Deploy and authentication
Run and deploy
```sh
pnpm web:build              # build the SPA -> apps/frontend/dist
cargo run -p flow-server    # binds 127.0.0.1:8787; serves the SPA + API
curl localhost:8787/health  # -> ok
```

A deployed instance is made up of three things. It needs a single flow-server
binary, the static SPA directory, and the environment config:
| Variable | Default | Purpose |
|---|---|---|
| `FLOW_SERVER_ADDR` | `127.0.0.1:8787` | Bind address |
| `FLOW_SERVER_STATIC` | `apps/frontend/dist` | Built-SPA dir served for non-API routes |
| `FLOW_SERVER_TOKEN` | (unset) | When set, `/api/*` requires `Authorization: Bearer <token>` |
| `FLOW_STUDIO_DIR` | `~/.flow-studio` | Instance data dir (db, settings, templates, llms, engines) |
Two commands help during development. pnpm server:dev runs the server, and
pnpm web:serve builds the SPA and then serves it in one step.
Authentication
A remote instance should not be left open. When you set FLOW_SERVER_TOKEN,
every /api/* route requires Authorization: Bearer <token>, and that includes
the run and download SSE streams. /health and the SPA stay public so the app
can load.
The browser captures a one-time ?token=<token> query parameter into local
storage and then strips it from the URL. After that it sends the token on every
request, so a tokenized instance URL authenticates the session in one step.
When the token is unset, as it is for local and development use, everything stays open.
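The access rule described above, written out as one Rust function. This is an added example and not flow-server's own code; the route name, the sample token, the prefix match on `/api/` and the constant-time comparison are assumptions of this example.

```rust
// Added example, not flow-server source. It models the rule described above:
// token set -> /api/* needs "Authorization: Bearer <token>"; the rest is public.
#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Unauthorized,
}

/// Compare every byte instead of returning at the first mismatch, so response
/// timing does not show how much of a guessed token was right.
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// `configured`: value of FLOW_SERVER_TOKEN, None when unset.
/// `authorization`: raw Authorization request header, if present.
pub fn authorize(path: &str, authorization: Option<&str>, configured: Option<&str>) -> Decision {
    let Some(expected) = configured else {
        return Decision::Allow; // token unset: local/dev use, everything open
    };
    // Assumption: "/api/*" is matched as a plain prefix on the request path.
    if !path.starts_with("/api/") {
        return Decision::Allow; // /health and the SPA stay public
    }
    match authorization.and_then(|h| h.strip_prefix("Bearer ")) {
        Some(got) if constant_time_eq(got.as_bytes(), expected.as_bytes()) => Decision::Allow,
        _ => Decision::Unauthorized, // missing header, wrong scheme, wrong token
    }
}

fn main() {
    let token = Some("constructed-sample-token"); // constructed value
    let route = "/api/runs/stream"; // hypothetical route name
    for (path, header) in [
        ("/health", None),
        (route, None),
        (route, Some("Bearer wrong")),
        (route, Some("Bearer constructed-sample-token")),
    ] {
        println!("{path} {header:?} -> {:?}", authorize(path, header, token));
    }
}
```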
The instance owns its own ~/.flow-studio directory, or whatever path you set
with FLOW_STUDIO_DIR. That directory holds execution history, settings,
templates, models, and engines, exactly like a desktop install. Runs from the
browser land in the instance’s history.