Your n8n API key is effectively a master key to your entire automation instance. This article explains what the key does, why it must be kept secret, and walks you through rotating it safely if it's ever exposed.

What is the n8n API key?

The n8n API key authenticates requests to the n8n REST API. It's mostly used for managing workflows programmatically rather than as a runtime trigger. Typical uses include:

  • CI/CD-style syncing of workflows between dev, staging, and production instances
  • Scheduled backups — exporting all workflows and credentials metadata to git or object storage
  • Bulk activation or deactivation of workflows
  • Pulling execution history into external monitoring or analytics tools
  • Provisioning users and credentials when standing up new tenants
  • Kicking off workflows from external systems where a webhook trigger isn't a good fit
  • Powering custom admin dashboards or chatops bots so non-technical staff can manage workflows without touching the n8n UI directly

Why you must keep it secret

An n8n API key is effectively root over the whole instance. If it leaks, an attacker gets:

  • Read/write on every workflow — they can silently inject a node that copies data to their own webhook, and no one notices because the workflow still does what it's supposed to.
  • Indirect access to every connected service — workflows hold credentials for Gmail, Stripe, AWS, databases, Hostfully, and anything else you've plugged in. Even if the API doesn't return raw secrets, an attacker can build a workflow that uses those credentials and exfiltrates the result. The n8n key becomes a master key to everything downstream.
  • Execution history — past runs often contain customer PII, payment data, internal IDs, and email contents. All readable.
  • Persistence — they can create a new admin user or a hidden scheduled workflow that re-establishes access after you rotate the obvious things.

Treat your n8n API key the same way you'd treat an AWS root key.

When to rotate your API key

Rotate your key immediately if any of the following happens:

  • You've pasted the key into an email, chat message, support ticket, or screenshot
  • The key has been committed to a git repository, even briefly
  • A laptop or device that stored the key has been lost or stolen
  • A team member with access to the key has left the organisation
  • You notice unexpected workflows, executions, or admin users in your instance
  • It's simply been a while — rotate on a regular schedule as good hygiene

How to rotate your n8n API key

Follow these steps to delete a compromised key and create a new one.

Step 1 — Sign in to n8n

Log in to your n8n instance as an owner or admin user.

Step 2 — Open your API settings

Click your user icon in the bottom-left of the n8n interface, then go to Settings > n8n API.

Step 3 — Delete the compromised key

Find the existing key in the list and click Delete. Confirm the deletion. From this moment onwards, the old key will no longer authenticate any requests — this immediately locks out anyone who has it, including any legitimate integrations still using it.

Step 4 — Create a new key

Click Create an API key. Give it a descriptive label (for example, "Production backups — 2026-04") and, if your version of n8n supports it, set an expiry date and scoped permissions rather than granting full access. Copy the new key straight into your secrets manager — this is the only time it will be shown.

Step 5 — Update every integration that used the old key

Any system that authenticated with the old key will now fail to authenticate. Update the key in each of the following places as applicable:

  • Secrets managers (AWS Secrets Manager, HashiCorp Vault, Doppler, 1Password, etc.)
  • CI/CD pipelines and deployment scripts
  • Backup jobs and scheduled exports
  • Monitoring, analytics, and log-shipping tools
  • Internal admin dashboards and chatops bots
  • Any `.env` files on servers that legitimately need the key

Step 6 — Audit for persistence

If you suspect the key was actually used by an attacker (not just exposed), don't stop at rotation. Also:

  • Review the list of users in your n8n instance and remove any you don't recognise
  • Review all workflows — especially recently modified ones — for suspicious HTTP Request, Webhook, or Code nodes that send data externally
  • Review scheduled/active workflows for anything you didn't create
  • Rotate credentials for any downstream services (Gmail, Stripe, AWS, databases, Hostfully, and so on) that were reachable via your workflows
  • Check execution history for unusual activity
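The workflow review above can be scripted rather than clicked through. The Python below is an added example written for this article; it is not code from n8n or from Awesomate. It assumes the n8n public REST API lives under /api/v1/, authenticates with the X-N8N-API-KEY header, pages workflow listings with a cursor/nextCursor pair, and returns node type strings such as n8n-nodes-base.httpRequest with the request URL in parameters.url. The workflow list, the allowlist of known hosts and the incident time are all constructed for the example. The same paging helper is what a scheduled backup job would use to export every workflow.

```python
"""Post-rotation persistence audit for an n8n instance (added example, not n8n's code).

Flags outbound-capable nodes (HTTP Request, Webhook, Code) in workflows modified
after the incident, and HTTP Request nodes that point at hosts you do not recognise.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Node types that can push data out of the instance (assumed n8n type names).
OUTBOUND_NODE_TYPES = {
    "n8n-nodes-base.httpRequest",
    "n8n-nodes-base.webhook",
    "n8n-nodes-base.code",
}

# Constructed allowlist: hosts your workflows are expected to talk to.
KNOWN_HOSTS = {"api.stripe.com", "gmail.googleapis.com"}

# Constructed: the earliest moment the leaked key could have been used.
INCIDENT_TIME = datetime(2026, 4, 15, tzinfo=timezone.utc)

# Constructed sample shaped like items from GET /api/v1/workflows (assumed shape).
SAMPLE_WORKFLOWS = [
    {"id": "1", "name": "Stripe invoice sync", "active": True,
     "updatedAt": "2026-03-01T09:00:00.000Z",
     "nodes": [{"name": "Fetch invoices", "type": "n8n-nodes-base.httpRequest",
                "parameters": {"url": "https://api.stripe.com/v1/invoices"}}]},
    {"id": "2", "name": "Customer onboarding", "active": True,
     "updatedAt": "2026-04-20T02:13:00.000Z",
     "nodes": [{"name": "Send welcome mail", "type": "n8n-nodes-base.gmail", "parameters": {}},
               {"name": "HTTP Request", "type": "n8n-nodes-base.httpRequest",
                "parameters": {"url": "https://unknown-host.example/collect"}}]},
    {"id": "3", "name": "Nightly cleanup", "active": True,
     "updatedAt": "2026-04-21T00:00:00.000Z",
     "nodes": [{"name": "Schedule", "type": "n8n-nodes-base.scheduleTrigger", "parameters": {}},
               {"name": "Code", "type": "n8n-nodes-base.code",
                "parameters": {"jsCode": "// constructed placeholder"}}]},
]


def fetch_all_workflows(base_url: str, api_key: str) -> list[dict]:
    """Page through GET /api/v1/workflows (assumed cursor/nextCursor paging)."""
    items, cursor = [], None
    while True:
        url = f"{base_url.rstrip('/')}/api/v1/workflows?limit=100"
        if cursor:
            url += "&cursor=" + urllib.parse.quote(cursor)
        req = urllib.request.Request(url, headers={"X-N8N-API-KEY": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items.extend(page.get("data", []))
        cursor = page.get("nextCursor")
        if not cursor:
            return items


def parse_ts(value: str) -> datetime:
    """n8n timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_workflows(workflows: list[dict], since: datetime = INCIDENT_TIME) -> list[dict]:
    """Return one finding per outbound-capable node that deserves a manual look."""
    findings = []
    for wf in workflows:
        modified = parse_ts(wf["updatedAt"]) >= since
        for node in wf.get("nodes", []):
            ntype = node.get("type", "")
            if ntype not in OUTBOUND_NODE_TYPES:
                continue
            reasons = []
            if modified:
                reasons.append("workflow modified since the incident")
            url = node.get("parameters", {}).get("url", "")
            host = urllib.parse.urlsplit(url).hostname if url else None
            if host and host not in KNOWN_HOSTS:
                reasons.append(f"sends to unlisted host {host}")
            if ntype == "n8n-nodes-base.code" and modified:
                reasons.append("code node added or changed; review its source")
            if reasons:
                findings.append({"workflow": wf["name"], "node": node.get("name"),
                                 "type": ntype, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_all_workflows(...) for a live audit.
    for f in audit_workflows(SAMPLE_WORKFLOWS):
        print(f"{f['workflow']!r} / {f['node']!r}: {'; '.join(f['reasons'])}")
```

Run it against the constructed sample and it reports two findings: the HTTP Request node added to "Customer onboarding" after the incident, pointing at a host not on the allowlist, and the new Code node in "Nightly cleanup". The untouched Stripe workflow is not reported. The allowlist is the part worth maintaining: every host your workflows legitimately call should be on it, so that anything new stands out.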

Best practices for storing and using API keys

  • Use a secrets manager. Never store the key in a workflow's static data, and never commit it to a `.env` file in a repository.
  • Rotate on a schedule. Even without a known leak, rotate keys regularly (quarterly is a reasonable starting point).
  • Restrict network access. If you're self-hosted, put the n8n instance behind a VPN or IP allowlist so the API isn't reachable from the open internet.
  • Turn on audit logging. Make sure you'd notice unusual API activity if it happened.
  • Use scoped keys where possible. On n8n Cloud and recent self-hosted versions, create scoped API keys rather than legacy full-access ones, and give each integration only the permissions it actually needs.
  • One key per integration. Don't share a single key across multiple tools — it makes rotation far easier and limits the blast radius of a leak.
  • Never share keys in email or chat. If you need to send a key to someone, use a secure secret-sharing tool with a short expiry.

Sharing access with the Awesomate team

When we're supporting your account, we may request temporary API access so we can:

  • Push workflows into your account
  • Push agents into your account
  • Access your account to check for errors while we're troubleshooting with you

Always share the key through a secure channel — a secrets manager with a shared vault, or a one-time secret link — never in plain email or chat. Once our work is done, rotate the key using the steps above so the credential we used is no longer valid.

Need help?

If you think your key has been exposed and you're not sure what to do next, contact the Awesomate team straight away. We'd much rather help you rotate a key that turned out to be fine than deal with the fallout of a leak that wasn't caught in time.