Drop-in gateway for n8n, Zapier, or any workflow. Add API key auth, per-key rate limits, and Stripe billing — without touching your workflow code.
Workflow API is a transparent proxy. Your workflows don't change — you just point them through us.
Your user calls /run/my-api with a Bearer API key
SHA-256 key validation, per-key token bucket, scope check
Request proxied to n8n, Zapier, or any webhook URL
Workflow response passed back to your customer unchanged
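The gateway checks in the flow above, as an added Python example that is not Workflow API's own code: the key is looked up by its SHA-256 digest, a per-key token bucket is charged, and the key's scope is checked. The wf_ key format, the KEYS store, the function names and the 401/429/403 status mapping are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumption: an in-memory dict stands in for the gateway's key store.
KEYS = {}  # sha256 hex digest -> key record (the raw key is never a field)

def create_key(scopes, per_minute, now=None):
    """Return the raw key once; only its SHA-256 digest is stored."""
    raw = "wf_" + secrets.token_urlsafe(32)  # "wf_" format is hypothetical
    digest = hashlib.sha256(raw.encode()).hexdigest()
    KEYS[digest] = {
        "prefix": raw[:8],            # short prefix so the key can be told apart in listings
        "scopes": set(scopes),        # workflow names, or "*" for all workflows
        "limit": per_minute,
        "tokens": float(per_minute),  # bucket starts full
        "updated": time.monotonic() if now is None else now,
    }
    return raw

def _take_token(rec, now):
    # Refill continuously at limit/60 tokens per second, capped at the limit.
    elapsed = max(0.0, now - rec["updated"])
    rec["tokens"] = min(rec["limit"], rec["tokens"] + elapsed * rec["limit"] / 60.0)
    rec["updated"] = now
    if rec["tokens"] < 1.0:
        return False
    rec["tokens"] -= 1.0
    return True

def authorize(auth_header, workflow, now=None):
    """Gateway decision for one request: (HTTP status, reason). Codes are assumed."""
    now = time.monotonic() if now is None else now
    scheme, _, raw = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or not raw:
        return 401, "missing bearer key"
    # Hash the presented key and look the digest up; raw keys are never compared.
    rec = KEYS.get(hashlib.sha256(raw.strip().encode()).hexdigest())
    if rec is None:
        return 401, "unknown key"
    if not _take_token(rec, now):      # limit is per key, not per IP
        return 429, "rate limit exceeded"
    if "*" not in rec["scopes"] and workflow not in rec["scopes"]:
        return 403, "key not scoped for this workflow"
    return 200, "proxy to upstream"
```

Because the check order follows the flow above (rate limit before scope), a request rejected for scope still consumes a token from that key's bucket.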
No external databases. No infrastructure to manage. Everything runs in a single process.
SHA-256 hashed keys with automatic prefix generation. Keys are shown once at creation and can never be recovered — just like Stripe or OpenAI.
In-memory token bucket rate limiter with per-key granularity. Set 20 req/min for free-tier users, 1000 for enterprise — per key, not per IP.
Share a Stripe Payment Link. Customer pays → key is created, scoped, and emailed automatically. Cancel subscription → key is revoked. Zero manual work.
Every incoming Stripe webhook is verified via Stripe-Signature HMAC before touching business logic. Forged payloads are rejected with 401.
When a customer cancels, their key stays active for 48 hours. If they resubscribe within the window, the key is never revoked. Reduces churn disputes.
New: Built-in admin dashboard with live traffic charts, per-key analytics, and a JSON stats API for building your own custom portal.
Restrict API keys to specific workflows. A "Basic" key can access only one endpoint while "Pro" gets access to all — enforced at the gateway level.
Stripe checkout triggers an HTML email with the API key, usage examples, and rate limit info — sent directly to the customer's inbox via SMTP.
Embedded SQLite database with WAL journaling for safe multi-worker reads. No Postgres, no Redis, no Docker Compose dependencies to manage.
Not a hobby project with bolted-on auth. Every layer is hardened.
Raw keys never stored. Irreversible hashing, same as Stripe and GitHub.
Every Stripe webhook verified before business logic runs. 401 on mismatch.
Target URLs validated at startup. Localhost, private IPs, and cloud metadata blocked.
Webhook signing secret loaded from env vars only — never from config files in git.
Admin key comparison uses secrets.compare_digest to prevent timing attacks.
500 errors return generic messages. No stack traces, file paths, or class names exposed.
Pending cancellations stored in DB, not memory. Survives restarts and works across multiple workers.
Drop-in config with HTTPS redirect, 1MB body limit, rate limiting, and security headers.
No build step. No framework. Clone, configure, run. Works on any VPS, PaaS, or Docker host.
Python 3.11+ and pip. No extra databases.
One CLI command connects your n8n/Zapier webhook.
API keys, rate limits, and billing — all handled.
Open source, self-hosted, and free. Deploy on your own infrastructure in under 5 minutes.