n8n-credentials-and-security

n8n Credentials and Security

Non-negotiables

  1. Secrets go through the credential system, never into text fields or SDK code. API keys, bearer tokens, OAuth secrets, passwords: all go through newCredential() or the node's credentials parameter. A Set node that hardcodes a token, which is then read via {{$json.token}}, is a text field with extra steps.
  2. List credentials, then bind by ID. Call list_credentials({type}) before configuring an auth-needing node. One match: bind via 2-arg newCredential('Label', 'credId') at create time, or setNodeCredential op on update_workflow. Multiple matches: ask the user which. The one-arg newCredential('Label') is a placeholder; n8n auto-assigns the most recently edited credential of that type and silently picks wrong when the user has multiples.
  3. Credential creation is the user's job, not yours. The n8n MCP doesn't expose credential creation. Tell the user the exact credential type to create in the UI, then reference it by label in your node config. Don't attempt to create credentials programmatically and don't accept secrets in chat to "set up later".
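
A review check for rules 1 and 2, as an added example that is not code from the n8n project or this skill. It assumes the exported workflow JSON shape (`nodes[].parameters`, `nodes[].credentials[type].{id, name}`) and that a reference without an `id` means the credential was never bound; `auditWorkflow`, the rule names and the sample workflow are constructed for illustration.

```javascript
// Added example (not n8n project code): audit a workflow object for secrets
// kept in text fields and for credential references not bound by ID.
const SECRET_KEY = /(authorization|api[-_]?key|token|secret|password)/i;
const SECRET_VALUE = /\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]{8,}/;

// Depth-first walk that calls visit() on every nested object.
function walk(value, path, visit) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => walk(v, `${path}[${i}]`, visit));
  } else if (value && typeof value === 'object') {
    visit(value, path);
    for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`, visit);
  }
}

function auditWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const add = (rule, path) => findings.push({ node: node.name, rule, path });
    walk(node.parameters || {}, 'parameters', (obj, path) => {
      // {name, value} pairs: Set assignments and HTTP Request header lists.
      const pair = typeof obj.name === 'string' && typeof obj.value === 'string';
      if (pair && obj.value && SECRET_KEY.test(obj.name)) return add('inline-secret', `${path}.value`);
      for (const [k, v] of Object.entries(obj)) {
        if (typeof v !== 'string' || !v || k === 'name') continue;
        if (SECRET_KEY.test(k) || SECRET_VALUE.test(v)) add('inline-secret', `${path}.${k}`);
      }
    });
    // Assumption: a reference without an id is a placeholder, not a binding.
    for (const [type, ref] of Object.entries(node.credentials || {})) {
      if (!ref || !ref.id) add('credential-not-bound-by-id', `credentials.${type}`);
    }
  }
  return findings;
}

// Constructed sample; all names and values are made up for illustration.
const sampleWorkflow = { nodes: [
  { name: 'Set token', type: 'n8n-nodes-base.set', parameters: { assignments: {
    assignments: [{ name: 'token', value: 'CONSTRUCTED-not-a-real-token', type: 'string' }] } } },
  { name: 'Call API', type: 'n8n-nodes-base.httpRequest', parameters: {
    url: 'https://api.example.com/v1/items', sendHeaders: true, headerParameters: {
      parameters: [{ name: 'Authorization', value: '=Bearer {{$json.token}}' }] } } },
  { name: 'Post to Slack', type: 'n8n-nodes-base.slack', parameters: { channel: '#alerts' },
    credentials: { slackApi: { name: 'Slack account' } } },
  { name: 'Query DB', type: 'n8n-nodes-base.postgres', parameters: { query: 'SELECT 1' },
    credentials: { postgres: { id: 'CRED_ID_PLACEHOLDER', name: 'Prod DB' } } },
] };

console.log(auditWorkflow(sampleWorkflow));
```

The expression `=Bearer {{$json.token}}` is flagged as well as the literal, since an Authorization header fed from workflow data is the "text field with extra steps" case from rule 1.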

Strong defaults

  • Use native credentials when available. Every native node (Slack, Gmail, Postgres, OpenAI, etc.) has a credential type. Don't reach for generic credential types when a native option exists.
  • For multi-header or header-plus-query auth shapes, use the httpCustomAuth credential type. See references/CUSTOM_CREDENTIALS.md.

The credential system

In n8n, credentials are first-class objects:

Repository
n8n-io/skills
First Seen
May 12, 2026