Credentials are the hidden failure point of every n8n stack. They expire, get rotated, get shared too broadly, or get lost when a teammate leaves. This walks the disciplined pattern for managing them.
Who this is for
Operators with 10+ workflows and at least one teammate. If you have ever discovered a workflow had been failing because an OAuth credential silently expired, or if you have rotated an API key and watched six workflows break, this is for you.
Step 1
Settings → Credentials. List every credential, who created it, what it accesses, and when it was last rotated.
Open Settings → Credentials. Look at the full list.
Export or copy into a spreadsheet: credential name, credential type, owner (creator), date created.
For each row, add: which workflows reference this credential (Settings → Credential → "Used by" tab), and when the underlying API key/OAuth was last rotated.
Tag each credential: production-critical, dev/test, or stale (not used by any active workflow).
Delete stale credentials immediately; every unused credential is a liability. Before deleting, confirm that nothing paused (an inactive workflow you intend to re-enable) still references it: deletion is irreversible, and the secret cannot be recovered from n8n afterwards.
Step 2
Use a structured name: `[App] — [Account] — [Environment]`. E.g., "HubSpot — Marketing Account — Production."
Bad: 'HubSpot,' 'HubSpot 2,' 'Test HubSpot.'
Good: 'HubSpot — Marketing Account — Production,' 'HubSpot — Sales Account — Production,' 'HubSpot — Dev Sandbox.'
When you have 3+ HubSpot connections (sales/marketing/dev), bad names cause workflows to be wired to the wrong account. That is how you accidentally write production data into a dev sandbox.
Rename existing credentials to match the convention. This is a one-time pain that prevents future mistakes.
Step 3
On Pro+, credentials are scoped to projects. On Starter, every Owner/Admin sees every credential — be careful about who has Admin role.
On Pro+: organize credentials by Project. Each project has its own set of credentials and workflows. Editors in one project cannot see credentials from another.
On Starter: every Owner/Admin can see every credential. Only invite the minimum necessary people as Owner/Admin. Use Editor for builders and Viewer for stakeholders.
Never share an Owner login. Every person who needs access gets their own account, with two-factor authentication turned on, so access can be revoked per person and the audit trail shows who changed what.
For contractors and agencies: create a "contractor" Project on Pro+ with only the credentials they need. Revoke access when the engagement ends.
Step 4
For each credential, document rotation cadence. OAuth: re-auth annually (or on staff change). API keys: rotate quarterly. Long-lived tokens: rotate every 6 months.
In your credential spreadsheet, add a "Rotation cadence" column.
OAuth-based credentials (Gmail, Google Sheets, HubSpot OAuth): re-authorize annually. Most OAuth credentials refresh their access token automatically, but the refresh token itself can expire or be revoked, and the rules are vendor-specific: Google, for example, revokes a refresh token that has gone unused for six months, and a Google Cloud project still in "Testing" publishing status issues refresh tokens that expire after seven days. An annual re-auth (plus one on every staff change) keeps you ahead of those clocks.
API key credentials (Stripe, SendGrid, internal tools): rotate every 90 days minimum. More often if the key has high blast radius.
Set calendar reminders. Quarterly rotation review prevents the situation where a staffer leaves and you discover their OAuth tokens were powering 8 workflows.
Step 5
A scheduled workflow that pulls the credential inventory, flags entries not rotated in 90 days, and posts them to Slack.
Create a workflow "Credentials Rotation Audit."
Schedule Trigger: every Monday at 9 AM.
Fetch the inventory. Check first whether your instance's public API can list credentials (open `/api/v1/docs` on the instance): historically its credential endpoints have been create, delete and schema only, with no list. If a list endpoint exists, use an HTTP Request node with `GET /api/v1/credentials` and an n8n API key; if not, read the Step 1 spreadsheet with a Google Sheets node.
Code node (n8n 1.x replaced the Function node with Code): filter for entries whose rotation date is older than 90 days. Caveat: a credential's `updatedAt` records when the n8n record was last saved, not when the key was rotated at the vendor, so a rename refreshes it and a vendor-side rotation without an n8n update does not. Treat the spreadsheet's "last rotated" column as the source of truth and use `updatedAt` only as a fallback.
Slack node: post the list to `#ops-internal` with a reminder to rotate.
This catches the "I forgot to rotate" failure mode. Set-and-forget audit.
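The filtering and message-building logic for the audit workflow, and the naming check from Step 2, as an added example (my code, not the tutorial's or n8n's). It is plain Node.js so it runs stand-alone; inside an n8n Code node the same functions apply to `$input.all()`. The record shape `{ id, name, type, updatedAt }` and the sample records are assumptions constructed for the example.

```javascript
// Added example (not the tutorial's own workflow): the logic for the weekly
// "Credentials Rotation Audit", written as plain Node.js so it runs stand-alone.
// Inside an n8n Code node the same functions apply to $input.all() (see the
// note at the bottom). Assumed record shape: { id, name, type, updatedAt }.

const SEPARATOR = ' \u2014 ';  // the " — " used in "HubSpot — Marketing Account — Production"
const MAX_AGE_DAYS = 90;
const MS_PER_DAY = 86_400_000;

// Parse "[App] — [Account] — [Environment]". Two segments are accepted because the
// tutorial's own "Good" list includes "HubSpot — Dev Sandbox"; anything else is null.
function parseCredentialName(name) {
  const parts = name.split(SEPARATOR).map((p) => p.trim());
  if (parts.some((p) => p === '')) return null;
  if (parts.length === 3) return { app: parts[0], account: parts[1], environment: parts[2] };
  if (parts.length === 2) return { app: parts[0], account: null, environment: parts[1] };
  return null;
}

function daysSince(isoTimestamp, now) {
  return Math.floor((now - Date.parse(isoTimestamp)) / MS_PER_DAY);
}

// Returns credentials whose record is older than maxAgeDays (oldest first) and
// credentials whose name does not follow the convention.
function auditCredentials(credentials, { now = Date.now(), maxAgeDays = MAX_AGE_DAYS } = {}) {
  const stale = [];
  const badlyNamed = [];
  for (const cred of credentials) {
    const ageDays = daysSince(cred.updatedAt, now);
    if (ageDays > maxAgeDays) {
      stale.push({ id: cred.id, name: cred.name, type: cred.type, ageDays });
    }
    if (parseCredentialName(cred.name) === null) {
      badlyNamed.push({ id: cred.id, name: cred.name });
    }
  }
  stale.sort((a, b) => b.ageDays - a.ageDays);
  return { stale, badlyNamed };
}

function formatSlackMessage({ stale, badlyNamed }, maxAgeDays = MAX_AGE_DAYS) {
  if (stale.length === 0 && badlyNamed.length === 0) {
    return `:white_check_mark: All n8n credentials updated within ${maxAgeDays} days and named to convention.`;
  }
  const lines = [];
  if (stale.length > 0) {
    lines.push(`:rotating_light: ${stale.length} credential(s) not updated in ${maxAgeDays}+ days, rotate them:`);
    for (const c of stale) lines.push(`\u2022 ${c.name} (${c.type}, id ${c.id}): ${c.ageDays} days`);
  }
  if (badlyNamed.length > 0) {
    lines.push(`:warning: ${badlyNamed.length} credential(s) not named "[App] \u2014 [Account] \u2014 [Environment]":`);
    for (const c of badlyNamed) lines.push(`\u2022 "${c.name}" (id ${c.id})`);
  }
  return lines.join('\n');
}

// Constructed sample records (not real credentials) so the block runs offline.
const SAMPLE_NOW = Date.parse('2024-09-02T09:00:00Z');
const SAMPLE_CREDENTIALS = [
  { id: '1', name: 'HubSpot \u2014 Marketing Account \u2014 Production', type: 'hubspotOAuth2Api', updatedAt: '2024-08-20T09:00:00Z' },
  { id: '2', name: 'Stripe \u2014 Main Account \u2014 Production', type: 'stripeApi', updatedAt: '2024-03-01T09:00:00Z' },
  { id: '3', name: 'HubSpot 2', type: 'hubspotApi', updatedAt: '2024-01-15T09:00:00Z' },
  { id: '4', name: 'SendGrid \u2014 Dev Sandbox', type: 'sendGridApi', updatedAt: '2024-07-01T09:00:00Z' },
];

console.log(formatSlackMessage(auditCredentials(SAMPLE_CREDENTIALS, { now: SAMPLE_NOW })));
// In an n8n Code node ("Run Once for All Items"), replace the line above with:
//   const report = auditCredentials($input.all().map((item) => item.json));
//   return [{ json: { text: formatSlackMessage(report), ...report } }];
// and point the Slack node's message text at {{ $json.text }}.
```

Feed it whichever inventory source you settled on above; if that source is the spreadsheet, map its "last rotated" column onto `updatedAt` before calling `auditCredentials`, since the n8n record timestamp alone does not prove a rotation happened.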
Step 6
When a teammate leaves, every credential they created must be re-authed by someone else. Document the steps.
Create a doc: "n8n credential offboarding for [departing teammate]."
Step 1: list every credential where the OAuth was authorized by the departing user. (n8n shows credential creator.)
Step 2: for each, have the new owner re-authorize. OAuth credentials especially: when the original user is removed from the vendor account (their Google Workspace or Slack account is suspended), the vendor revokes their tokens and every workflow on that credential stops. Re-authorize from the shared service account, not from another individual.
Step 3: deactivate the user account in n8n. When you delete the user, n8n offers to transfer their workflows and credentials to another user; transfer them rather than letting them be deleted, then verify each transferred credential still works.
Step 4: rotate any API key credentials that may have been generated by the departing user in vendor portals.
Run this playbook on every departure. Skipping it leaves silent breakage that surfaces weeks later.
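Turning the playbook into a generated checklist, as an added example (my code, not the tutorial's or n8n's). It assumes the Step 1 spreadsheet has been loaded as records carrying `createdBy` (the authorizing user's email), the Step 1 `tag`, and `usedBy` (workflows with an `active` flag), and it recognises OAuth credentials by n8n's `...OAuth2Api` / `...OAuth1Api` credential-type naming; the inventory below is constructed for the example.

```javascript
// Added example (not the tutorial's own code): builds the Step 6 offboarding checklist
// from a credential inventory. Assumptions: each record carries createdBy (email of the
// user who created/authorized it), tag from Step 1, and usedBy (workflows with an active
// flag); OAuth credentials are recognised by n8n's "...OAuth2Api"/"...OAuth1Api" type
// naming (e.g. googleSheetsOAuth2Api).

const TAG_PRIORITY = { 'production-critical': 0, 'dev/test': 1, stale: 2 };

function isOAuthCredential(type) {
  return /OAuth[12]?Api$/.test(type);
}

function activeWorkflows(cred) {
  return (cred.usedBy ?? []).filter((wf) => wf.active).map((wf) => wf.name);
}

// Splits the departing user's credentials into three action buckets, each ordered
// production-critical first, and lists every active workflow that will be touched.
function offboardingPlan(credentials, departingUser) {
  const mine = credentials.filter(
    (c) => c.createdBy.toLowerCase() === departingUser.toLowerCase(),
  );
  const byPriority = (a, b) =>
    (TAG_PRIORITY[a.tag] ?? 9) - (TAG_PRIORITY[b.tag] ?? 9) || a.name.localeCompare(b.name);

  const reauth = []; // OAuth creds still feeding active workflows: re-authorize from a service account
  const rotate = []; // API-key creds: rotate at the vendor, then update the n8n record
  const remove = []; // nothing active uses them: delete rather than carry them forward
  for (const cred of mine) {
    const workflows = activeWorkflows(cred);
    const entry = { id: cred.id, name: cred.name, type: cred.type, tag: cred.tag, workflows };
    if (workflows.length === 0) remove.push(entry);
    else if (isOAuthCredential(cred.type)) reauth.push(entry);
    else rotate.push(entry);
  }
  reauth.sort(byPriority);
  rotate.sort(byPriority);
  remove.sort(byPriority);
  const affectedWorkflows = [...new Set([...reauth, ...rotate].flatMap((e) => e.workflows))].sort();
  return { departingUser, reauth, rotate, remove, affectedWorkflows };
}

function renderChecklist(plan) {
  const item = (verb) => (e) =>
    `- [ ] ${verb} "${e.name}" (${e.type}, ${e.tag}); used by: ${e.workflows.join(', ') || 'nothing active'}`;
  return [
    `n8n credential offboarding for ${plan.departingUser}`,
    `Affected active workflows (${plan.affectedWorkflows.length}): ${plan.affectedWorkflows.join(', ') || 'none'}`,
    '1. Re-authorize OAuth credentials from a shared service account (before IT disables the vendor account):',
    ...plan.reauth.map(item('Re-authorize')),
    '2. Rotate API keys at the vendor and update the n8n record:',
    ...plan.rotate.map(item('Rotate')),
    '3. Delete credentials nothing active uses:',
    ...plan.remove.map(item('Delete')),
    `4. Deactivate ${plan.departingUser} in n8n, transferring any remaining workflows and credentials.`,
  ].join('\n');
}

// Constructed inventory (fictional credentials and people) so the block runs offline.
const SAMPLE_INVENTORY = [
  { id: 'c1', name: 'Google Sheets \u2014 Reporting \u2014 Production', type: 'googleSheetsOAuth2Api',
    createdBy: 'jen@example.com', tag: 'production-critical',
    usedBy: [{ name: 'Daily CRM sync', active: true }, { name: 'Old report', active: false }] },
  { id: 'c2', name: 'Stripe \u2014 Main Account \u2014 Production', type: 'stripeApi',
    createdBy: 'jen@example.com', tag: 'production-critical',
    usedBy: [{ name: 'Invoice webhook', active: true }] },
  { id: 'c3', name: 'HubSpot \u2014 Marketing Account \u2014 Production', type: 'hubspotOAuth2Api',
    createdBy: 'bob@example.com', tag: 'production-critical',
    usedBy: [{ name: 'Lead router', active: true }] },
  { id: 'c4', name: 'Slack \u2014 Dev Sandbox', type: 'slackOAuth2Api',
    createdBy: 'Jen@example.com', tag: 'dev/test',
    usedBy: [{ name: 'Prototype alerts', active: false }] },
  { id: 'c5', name: 'Gmail \u2014 Reporting \u2014 Production', type: 'gmailOAuth2Api',
    createdBy: 'jen@example.com', tag: 'dev/test',
    usedBy: [{ name: 'Weekly digest', active: true }] },
];

console.log(renderChecklist(offboardingPlan(SAMPLE_INVENTORY, 'jen@example.com')));
```

The ordering matters more than the formatting: OAuth re-auths go first because they are the ones with an external deadline (IT disabling the vendor account), API-key rotations can be scheduled, and anything with no active consumer is deleted instead of inherited.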
Common mistakes
OAuth credential tied to a personal Google/Slack/etc. account
What goes wrong: Workflow uses an OAuth credential tied to 'jen@company.com'. Jen leaves. Two weeks later, IT removes her account. Every workflow using that credential breaks simultaneously. ~10 workflows halt with no obvious link to her departure.
How to avoid: Always use shared service accounts for OAuth credentials (e.g., 'automations@company.com' as the authorizing Google account). Never tie a production OAuth credential to a personal account.
Same credential reused for production and testing
What goes wrong: You used the HubSpot Production key for both real workflows and your dev workflow. Dev workflow has a bug and writes 50 garbage contacts into production HubSpot. Cleanup takes 2 hours.
How to avoid: Maintain separate credentials per environment. Always. Even when the test app is just a sandbox in the same vendor account, use a separate API key.
Storing API keys in expression strings instead of Credentials
What goes wrong: You hardcode an API key into an HTTP Request URL inside a workflow. The key is now visible in the workflow JSON, exportable, and not auditable. When you rotate it, that workflow silently fails.
How to avoid: Always use the Credentials feature. One stored credential gets referenced by name from any workflow. Rotating means updating one record.
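A scanner for the mistake just described, as an added example (my code, not the tutorial's or n8n's): it walks every string in each node's `parameters` of an exported workflow JSON and reports hardcoded keys by pattern. The pattern list is a starting set to extend for your vendors, the workflow export and keys below are constructed fakes, and the field names on the "fixed" node (`authentication`, `nodeCredentialType`, `credentials`) follow the HTTP Request node's export format as I understand it and are an assumption.

```javascript
// Added example (not the tutorial's own code): scans an exported n8n workflow JSON for
// API keys hardcoded into node parameters. It walks every string under each node's
// "parameters" and reports the first matching secret pattern per string.
// Assumptions: the pattern list is a starting set; the "fixed" node's field names
// (authentication, nodeCredentialType, credentials) are how I understand the HTTP
// Request node export to look and are not taken from the tutorial.

const SECRET_PATTERNS = [
  { id: 'stripe-secret-key', regex: /\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b/ },
  { id: 'sendgrid-api-key',  regex: /\bSG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}\b/ },
  { id: 'github-token',      regex: /\bghp_[A-Za-z0-9]{36}\b/ },
  { id: 'slack-token',       regex: /\bxox[abp]-[0-9A-Za-z-]{10,}\b/ },
  { id: 'bearer-token',      regex: /\bBearer\s+[A-Za-z0-9._~+\/=-]{20,}/ },
  { id: 'secret-in-query',   regex: /[?&](?:api[_-]?key|token|secret)=[^&\s]{8,}/i },
];

// Show enough of a match to locate it, never the whole value.
function redact(match) {
  return `${match.slice(0, 8)}...(${match.length} chars)`;
}

// Depth-first walk over strings in nested objects/arrays, tracking a JSON-ish path.
function walkStrings(value, path, visit) {
  if (typeof value === 'string') {
    visit(value, path);
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => walkStrings(item, `${path}[${i}]`, visit));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      walkStrings(child, path ? `${path}.${key}` : key, visit);
    }
  }
}

function scanWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes ?? []) {
    walkStrings(node.parameters ?? {}, 'parameters', (text, path) => {
      for (const { id, regex } of SECRET_PATTERNS) {
        const match = regex.exec(text);
        if (match) {
          findings.push({ node: node.name, nodeType: node.type, path, pattern: id, preview: redact(match[0]) });
          break; // one finding per string; the more specific patterns come first
        }
      }
    });
  }
  return findings;
}

// Constructed workflow export (fake keys, not real ones) so the block runs offline.
const SAMPLE_WORKFLOW = {
  name: 'Billing sync',
  nodes: [
    {
      name: 'Charge customer (bad)',
      type: 'n8n-nodes-base.httpRequest',
      parameters: {
        url: 'https://api.stripe.com/v1/charges',
        headerParameters: { parameters: [{ name: 'Authorization', value: 'Bearer sk_live_FAKE0000000000000000EXAMPLE' }] },
      },
    },
    {
      name: 'Send email (bad)',
      type: 'n8n-nodes-base.httpRequest',
      parameters: { url: `https://api.sendgrid.com/v3/mail/send?api_key=SG.${'a'.repeat(22)}.${'b'.repeat(43)}` },
    },
    {
      // The corrected form: the node names a stored credential and the key never enters the JSON.
      name: 'Charge customer (fixed)',
      type: 'n8n-nodes-base.httpRequest',
      parameters: { url: 'https://api.stripe.com/v1/charges', authentication: 'predefinedCredentialType', nodeCredentialType: 'stripeApi' },
      credentials: { stripeApi: { id: '2', name: 'Stripe \u2014 Main Account \u2014 Production' } },
    },
  ],
};

for (const f of scanWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`${f.node} -> ${f.path}: ${f.pattern} ${f.preview}`);
}
```

Run it over your workflow exports (or over the workflow list fetched by the audit workflow) and treat any hit as a rotate-and-move-to-Credentials job: the key is already compromised in the sense that everyone who could open the workflow has seen it.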
Never rotating credentials "because nothing is broken"
What goes wrong: A 3-year-old API key with broad scopes sits in n8n. Vendor has had security incidents since the key was issued. Key is potentially compromised but nobody knows. You learn about the breach via a vendor email.
How to avoid: Calendar rotation every 90 days. A small operational tax prevents large security incidents.
No offboarding playbook
What goes wrong: Teammate leaves. Two weeks later, 3 workflows break because their OAuth tokens were revoked. Two more workflows break a month later when a Stripe key they had generated gets rotated by the new accountant. Total: ~6 hours of debug + customer-facing breakage.
How to avoid: Document and run the offboarding playbook every time. 30 minutes during offboarding prevents 6+ hours of post-mortem debug.
Recap
Inventory every credential and delete the stale ones. Name the rest with Step 2's three-part convention. Scope access by Project on Pro+ and by minimal Owner/Admin membership on Starter. Give every credential a rotation cadence, let a weekly audit workflow nag you about it, and run the offboarding playbook on every departure.
Hand it off
Credentials are the boring part of automation work — until they cause a Tuesday-morning outage. EverestX automation specialists set up rotation + audit patterns by default and own the discipline so you do not have to. Typically $200-500/mo at $14-16/hr for ongoing maintenance.
FAQ
How are credentials stored and encrypted?
On Cloud, n8n encrypts credentials with a key managed by n8n. On self-hosted, you set N8N_ENCRYPTION_KEY when you provision the instance; if you do not, n8n generates one on first start and writes it to the config file in the n8n user folder (`~/.n8n/config`), so back that file up alongside the database. Credentials are encrypted at rest in the database. If you lose the encryption key on self-hosted, all credentials become unrecoverable.
Can different teams use different credentials for the same app?
Not within the same node: a node references one credential at execution time. But you can have multiple credentials of the same type stored, and workflows can reference different ones based on logic. On Pro+, project-scoping isolates credential access by team.
Can I export credentials or move them to another instance?
Cloud has no plaintext export, so migrating from Cloud to self-hosted (or between instances) means re-creating each credential on the new instance by hand; plan a credential-migration session as part of any instance migration. Self-hosted instances do have a CLI export (`n8n export:credentials --all --decrypted`): treat that file as a secret and delete it after import, and note that an export made without `--decrypted` can only be imported on an instance using the same N8N_ENCRYPTION_KEY.
What happens to credentials when a user is deleted?
When you delete a user, n8n asks whether to transfer their workflows and credentials to another user or delete them. Transferred OAuth credentials keep working only until the vendor revokes the departed user's tokens (typically when IT disables their vendor account), so a transfer is not a substitute for re-authorizing. Best practice: before deleting a user, transfer their credentials, re-authorize each OAuth credential from a service account, and run the offboarding playbook.
Can one credential be shared across workflows?
Yes, that is the default behavior. One credential gets referenced by name from any node, in any workflow. Rotating the credential updates every workflow using it simultaneously. This is why centralized credential management matters.