Credentials

Issue API keys and webhook auth tokens from the dashboard Credentials section — the secrets your clients use to authenticate to the public API.

The dashboard Credentials section is where every secret your clients use gets issued. Each credential carries a type, an appId scope, and (for webhook types) a webhook URL and auth config. The Create Credential Wizard walks through three steps; the resulting secret is shown once — copy it then, because the dashboard does not let you retrieve it later.

  1. Sign in to the dashboard.
  2. In the sidebar, open Credentials.
  3. You’ll see every existing credential with a colored type badge (API Key, Bearer, Header) and the appIds each is scoped to.

Warning

Screenshot placeholder — Credentials section overview. Replace with a real screenshot during publish.

Create a new API key

Most automations need this. The full flow:

Step 1 — Auth Type

From the Credentials section, click New Credential. The wizard opens.

  • Select API Key.
  • This is the api-key credential type — it can authenticate via Authorization: Bearer <key> or X-API-Key: <key>. See Authentication.

Warning

Screenshot placeholder — Auth Type step showing the three options (API Key, Bearer, Header) with API Key selected.

Step 2 — Final Details

  • Name the credential something memorable (“n8n production”, “MCP server for Claude Desktop”). The name is shown in the dashboard list; the key string itself is opaque.
  • Pick the appIds this credential can access. Multi-select. The credential will be able to poll all of them and send from any of them.
  • For webhook types you’d also set the webhook URL here — but for an API key there’s no URL to configure.

Warning

Screenshot placeholder — Final Details step with name field and appId multi-select showing 2 apps checked.

Step 3 — Save Your Secret

The dashboard generates the secret string (starts pf_live_…) and shows it once with a Copy button. Copy it now.

Warning

Screenshot placeholder — Save Your Secret step showing the newly generated pf_live_… string with a Copy button and a “you won’t see this again” notice.

Click Save. The credential is live immediately. Paste the key into your client’s config:

Tip

Issue one credential per client and per environment. A single key shared between n8n-prod and n8n-staging means a compromise in one leaks the other’s traffic and consumes one shared rate budget. Separate credentials isolate both.

Create a webhook credential

For webhook delivery (instead of polling), you’ll instead configure auth via the Webhook Auth Wizard on the app, not the Credentials section. The wizard creates a webhook-header or webhook-bearer credential and wires it to the app’s delivery settings in one flow. See webhook auth.

Replace (rotate) a credential

Find the credential in the list, click Replace. The dashboard issues a new key string and keeps the same credentialId. Any rate-limit buckets, webhook auth config, and appId scope stay attached — only the key string changes. Rotate clients one at a time; the old key stops returning 200 immediately on save.

Delete a credential

Find the credential in the list, click Delete. The credentialId is freed; the key string is rejected with 403 (poll/send) or 401 (verify) on the next call. There is no grace period. Coordinate deletion with key rotation in your downstream integrations — or use Replace instead, which avoids downtime.

What you can do with each credential type

Actionapi-keywebhook-bearerwebhook-header
Authenticate via Authorization: Bearer <key>
Authenticate via X-API-Key: <key>
Authenticate via X-Webhook-Token: <key>
Poll messages
Send messages
Verify the key
Used as webhook inbound auth(n/a)

See Credentials for the full reference, including how API responses encode the type.

Underlying API calls

Every UI action on the Credentials page maps to a route on the account-management API. To script it, call these with your session cookie:

UI actionAPI routeBackend path
Load the Credentials list (redacted)GET /dashboard/api/dashboard/credentials (server-rendered into the dashboard page)GET /dashboard/credentials
Click “Show secret” / reveal full secretGET /dashboard/api/dashboard/credentials-fullGET /dashboard/credentials/full
Create Credential Wizard → SavePOST /dashboard/api/dashboard/credentialsPOST /dashboard/credentials
Click “Replace” (rotate)POST /dashboard/api/dashboard/credentials (replaces the secret in place; same credentialId)POST /dashboard/credentials
Click “Delete” → confirmDELETE /dashboard/api/dashboard/credentials/:idDELETE /dashboard/credentials/:id

Full route details in the account API reference.

Last updated: