Credential management, least-privilege principles, and keeping API keys out of workflows.
Every n8n workflow that connects to an external service holds credentials. Those credentials are the most sensitive part of your automation stack. Credential breaches are the single most common cause of automation-related security incidents.
Least privilege means the credentials used in a workflow should have only the permissions that workflow actually needs โ nothing more. A workflow that reads Slack messages should not have the ability to delete channels. Scope credentials at creation time, not as an afterthought.
Never hardcode secrets in workflow expressions, environment variables passed in plain text, or shared team documents. Use n8n's built-in credentials store, an external secrets manager (AWS Secrets Manager, HashiCorp Vault), or environment variables injected at runtime through a secrets manager.
Credentials must be rotatable and revocable without disrupting workflows. Build your credential management so that rotating a key takes under 10 minutes. Test revocation in staging before you need it in production.
๐ก Audit your workflow credentials quarterly. Remove any that are no longer used. Scope down any that are over-privileged. This single habit prevents the majority of automation security incidents.
The best way to internalise these principles is to open a real workflow and audit it against this lesson's checklist. Pick any workflow from the workflow library and work through each principle point by point.
Browse workflows to practice →