API Key Management
n8n-deploy provides streamlined API key management for authenticating with n8n servers across multiple environments.
Overview
API keys in n8n-deploy serve as authentication tokens for n8n server operations:
- Push/Pull Workflows: Sync workflows with remote servers
- Server Management: Link keys to specific server instances
- Multi-Environment Support: Manage separate keys for dev/staging/prod
- Plain Text Storage: Simplified storage in SQLite (secure your database file!)
API keys are n8n JWT tokens generated from the n8n web interface under Settings → API.
API Key Operations
Add API Key
Store an API key with a memorable name:
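# Input via stdin using "-" (recommended for security)
# Note: a token typed literally after echo is still saved to shell history;
# pipe it from a file or secret manager where possible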
echo "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." | n8n-deploy apikey add - --name production_key
# Direct input (visible in shell history)
n8n-deploy apikey add "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." --name staging_key
# Link to server during creation
n8n-deploy apikey add - --name prod_key --server "Production Server"
# Add with description
n8n-deploy apikey add - --name dev_key --description "Development environment key"
# Auto-link to server from environment
N8N_SERVER_URL=http://n8n.local:5678 n8n-deploy apikey add - --name local_key
Options:
- --name: Unique identifier (supports UTF-8, emojis)
- --server: Link to specific server (creates server if it doesn't exist)
- --description: Optional documentation string
Pro Tip: Use descriptive names like prod_readonly or staging_admin to indicate environment and permission level.
List API Keys
View all stored API keys:
# Rich emoji output (credentials masked)
n8n-deploy apikey list
# Script-friendly output (credentials masked)
n8n-deploy apikey list --no-emoji
# Display actual credentials (SECURITY WARNING: use with extreme caution)
n8n-deploy apikey list --unmask
# JSON format for parsing
n8n-deploy apikey list --json
Output includes:
- Key name and description
- Creation timestamp
- Last used timestamp
- Active/inactive status
- Linked servers (if any)
- API key credentials (only with the --unmask flag)
Example output (credentials masked by default):
API Keys
┌────────────────┬─────────────────────┬────────────┬─────────────┐
│ Name           │ Created             │ Last Used  │ Status      │
├────────────────┼─────────────────────┼────────────┼─────────────┤
│ production_key │ 2025-09-15 10:30:00 │ 2025-10-05 │ ✅ Active   │
│ staging_key    │ 2025-09-20 14:15:00 │ 2025-10-01 │ ✅ Active   │
│ dev_key        │ 2025-10-01 08:00:00 │ Never      │ ✅ Active   │
│ old_key        │ 2025-08-01 12:00:00 │ 2025-08-15 │ 🚫 Inactive │
└────────────────┴─────────────────────┴────────────┴─────────────┘
Security Warning: The --unmask flag displays actual API credentials. Use only when absolutely necessary and never in logs, shared terminals, or automated scripts.
Test API Key
Validate an API key against an n8n server:
# Test key validity
n8n-deploy apikey test production_key
# Test with specific server
n8n-deploy --server-url http://n8n.example.com:5678 apikey test staging_key
What testing checks:
- Key format (JWT structure)
- Server connectivity
- Authentication success
- Token expiration status
Example output:
🧪 Testing API key: production_key
✓ Key format valid
✓ Server reachable (http://n8n.example.com:5678)
✓ Authentication successful
✓ Token expires: 2025-12-31
✅ API key is valid and working
Deactivate API Key
Soft-delete a key (keeps in database but marks inactive):
# Deactivate key
n8n-deploy apikey deactivate old_key
# Confirm deactivation
n8n-deploy apikey list | grep old_key
Deactivated keys remain in database for audit purposes but cannot be used for operations.
Delete API Key
Permanently remove an API key:
# Delete with confirmation prompt
n8n-deploy apikey delete old_key
# Force delete without confirmation
n8n-deploy apikey delete temp_key --confirm
# Delete and unlink from all servers
n8n-deploy apikey delete staging_key --confirm
Permanent Action: Deleted keys cannot be recovered. Ensure you have backups or can regenerate from n8n.
Server-Key Association
Linking Keys to Servers
API keys can be associated with specific servers for automatic authentication:
# Link existing key to server
n8n-deploy server link production_key "Production Server"
# Add key and link in one command
n8n-deploy apikey add - --name prod_key --server "Production Server"
# View keys linked to server
n8n-deploy server keys "Production Server"
Benefits of linking:
- Automatic authentication: No need to specify key for each operation
- Multi-server support: Different keys for different environments
- Organized management: Group keys by server purpose
Multi-Environment Workflow
Typical setup for DevOps teams:
# Development Environment
n8n-deploy server create http://n8n-dev.internal:5678 --name "Development"
n8n-deploy apikey add - --name dev_key --server "Development"
# Staging Environment
n8n-deploy server create http://n8n-staging.internal:5678 --name "Staging"
n8n-deploy apikey add - --name staging_key --server "Staging"
# Production Environment
n8n-deploy server create https://n8n.example.com --name "Production"
n8n-deploy apikey add - --name prod_key --server "Production"
# List all configurations
n8n-deploy server list
n8n-deploy apikey list
Security Best Practices
Storage Security
API keys are stored in plain text within the SQLite database. Protect your database:
# Set restrictive permissions
chmod 600 ~/.n8n-deploy/n8n-deploy.db
chmod 700 ~/.n8n-deploy
# For multi-user systems
chown "$USER:$USER" ~/.n8n-deploy
Key Generation
Generate secure API keys from n8n:
- Open n8n web interface
- Navigate to Settings → API
- Click Create API Key
- Copy the JWT token immediately
- Store in n8n-deploy within 60 seconds
Best Practice: Generate separate keys for each environment and purpose (read-only vs. full access).
Key Rotation Strategy
Regular key rotation enhances security:
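#!/bin/bash
# rotate-keys.sh - Monthly key rotation script
# Abort on the first failure so the old key is never deactivated
# when adding or testing the new key fails
set -euo pipefail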
# Generate new key in n8n first, then:
# Add new key
echo "new_jwt_token" | n8n-deploy apikey add - --name prod_key_new --server "Production"
# Test new key
n8n-deploy apikey test prod_key_new
# Deactivate old key
n8n-deploy apikey deactivate prod_key_old
# After verification period, delete old key
# n8n-deploy apikey delete prod_key_old --confirm
API Key Database Schema
CREATE TABLE api_keys (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL UNIQUE, -- Key identifier (UTF-8 supported)
api_key TEXT NOT NULL, -- Plain text n8n JWT token
description TEXT, -- Optional documentation
created_at TIMESTAMP NOT NULL, -- Creation time
last_used_at TIMESTAMP, -- Last usage time
is_active INTEGER DEFAULT 1 -- Active status (1=yes, 0=no)
);
CREATE TABLE server_api_keys (
server_id INTEGER NOT NULL,
api_key_id INTEGER NOT NULL,
created_at TIMESTAMP NOT NULL,
PRIMARY KEY (server_id, api_key_id),
FOREIGN KEY (server_id) REFERENCES servers(id) ON DELETE CASCADE,
FOREIGN KEY (api_key_id) REFERENCES api_keys(id) ON DELETE CASCADE
);
The server_api_keys junction table enables many-to-many relationships between servers and API keys.
Troubleshooting
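An audit over the api_keys table above, as an added example (not part of n8n-deploy): it reports active keys that have never been used or are older than 90 days, without ever selecting the plain-text api_key column, and checks that the database file is closed to group and others. The function names, the sample rows and the "YYYY-MM-DD HH:MM:SS" timestamp format are assumptions taken from the sample listing.

```python
import os
import sqlite3
import stat

# api_keys table as given in the schema section (columns condensed per line).
SCHEMA = """CREATE TABLE api_keys (
    id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL UNIQUE,
    api_key TEXT NOT NULL, description TEXT, created_at TIMESTAMP NOT NULL,
    last_used_at TIMESTAMP, is_active INTEGER DEFAULT 1);"""

# Constructed rows mirroring the sample listing; tokens are placeholders.
SAMPLE_ROWS = [
    ("production_key", "PLACEHOLDER", "2025-09-15 10:30:00", "2025-10-05", 1),
    ("staging_key", "PLACEHOLDER", "2025-09-20 14:15:00", "2025-10-01", 1),
    ("dev_key", "PLACEHOLDER", "2025-10-01 08:00:00", None, 1),
    ("old_key", "PLACEHOLDER", "2025-08-01 12:00:00", "2025-08-15", 0),
]


def audit_active_keys(conn, now, max_age_days=90):
    """Findings for active keys; the api_key column is never selected."""
    findings = []
    query = """SELECT name, last_used_at,
                      CAST(julianday(?) - julianday(created_at) AS INTEGER)
               FROM api_keys WHERE is_active = 1 ORDER BY name"""
    for name, last_used, age_days in conn.execute(query, (now,)):
        if last_used is None:
            findings.append((name, "never used"))
        if age_days > max_age_days:
            findings.append((name, f"rotation due, {age_days} days old"))
    return findings


def db_file_too_open(path):
    """True when group or others hold any permission bit (expected: 600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_connection():
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO api_keys (name, api_key, created_at, last_used_at, is_active)"
        " VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn
```

Against a real installation, open ~/.n8n-deploy/n8n-deploy.db read-only and pass the same path to db_file_too_open.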
Invalid API Key Format
Error: Invalid JWT token format
Causes:
- Incomplete token (copying error)
- Extra whitespace or newlines
- Expired token
Solutions:
# Verify token format (should start with eyJ)
echo "$API_KEY" | head -c 10
# Remove whitespace
API_KEY=$(echo "$API_KEY" | tr -d '[:space:]')
echo "$API_KEY" | n8n-deploy apikey add - --name fixed_key
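The format and expiration checks listed under "Test API Key", and the causes listed for "Invalid JWT token format", can be reproduced offline before a key is stored. This is an added example, not n8n-deploy's own implementation: inspect_key and the sample tokens are constructed here, the signature is not verified, and a token truncated inside its signature segment still passes.

```python
import base64
import json
import time
from typing import Optional


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def inspect_key(token: str, now: Optional[float] = None) -> dict:
    """Structural pre-check only: the signature is NOT verified."""
    now = time.time() if now is None else now
    out = {"format_ok": False, "reason": None, "exp": None, "expired": None}
    if any(ch.isspace() for ch in token):
        out["reason"] = "token contains whitespace or newlines"
        return out
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        out["reason"] = "expected three non-empty dot-separated segments"
        return out
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        out["reason"] = "header or payload is not base64url-encoded JSON"
        return out
    if not isinstance(header, dict) or not isinstance(payload, dict):
        out["reason"] = "header and payload must be JSON objects"
        return out
    out["format_ok"] = True
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and not isinstance(exp, bool):
        out["exp"] = exp
        out["expired"] = now >= exp
    return out


# Constructed sample tokens (dummy signature "c2ln", not real credentials).
HEADER = b64url_encode({"alg": "HS256", "typ": "JWT"})
LIVE = ".".join([HEADER, b64url_encode({"sub": "demo", "exp": 2000000000}), "c2ln"])
STALE = ".".join([HEADER, b64url_encode({"sub": "demo", "exp": 1000000000}), "c2ln"])
```

A key without an exp claim is reported with expired set to None, which means "no expiry stated", not "valid".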
Authentication Failed
Error: 403 Forbidden or 401 Unauthorized
Diagnosis:
# Test key explicitly
n8n-deploy apikey test suspicious_key
# Check server connectivity
curl -I http://n8n.example.com:5678
# Verify key in n8n interface
# Settings → API → Active Keys
Solutions:
- Regenerate key in n8n
- Check server URL is correct
- Verify key hasn't expired
- Ensure key has necessary permissions
Related Documentation
- Server Management - Manage n8n server connections
- Database Management - Database operations and backups
- Configuration - Environment variables and settings
- Workflow Management - Push/pull workflows using API keys
- Troubleshooting - Common issues and solutions
Pro Tips
- Descriptive Naming: Use {environment}_{purpose} pattern (e.g., prod_readonly, staging_admin)
- Regular Rotation: Rotate production keys every 90 days minimum
- Separate Keys: Never share keys between environments
- Test Before Deploy: Always test new keys before deactivating old ones
- Audit Trail: Review last_used_at timestamps regularly
- Backup Database: API keys are only stored in the database
- Emergency Plan: Document key revocation procedures
- Limit Permissions: Use n8n's role-based permissions for granular access
- Monitor Usage: Track key usage patterns for anomaly detection
- CI/CD Ephemeral Keys: Use temporary keys that auto-delete after pipeline completion
Last Updated: October 2025
Security Notice: Always secure your n8n-deploy database with appropriate filesystem permissions