docs/docs/Develop/authorization.mdx
Langflow includes a pluggable authorization layer for role-based access control (RBAC) over flows, projects, deployments, files, variables, and knowledge bases.
The authorization infrastructure is present in all Langflow deployments, but the open-source build registers a pass-through service that always allows every action for every authenticated user.
Setting LANGFLOW_AUTHZ_ENABLED=true without an enforcement plugin does not restrict access. Route guards still run and audit rows can still be written, but no policy is applied.
Per-resource RBAC enforcement requires a registered authorization plugin. Langflow OSS does not include a registered authorization plugin.
The following steps apply when you have a registered enforcement plugin.
Set LANGFLOW_AUTHZ_AUDIT_ENABLED=true and run Langflow in a staging environment. Review the audit log to understand what decisions would be made before enforcement is on.
Install and register the enforcement plugin following its setup guide.
Set LANGFLOW_AUTHZ_ENABLED=true. The plugin reads the role and share tables and applies its policy.
Use the roles API and role assignments API to assign the built-in viewer, developer, or admin roles to your users, or create custom roles.
Use the shares API to grant cross-user access where needed.
| Variable | Description | Default |
|---|---|---|
LANGFLOW_AUTHZ_ENABLED | Enable authorization enforcement. Requires a registered enforcement plugin. When false, all requests pass regardless of roles or shares. | false |
LANGFLOW_AUTHZ_SUPERUSER_BYPASS | When true, active superusers bypass authorization checks. The plugin may still audit the decision. | true |
LANGFLOW_AUTHZ_AUDIT_ENABLED | Write an audit log row for every authorization decision and share-administration action. Works independently of LANGFLOW_AUTHZ_ENABLED — set this to true while enforcement is off to observe traffic before enabling enforcement. | false |
LANGFLOW_AUTHZ_AUDIT_RETENTION_DAYS | Number of days to retain audit log rows. Set to 0 to disable automatic pruning. | 90 |
LANGFLOW_AUTHZ_AUDIT_CLEANUP_INTERVAL | Seconds between retention sweep runs. A sweep also runs on startup. Minimum 300. | 86400 |
Langflow seeds three built-in system roles that an enforcement plugin uses as a starting point for policy sync. These roles cannot be deleted.
| Role | Permission slugs |
|---|---|
viewer | flow:read, project:read, deployment:read, file:read, variable:read, knowledge_base:read |
developer | viewer permissions plus flow:write, flow:execute, file:write, variable:write |
admin | All actions on all resource types |
You can create additional roles with the roles API. Role assignments take effect only after an enforcement plugin is registered.
All authorization endpoints are under /api/v1/authz/. Write operations require superuser privileges.
These endpoints manage the RBAC data model. An enforcement plugin consumes roles, assignments, and shares when evaluating requests. Without a plugin, API responses succeed but access is not restricted.
POST /api/v1/authz/me/permissions
Returns the allowed actions for a set of resources for the current user, without making individual resource requests that would trigger 403 responses. The frontend uses this to enable or disable UI controls when an enforcement plugin is active.
Request body:
| Field | Type | Description |
|---|---|---|
resource_type | string | One of: flow, deployment, project, knowledge_base, variable, file, component |
resource_ids | UUID[] | Resource IDs to evaluate. Maximum 500 per request. |
actions | string[] | Actions to check. Defaults to read, write, execute, delete, create. Maximum 10. |
domain | string | Authorization domain. Typically project:{folder_id} or *. Defaults to *. |
Response:
{
"resource_type": "flow",
"permissions": {
"3fa85f64-5717-4562-b3fc-2c963f66afa6": ["read", "execute"]
}
}
/api/v1/authz/shares
Shares grant access to a resource across user boundaries. The resource owner or a superuser can administer shares for their own resources.
| Method | Path | Description |
|---|---|---|
POST | /api/v1/authz/shares | Create a share |
GET | /api/v1/authz/shares | List shares visible to the current user |
GET | /api/v1/authz/shares/{share_id} | Get a specific share |
PATCH | /api/v1/authz/shares/{share_id} | Update a share |
DELETE | /api/v1/authz/shares/{share_id} | Delete a share |
Each share write fires an invalidation call to the authorization plugin so cached policy is refreshed.
/api/v1/authz/roles — superuser only for writes
| Method | Path | Description |
|---|---|---|
GET | /api/v1/authz/roles | List roles. Filter by is_system or name substring. |
GET | /api/v1/authz/roles/{role_id} | Get a specific role |
POST | /api/v1/authz/roles | Create a custom role |
PATCH | /api/v1/authz/roles/{role_id} | Update a role name, description, or permissions |
DELETE | /api/v1/authz/roles/{role_id} | Delete a custom role (system roles cannot be deleted) |
/api/v1/authz/role-assignments — superuser only for writes
| Method | Path | Description |
|---|---|---|
GET | /api/v1/authz/role-assignments | List role assignments |
POST | /api/v1/authz/role-assignments | Assign a role to a user |
DELETE | /api/v1/authz/role-assignments/{assignment_id} | Remove a role assignment |
/api/v1/authz/teams — superuser only for writes
| Method | Path | Description |
|---|---|---|
GET | /api/v1/authz/teams | List teams |
GET | /api/v1/authz/teams/{team_id} | Get a specific team |
POST | /api/v1/authz/teams | Create a team |
PATCH | /api/v1/authz/teams/{team_id} | Update a team |
DELETE | /api/v1/authz/teams/{team_id} | Delete a team |
GET | /api/v1/authz/teams/{team_id}/members | List team members |
POST | /api/v1/authz/teams/{team_id}/members | Add a member to a team |
DELETE | /api/v1/authz/teams/{team_id}/members/{user_id} | Remove a member from a team |
GET /api/v1/authz/audit — superuser only
Returns a paginated, filterable view of the authorization audit log.
Query parameters:
| Parameter | Type | Description |
|---|---|---|
user_id | UUID | Filter by acting user |
resource_type | string | Filter by resource type slug (for example, flow) |
resource_id | UUID | Filter by resource UUID |
action | string | Filter by action string (for example, flow:read or share:create) |
result | string | Filter by decision: allow, deny, or owner_override |
since | datetime | Inclusive lower bound on timestamp |
until | datetime | Exclusive upper bound on timestamp |
Page size is capped at 200 rows.