Skip to main content

JWT authentication

Langflow supports symmetric or asymmetric JSON Web Tokens (JWT) for user authentication and authorization.

JWT is an open standard for securely transmitting information between parties as a JSON object. Use JWT to create credentials that automatically expire, enable stateless authentication without database storage, and work across distributed systems.

JWT authentication with the HS256 algorithm is enabled by default, but can be configured further with the LANGFLOW_ALGORITHM environment variable.

About the JWT structure and contents

When a user logs in with their username and password at the /api/v1/login endpoint, Langflow validates the credentials and creates a JWT token containing the user's identity and expiration time. This token is then used for subsequent API requests instead of sending credentials with each request.

A JWT consists of three parts separated by dots (.):


_10
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

  • The header contains the token type and signing algorithm.
  • The payload contains claims, which are token data for user information and expiration time.
  • The signature is a secret key that ensures the token hasn't been tampered with.

Each part of the JWT is Base64URL-encoded. You can paste this example JWT to decode the actual JSON data at jwt.io.

Configure JWT environment variables

Configure JWT authentication in Langflow using the following environment variables:

VariableDescriptionDefault
LANGFLOW_ALGORITHMJWT signing algorithm (HS256, RS256, or RS512)HS256
LANGFLOW_SECRET_KEYSecret key for HS256 signingAuto-generated
LANGFLOW_PRIVATE_KEYRSA private key for RS256/RS512 signingAuto-generated
LANGFLOW_PUBLIC_KEYRSA public key for RS256/RS512 verificationDerived from private key
LANGFLOW_ACCESS_TOKEN_EXPIRE_SECONDSAccess token expiration time3600 (1 hour)
LANGFLOW_REFRESH_TOKEN_EXPIRE_SECONDSRefresh token expiration time604800 (7 days)

Configure signing algorithms

Langflow supports multiple signing algorithms and both symmetric (HS256) and asymmetric (RS256, RS512) JWTs.

Which method you choose depends upon your deployment's requirements.

HS256 (Default)

HS256 is the default JWT algorithm, with a good security level for single-server deployments. Langflow automatically generates and persists a secret key. No configuration is necessary, but if you want to explicitly set it in the Langflow .env, the default value is LANGFLOW_ALGORITHM=HS256.

To generate a custom secure key instead of using the Langflow-generated secret key, do the following:

  1. Generate a secure secret key with the Python secrets module or OpenSSL. The key must be at least 32 characters long.

    Using Python:


    _10
    python -c "import secrets; print(secrets.token_urlsafe(32))"

    Using OpenSSL:


    _10
    openssl rand -base64 32

  2. Set the value for LANGFLOW_SECRET_KEY in your .env file.


    _10
    LANGFLOW_ALGORITHM="HS256"
    _10
    LANGFLOW_SECRET_KEY="your-custom-secret-key"

RS256

The RS256 signing algorithm provides better security for production deployments by using a pair of private and public keys. The private key signs tokens, and the public verifies them. The private key must be kept secret, while the public key can be safely shared.

To automatically generate a private and public key pair and store it in the Langflow LANGFLOW_CONFIG_DIR, set LANGFLOW_ALGORITHM="RS256" in your Langflow .env. When Langflow starts, it will:

  1. Check if RSA keys exist in the configuration directory.
  2. If not, generate a new 2048-bit RSA key pair.
  3. Save the keys to private_key.pem and public_key.pem.
  4. Reuse the same keys on subsequent startups.

To use a custom private key instead of the auto-generated keys, set the following in your .env file. The LANGFLOW_PUBLIC_KEY will be automatically derived from the private key.


_10
LANGFLOW_ALGORITHM=RS256
_10
LANGFLOW_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
_10
MIIEvgIBADANBgkqhkiG9w0BAQEF...
_10
-----END PRIVATE KEY-----"

To use a custom key pair, set both keys in your Langflow .env file.


_10
LANGFLOW_ALGORITHM=RS256
_10
LANGFLOW_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
_10
MIIEvgIBADANBgkqhkiG9w0BAQEF...
_10
-----END PRIVATE KEY-----"
_10
LANGFLOW_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
_10
MIIBIjANBgkqhkiG9w0BAQEFAAOC...
_10
-----END PUBLIC KEY-----"

To generate an RSA key pair manually, do the following:

  1. Generate a 2048-bit private key:


    _10
    openssl genrsa -out private_key.pem 2048

  2. Extract the public key from the private key:


    _10
    openssl rsa -in private_key.pem -pubout -out public_key.pem

  3. Verify the keys were created:


    _10
    cat private_key.pem
    _10
    cat public_key.pem

RS512

RS512 uses the same RSA format of private and public keys as RS256, but uses the SHA-512 hashing algorithm for greater security. The private key signs tokens, and the public verifies them. The private key must be kept secret, while the public key can be safely shared.

To automatically generate a private and public key pair and store it in the Langflow LANGFLOW_CONFIG_DIR, set LANGFLOW_ALGORITHM="RS512" in your Langflow .env. When Langflow starts, it does the following:

  1. Check if RSA keys exist in the configuration directory.
  2. If not, generate a new 2048-bit RSA key pair.
  3. Save the keys to private_key.pem and public_key.pem.
  4. Reuse the same keys on subsequent startups.

To use a custom private key instead of the auto-generated keys, set the following in your .env file. The LANGFLOW_PUBLIC_KEY will be automatically derived from the private key.


_10
LANGFLOW_ALGORITHM=RS512
_10
LANGFLOW_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
_10
MIIEvgIBADANBgkqhkiG9w0BAQEF...
_10
-----END PRIVATE KEY-----"

To use a custom key pair, set both keys in your Langflow .env file.


_10
LANGFLOW_ALGORITHM=RS512
_10
LANGFLOW_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----
_10
MIIEvgIBADANBgkqhkiG9w0BAQEF...
_10
-----END PRIVATE KEY-----"
_10
LANGFLOW_PUBLIC_KEY="-----BEGIN PUBLIC KEY-----
_10
MIIBIjANBgkqhkiG9w0BAQEFAAOC...
_10
-----END PUBLIC KEY-----"

To generate an RSA key pair manually, do the following:

  1. Generate a 2048-bit private key:


    _10
    openssl genrsa -out private_key.pem 2048

  2. Extract the public key from the private key:


    _10
    openssl rsa -in private_key.pem -pubout -out public_key.pem

  3. Verify the keys were created:


    _10
    cat private_key.pem
    _10
    cat public_key.pem

Configure Docker and Kubernetes deployments

Use Docker with HS256 (symmetric) for single-server deployments or development environments where simplicity is preferred.

Use Docker or Kubernetes with RS256 (asymmetric) for production deployments requiring enhanced security with private/public key pairs.

Docker with HS256

  1. Add the value for your JWT secret key to the Langflow .env file.


    _10
    JWT_SECRET_KEY=your-secret-key

  2. Set the signing algorithm and include a variable for the secret key in the Docker Compose file.


    _12
    version: "3.8"
    _12
    services:
    _12
    langflow:
    _12
    image: langflowai/langflow:latest
    _12
    environment:
    _12
    - LANGFLOW_ALGORITHM=HS256
    _12
    - LANGFLOW_SECRET_KEY=${JWT_SECRET_KEY} # Set in .env file
    _12
    volumes:
    _12
    - langflow_data:/app/langflow
    _12
    _12
    volumes:
    _12
    langflow_data:

Docker with RS256

To use Langflow's automatically generated key pair, set the RS256 signing algorithm in the Docker Compose file.


_12
# docker-compose.yml
_12
version: "3.8"
_12
services:
_12
langflow:
_12
image: langflowai/langflow:latest
_12
environment:
_12
- LANGFLOW_ALGORITHM=RS256
_12
volumes:
_12
- langflow_data:/app/langflow # Keys stored here
_12
_12
volumes:
_12
langflow_data:

To mount an existing key pair, set the RS256 signing algorithm and mount the private and public keys as volumes.


_14
# docker-compose.yml
_14
version: "3.8"
_14
services:
_14
langflow:
_14
image: langflowai/langflow:latest
_14
environment:
_14
- LANGFLOW_ALGORITHM=RS256
_14
volumes:
_14
- ./keys/private_key.pem:/app/langflow/private_key.pem:ro
_14
- ./keys/public_key.pem:/app/langflow/public_key.pem:ro
_14
- langflow_data:/app/langflow
_14
_14
volumes:
_14
langflow_data:

Kubernetes with RS256

Store JWT keys as Kubernetes Secrets and reference them in your Langflow deployment configuration.


_44
# jwt-secret.yaml
_44
apiVersion: v1
_44
kind: Secret
_44
metadata:
_44
name: langflow-jwt-keys
_44
type: Opaque
_44
stringData:
_44
algorithm: "RS256"
_44
private-key: |
_44
-----BEGIN PRIVATE KEY-----
_44
MIIEvgIBADANBgkqhkiG9w0BAQEF...
_44
-----END PRIVATE KEY-----
_44
public-key: |
_44
-----BEGIN PUBLIC KEY-----
_44
MIIBIjANBgkqhkiG9w0BAQEFAAOC...
_44
-----END PUBLIC KEY-----
_44
---
_44
# langflow-deployment.yaml
_44
apiVersion: apps/v1
_44
kind: Deployment
_44
metadata:
_44
name: langflow
_44
spec:
_44
template:
_44
spec:
_44
containers:
_44
- name: langflow
_44
image: langflowai/langflow:latest
_44
env:
_44
- name: LANGFLOW_ALGORITHM
_44
valueFrom:
_44
secretKeyRef:
_44
name: langflow-jwt-keys
_44
key: algorithm
_44
- name: LANGFLOW_PRIVATE_KEY
_44
valueFrom:
_44
secretKeyRef:
_44
name: langflow-jwt-keys
_44
key: private-key
_44
- name: LANGFLOW_PUBLIC_KEY
_44
valueFrom:
_44
secretKeyRef:
_44
name: langflow-jwt-keys
_44
key: public-key

Configure token expiration

To configure access and refresh token expiration times, set the values in the Langflow .env.


_10
LANGFLOW_ACCESS_TOKEN_EXPIRE_SECONDS=3600 # 1 hour
_10
LANGFLOW_REFRESH_TOKEN_EXPIRE_SECONDS=604800 # 7 days

Access tokens authenticate API requests and typically expire within 15 minutes to 1 hour to limit security risks.

Refresh tokens obtain new access tokens without requiring the user to log in again. Refresh tokens typically expire within 7 to 30 days.

When an access token expires, the client can use the refresh token to get a new access token from the /api/v1/refresh endpoint. This maintains the user's session without prompting for credentials again.

See also

Search