWORD_SALT_HASH_ROUNDS - Number of bcrypt salt rounds for password hashing (default: 10, higher = more secure but slower)

  • TOKEN_HASH_SECRET - Secret key used for hashing tokens and sensitive data (use a strong, random string)

Security Best Practices

  • Use strong, unique values for TOKEN_HASH_SECRET and store them securely

  • For production, use SMTP_SECURE=true and ALLOW_UNAUTHORIZED_CERTS=false

  • Set appropriate token expiry times based on your security requirements

  • Use higher PASSWORD_SALT_HASH_ROUNDS values (12-15) for better security in production
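
The variables and best practices above can be turned into a pre-deployment check. The following is an added example, not code from Flowise: `parseEnv`, `auditAuthEnv`, the finding messages and the 32-character minimum are assumptions of this example, and the sample .env content is constructed.

```javascript
// Added example: audit Flowise auth settings against the defaults and best practices on this page.
const DOC_DEFAULTS = { JWT_AUDIENCE: 'AUDIENCE', JWT_ISSUER: 'ISSUER', EXPRESS_SESSION_SECRET: 'flowise' };
const UNSET_NOTE = { JWT_REFRESH_TOKEN_SECRET: 'unset, falls back to JWT_AUTH_TOKEN_SECRET', EXPRESS_SESSION_SECRET: "unset, documented default 'flowise' applies" };
const SECRETS = ['JWT_AUTH_TOKEN_SECRET', 'JWT_REFRESH_TOKEN_SECRET', 'EXPRESS_SESSION_SECRET', 'TOKEN_HASH_SECRET'];
const MIN_SECRET_LEN = 32; // assumption of this example, not a Flowise requirement

// Minimal KEY=VALUE parser for .env text (no quoting or multi-line support).
function parseEnv(text) {
  const lines = text.split('\n').map((l) => l.trim()).filter((l) => l && !l.startsWith('#') && l.includes('='));
  return Object.fromEntries(lines.map((l) => [l.slice(0, l.indexOf('=')), l.slice(l.indexOf('=') + 1)]));
}

function auditAuthEnv(env) {
  const findings = [];
  const flag = (name, msg) => findings.push(`${name}: ${msg}`);
  for (const name of SECRETS) {
    const value = env[name];
    if (!value) flag(name, UNSET_NOTE[name] ?? 'unset');
    else if (value === DOC_DEFAULTS[name]) flag(name, 'set to the documented default');
    else if (value.length < MIN_SECRET_LEN) flag(name, `shorter than ${MIN_SECRET_LEN} characters`);
  }
  if (env.JWT_AUTH_TOKEN_SECRET && env.JWT_REFRESH_TOKEN_SECRET === env.JWT_AUTH_TOKEN_SECRET)
    flag('JWT_REFRESH_TOKEN_SECRET', 'same value as JWT_AUTH_TOKEN_SECRET');
  for (const name of ['JWT_AUDIENCE', 'JWT_ISSUER'])
    if (!env[name] || env[name] === DOC_DEFAULTS[name]) flag(name, 'documented placeholder default in use');
  // bcrypt rounds: the documented default is 10, the page recommends 12-15 for production.
  const rounds = Number(env.PASSWORD_SALT_HASH_ROUNDS ?? 10);
  if (!Number.isInteger(rounds) || rounds < 12) flag('PASSWORD_SALT_HASH_ROUNDS', 'below the recommended 12-15');
  if (env.SMTP_HOST) { // only audit SMTP when email is configured
    if (env.SMTP_SECURE !== 'true') flag('SMTP_SECURE', 'not true');
    if (env.ALLOW_UNAUTHORIZED_CERTS === 'true') flag('ALLOW_UNAUTHORIZED_CERTS', 'self-signed certificates accepted');
  }
  return findings;
}

// Constructed sample input, not a real deployment.
const WEAK_ENV = parseEnv(`
JWT_AUTH_TOKEN_SECRET=changeme
EXPRESS_SESSION_SECRET=flowise
SMTP_HOST=smtp.example.com
SMTP_SECURE=false
ALLOW_UNAUTHORIZED_CERTS=true
`);
console.log(auditAuthEnv(WEAK_ENV).join('\n'));
```

An empty result from `auditAuthEnv` means none of the checks fired; it does not measure the randomness of the secrets themselves.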

Username & Password (Deprecated)

App level authorization protects your Flowise instance by username and password. This protects your apps from being accessible by anyone when deployed online.

How to Set Username & Password

Npm

  1. Install Flowise

npm install -g flowise

  2. Start Flowise with username & password

npx flowise start --FLOWISE_USERNAME=user --FLOWISE_PASSWORD=1234

Docker

  1. Navigate to docker folder

cd docker

  2. Create .env file and specify the PORT, FLOWISE_USERNAME, and FLOWISE_PASSWORD

PORT=3000
FLOWISE_USERNAME=user
FLOWISE_PASSWORD=1234

  3. Pass FLOWISE_USERNAME and FLOWISE_PASSWORD to the docker-compose.yml file:

environment:
    - PORT=${PORT}
    - FLOWISE_USERNAME=${FLOWISE_USERNAME}
    - FLOWISE_PASSWORD=${FLOWISE_PASSWORD}

  4. docker compose up -d

  5. You can bring the containers down by docker compose stop

Git clone

To enable app level authentication, add FLOWISE_USERNAME and FLOWISE_PASSWORD to the .env file in packages/server:

FLOWISE_USERNAME=user
FLOWISE_PASSWORD=1234
