Multiple applications inside one workspace, each with isolated sessions Workspace web-app mobile admin-tool n8n-hook Session scoped to app encrypted · audited Hosted login Redirect → allowlisted URI https://app.example/callback Zero extra security code
Register apps once — sessions inherit isolation, policy, and audit automatically.

Workspace Management

Applications

Ship multiple products, zero extra security work. When you build with secureFlows, you register an Application inside your workspace. It's a small configuration step — name it, set a redirect URL, done. What it unlocks is significant: every user session your app creates is automatically scoped to that application, isolated from everything else in your workspace, and governed by the exact security policy you choose.

One workspace, many products

A secureFlows workspace is your tenant — your company, your team, your product line. Inside that workspace, you can register as many applications as you need:

  • Your main web app
  • A mobile companion
  • An internal admin tool
  • A third-party integration

Each application is independently configured and independently audited. A session created by your web app is invisible to your mobile app. An n8n automation running under one application ID cannot read data belonging to another. The isolation isn't a setting you configure — it's the architecture.

One tenant · many apps · hard isolation.

Per-app security policy, without the boilerplate

Each application carries its own policy:

Session token lifetime. How long before a credential expires and the user re-authenticates. Short-lived for sensitive tools. More generous for lower-risk flows. Your call, per app.

Payload TTL. How long user data lives before it's automatically purged. Set it to match your data retention commitments — per application, not globally.

Redirect URI allowlist. secureFlows only sends users back to URLs you explicitly register. Open-redirect attacks are architecturally blocked; there's nothing to misconfigure.

This means your compliance posture scales with your product portfolio. Adding a new integration doesn't mean retrofitting security policy onto a system that wasn't designed for it. It means registering an application and inheriting the same guarantees the rest of your workspace already has.

Token TTL · payload TTL · allowlisted redirects.

Built-in audit, per application

Every session event — created, accessed, expired, revoked — is logged against the application that owns it. Workspace admins get a full audit trail broken down by app, so you can answer the question "what did this integration access, and when?" without building any logging infrastructure yourself.

The audit view shows session counts, creation and expiry patterns, and revocation events per app. Payload content is never included — not in logs, not in analytics, not anywhere outside the encrypted session store. See Security for the audit and API access log.

Events tagged by application — never decrypted content.

What registration actually takes

There's no code involved. From the workspace dashboard:

  1. Give the application a name and an ID (my-app, acme-mobile, whatever fits your naming convention).
  2. Add the redirect URIs your app will use after login.
  3. Optionally override token and payload TTLs.

That's it. secureFlows produces an appId you drop into your integration as a constant. From that point on, every session your app creates is automatically scoped, isolated, encrypted, and audited. See Build your First Application for the full integration walkthrough.

Name → redirects → TTLs → ship.

The net effect

You ship a new product or integration. You don't ship new session management logic, new encryption code, new token handling, or new audit infrastructure. That work is already done — at the workspace level, extended cleanly to each application you register.

One workspace. Any number of applications. The same security guarantees across all of them.

Scale products without scaling security boilerplate.