Authentication Basics (API keys, OAuth, headers)

Authentication in n8n is about proving to an app or API that your workflow has permission to access data or perform actions. Most APIs will reject requests unless you send the correct credentials. In n8n, this usually involves API keys or OAuth, with the credentials typically passed in request headers.

API Keys (simple and common)

An API key is a secret value issued by a service to identify your account or application. It is often used for server-to-server access and is easier to set up than OAuth.

  • Where it is used: many SaaS tools, analytics tools, internal APIs
  • How it is sent: usually in a header (for example X-API-Key) or sometimes as a query parameter
  • Best practice: store it inside n8n Credentials, not directly inside nodes, and never expose it in logs or screenshots

OAuth (secure login-based permission)

OAuth is used when an app needs a user-style login flow, and it allows fine-grained permissions (scopes). Instead of giving n8n your password, you “authorise” n8n to access specific resources.

  • Where it is used: Google, Microsoft, Slack, Notion, many CRMs
  • Benefits: safer, revocable access, permission scopes, refresh tokens for long-running workflows
  • What you must manage: correct scopes, redirect URLs (in some setups), and token refresh behaviour

Headers (how credentials are passed)

Headers are key-value pairs sent with every API request. Authentication often happens here:

  • Authorization: Bearer <token> (very common)
  • X-API-Key: <key>
  • Content-Type: application/json (not authentication, but important for correct requests)
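
Because these headers carry the secret itself, anything that logs a request for debugging should strip them first. The following is an added example in plain JavaScript, not code from this page or from n8n; the function names and the query-parameter names are assumptions chosen for illustration, and the sample request is constructed.

```javascript
// Header names are from the page; the query-parameter names are assumed examples.
const SENSITIVE_HEADERS = new Set(['authorization', 'x-api-key']);
const SENSITIVE_QUERY_PARAMS = new Set(['api_key', 'apikey', 'access_token']);

function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SENSITIVE_HEADERS.has(name.toLowerCase())) {
      out[name] = value; // e.g. Content-Type is not a credential
      continue;
    }
    // Keep the scheme ("Bearer") so the log still shows which auth style was used.
    const m = /^(\S+)\s+\S/.exec(String(value));
    out[name] = name.toLowerCase() === 'authorization' && m
      ? `${m[1]} [REDACTED]`
      : '[REDACTED]';
  }
  return out;
}

function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED'); // covers keys sent as query parameters
    }
  }
  return url.toString();
}

function safeLogEntry(request) {
  return {
    method: request.method,
    url: redactUrl(request.url),
    headers: redactHeaders(request.headers),
  };
}

// Constructed sample request; the host and secret values are made up.
const sample = {
  method: 'GET',
  url: 'https://api.example.com/v1/items?page=2&api_key=constructed-key-123',
  headers: {
    Authorization: 'Bearer constructed.token.value',
    'X-API-Key': 'k-0000-constructed',
    'Content-Type': 'application/json',
  },
};
console.log(JSON.stringify(safeLogEntry(sample), null, 2));
```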

Practical exam-ready tips

  • Know when to use API key vs OAuth (API key for simple system access, OAuth for user-authorised platforms)
  • Use the credentials manager in n8n for secure storage
  • Check permissions/scopes first when requests fail with 401/403 errors