Hardcoded credentials in n8n workflows
- Feb 12
What this means (non-technical)
This happens when you type API keys, passwords, or tokens directly into a node instead of using n8n’s built-in credential system. For example, you paste a Stripe key into an HTTP header or put a database password directly into a connection string inside the workflow.
It works. But the secret is now part of the workflow itself.
What usually goes wrong
The problem shows up later.
When you export the workflow to share with a client or teammate, the secret is included in plain text inside the JSON file.
If you store workflows in Git, that secret becomes part of your repository history. Even if you delete it later, it may still exist in older commits.
Anyone with read access to the workflow can copy the key and use it outside of your intended process. And when you need to rotate the key, you have to manually hunt it down in every workflow where it was pasted.
This creates stress. You stop feeling confident sharing or backing up your workflows because you’re not sure what sensitive data might be inside them.
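An added example, not code from the original article or from n8n: a heuristic scan of an exported workflow for literals pasted into node parameters, which could run before a workflow is shared or committed. The sample workflow, its node names and placeholder secrets are constructed, the node shapes are simplified, and the patterns are assumptions that will miss some secrets and flag some harmless strings.

```javascript
// Heuristic scan of an exported n8n workflow for secrets pasted into node parameters.
const SECRET_LABEL = /(authorization|api[-_]?key|password|passwd|secret|token)/i;
const SECRET_VALUE = [
  { reason: "bearer token literal", re: /\bBearer\s+[A-Za-z0-9._~+\/-]{16,}/ },
  { reason: "Stripe-style secret key", re: /\b[sr]k_(live|test)_[A-Za-z0-9]{16,}/ },
  { reason: "password in connection string", re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:\/@]+:[^\s@\/]+@/i },
];
// Yield every string under `value`; entries shaped { name, value } are labelled by `name`.
function* walk(value, path, label) {
  if (typeof value === "string") yield { value, path, label };
  if (value === null || typeof value !== "object") return;
  const pairName = typeof value.name === "string" ? value.name : null;
  for (const [key, child] of Object.entries(value)) {
    yield* walk(child, `${path}.${key}`, key === "value" && pairName ? pairName : key);
  }
}

function findHardcodedSecrets(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    for (const { value, path, label } of walk(node.parameters, "parameters", "")) {
      const hit = SECRET_VALUE.find((p) => p.re.test(value));
      // n8n stores expressions as "={{ ... }}"; the label heuristic alone does not flag them.
      const isExpression = value.startsWith("=") && value.includes("{{");
      const reason = hit ? hit.reason
        : !isExpression && value !== "" && SECRET_LABEL.test(label) ? `literal in "${label}" field` : null;
      // Report where and why, never the secret itself.
      if (reason) findings.push({ node: node.name, path, reason });
    }
  }
  return findings;
}

// Constructed sample export (simplified node shapes, placeholder secrets).
const sampleWorkflow = {
  nodes: [
    { name: "Charge customer", type: "n8n-nodes-base.httpRequest", parameters: {
        url: "https://api.stripe.com/v1/charges",
        headerParameters: { parameters: [
          { name: "Authorization", value: "Bearer sk_live_CONSTRUCTEDPLACEHOLDER0000" },
          { name: "X-Api-Key", value: "CONSTRUCTED-LITERAL-KEY" },
          { name: "X-Trace-Token", value: "={{ $json.traceToken }}" } ] } } },
    { name: "Load orders", type: "n8n-nodes-base.code", parameters: {
        jsCode: "const dsn = 'postgres://app:CONSTRUCTED-PASSWORD@db.example.internal/orders';" } },
    { name: "Notify", type: "n8n-nodes-base.httpRequest", parameters: { url: "https://hooks.example.com/notify" },
      credentials: { httpHeaderAuth: { id: "1", name: "Notify header auth" } } },
  ],
};
console.log(findHardcodedSecrets(sampleWorkflow));
```

The "Notify" node produces no finding because it only references a stored credential by id and name, which is the shape an export has when the credential system is used.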
When this becomes urgent
This becomes much more serious when:
- You work in a team.
- You share workflows with clients.
- You store workflows in version control.
- A key needs to be rotated quickly after a suspected leak.
The more people and environments involved, the more exposed those pasted secrets become.
Definitions
Credential system: n8n’s secure area where you store API keys and passwords separately from the workflow logic.
API key / token: A secret string that gives access to an external service.
Version control (Git): A system that tracks changes to files over time, often used to store workflows.
Disclaimer
This article highlights common patterns and risks seen in real-world n8n workflows. It’s meant to help you build more confidently and avoid surprises as your automation grows. Behavior can vary depending on your setup, version, and configuration.