Credentials
Issue API keys and webhook auth tokens from the dashboard Credentials section — the secrets your clients use to authenticate to the public API.
The dashboard Credentials section is where every secret your clients use gets issued. Each credential carries a type, an appId scope, and (for webhook types) a webhook URL and auth config. The Create Credential Wizard walks through three steps; the resulting secret is shown once — copy it then, because the dashboard does not let you retrieve it later.
Navigate to Credentials
- Sign in to the dashboard.
- In the sidebar, open Credentials.
- You’ll see every existing credential with a colored type badge (API Key, Bearer, Header) and the appIds each is scoped to.
Warning
Screenshot placeholder — Credentials section overview. Replace with a real screenshot during publish.
Create a new API key
Most automations need this. The full flow:
Step 1 — Auth Type
From the Credentials section, click New Credential. The wizard opens.
- Select API Key.
- This is the
api-keycredential type — it can authenticate viaAuthorization: Bearer <key>orX-API-Key: <key>. See Authentication.
Warning
Screenshot placeholder — Auth Type step showing the three options (API Key, Bearer, Header) with API Key selected.
Step 2 — Final Details
- Name the credential something memorable (“n8n production”, “MCP server for Claude Desktop”). The name is shown in the dashboard list; the key string itself is opaque.
- Pick the appIds this credential can access. Multi-select. The credential will be able to poll all of them and send from any of them.
- For webhook types you’d also set the webhook URL here — but for an API key there’s no URL to configure.
Warning
Screenshot placeholder — Final Details step with name field and appId multi-select showing 2 apps checked.
Step 3 — Save Your Secret
The dashboard generates the secret string (starts pf_live_…) and shows it once with a Copy button. Copy it now.
Warning
Screenshot placeholder — Save Your Secret step showing the newly generated pf_live_… string with a Copy button and a “you won’t see this again” notice.
Click Save. The credential is live immediately. Paste the key into your client’s config:
- MCP server →
PRIVACYFLOW_API_KEY - Agent Zero →
PF_API_KEY - n8n → the API Key field
Tip
Issue one credential per client and per environment. A single key shared between n8n-prod and n8n-staging means a compromise in one leaks the other’s traffic and consumes one shared rate budget. Separate credentials isolate both.
Create a webhook credential
For webhook delivery (instead of polling), you’ll instead configure auth via the Webhook Auth Wizard on the app, not the Credentials section. The wizard creates a webhook-header or webhook-bearer credential and wires it to the app’s delivery settings in one flow. See webhook auth.
Replace (rotate) a credential
Find the credential in the list, click Replace. The dashboard issues a new key string and keeps the same credentialId. Any rate-limit buckets, webhook auth config, and appId scope stay attached — only the key string changes. Rotate clients one at a time; the old key stops returning 200 immediately on save.
Delete a credential
Find the credential in the list, click Delete. The credentialId is freed; the key string is rejected with 403 (poll/send) or 401 (verify) on the next call. There is no grace period. Coordinate deletion with key rotation in your downstream integrations — or use Replace instead, which avoids downtime.
What you can do with each credential type
| Action | api-key | webhook-bearer | webhook-header |
|---|---|---|---|
Authenticate via Authorization: Bearer <key> | ✅ | ✅ | ❌ |
Authenticate via X-API-Key: <key> | ✅ | ❌ | ❌ |
Authenticate via X-Webhook-Token: <key> | ❌ | ❌ | ✅ |
| Poll messages | ✅ | ✅ | ✅ |
| Send messages | ✅ | ✅ | ✅ |
| Verify the key | ✅ | ✅ | ✅ |
| Used as webhook inbound auth | (n/a) | ✅ | ✅ |
See Credentials for the full reference, including how API responses encode the type.
Underlying API calls
Every UI action on the Credentials page maps to a route on the account-management API. To script it, call these with your session cookie:
| UI action | API route | Backend path |
|---|---|---|
| Load the Credentials list (redacted) | GET /dashboard/api/dashboard/credentials (server-rendered into the dashboard page) | GET /dashboard/credentials |
| Click “Show secret” / reveal full secret | GET /dashboard/api/dashboard/credentials-full | GET /dashboard/credentials/full |
| Create Credential Wizard → Save | POST /dashboard/api/dashboard/credentials | POST /dashboard/credentials |
| Click “Replace” (rotate) | POST /dashboard/api/dashboard/credentials (replaces the secret in place; same credentialId) | POST /dashboard/credentials |
| Click “Delete” → confirm | DELETE /dashboard/api/dashboard/credentials/:id | DELETE /dashboard/credentials/:id |
Full route details in the account API reference.