Flowise · AI agents · API key security
Flowise agent API key security: scoping and capping tool calls
Flowise's visual drag-and-drop builder makes it easy to wire up an agent with Stripe, Twilio, or Resend tool nodes — but easy wiring is not the same as safe wiring. Flowise stores API keys as credentials that are shared across all conversations and all users of a given flow. This page covers the four failure scenarios this creates, and the vault-key pattern that adds per-conversation spending caps and a queryable audit trail without requiring you to change your Flowise flow structure.
TL;DR
Flowise credentials are binary: the agent node either has the full Stripe key or nothing. There's no per-conversation spend cap, no per-user isolation, no mid-session revoke that doesn't break the flow for everyone else, and no per-call audit log that ties each charge to the conversation that triggered it. The vault-key proxy changes two things in the Custom Tool or HTTP Tool node: the base URL and the API key in the request. Everything else stays the same — your flow, your prompt, your LangChain chain.
How Flowise agents access vendor API keys
Flowise (the visual LangChain builder, 30K+ GitHub stars) lets you build agents by dragging nodes onto a canvas. When you add a tool node — Custom Tool, HTTP Tool, or a community integration — you either embed the API key directly in the tool's configuration or reference a Flowise credential from the credential manager.
The credential manager encrypts keys at rest and lets you reference them across multiple nodes. When the agent decides to invoke a tool, Flowise resolves the credential and injects it into the outgoing request. From the agent's perspective, it calls the tool; from the infrastructure perspective, the real Stripe key goes out in the Authorization header.
That credential is shared: every conversation using this flow, every user of a shared chatbot, every API call through the Flowise prediction endpoint uses the same underlying key. There's no per-conversation or per-user key isolation built in.
Four failure scenarios the shared credential model creates
| Scenario | What goes wrong | Flowise's built-in answer |
|---|---|---|
| LLM reasoning loop | The agent decides to charge a customer, gets an ambiguous response, and charges again "to be sure." The loop runs until the conversation times out or the user closes the chat window. Every iteration fires a real Stripe charge with the shared key. | Conversation history and max iterations. No per-session dollar cap that fires before the charge. |
| Prompt injection via user input | A user sends a crafted message that causes the agent to invoke the payment tool with a large amount or to send messages to unintended recipients. The shared key makes the actual call with no pre-call amount check. | Prompt engineering and guardrails. No parameter-level enforcement at the API call layer. |
| Unattended multi-user chatbot | You deploy a Flowise flow as a public-facing chatbot. Multiple users simultaneously trigger payment or notification tool calls. There's no per-user spend tracking and no mechanism to isolate or revoke one user's access without breaking all users. | None. All users share the same credential and the same cumulative spend tracking (if any). |
| Shared flow in a team | Multiple team members share a Flowise instance. One member's test conversation triggers real production API calls with the shared credential. Flowise's prediction API doesn't distinguish between test and production conversations. | None. Separate dev/prod credentials require separate flows or separate Flowise instances. |
Adding a vault key to a Flowise Custom Tool node
The most flexible approach in Flowise is the Custom Tool (JavaScript function tool). You write the tool logic in the Flowise UI; inside that function, you call the vendor API. Switching to a vault key requires changing two lines:
Before (direct Stripe):
// Flowise Custom Tool — JavaScript
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY); // real key
const intent = await stripe.paymentIntents.create({
amount: params.amount_cents,
currency: 'usd',
customer: params.customer_id,
});
return intent.id;After (vault key proxy):
// Flowise Custom Tool — JavaScript
const stripe = require('stripe')(process.env.VAULT_KEY); // scoped vault key
stripe.setApiBase('https://proxy.keybrake.com/stripe'); // proxy base URL
const intent = await stripe.paymentIntents.create({
amount: params.amount_cents,
currency: 'usd',
customer: params.customer_id,
});
return intent.id;The vault key is issued per conversation (or per flow) via a prior HTTP call to Keybrake's key issuance endpoint. For per-conversation isolation, issue the key in a customFunction node at the start of the chain and inject it into the tool's environment:
// Flowise customFunction node — issue vault key at chain start
const res = await fetch('https://proxy.keybrake.com/vault/keys', {
method: 'POST',
headers: {
'Authorization': `Bearer ${process.env.KEYBRAKE_API_KEY}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({
vendor: 'stripe',
daily_usd_cap: 200,
allowed_endpoints: ['POST /v1/payment_intents', 'GET /v1/customers/*'],
expires_in: '1h',
agent_run_label: `flowise/${$session_id}`,
}),
});
const { vault_key } = await res.json();
process.env.VAULT_KEY = vault_key; // available to downstream tool nodes in this chain
return vault_key;Each conversation gets its own vault key, its own $200/day cap, and its own audit trail segment labeled with the session ID. If a conversation goes sideways, revoking that session's vault key takes one dashboard click or one API call — without touching the shared Keybrake API key that other conversations are using.
Multi-user Flowise deployments
If you deploy Flowise as a shared chatbot (via the embedded chat widget or the prediction API), the per-conversation vault key pattern gives you per-user spend isolation without requiring separate Flowise instances. Each call to the prediction API triggers a new conversation, which issues a new vault key with its own cap. The Keybrake audit log lets you filter by agent_run_label to see exactly what each conversation spent — useful for multi-tenant scenarios where you're tracking usage by customer.
How Keybrake fits
Keybrake is the proxy layer between Flowise's Custom Tool nodes and Stripe, Twilio, or Resend. You change the API key environment variable to a vault key and the base URL to the proxy endpoint. The real vendor keys stay on the Keybrake side, never in Flowise's environment. Per-conversation spend caps, endpoint allowlists, one-click revoke, and a queryable per-call audit log with session context are all included.
Related questions
Does this work with Flowise's built-in integrations (like the Stripe Tool node), or only Custom Tool nodes?
Currently the vault-key proxy requires a tool node where you control the base URL and API key — which means Custom Tool nodes or HTTP Tool nodes where you can configure the Authorization header manually. Flowise's built-in integration nodes (where you select a credential from the credential manager and the base URL is hardcoded) don't expose a base URL override. For AI agent flows where spend enforcement matters, use a Custom Tool node with explicit Stripe SDK calls pointed at the proxy.
What happens to the Flowise conversation when the proxy blocks a call?
The Custom Tool node receives a 429 Too Many Requests response from the proxy with a body containing "error": "daily_cap_exceeded" and the cap amount. The LangChain agent inside Flowise sees a tool error. Depending on your agent's system prompt and error handling instructions, it will either tell the user it can't complete the action, try a different approach, or ask for clarification. You can include instructions in the system prompt like "if you receive a spend cap error, tell the user the payment limit has been reached and ask them to contact support."
Can I use a single vault key for an entire Flowise flow rather than per-conversation?
Yes — a per-flow vault key is simpler and appropriate when your flow is used by a small number of known users, or when conversations are short and infrequent. Set the vault key as an environment variable in Flowise's settings (or in your .env file for self-hosted Flowise) and reference it in all tool nodes. The cap applies across all conversations using the flow for the day. The tradeoff is less per-conversation isolation: a runaway conversation can exhaust the day's cap for all other conversations.
Further reading
- Dify agent API key security — the same credential isolation problem in Dify, with per-conversation vault key issuance via the Chatflow API.
- CrewAI API key management — per-agent key isolation in multi-agent CrewAI setups and why one shared key per crew is a risk.
- AI agent kill switch patterns — the four revocation mechanisms and which one is fast enough to stop a stuck agent mid-conversation.
- AI agent audit trail schema — the structured per-call log fields that make post-incident review useful, especially for multi-user chatbot deployments.