AI workflow automation is revolutionizing how organizations streamline business processes, increase productivity, and reduce manual workloads. However, as automation becomes more sophisticated and data-driven, security risks grow in parallel. Building secure AI workflow automations with open-source tools is not just possible—it's essential for organizations that value transparency, flexibility, and control.
As we covered in our Top AI Workflow Automation Trends Transforming 2026 Business Operations, security and open-source adoption are shaping the future of workflow automation. This deep-dive tutorial will walk you through building a secure, auditable AI workflow automation using leading open-source tools.
Prerequisites
- Basic Linux command line knowledge
- Python 3.10+ (tested with Python 3.11)
- Docker (version 24+ recommended) and Docker Compose
- Git (version 2.34+)
- Familiarity with YAML and environment variables
- Open-source tools used:
  - LangChain (AI orchestration framework)
  - FastAPI (API layer)
  - Keycloak (open-source identity and access management)
  - Traefik (reverse proxy with TLS support)
  - Docker Compose (for orchestration)
- Hardware: 4GB+ RAM, 2+ CPU cores recommended
1. Set Up the Project Structure
- Create a project directory:
    mkdir secure-ai-workflow && cd secure-ai-workflow
- Initialize a Git repository:
    git init
- Create subdirectories:
    mkdir app config keycloak traefik
- Resulting structure:
    secure-ai-workflow/
    ├── app/
    ├── config/
    ├── keycloak/
    ├── traefik/
2. Build the AI Workflow Engine (LangChain + FastAPI)
- Initialize a Python virtual environment:
    cd app
    python3 -m venv .venv
    source .venv/bin/activate
- Create requirements.txt:
    fastapi
    uvicorn[standard]
    langchain
    openai
    python-dotenv
- Install dependencies:
    pip install -r requirements.txt
- Create main.py in app/:
    import hmac
    import os

    from dotenv import load_dotenv
    from fastapi import Depends, FastAPI, HTTPException, Request
    from langchain.llms import OpenAI
    from pydantic import BaseModel

    load_dotenv()  # read OPENAI_API_KEY and WORKFLOW_API_KEY from app/.env

    app = FastAPI()

    class WorkflowRequest(BaseModel):
        # JSON body of POST /run-workflow: {"prompt": "..."}
        prompt: str

    def get_api_key(request: Request):
        expected = os.environ.get("WORKFLOW_API_KEY")
        supplied = request.headers.get("Authorization", "")
        # Fail closed when the key is unset, and compare in constant time.
        if not expected or not hmac.compare_digest(supplied.encode(), f"Bearer {expected}".encode()):
            raise HTTPException(status_code=401, detail="Unauthorized")
        return True

    @app.post("/run-workflow", dependencies=[Depends(get_api_key)])
    async def run_workflow(body: WorkflowRequest):
        llm = OpenAI(openai_api_key=os.environ["OPENAI_API_KEY"])
        response = llm(body.prompt)
        return {"result": response}
- Add a .env file in app/:
    OPENAI_API_KEY=sk-...
    WORKFLOW_API_KEY=supersecuretoken
- Test locally:
    uvicorn main:app --reload --host 0.0.0.0 --port 8000
Screenshot description: The FastAPI Swagger UI at http://localhost:8000/docs shows the /run-workflow endpoint, requiring an Authorization header.
3. Secure Identity & Access Management with Keycloak
- Create docker-compose.yml for Keycloak:
    version: "3.8"
    services:
      keycloak:
        image: quay.io/keycloak/keycloak:22.0
        environment:
          - KEYCLOAK_ADMIN=admin
          - KEYCLOAK_ADMIN_PASSWORD=adminpassword
        command: start-dev  # development mode
        ports:
          - "8080:8080"
        volumes:
          - ./keycloak:/opt/keycloak/data
- Start Keycloak:
    docker compose up -d keycloak
- Access Keycloak admin UI:
    http://localhost:8080
- Create a new realm, client, and user:
  - Log in with admin/adminpassword
  - Create a realm: secure-ai
  - Add a client: ai-workflow-api (type: OpenID Connect, public access)
  - Add a user: testuser (set password, enable)
- Configure FastAPI to use Keycloak JWTs:
  - Install extra dependency:
      # main.py below also imports requests; add both packages to requirements.txt
      # so the Docker image built in step 4 includes them
      pip install python-jose requests
  - Update main.py to validate JWTs (replace previous get_api_key):
      import requests
      from jose import jwt

      KEYCLOAK_URL = os.environ.get("KEYCLOAK_URL", "http://keycloak:8080")
      REALM = "secure-ai"

      def get_public_key(kid):
          # Fetch the realm's JWKS and return the key whose "kid" matches the token header.
          url = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect/certs"
          jwks = requests.get(url, timeout=5).json()
          for key in jwks["keys"]:
              if key.get("kid") == kid:
                  return key
          raise HTTPException(status_code=401, detail="Invalid token")

      def get_current_user(request: Request):
          auth = request.headers.get("Authorization")
          if not auth or not auth.startswith("Bearer "):
              raise HTTPException(status_code=401, detail="Missing token")
          token = auth.split(" ", 1)[1]
          try:
              # The header is read unverified only to find the key; decode() verifies the token.
              kid = jwt.get_unverified_header(token).get("kid")
              public_key = get_public_key(kid)
              payload = jwt.decode(token, public_key, algorithms=["RS256"], audience="ai-workflow-api")
              return payload
          except HTTPException:
              raise
          except Exception:
              raise HTTPException(status_code=401, detail="Invalid token")
  - Update route dependencies:
      @app.post("/run-workflow", dependencies=[Depends(get_current_user)])
      async def run_workflow(body: WorkflowRequest):
          ...
Screenshot description: Keycloak admin UI showing the secure-ai realm, with the ai-workflow-api client and testuser user configured.
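What the JWT validation in step 3 has to enforce, written out with only the standard library as an added example (not code from the original tutorial): key selection by kid, a pinned RS256 algorithm, signature verification, and the iss, aud and exp checks. The demo key, the demo_sign helper, the JWKS contents and the issuer value passed in are constructed so the block runs offline; in the app, python-jose and the realm's certs endpoint do this work.

```python
import base64, hashlib, json, time
# Constructed demo key (product of two Mersenne primes): NOT secure, it only lets the
# example run offline. Real keys come from the realm's openid-connect/certs endpoint.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo

def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def int_b64(i): return b64e(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def emsa_pkcs1(msg, size):
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (size - len(t) - 3) + b"\x00" + t

def demo_sign(header, claims):
    """Stand-in for Keycloak (constructed helper): issue a token signed with the demo key."""
    msg = f"{b64e(json.dumps(header).encode())}.{b64e(json.dumps(claims).encode())}"
    size = (N.bit_length() + 7) // 8
    sig = pow(int.from_bytes(emsa_pkcs1(msg.encode(), size), "big"), D, N)
    return f"{msg}.{b64e(sig.to_bytes(size, 'big'))}"

# Constructed JWKS: an encryption key is listed first, so keys[0] is the wrong key.
JWKS = {"keys": [
    {"kid": "enc-1", "kty": "RSA", "use": "enc", "n": int_b64(N + 2), "e": "AQAB"},
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "n": int_b64(N), "e": "AQAB"},
]}

def require(ok, reason):
    if not ok:
        raise ValueError(reason)

def verify(token, jwks, issuer, audience, now=None):
    """Return the claims of a valid token; raise ValueError naming the first failed check."""
    h64, p64, s64 = token.split(".")
    header, claims = json.loads(b64d(h64)), json.loads(b64d(p64))
    require(header.get("alg") == "RS256", "unexpected alg")  # pin the algorithm
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid", "")
                and k.get("use") == "sig"), None)  # match by kid, never keys[0]
    require(key is not None, "unknown kid")
    n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
    size = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(b64d(s64), "big"), e, n).to_bytes(size, "big")
    require(em == emsa_pkcs1(f"{h64}.{p64}".encode(), size), "bad signature")
    aud = claims.get("aud", [])
    require(claims.get("iss") == issuer, "wrong issuer")
    require(audience in ([aud] if isinstance(aud, str) else aud), "wrong audience")
    require(claims.get("exp", 0) > (now or time.time()), "expired")
    return claims
```

Keycloak does not add a client's own ID to aud by default, so the audience check passes only after an audience mapper is configured for ai-workflow-api.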
4. Add HTTPS and Reverse Proxy with Traefik
- Create traefik/traefik.yml:
    entryPoints:
      web:
        address: ":80"
      websecure:
        address: ":443"
    providers:
      docker:
        exposedByDefault: false
    api:
      # Served on :8080 only when api.insecure is also enabled;
      # otherwise a router to api@internal is required.
      dashboard: true
- Create traefik/docker-compose.yml:
    version: "3.8"
    services:
      traefik:
        image: traefik:v2.10
        command:
          - --configFile=/etc/traefik/traefik.yml
        ports:
          - "80:80"
          - "443:443"
          - "8081:8080" # Traefik dashboard
        volumes:
          - ./traefik.yml:/etc/traefik/traefik.yml
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - proxy
    networks:
      proxy:
        external: true
- Start Traefik:
    # The compose file declares the proxy network as external, so it must exist first.
    docker network create proxy
    docker compose -f traefik/docker-compose.yml up -d
- Update app/Dockerfile for FastAPI:
    FROM python:3.11-slim
    WORKDIR /app
    COPY requirements.txt .
    RUN pip install --no-cache-dir -r requirements.txt
    COPY . .
    CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]
- Add Traefik labels to FastAPI in docker-compose.yml:
    app:
      build: ./app
      environment:
        - OPENAI_API_KEY=${OPENAI_API_KEY}
        - KEYCLOAK_URL=http://keycloak:8080
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.app.rule=Host(`localhost`)"
        # The web entry point is plain HTTP: bearer tokens travel unencrypted
        # until the router is moved to websecure with TLS.
        - "traefik.http.routers.app.entrypoints=web"
        - "traefik.http.services.app.loadbalancer.server.port=8000"
      networks:
        - proxy
- Rebuild and launch all services:
    docker compose up -d --build
- Test HTTPS (optional, with self-signed certs):
  - Configure Traefik for TLS as per official docs.
Screenshot description: Traefik dashboard at http://localhost:8081 shows the app and keycloak services registered and healthy.
5. Orchestrate Everything with Docker Compose
- Create a root docker-compose.yml:
    version: "3.8"
    services:
      traefik:
        image: traefik:v2.10
        command:
          - --configFile=/etc/traefik/traefik.yml
        ports:
          - "80:80"
          - "443:443"
          - "8081:8080"
        volumes:
          - ./traefik/traefik.yml:/etc/traefik/traefik.yml
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - proxy
      keycloak:
        image: quay.io/keycloak/keycloak:22.0
        environment:
          - KEYCLOAK_ADMIN=admin
          - KEYCLOAK_ADMIN_PASSWORD=adminpassword
        command: start-dev
        ports:
          - "8080:8080"
        volumes:
          - ./keycloak:/opt/keycloak/data
        networks:
          - proxy
      app:
        build: ./app
        environment:
          - OPENAI_API_KEY=${OPENAI_API_KEY}
          - KEYCLOAK_URL=http://keycloak:8080
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.app.rule=Host(`localhost`)"
          - "traefik.http.routers.app.entrypoints=web"
          - "traefik.http.services.app.loadbalancer.server.port=8000"
        depends_on:
          - keycloak
        networks:
          - proxy
    networks:
      proxy:
        driver: bridge
- Start the full stack:
    docker compose up -d --build
- Verify all services:
    docker compose ps
Screenshot description: Terminal output of docker compose ps showing all services (traefik, keycloak, app) as "Up".
6. Test the Secure AI Workflow Automation
- Obtain a Keycloak access token:
    curl -X POST \
      "http://localhost:8080/realms/secure-ai/protocol/openid-connect/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "client_id=ai-workflow-api" \
      -d "username=testuser" \
      -d "password=yourpassword" \
      -d "grant_type=password"
  Copy the access_token from the response.
- Call the workflow endpoint securely:
    curl -X POST "http://localhost/run-workflow" \
      -H "Authorization: Bearer <access_token>" \
      -H "Content-Type: application/json" \
      -d '{"prompt": "Summarize this document: ..."}'
  You should receive a JSON response from the OpenAI-powered workflow.
Screenshot description: Terminal showing a successful curl response with a JSON result from the workflow endpoint.
Common Issues & Troubleshooting
- Keycloak not starting or port conflict:
  - Check if port 8080 is free (lsof -i :8080).
- FastAPI app cannot validate JWTs:
  - Ensure KEYCLOAK_URL is accessible from the app container.
  - Check that the JWT audience matches the client ID.
- Traefik does not route traffic:
  - Check Traefik dashboard (http://localhost:8081).
  - Verify Traefik labels and network configuration.
- OpenAI API errors:
  - Ensure OPENAI_API_KEY is set and valid.
- Docker network issues:
  - Try docker network prune (careful: this removes unused networks).
Next Steps
- Expand your workflow: Integrate more advanced LLM plugins and orchestration techniques. See Best LLM Plugins for Workflow Automation: 2026’s Must-Have Extensions Compared for recommendations.
- Enhance security: Move toward a Zero Trust Security model, including least-privilege access and continuous monitoring.
- Explore RAG systems: For workflows that require retrieval-augmented generation, see RAG Systems for Workflow Automation: State of the Art in 2026.
- Automate data privacy: Learn about AI-Driven Document Redaction to protect sensitive data in your workflow automations.
- Real-world use cases: If you're a small business, check out our AI Workflow Automation for Small Retailers playbook.
By following this guide, you've built a foundation for secure AI workflow automation using open-source tools. For more on the strategic context and future trends, revisit our parent pillar article.
