WW User Authentication

I’m using Node-RED as middleware. I’m also using WeWeb authentication.
Do I need a key from WeWeb auth to verify API requests in Node-RED? Not sure how this works.

Hi @Waz :wave:

I’m not too familiar with Node-RED, can you tell us a bit more about your use case and how you will be using both WeWeb and Node-RED together?

I’m assuming you want to build a user interface in WeWeb. What will you be building in Node-RED?

The WeWeb Auth plugin is a pretty basic auth plugin that we developed to help users get started with an MVP. You don’t need an API key to use it and can’t connect it to an external tool. Depending on your use case, you might want to use the Token-based Auth plugin or OpenID plugin instead (or one of our native integrations with Auth0, Xano Auth, Supabase Auth).

Hi Joyce,
Thank you for taking the time to look at this.
Node-RED is a low code flow editor. I have about 7 years’ experience with this so I’m able to create business logic with it quickly. It’s a fantastic middleware.

What I have been able to do so far is use WeWeb authentication and in the API requests that are all sent through Node-RED, I can pull out the user ID and verify that before the request goes through the flow. So using this system I set permissions for each API call in Node-RED. I test it with Postman to make sure that a user can only see what they are meant to see.
So WeWeb sends requests to a single endpoint in Node-RED. I use a “page/table” variable in the request to direct the flow. Node-RED then makes the API request to Supabase but this can’t be seen in the user’s console - so I guess Node-RED proxies the requests which adds a layer of security. The big upside of course is I don’t have to learn Supabase functions.

So far this works well but is there a security issue with relying on just the WeWeb auth user ID? The user ID is visible in the browser console, so to me that’s like storing a password in the clear. I’m aware that Supabase etc only use a URL and API key, so they are no better really.
Also, is there any way for an admin user (of the end user app, not WeWeb platform) to create users that are in the WeWeb auth?