I’ve successfully hosted Flowise on a VPS, but I’m worried about the security of the API. How do I implement Bearer token authentication for the endpoints? I don't want anyone who finds my IP to be able to burn through my OpenAI credits. Is there a built-in way to restrict access, or do I need to put an Nginx reverse proxy in front of it?
3 answers
Security should be your top priority here. Flowise actually has a built-in "API Key" feature that you can enable via environment variables (APIKEY_PATH). Once enabled, any request to your flows will require a header with that key. However, for true production security, I always recommend an Nginx reverse proxy with SSL (Certbot/Let's Encrypt). This not only encrypts the traffic but also allows you to set up rate limiting. This prevents brute-force attacks and ensures that a single user can't spam your endpoint and drain your wallet.
Have you considered using a VPN or a tool like Tailscale to keep the entire Flowise dashboard off the public internet?
Don't forget to password-protect the main UI as well using the FLOWISE_USERNAME and FLOWISE_PASSWORD environment variables.
Yes, Susan! It’s surprising how many people forget to lock the front door of their Flowise instance while focusing entirely on the backend API security.
I’m actually using a custom frontend, Daniel. So the dashboard can stay hidden, but the API itself must be reachable. I’ll look into the Nginx rate-limiting idea to keep things under control.