April 2026

n8n Credentials Management: Security Best Practices (2026)


Credentials are where n8n security stands or falls. A compromised database, a lost encryption key, or a shared credential accidentally exported in a workflow file can expose every API key and OAuth token your workflows use. This guide covers how to manage credentials safely across solo, team, and enterprise setups.

How n8n Stores Credentials

Credentials are stored encrypted in the n8n database using the N8N_ENCRYPTION_KEY. Each credential's configuration fields are encrypted together as a single blob. Even if the database is leaked, the credentials are unreadable without the encryption key. Lose the encryption key and the credentials are unrecoverable; every credential must be re-entered.

N8N_ENCRYPTION_KEY: Treat It Like a Database Password

Generate the key once using a cryptographically secure random generator (openssl rand -hex 32 is fine). Store it in your deployment's secrets manager (AWS Secrets Manager, Doppler, 1Password, HashiCorp Vault, or at minimum an offline encrypted backup). Never commit it to git. Never log it. Never include it in exported workflow files.

If you ever migrate n8n to a new instance, you must bring the encryption key with you or all credentials become unreadable. Document this in your deployment runbook.

Credential Rotation

API keys and OAuth tokens should rotate periodically: quarterly for most credentials, more frequently for high-risk ones (payment processors, production databases). n8n does not automate rotation; you have to update each credential manually when you rotate the underlying key.

When rotating, update the n8n credential first, then revoke the old key on the provider side. Verify a test workflow still works before revoking. A broken credential rotation can stop production workflows cold.

OAuth vs API Key

When a service offers both OAuth and API keys, OAuth is generally safer. OAuth tokens are scoped to specific permissions and often expire automatically, limiting blast radius. API keys are typically long-lived and have full account access. Use OAuth wherever it is available; fall back to API keys only when OAuth is not an option.

For API keys, always use keys scoped to the minimum permissions needed. If you only need read access to HubSpot contacts, do not use a full-admin API key. Scope it down.

Credential Security Risk by Practice

Practice | Risk score
Full-admin API keys for every credential |
Unscoped OAuth with broad permissions |
Scoped API keys, periodic rotation |
OAuth with narrow scopes, auto-rotation |

Sharing Credentials With Team Members

On team and enterprise tiers, credentials can be shared with specific users or user groups. Share credentials only with people who need them, and only for the specific workflows they own. Do not share production database credentials broadly.

For teams with multiple environments (dev, staging, prod), create separate credentials per environment even if the underlying service is the same. A dev credential leaked is embarrassing; a prod credential leaked is a real incident.

Credentials Not Saving Fix

If you are hitting "credentials not saving" errors, the most common causes are: N8N_ENCRYPTION_KEY changed between restarts (the new instance cannot decrypt existing credentials, and saving new ones fails); the database is read-only or out of disk space; or a credential field exceeds the database column length limit. Check the n8n logs for the specific error message; there is almost always a clear diagnostic.

External Secrets Integration

Enterprise n8n supports external secrets providers (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault). Instead of storing credential values in n8n, n8n references secrets in the external vault. This centralizes secret management, enables auditing, and makes rotation easier.

For self-hosted community n8n this is not directly supported, but you can emulate it with environment variables: have your secrets provider load the secrets into the environment at container start, and reference them in credential fields using expression syntax where supported.
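A container entrypoint that implements the emulation just described, written as an added example for this article (not part of n8n). It assumes your secrets provider has written one file per secret into a directory (SECRETS_DIR, default /run/secrets), named after the environment variable it should become; HUBSPOT_API_KEY is a placeholder name, and the `$env` expression syntax is n8n's way of reading environment variables.

```shell
#!/bin/sh
# Container entrypoint that emulates external secrets for community n8n.
# Example written for this article, not part of n8n. Assumes your secrets
# provider (Vault agent, Docker secrets, a sidecar) has written one file per
# secret into SECRETS_DIR, named after the environment variable it should become.
set -e

SECRETS_DIR="${SECRETS_DIR:-/run/secrets}"

# Export every file in the directory as an environment variable. File names that
# are not valid identifiers are skipped; the trailing newline is stripped by $(...).
load_secrets_from_dir() {  # load_secrets_from_dir <dir>
  dir=$1
  [ -d "$dir" ] || { echo "secrets dir $dir missing" >&2; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    case $name in
      *[!A-Za-z0-9_]*|[0-9]*) echo "skipping $name: not a valid env name" >&2; continue ;;
    esac
    value=$(cat "$f")
    export "$name=$value"
  done
}

# Refuse to start when a secret the workflows depend on is absent, rather than
# letting a credential silently resolve to an empty string at run time.
require_secrets() {  # require_secrets NAME...
  missing=0
  for n in "$@"; do
    eval "v=\${$n:-}"
    if [ -z "$v" ]; then echo "required secret $n is not set" >&2; missing=1; fi
  done
  [ "$missing" -eq 0 ]
}

# Entrypoint behaviour: only when invoked as `entrypoint.sh start`.
if [ "${1:-}" = "start" ]; then
  load_secrets_from_dir "$SECRETS_DIR"
  require_secrets HUBSPOT_API_KEY           # placeholder name for this example
  # In the credential field, reference the value with an n8n expression,
  # e.g. {{ $env.HUBSPOT_API_KEY }}, so the secret value never lives in the n8n database.
  exec n8n start
fi
```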

Auditing Credential Access

Enterprise n8n logs credential access: who viewed or edited which credential, and when. Review these logs periodically. Unusual access patterns (a credential being viewed by someone who does not own the related workflow) are worth investigating.

For community n8n, you do not have native audit logs. Rely on team discipline and credential-sharing policies.

Workflow Exports Do Not Contain Credentials

When you export a workflow as JSON, n8n includes references to credentials but not the credential values themselves. This is intentional. When you import the workflow on a different instance, you have to re-create or re-link credentials. This prevents accidentally sharing credentials via exported workflow files.

Backing Up Credentials

Database backups (pg_dump of the n8n Postgres database) include encrypted credentials. If you restore from backup on a new instance and bring the N8N_ENCRYPTION_KEY, the credentials work. Without the key, they do not. Always back up the encryption key alongside database backups.
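Runbook helpers covering both the key-handling advice above (generate once with a secure random source, never paste it anywhere) and this backup section: the manifest records only a fingerprint of N8N_ENCRYPTION_KEY beside the dump, so a restore can confirm it has the right key without the backup ever containing the key. This is an added example written for this article, not n8n's own tooling; it assumes coreutils (sha256sum, od, sed) and optionally openssl, and leaves the pg_dump call as a commented sketch so the helpers run anywhere.

```shell
# Runbook helpers for N8N_ENCRYPTION_KEY handling. Example script written for this
# article, not part of n8n. Assumes coreutils (sha256sum, head, od, sed) and,
# optionally, openssl. pg_dump itself is left out so the helpers run anywhere.
set -e

# Generate a fresh key: 32 random bytes rendered as 64 hex characters.
generate_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Accept only 64 lowercase hex characters; catches truncated or mangled keys
# before they are written into a runbook or secrets manager.
validate_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# A short fingerprint that can sit next to a database dump without disclosing
# the key: whoever holds the dump still needs the real key to decrypt anything.
key_fingerprint() {
  printf '%s' "$1" | sha256sum | cut -c1-16
}

# Record, beside the dump, which key the dump was made under.
write_manifest() {  # write_manifest <manifest-path> <key>
  validate_key "$2" || { echo "refusing to back up: key malformed" >&2; return 1; }
  printf 'n8n_encryption_key_fingerprint=%s\ncreated=%s\n' \
    "$(key_fingerprint "$2")" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$1"
}

# Before restoring on a new instance, confirm the key you brought is the one
# the dump was encrypted under, instead of discovering the mismatch in the UI.
check_restore_key() {  # check_restore_key <manifest-path> <key>
  expected=$(sed -n 's/^n8n_encryption_key_fingerprint=//p' "$1")
  [ -n "$expected" ] && [ "$expected" = "$(key_fingerprint "$2")" ]
}

# Runbook sketch (paths are placeholders):
#   key=$(generate_key)                      # store in your secrets manager, never in git
#   write_manifest backups/n8n.manifest "$N8N_ENCRYPTION_KEY"
#   pg_dump n8n > backups/n8n.sql            # dump and manifest travel together
#   check_restore_key backups/n8n.manifest "$N8N_ENCRYPTION_KEY" || echo "key mismatch"
```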

Credential Hygiene Checklist

N8N_ENCRYPTION_KEY stored securely outside n8n: Required
Credentials scoped to minimum permissions: Required
Rotation schedule documented and followed: Required
Separate credentials per environment: Required
Access auditing reviewed quarterly: Required

Incident Response

If a credential leaks (accidental commit, server compromise, suspected breach): revoke the underlying API key or OAuth token at the provider immediately. Update the n8n credential with a fresh key. Review audit logs for unauthorized use. Rotate related credentials as a precaution. Document the incident for post-mortem.

Have the revocation steps documented before you need them. During an active incident, looking up how to revoke a HubSpot API key wastes minutes that matter.
