feat(public-api): add env var and permission group controls to disable public API access

Add DISABLE_PUBLIC_API / NEXT_PUBLIC_DISABLE_PUBLIC_API environment variables
and disablePublicApi permission group config option to allow self-hosted
deployments and enterprise admins to globally disable the public API toggle.

When disabled: the Access toggle is hidden in the Edit API Info modal,
the execute route blocks unauthenticated public access (401), and the
public-api PATCH route rejects enabling public API (403).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -51,6 +51,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
         deployedAt: null,
         apiKey: null,
         needsRedeployment: false,
+        isPublicApi: workflowData.isPublicApi ?? false,
       })
     }
 
@@ -98,6 +99,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       isDeployed: workflowData.isDeployed,
       deployedAt: workflowData.deployedAt,
       needsRedeployment,
+      isPublicApi: workflowData.isPublicApi ?? false,
     })
   } catch (error: any) {
     logger.error(`[${requestId}] Error fetching deployment info: ${id}`, error)

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -254,10 +254,33 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
   try {
     const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+
+    let userId: string
+    let isPublicApiAccess = false
+
     if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      const { db: dbClient, workflow: workflowTable } = await import('@sim/db')
+      const { eq } = await import('drizzle-orm')
+      const [wf] = await dbClient
+        .select({ isPublicApi: workflowTable.isPublicApi, userId: workflowTable.userId })
+        .from(workflowTable)
+        .where(eq(workflowTable.id, workflowId))
+        .limit(1)
+
+      if (!wf?.isPublicApi) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      const { isPublicApiDisabled } = await import('@/lib/core/config/feature-flags')
+      if (isPublicApiDisabled) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      userId = wf.userId
+      isPublicApiAccess = true
+    } else {
+      userId = auth.userId
     }
-    const userId = auth.userId
 
     let body: any = {}
     try {
@@ -284,7 +307,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       )
     }
 
-    const defaultTriggerType = auth.authType === 'api_key' ? 'api' : 'manual'
+    const defaultTriggerType = isPublicApiAccess || auth.authType === 'api_key' ? 'api' : 'manual'
 
     const {
       selectedOutputs,
@@ -341,7 +364,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
     // For API key and internal JWT auth, the entire body is the input (except for our control fields)
     // For session auth, the input is explicitly provided in the input field
     const input =
-      auth.authType === 'api_key' || auth.authType === 'internal_jwt'
+      isPublicApiAccess || auth.authType === 'api_key' || auth.authType === 'internal_jwt'
         ? (() => {
             const {
               selectedOutputs,

apps/sim/app/api/workflows/[id]/public-api/route.ts

@@ -0,0 +1,54 @@
+import { db, workflow } from '@sim/db'
+import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
+import type { NextRequest } from 'next/server'
+import { z } from 'zod'
+import { generateRequestId } from '@/lib/core/utils/request'
+import { validateWorkflowPermissions } from '@/lib/workflows/utils'
+import { createErrorResponse, createSuccessResponse } from '@/app/api/workflows/utils'
+
+const logger = createLogger('WorkflowPublicApiRoute')
+
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
+
+const UpdatePublicApiSchema = z.object({
+  isPublicApi: z.boolean(),
+})
+
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const requestId = generateRequestId()
+  const { id } = await params
+
+  try {
+    const { error } = await validateWorkflowPermissions(id, requestId, 'admin')
+    if (error) {
+      return createErrorResponse(error.message, error.status)
+    }
+
+    const body = await request.json()
+    const validation = UpdatePublicApiSchema.safeParse(body)
+    if (!validation.success) {
+      return createErrorResponse('Invalid request body', 400)
+    }
+
+    const { isPublicApi } = validation.data
+
+    if (isPublicApi) {
+      const { isPublicApiDisabled } = await import('@/lib/core/config/feature-flags')
+      if (isPublicApiDisabled) {
+        return createErrorResponse('Public API access is disabled', 403)
+      }
+    }
+
+    await db.update(workflow).set({ isPublicApi }).where(eq(workflow.id, id))
+
+    logger.info(`[${requestId}] Updated isPublicApi for workflow ${id} to ${isPublicApi}`)
+
+    return createSuccessResponse({ isPublicApi })
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : 'Failed to update public API setting'
+    logger.error(`[${requestId}] Error updating public API setting: ${id}`, { error })
+    return createErrorResponse(message, 500)
+  }
+}

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/api/api.tsx

@@ -21,6 +21,7 @@ interface WorkflowDeploymentInfo {
   endpoint: string
   exampleCommand: string
   needsRedeployment: boolean
+  isPublicApi?: boolean
 }
 
 interface ApiDeployProps {
@@ -107,12 +108,12 @@ export function ApiDeploy({
     if (!info) return ''
     const endpoint = getBaseEndpoint()
     const payload = getPayloadObject()
+    const isPublic = info.isPublicApi
 
     switch (language) {
       case 'curl':
         return `curl -X POST \\
-  -H "X-API-Key: $SIM_API_KEY" \\
-  -H "Content-Type: application/json" \\
+${isPublic ? '' : '  -H "X-API-Key: $SIM_API_KEY" \\\n'}  -H "Content-Type: application/json" \\
   -d '${JSON.stringify(payload)}' \\
   ${endpoint}`
 
@@ -123,8 +124,7 @@ import requests
 response = requests.post(
     "${endpoint}",
     headers={
-        "X-API-Key": os.environ.get("SIM_API_KEY"),
-        "Content-Type": "application/json"
+${isPublic ? '' : '        "X-API-Key": os.environ.get("SIM_API_KEY"),\n'}        "Content-Type": "application/json"
     },
     json=${JSON.stringify(payload, null, 4).replace(/\n/g, '\n    ')}
 )
@@ -135,8 +135,7 @@ print(response.json())`
         return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json"
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json"
   },
   body: JSON.stringify(${JSON.stringify(payload)})
 });
@@ -148,8 +147,7 @@ console.log(data);`
         return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json"
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json"
   },
   body: JSON.stringify(${JSON.stringify(payload)})
 });
@@ -166,12 +164,12 @@ console.log(data);`
     if (!info) return ''
     const endpoint = getBaseEndpoint()
     const payload = getStreamPayloadObject()
+    const isPublic = info.isPublicApi
 
     switch (language) {
       case 'curl':
         return `curl -X POST \\
-  -H "X-API-Key: $SIM_API_KEY" \\
-  -H "Content-Type: application/json" \\
+${isPublic ? '' : '  -H "X-API-Key: $SIM_API_KEY" \\\n'}  -H "Content-Type: application/json" \\
   -d '${JSON.stringify(payload)}' \\
   ${endpoint}`
 
@@ -182,8 +180,7 @@ import requests
 response = requests.post(
     "${endpoint}",
     headers={
-        "X-API-Key": os.environ.get("SIM_API_KEY"),
-        "Content-Type": "application/json"
+${isPublic ? '' : '        "X-API-Key": os.environ.get("SIM_API_KEY"),\n'}        "Content-Type": "application/json"
     },
     json=${JSON.stringify(payload, null, 4).replace(/\n/g, '\n    ')},
     stream=True
@@ -197,8 +194,7 @@ for line in response.iter_lines():
         return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json"
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json"
   },
   body: JSON.stringify(${JSON.stringify(payload)})
 });
@@ -216,8 +212,7 @@ while (true) {
         return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json"
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json"
   },
   body: JSON.stringify(${JSON.stringify(payload)})
 });
@@ -241,14 +236,14 @@ while (true) {
     const endpoint = getBaseEndpoint()
     const baseUrl = endpoint.split('/api/workflows/')[0]
     const payload = getPayloadObject()
+    const isPublic = info.isPublicApi
 
     switch (asyncExampleType) {
       case 'execute':
         switch (language) {
           case 'curl':
             return `curl -X POST \\
-  -H "X-API-Key: $SIM_API_KEY" \\
-  -H "Content-Type: application/json" \\
+${isPublic ? '' : '  -H "X-API-Key: $SIM_API_KEY" \\\n'}  -H "Content-Type: application/json" \\
   -H "X-Execution-Mode: async" \\
   -d '${JSON.stringify(payload)}' \\
   ${endpoint}`
@@ -260,8 +255,7 @@ import requests
 response = requests.post(
     "${endpoint}",
     headers={
-        "X-API-Key": os.environ.get("SIM_API_KEY"),
-        "Content-Type": "application/json",
+${isPublic ? '' : '        "X-API-Key": os.environ.get("SIM_API_KEY"),\n'}        "Content-Type": "application/json",
         "X-Execution-Mode": "async"
     },
     json=${JSON.stringify(payload, null, 4).replace(/\n/g, '\n    ')}
@@ -274,8 +268,7 @@ print(job)  # Contains jobId and executionId`
             return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json",
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json",
     "X-Execution-Mode": "async"
   },
   body: JSON.stringify(${JSON.stringify(payload)})
@@ -288,8 +281,7 @@ console.log(job); // Contains jobId and executionId`
             return `const response = await fetch("${endpoint}", {
   method: "POST",
   headers: {
-    "X-API-Key": process.env.SIM_API_KEY,
-    "Content-Type": "application/json",
+${isPublic ? '' : '    "X-API-Key": process.env.SIM_API_KEY,\n'}    "Content-Type": "application/json",
     "X-Execution-Mode": "async"
   },
   body: JSON.stringify(${JSON.stringify(payload)})

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/deploy/components/deploy-modal/components/general/components/api-info-modal.tsx

@@ -4,6 +4,8 @@ import { useCallback, useEffect, useMemo, useRef, useState } from 'react'
 import {
   Badge,
   Button,
+  ButtonGroup,
+  ButtonGroupItem,
   Input,
   Label,
   Modal,
@@ -16,6 +18,8 @@ import {
 import { normalizeInputFormatValue } from '@/lib/workflows/input-format'
 import { isInputDefinitionTrigger } from '@/lib/workflows/triggers/input-definition-triggers'
 import type { InputFormatField } from '@/lib/workflows/types'
+import { useDeploymentInfo, useUpdatePublicApi } from '@/hooks/queries/deployments'
+import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useWorkflowRegistry } from '@/stores/workflows/registry/store'
 import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import { useWorkflowStore } from '@/stores/workflows/workflow/store'
@@ -40,13 +44,19 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
   )
   const updateWorkflow = useWorkflowRegistry((state) => state.updateWorkflow)
 
+  const { data: deploymentData } = useDeploymentInfo(workflowId, { enabled: open })
+  const updatePublicApiMutation = useUpdatePublicApi()
+  const { isPublicApiDisabled } = usePermissionConfig()
+
   const [description, setDescription] = useState('')
   const [paramDescriptions, setParamDescriptions] = useState<Record<string, string>>({})
+  const [accessMode, setAccessMode] = useState<'api_key' | 'public'>('api_key')
   const [isSaving, setIsSaving] = useState(false)
   const [showUnsavedChangesAlert, setShowUnsavedChangesAlert] = useState(false)
 
   const initialDescriptionRef = useRef('')
   const initialParamDescriptionsRef = useRef<Record<string, string>>({})
+  const initialAccessModeRef = useRef<'api_key' | 'public'>('api_key')
 
   const starterBlockId = useMemo(() => {
     for (const [blockId, block] of Object.entries(blocks)) {
@@ -92,11 +102,16 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
       }
       setParamDescriptions(descriptions)
       initialParamDescriptionsRef.current = { ...descriptions }
+
+      const initialAccess = deploymentData?.isPublicApi ? 'public' : 'api_key'
+      setAccessMode(initialAccess)
+      initialAccessModeRef.current = initialAccess
     }
-  }, [open, workflowMetadata, inputFormat])
+  }, [open, workflowMetadata, inputFormat, deploymentData])
 
   const hasChanges = useMemo(() => {
     if (description.trim() !== initialDescriptionRef.current.trim()) return true
+    if (accessMode !== initialAccessModeRef.current) return true
 
     for (const field of inputFormat) {
       const currentValue = (paramDescriptions[field.name] || '').trim()
@@ -105,7 +120,7 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
     }
 
     return false
-  }, [description, paramDescriptions, inputFormat])
+  }, [description, paramDescriptions, inputFormat, accessMode])
 
   const handleParamDescriptionChange = (fieldName: string, value: string) => {
     setParamDescriptions((prev) => ({
@@ -126,6 +141,7 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
     setShowUnsavedChangesAlert(false)
     setDescription(initialDescriptionRef.current)
     setParamDescriptions({ ...initialParamDescriptionsRef.current })
+    setAccessMode(initialAccessModeRef.current)
     onOpenChange(false)
   }, [onOpenChange])
 
@@ -151,6 +167,13 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
         setValue(starterBlockId, 'inputFormat', updatedValue)
       }
 
+      if (accessMode !== initialAccessModeRef.current) {
+        await updatePublicApiMutation.mutateAsync({
+          workflowId,
+          isPublicApi: accessMode === 'public',
+        })
+      }
+
       onOpenChange(false)
     } finally {
       setIsSaving(false)
@@ -165,6 +188,8 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
     paramDescriptions,
     setValue,
     onOpenChange,
+    accessMode,
+    updatePublicApiMutation,
   ])
 
   return (
@@ -187,6 +212,26 @@ export function ApiInfoModal({ open, onOpenChange, workflowId }: ApiInfoModalPro
               />
             </div>
 
+            {!isPublicApiDisabled && (
+              <div>
+                <Label className='mb-[6.5px] block pl-[2px] font-medium text-[13px] text-[var(--text-primary)]'>
+                  Access
+                </Label>
+                <ButtonGroup
+                  value={accessMode}
+                  onValueChange={(val) => setAccessMode(val as 'api_key' | 'public')}
+                >
+                  <ButtonGroupItem value='api_key'>API Key</ButtonGroupItem>
+                  <ButtonGroupItem value='public'>Public</ButtonGroupItem>
+                </ButtonGroup>
+                <p className='mt-1 text-[12px] text-[var(--text-secondary)]'>
+                  {accessMode === 'public'
+                    ? 'Anyone can call this API without authentication. You will be billed for all usage.'
+                    : 'Requires a valid API key to call this endpoint.'}
+                </p>
+              </div>
+            )}
+
             {inputFormat.length > 0 && (
               <div>
                 <Label className='mb-[6.5px] block pl-[2px] font-medium text-[13px] text-[var(--text-primary)]'>