Hardcoded secret in n8n
Why API keys and tokens in node parameters are a critical security risk
What is this issue?
A hardcoded secret is an API key, password, or token embedded directly in a workflow node rather than stored securely in n8n's credential system. Common patterns include strings starting with sk-, xoxb-, ghp_, AIza, and similar prefixes.
Common secret patterns detected:
• sk-... (OpenAI, Stripe API keys)
• xoxb-... (Slack bot tokens)
• ghp_... (GitHub personal access tokens)
• AIza... (Google API keys)
Why is this dangerous?
Full API access exposure
Anyone seeing the workflow has your API key with full permissions to that service.
Workflow export risks
Exported JSON files contain secrets in plain text, easy to accidentally share.
Version control exposure
Secrets in Git history persist forever, even after you delete them from the current version.
Credential rotation difficulty
When you need to rotate keys, you must find and update every workflow manually.
How to fix it
1. Move to n8n credentials
Create a proper credential in Settings → Credentials for each secret. n8n encrypts these at rest.
2. Update node configuration
Change the node to reference the credential instead of the hardcoded value.
3. Rotate compromised secrets
If the workflow was shared or committed, consider the secret compromised. Generate a new one.
4. Audit all workflows
Use Audit8n to scan all your workflows for hardcoded secrets systematically.
Scan your workflow now
Upload your n8n workflow JSON and instantly detect any hardcoded API keys, tokens, or secrets.