Activepieces stores workflow credentials and tokens, so the critical control is protecting encryption secrets and isolating execution workers from internet-facing services.
¶ 1) Protect AP_ENCRYPTION_KEY and database credentials
Activepieces uses AP_ENCRYPTION_KEY to encrypt sensitive connection data. If this key is lost, credentials cannot be decrypted; if it is leaked, stored secrets are exposed.
Hardening policy:
- generate a long random AP_ENCRYPTION_KEY and store it in your secret manager
- never commit .env files with AP_ENCRYPTION_KEY or DB passwords
- back up the encryption key together with PostgreSQL backups
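The three key-handling rules above as a small pre-commit style check, written as an added example (not code from the Activepieces project): the script generates a key, validates its shape, and reports an env file that still carries secrets so a commit hook can block it. Assumptions: a hex key of at least 32 characters is treated as acceptable (check the project's docs for the exact format it expects), and the PostgreSQL password variable is assumed to be named AP_POSTGRES_PASSWORD.

```shell
#!/bin/sh
# Added example for the Activepieces hardening notes; not project code.
# Assumed: AP_ENCRYPTION_KEY is a hex string of at least 32 characters, and the
# database password lives in AP_POSTGRES_PASSWORD (name assumed, not from the page).

# Generate 256 bits of randomness as 64 hex characters, using only POSIX tools.
gen_encryption_key() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 when the key is hex and at least 32 characters long, 1 otherwise.
valid_encryption_key() {
    if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32,}$'; then
        return 0
    fi
    return 1
}

# Print the names of secret variables that carry a non-empty value in an env
# file and return 1 when any are found, so the check can gate a commit.
find_env_secrets() {
    _file="$1"
    _found=$(grep -E '^(AP_ENCRYPTION_KEY|AP_POSTGRES_PASSWORD)=.+' "$_file" | cut -d= -f1)
    if [ -n "$_found" ]; then
        printf '%s\n' "$_found"
        return 1
    fi
    return 0
}

# Return 0 when git would ignore the path (needs a repository checkout);
# use it to confirm that .env can never be staged by accident.
env_is_gitignored() {
    git check-ignore -q "$1" 2>/dev/null
}

# Usage from a repo checkout (commented so the file only defines functions):
#   key=$(gen_encryption_key) && valid_encryption_key "$key" && echo "key ok"
#   find_env_secrets .env || echo "secrets present in .env, do not commit"
#   env_is_gitignored .env || echo ".env is not ignored by git"
```

The generated key is meant to go into the secret manager, not into the compose file; `find_env_secrets` is what a `pre-commit` hook would call on every staged `.env`-style file.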
¶ 2) Split web and worker roles in production
Workflow runners can execute third-party API steps and untrusted payloads. Keep this execution plane separate from the public UI/API plane.
Deployment controls:
- run API/web and worker processes on separate hosts or node pools
- restrict worker outbound egress to required API endpoints only
- deny direct internet access to PostgreSQL and internal services
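The worker egress restriction above as an nftables ruleset, written as an added example rather than Activepieces project code: the function renders an output chain with a default-drop policy and accept rules only for the addresses in an allowlist file (the internal PostgreSQL host and the third-party API endpoints the workflows actually call). The table name ap_worker_egress, the allowlist format ("address port" per line, `#` comments) and the sample addresses are constructed for this example.

```shell
#!/bin/sh
# Added example for the worker/web split; not Activepieces project code.
# Renders an nftables ruleset for the worker host: established connections,
# loopback and DNS are allowed, every allowlisted "address port" pair gets an
# accept rule, and everything else outbound is dropped by the chain policy.

# $1: allowlist file, one "address port" per line, lines starting with # ignored.
gen_worker_egress_rules() {
    _allow="$1"
    cat <<'EOF'
table inet ap_worker_egress {
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    udp dport 53 accept
EOF
    while read -r _addr _port; do
        [ -z "$_addr" ] && continue
        case "$_addr" in \#*) continue ;; esac
        printf '    ip daddr %s tcp dport %s accept\n' "$_addr" "$_port"
    done < "$_allow"
    cat <<'EOF'
  }
}
EOF
}

# Usage (commented so the file only defines the function):
#   gen_worker_egress_rules /etc/ap/worker-egress.allow > /etc/nftables.d/ap-worker.nft
#   nft -c -f /etc/nftables.d/ap-worker.nft   # syntax check before loading
```

The DNS rule is deliberately broad; tighten `udp dport 53` to the resolver's address once it is fixed. Because the policy is drop, a workflow that starts calling a new API will fail until its endpoint is added to the allowlist, which is the intended behaviour.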
¶ 3) Enforce HTTPS and trusted origin settings
Set AP_FRONTEND_URL and AP_SERVER_URL to the final HTTPS hostname and terminate TLS at a reverse proxy.
Required controls:
- force HTTP to HTTPS redirect at the proxy
- use HSTS and modern TLS ciphers
- allow access to admin paths only from trusted networks where possible
¶ 4) Lock down account and workspace administration
Activepieces is multi-user and automation actions often carry privileged API tokens.
Access controls:
- restrict workspace admin roles to platform operators
- rotate integration credentials on a fixed schedule
- remove unused accounts and stale API connections immediately
¶ 5) Operational controls for upgrades and incident response
Activepieces is fast-moving and self-hosted operators are responsible for patching.
Operations baseline:
- track upstream releases and security fixes in activepieces/activepieces
- test upgrades in staging before production rollout
- keep an incident runbook for token compromise (rotate affected credentials and rerun failed workflows)
- Activepieces docs: https://www.activepieces.com/docs
- Activepieces Docker Compose install docs: https://www.activepieces.com/docs/install/options/docker-compose
- Activepieces source repository: https://github.com/activepieces/activepieces