
Security

Learn how to secure your flows with rate limiting rules or by protecting your endpoint with a secret key.

Endpoint secret

By default, when you enable the endpoint URL of your flow, anyone who knows the URL can execute it by sending a POST request. If you enable the Protect endpoint with secret option, the flow will only execute when the request carries the secret key as a Bearer token:

Authorization: Bearer YOUR_ENDPOINT_SECRET_KEY

Error codes

Error code                   Description
ERR_AUTHENTICATION_REQUIRED  This flow requires a secret key to be executed.
ERR_FORBIDDEN_OPERATION      The provided secret key doesn't match the expected one.

Error example

{
  "code": "ERR_AUTHENTICATION_REQUIRED",
  "message": "This webhook requires a secret to be executed"
}

Rate limiting

Rate limiting rules temporarily block IPs when they exceed any of the rules you specify. You can define a maximum number of requests per interval (minutes, hours or days). Note the following considerations:

  • Blocked requests will not appear in your Executions tab.
  • The time interval can't be longer than 7 days, 168 hours or 10,080 minutes.
  • You can apply up to 5 rules.

IP address

As the client IP for your request, we automatically use the IP address of the user who interacts with the form or of the user who makes a request to the endpoint. If you execute this flow as a standalone product, you can use the X-Forwarded-For header to forward the originating client's IP address. In the rare cases where the client's IP cannot be provided with that header, Arengu supports a custom HTTP header, X-Arengu-Client-Ip.

The X-Forwarded-For and X-Arengu-Client-Ip headers only work when the endpoint secret is enabled.

Error codes

Error code              Description
ERR_RATE_LIMIT_REACHED  Too many requests. Limit reached.

Error example

{
  "code": "ERR_RATE_LIMIT",
  "message": "Too many requests. Limit reached."
}
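
A client-side sketch covering both sections above, added here as an example and not Arengu's own code: it builds the authenticated POST, forwards a validated client IP in X-Forwarded-For, and maps the error codes shown on this page to follow-up actions. FLOW_URL, the function names and the action labels are assumptions made for illustration.

```python
import ipaddress
import json
import urllib.request

# Placeholder endpoint URL (assumption): copy the real one from your flow settings.
FLOW_URL = "https://example.invalid/flows/FLOW_ID"

# Error codes from this page. The rate-limit table lists ERR_RATE_LIMIT_REACHED
# while the sample body shows ERR_RATE_LIMIT, so both map to the same action.
# The action labels are hypothetical names for this example.
ACTIONS = {
    "ERR_AUTHENTICATION_REQUIRED": "send_secret",
    "ERR_FORBIDDEN_OPERATION": "check_secret",
    "ERR_RATE_LIMIT_REACHED": "back_off",
    "ERR_RATE_LIMIT": "back_off",
}


def build_flow_request(url, secret, payload, client_ip=None):
    """Build the POST for a secret-protected flow, optionally forwarding the client IP."""
    if not secret or any(c in secret for c in "\r\n"):
        raise ValueError("endpoint secret is empty or contains line breaks")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {secret}",
    }
    if client_ip is not None:
        # Parse before forwarding so untrusted input cannot smuggle extra
        # header text; ip_address() raises ValueError on anything else.
        headers["X-Forwarded-For"] = str(ipaddress.ip_address(client_ip))
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def classify_error(body):
    """Map an error body (bytes or str) to an action; 'unknown' if unrecognised."""
    try:
        return ACTIONS.get(json.loads(body).get("code"), "unknown")
    except (ValueError, AttributeError, TypeError):
        return "unknown"
```

Load the secret from an environment variable or secret store rather than source code, then pass the returned request to urllib.request.urlopen.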