Restricting execution of flows (endpoint security / per‐key permissions)

[flefevre]

Hello Langflow team,

I’m using Langflow to allow users to build flows and then expose endpoints (e.g. /api/v1/run/$FLOW_ID) for execution. My concern is around the authorization model for executing flows:

A user creates a flow, and an endpoint (e.g. /api/v1/run/{flow_id}) becomes available for execution.

It appears that any client possessing an API key (via x-api-key header or query param) may call the endpoint and run that flow, provided the key is valid.

The question: Is there a mechanism to restrict which API keys can execute a given flow? For example:

• Only the flow’s owner (or a set of approved users) may execute it.
• Or each user has a unique API key that only grants execution rights for the flows they own/are permitted.
• Possibly restrict per‐endpoint (flow) rather than globally.

My use case summary:

• I host a Langflow server for multiple internal teams.
• Team A creates several flows and I want Team A to only allow their internal clients to execute those flows. Team B should not be able to execute Team A’s flows.
• Ideally each team/client has their own API key or credentials, and execution is scoped accordingly.
• I want to avoid the situation where one key (or all keys) can execute all flows irrespective of ownership.

Thank you for any guidance!

Best regards,

[flefevre]

We are checking our configuration of Langflow helm. It is possible we have missed something. I will close if we find

[flefevre]

feat: Add flow execution permission checks #10306