feat(public-api): add env var and permission group controls to disable public API access

Add DISABLE_PUBLIC_API / NEXT_PUBLIC_DISABLE_PUBLIC_API environment variables
and disablePublicApi permission group config option to allow self-hosted
deployments and enterprise admins to globally disable the public API toggle.

When disabled: the Access toggle is hidden in the Edit API Info modal,
the execute route blocks unauthenticated public access (401), and the
public-api PATCH route rejects enabling public API (403).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/docs/components/ui/icon-mapping.ts

@@ -37,8 +37,8 @@ import {
   EyeIcon,
   FirecrawlIcon,
   FirefliesIcon,
-  GitLabIcon,
   GithubIcon,
+  GitLabIcon,
   GmailIcon,
   GongIcon,
   GoogleBooksIcon,
@@ -71,9 +71,9 @@ import {
   LinearIcon,
   LinkedInIcon,
   LinkupIcon,
-  MailServerIcon,
   MailchimpIcon,
   MailgunIcon,
+  MailServerIcon,
   Mem0Icon,
   MicrosoftDataverseIcon,
   MicrosoftExcelIcon,
@@ -106,8 +106,6 @@ import {
   ResendIcon,
   RevenueCatIcon,
   S3Icon,
-  SQSIcon,
-  STTIcon,
   SalesforceIcon,
   SearchIcon,
   SendgridIcon,
@@ -119,17 +117,19 @@ import {
   SimilarwebIcon,
   SlackIcon,
   SmtpIcon,
+  SQSIcon,
   SshIcon,
+  STTIcon,
   StagehandIcon,
   StripeIcon,
   SupabaseIcon,
-  TTSIcon,
   TavilyIcon,
   TelegramIcon,
   TextractIcon,
   TinybirdIcon,
   TranslateIcon,
   TrelloIcon,
+  TTSIcon,
   TwilioIcon,
   TypeformIcon,
   UpstashIcon,
@@ -140,11 +140,11 @@ import {
   WhatsAppIcon,
   WikipediaIcon,
   WordpressIcon,
+  xIcon,
   YouTubeIcon,
   ZendeskIcon,
   ZepIcon,
   ZoomIcon,
-  xIcon,
 } from '@/components/icons'
 
 type IconComponent = ComponentType<SVGProps<SVGSVGElement>>

apps/docs/content/docs/en/tools/meta.json

@@ -145,4 +145,4 @@
     "zep",
     "zoom"
   ]
-}
+}

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -51,6 +51,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
         deployedAt: null,
         apiKey: null,
         needsRedeployment: false,
+        isPublicApi: workflowData.isPublicApi ?? false,
       })
     }
 
@@ -98,6 +99,7 @@ export async function GET(request: NextRequest, { params }: { params: Promise<{
       isDeployed: workflowData.isDeployed,
       deployedAt: workflowData.deployedAt,
       needsRedeployment,
+      isPublicApi: workflowData.isPublicApi ?? false,
     })
   } catch (error: any) {
     logger.error(`[${requestId}] Error fetching deployment info: ${id}`, error)
@@ -301,6 +303,49 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
   }
 }
 
+export async function PATCH(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const requestId = generateRequestId()
+  const { id } = await params
+
+  try {
+    const { error, session } = await validateWorkflowPermissions(id, requestId, 'admin')
+    if (error) {
+      return createErrorResponse(error.message, error.status)
+    }
+
+    const body = await request.json()
+    const { isPublicApi } = body
+
+    if (typeof isPublicApi !== 'boolean') {
+      return createErrorResponse('Invalid request body: isPublicApi must be a boolean', 400)
+    }
+
+    if (isPublicApi) {
+      const { validatePublicApiAllowed, PublicApiNotAllowedError } = await import(
+        '@/ee/access-control/utils/permission-check'
+      )
+      try {
+        await validatePublicApiAllowed(session?.user?.id)
+      } catch (err) {
+        if (err instanceof PublicApiNotAllowedError) {
+          return createErrorResponse('Public API access is disabled', 403)
+        }
+        throw err
+      }
+    }
+
+    await db.update(workflow).set({ isPublicApi }).where(eq(workflow.id, id))
+
+    logger.info(`[${requestId}] Updated isPublicApi for workflow ${id} to ${isPublicApi}`)
+
+    return createSuccessResponse({ isPublicApi })
+  } catch (error: unknown) {
+    const message = error instanceof Error ? error.message : 'Failed to update deployment settings'
+    logger.error(`[${requestId}] Error updating deployment settings: ${id}`, { error })
+    return createErrorResponse(message, 500)
+  }
+}
+
 export async function DELETE(
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -254,10 +254,49 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
   try {
     const auth = await checkHybridAuth(req, { requireWorkflowId: false })
+
+    let userId: string
+    let isPublicApiAccess = false
+
     if (!auth.success || !auth.userId) {
-      return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      const hasExplicitCredentials =
+        req.headers.has('x-api-key') || req.headers.get('authorization')?.startsWith('Bearer ')
+      if (hasExplicitCredentials) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      const { db: dbClient, workflow: workflowTable } = await import('@sim/db')
+      const { eq } = await import('drizzle-orm')
+      const [wf] = await dbClient
+        .select({
+          isPublicApi: workflowTable.isPublicApi,
+          isDeployed: workflowTable.isDeployed,
+          userId: workflowTable.userId,
+        })
+        .from(workflowTable)
+        .where(eq(workflowTable.id, workflowId))
+        .limit(1)
+
+      if (!wf?.isPublicApi || !wf.isDeployed) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      const { isPublicApiDisabled } = await import('@/lib/core/config/feature-flags')
+      if (isPublicApiDisabled) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      const { getUserPermissionConfig } = await import('@/ee/access-control/utils/permission-check')
+      const ownerConfig = await getUserPermissionConfig(wf.userId)
+      if (ownerConfig?.disablePublicApi) {
+        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
+      }
+
+      userId = wf.userId
+      isPublicApiAccess = true
+    } else {
+      userId = auth.userId
     }
-    const userId = auth.userId
 
     let body: any = {}
     try {
@@ -284,7 +323,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       )
     }
 
-    const defaultTriggerType = auth.authType === 'api_key' ? 'api' : 'manual'
+    const defaultTriggerType = isPublicApiAccess || auth.authType === 'api_key' ? 'api' : 'manual'
 
     const {
       selectedOutputs,
@@ -341,7 +380,7 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
     // For API key and internal JWT auth, the entire body is the input (except for our control fields)
     // For session auth, the input is explicitly provided in the input field
     const input =
-      auth.authType === 'api_key' || auth.authType === 'internal_jwt'
+      isPublicApiAccess || auth.authType === 'api_key' || auth.authType === 'internal_jwt'
         ? (() => {
             const {
               selectedOutputs,
@@ -360,7 +399,16 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           })()
         : validatedInput
 
-    const shouldUseDraftState = useDraftState ?? auth.authType === 'session'
+    // Public API callers must not override workflow state, stop execution early, or resume from a block.
+    // These are administrative/debugging features restricted to authenticated users.
+    const sanitizedWorkflowStateOverride = isPublicApiAccess ? undefined : workflowStateOverride
+    const sanitizedStopAfterBlockId = isPublicApiAccess ? undefined : stopAfterBlockId
+    const sanitizedRunFromBlock = isPublicApiAccess ? undefined : resolvedRunFromBlock
+
+    // Public API callers always execute the deployed state, never the draft.
+    const shouldUseDraftState = isPublicApiAccess
+      ? false
+      : (useDraftState ?? auth.authType === 'session')
     const workflowAuthorization = await authorizeWorkflowByWorkspacePermission({
       workflowId,
       userId,
@@ -533,7 +581,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
       )
     }
 
-    const effectiveWorkflowStateOverride = workflowStateOverride || cachedWorkflowData || undefined
+    const effectiveWorkflowStateOverride =
+      sanitizedWorkflowStateOverride || cachedWorkflowData || undefined
 
     if (!enableSSE) {
       logger.info(`[${requestId}] Using non-SSE execution (direct JSON response)`)
@@ -575,8 +624,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
           loggingSession,
           includeFileBase64,
           base64MaxBytes,
-          stopAfterBlockId,
-          runFromBlock: resolvedRunFromBlock,
+          stopAfterBlockId: sanitizedStopAfterBlockId,
+          runFromBlock: sanitizedRunFromBlock,
           abortSignal: timeoutController.signal,
         })
 
@@ -973,8 +1022,8 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
             abortSignal: timeoutController.signal,
             includeFileBase64,
             base64MaxBytes,
-            stopAfterBlockId,
-            runFromBlock: resolvedRunFromBlock,
+            stopAfterBlockId: sanitizedStopAfterBlockId,
+            runFromBlock: sanitizedRunFromBlock,
           })
 
           if (result.status === 'paused') {