Hardcoded credentials in n8n workflows
Why embedding API keys and tokens directly in your workflow is a critical security risk
What is this issue?
Hardcoded credentials occur when sensitive data such as API keys, bearer tokens, passwords, or other secrets are typed directly into workflow node parameters instead of being stored in n8n's credential store and referenced from the node. Because node parameters are part of the workflow definition, anything typed there ends up in the exported workflow JSON.
Common patterns detected:
• Bearer tokens in HTTP Request node headers
• API keys with recognisable prefixes such as sk-, xoxb-, ghp_
• Passwords in database connection strings
• Secrets passed as plain node parameters
Why is this dangerous?
Workflow export exposure
When you export or share your workflow, all hardcoded secrets are included in plain text in the JSON file.
Version control leaks
If workflows are committed to Git, the credentials stay in the repository history even after the file is edited or deleted. Removing them requires rewriting history, and any key that has been committed should be treated as compromised and rotated.
Access control bypass
Anyone with read access to the workflow can see and copy the credentials. n8n lets you restrict which users a stored credential is shared with; a secret typed into a node parameter is visible to everyone who can open the workflow, regardless of those sharing settings.
Difficult rotation
Hardcoded credentials require manual updates across multiple workflows when keys are rotated or compromised.
How to fix it
1. Use n8n's credential system. Open the Credentials page in n8n and create a credential for each service (for example an "Header Auth" credential holding an Authorization header, or a Postgres credential holding the database password). n8n encrypts stored credentials at rest.
2. Reference credentials in nodes. In your HTTP Request or service nodes, set the authentication option and select the credential from the dropdown instead of typing the value into a header, query parameter, or connection string. The exported JSON then contains only the credential's id and name, never the secret itself.
3. Set the encryption key. Set N8N_ENCRYPTION_KEY explicitly in n8n's environment. If it is unset, n8n generates a random key on first start and writes it to its config file (~/.n8n/config); credentials are still encrypted, but the key then lives on the same host as the database, is easy to lose during a migration, and a second instance would generate a different key and be unable to decrypt the stored credentials. Back the key up and keep it out of the workflow JSON and the repository.
4. Use external secret managers. For enterprise deployments, n8n's External Secrets feature can pull credential values from HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault, so rotation happens in the secret manager rather than in every workflow.
Scan your workflow now
Upload your n8n workflow JSON and instantly detect any hardcoded credentials, API keys, or exposed secrets.