Exec security

Production hardening for /_resuma/worker, queues, graphs, scheduler, and metrics. Complements app security (CSRF, CSP, actions).

TRY IT

Exec security

Graph access tokens, SSRF guards on worker HTTP, and rate limits on /_resuma/worker/*

When exec routes need a key

Exec routes (/_resuma/*) mount only when you call .workers(registry) or set RESUMA_EXEC_ENABLED=1. Pure SSR/Flow apps never expose them — no API key required.

When exec routes are mounted, Resuma is fail-closed: without RESUMA_EXEC_API_KEY in production, admin routes return 401. Locally, use RESUMA_EXEC_PUBLIC=1 instead of managing a secret.

Environment variables guide → (by app type, Fly secrets, full reference)

RESUMA_ENV=production
RESUMA_EXEC_API_KEY=$(openssl rand -hex 32)   # fly secrets set …
RESUMA_OPS_SESSION=$(openssl rand -hex 32)     # /ops cookie (production template)
RESUMA_DATA_DIR=/data/resuma
RESUMA_RATE_BACKEND=disk

Auth matrix

RouteAuthCSRF / origin
POST /_resuma/worker/*API keyYes
GET /_resuma/statusAPI keyNo
GET /_resuma/graph/*/eventsGraph token or API keyReads: origin in dev
POST .../pause|resume|cancelGraph token or API keyAlways
exec_statusSession or API keyAction pipeline CSRF

Graph tokens

Each started graph returns access_token in StartWorkerResponse. Pass to Flow UI components for SSE and controls. Tokens are persisted under .resuma/durable/tokens/ and validated in constant time.

Rate limits (exec)

Exec routes share the same built-in rate-limit backends as app actions — memory in dev, disk under {RESUMA_DATA_DIR}/rate-limit/ in production. No Redis.

  • RESUMA_RATE_EXEC_WORKERS — default 30/min (worker + queue POST)
  • RESUMA_RATE_EXEC_GRAPH — default 180/min (reads, SSE)
  • RESUMA_RATE_EXEC_CONTROL — default 60/min (pause/resume/cancel)

Input validation

  • RESUMA_EXEC_MAX_INPUT — JSON body size (default 512 KiB)
  • RESUMA_EXEC_MAX_DEPTH — nesting depth (default 32)

← Flow UI · Environment variables →