n8n Credential Security: OAuth2, API Keys & Vault Integration
n8n encrypts every credential (OAuth2 tokens, API keys, Basic Auth credentials) with AES-256 in CBC mode before storing them in its database. An encryption key held in an environment variable ensures that a database breach does not expose secrets. You can further off-load secrets to HashiCorp Vault or AWS Secrets Manager, reference them with $env syntax, and rotate keys without altering any workflow logic. [1]
How does n8n encrypt and protect stored credentials in the database?
n8n encrypts every credential using AES-256 in CBC mode with a random initialization vector generated per operation. The encryption key is stored in the n8n configuration file or set via the N8N_ENCRYPTION_KEY environment variable. Without this key, even a full database compromise cannot recover the original values. [1]
For self-hosted users, rotate the N8N_ENCRYPTION_KEY by generating a new key, setting it as the active key, and re-encrypting all existing credentials using n8n's key-rotation tool. For more on securing the entire instance, see the n8n Security Hub.
How do you set up OAuth2 authentication for third‑party services in n8n?
In the credentials panel, select “OAuth2” as the authentication type. n8n provides a built‑in callback URL that you register in the service’s developer console. After you click “Connect Account,” n8n handles the redirect, obtains the access token, and securely stores the encrypted token alongside a refresh token for automatic renewal. [3]
For services that require custom scopes or different grant types (e.g., client credentials), you can configure additional OAuth2 parameters in the credential's advanced settings. This OAuth2 flow is the same one used for AI model authentication, such as OpenAI and Anthropic.
How do you securely manage and reference API keys across n8n workflows?
Instead of pasting raw keys into node fields, store them as n8n credentials (API Key type) and reference them in expressions via {{ $credentials }}. The key is encrypted at rest and never exposed in execution logs. For even greater isolation, inject keys as environment variables and reference them with $env:API_KEY. [4]
Shared credentials can be reused across workflows, and you can set granular permissions on who can view or edit each credential. For production, restrict sensitive keys to specific workflow collaborators and use external secret managers as described in the credential hardening guide.
How do environment variables prevent secret leakage in n8n?
Define variables like N8N_API_KEY at the OS or Docker level and reference them as $env:N8N_API_KEY inside n8n nodes. The actual value never appears in the workflow definition, shared JSON files, or git exports. This separates code from secrets and simplifies rotation without touching any workflow. [5]
Use a .env file only in local development and never check it into version control. For cloud deployments, the platform injects variables through its own secret management, keeping them encrypted in transit and at rest.
How do you integrate HashiCorp Vault or AWS Secrets Manager with n8n?
Configure the externalSecrets settings in n8n's configuration to point to a Vault instance or AWS Secrets Manager. Then reference secrets in credential fields using the {{$vault.secret.path}} syntax. n8n fetches the latest version at runtime, enabling automated secret rotation without workflow editing. [2]
Vault integration supports dynamic database secrets: n8n requests a temporary credential that expires after a few hours, dramatically reducing the risk of a leaked credential. For operational monitoring of secret usage, combine this with DevOps monitoring workflows.
How do you rotate n8n credentials and audit their usage?
Rotate credentials by replacing the stored secret in your vault or environment, then trigger a re‑encrypt operation in n8n. For API keys stored by reference, simply update the environment variable value and restart the n8n worker. Execution logs show which credential was used by each node, helping trace access patterns and detect anomalies. [1]
Schedule a periodic audit workflow that queries the n8n REST API for all stored credentials, checks their last‑rotated date, and alerts via Slack if any have exceeded the rotation policy. This pattern ties directly into the SLA‑style notification design.