Configuration#
Feature availability
Embed requires an embed license. For more information about when to use Embed, as well as costs and licensing processes, refer to Embed on the n8n website.
Authentication#
You can secure n8n by setting up User management, n8n's built-in authentication feature.
Credential overwrites#
To offer OAuth login to users, it's possible to overwrite credentials on a global basis. This credential data isn't visible to users but the backend uses it automatically.
In the Editor UI, n8n hides all overwritten fields by default. This means that users are able to authenticate using OAuth by pressing the "connect" button on the credentials.
n8n offers two ways to apply credential overwrites: using Environment Variable and using the REST API.
Using environment variables#
Credential overwrites can be set using environment variable by setting the CREDENTIALS_OVERWRITE_DATA to { CREDENTIAL_NAME: { PARAMETER: VALUE }}.
Warning
Even though this is possible, it isn't recommended. Environment variables aren't protected in n8n, so the data can leak to users.
Using REST APIs#
The recommended way is to load the data using a custom REST endpoint. Set the CREDENTIALS_OVERWRITE_ENDPOINT to a path under which this endpoint should be made available.
Note
The endpoints can be called just one at a time for security reasons.
For example:
-
Activate the endpoint by setting the environment variable in the environment n8n runs under:
1export CREDENTIALS_OVERWRITE_ENDPOINT=send-credentials -
A JSON file with the credentials to overwrite is then needed. For example, a
oauth-credentials.jsonfile to overwrite credentials for Asana and GitHub could look like this:1 2 3 4 5 6 7 8 9 10
{ "asanaOAuth2Api": { "clientId": "<id>", "clientSecret": "<secret>" }, "githubOAuth2Api": { "clientId": "<id>", "clientSecret": "<secret>" } } -
Then apply it to the instance by sending it using curl:
1curl -H "Content-Type: application/json" --data @oauth-credentials.json http://localhost:5678/send-credentials
Note
There are cases when credentials are based on others. For example, the googleSheetsOAuth2Api extends the googleOAuth2Api.
In this case, you can set parameters on the parent credentials (googleOAuth2Api) which will be used by all child-credentials (googleSheetsOAuth2Api).
Environment variables#
There are many environment variables configurable in n8n. The following are most relevant for your hosted solution:
| Variable | Type | Default | Description |
|---|---|---|---|
EXECUTIONS_TIMEOUT |
Number | -1 |
Sets a default timeout (in seconds) to all workflows after which n8n stops their execution. Users can override this for individual workflows up to the duration set in EXECUTIONS_TIMEOUT_MAX. Set EXECUTIONS_TIMEOUT to -1 to disable. |
EXECUTIONS_DATA_PRUNE |
Boolean | true |
Whether to delete data of past executions on a rolling basis. |
EXECUTIONS_DATA_MAX_AGE |
Number | 336 |
The execution age (in hours) before it's deleted. |
EXECUTIONS_DATA_PRUNE_MAX_COUNT |
Number | 10000 |
Maximum number of executions to keep in the database. 0 = no limit |
NODES_EXCLUDE |
Array of strings | - | Specify which nodes not to load. For example, to block nodes that can be a security risk if users aren't trustworthy: NODES_EXCLUDE: "[\"n8n-nodes-base.executeCommand\", \"n8n-nodes-base.filesreadwrite\"]" |
NODES_INCLUDE |
Array of strings | - | Specify which nodes to load. |
N8N_TEMPLATES_ENABLED |
Boolean | true |
Enable workflow templates (true) or disable (false). |
N8N_TEMPLATES_HOST |
String | https://api.n8n.io |
Change this if creating your own workflow template library. Note that to use your own workflow templates library, your API must provide the same endpoints and response structure as n8n's. Refer to Workflow templates for more information. |
Backend hooks#
It's possible to define external hooks that n8n executes whenever a specific operation runs. You can use these, for example, to log data, change data, or forbid an action by throwing an error.
Available hooks#
| Hook | Arguments | Description |
|---|---|---|
credentials.create |
[credentialData: ICredentialsDb] |
Called before new credentials get created. Can be used to restrict the number of credentials. |
credentials.delete |
[id: credentialId] |
Called before credentials get deleted. |
credentials.update |
[credentialData: ICredentialsDb] |
Called before existing credentials are saved. |
frontend.settings |
[frontendSettings: IN8nUISettings] |
Gets called on n8n startup. Allows you to, for example, overwrite frontend data like the displayed OAuth URL. |
n8n.ready |
[app: App] |
Called once n8n is ready. Can be used to, for example, register custom API endpoints. |
n8n.stop |
Called when an n8n process gets stopped. Allows you to save some process data. | |
oauth1.authenticate |
[oAuthOptions: clientOAuth1.Options, oauthRequestData: {oauth_callback: string}] |
Called before an OAuth1 authentication. Can be used to overwrite an OAuth callback URL. |
oauth2.callback |
[oAuth2Parameters: {clientId: string, clientSecret: string \| undefined, accessTokenUri: string, authorizationUri: string, redirectUri: string, scopes: string[]}] |
Called in an OAuth2 callback. Can be used to overwrite an OAuth callback URL. |
workflow.activate |
[workflowData: IWorkflowDb] |
Called before a workflow gets activated. Can be used to restrict the number of active workflows. |
workflow.afterDelete |
[workflowId: string] |
Called after a workflow gets deleted. |
workflow.afterUpdate |
[workflowData: IWorkflowBase] |
Called after an existing workflow gets saved. |
workflow.create |
[workflowData: IWorkflowBase] |
Called before a workflow gets created. Can be used to restrict the number of saved workflows. |
workflow.delete |
[workflowId: string] |
Called before a workflow gets delete. |
workflow.postExecute |
[run: IRun, workflowData: IWorkflowBase] |
Called after a workflow gets executed. |
workflow.preExecute |
[workflow: Workflow: mode: WorkflowExecuteMode] |
Called before a workflow gets executed. Allows you to count or limit the number of workflow executions. |
workflow.update |
[workflowData: IWorkflowBase] |
Called before an existing workflow gets saved. |
Registering hooks#
Hooks are set by registering a hook file that contains the hook functions.
Hook registration is done using the environment variable EXTERNAL_HOOK_FILES.
The variable can be set to a single file:
EXTERNAL_HOOK_FILES=/data/hook.js
Or to contain multiple files separated by a semicolon:
EXTERNAL_HOOK_FILES=/data/hook1.js;/data/hook2.js
Hook files#
Hook files are regular JavaScript files that have the following format:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 | |
Hook functions#
A hook or a hook file can contain multiple hook functions, with all functions executed one after another.
If the parameters of the hook function are objects, it's possible to change the data of that parameter to change the behavior of n8n.
Additionally, the database can also be accessed in any hook function using this.dbCollections (see above).
Frontend external hooks#
Like backend external hooks, it's possible to define external hooks in the frontend code that get executed by n8n whenever a specific operation is performed. They can be used, for example, to log data and change data.
Available hooks#
| Hook | Description |
|---|---|
credentialsEdit.credentialTypeChanged |
Called when an existing credential's type is changed. |
credentials.create |
Called when a new credential is created. |
credentialsList.dialogVisibleChanged |
|
dataDisplay.nodeTypeChanged |
|
dataDisplay.onDocumentationUrlClick |
Called when the help documentation link is selected. |
execution.open |
Called when an existing execution is opened. |
executionsList.openDialog |
Called when the an execution is selected from existing Workflow Executions. |
expressionEdit.itemSelected |
|
expressionEdit.dialogVisibleChanged |
|
nodeCreateList.filteredNodeTypesComputed |
|
nodeCreateList.nodeFilterChanged |
Called when a new entry has been made in the node panel filter. |
nodeCreateList.selectedTypeChanged |
|
nodeCreateList.mounted |
|
nodeCreateList.destroyed |
|
nodeSettings.credentialSelected |
|
nodeSettings.valueChanged |
|
nodeView.createNodeActiveChanged |
|
nodeView.addNodeButton |
|
nodeView.createNodeActiveChanged |
|
nodeView.mount |
|
pushConnection.executionFinished |
|
showMessage.showError |
|
runData.displayModeChanged |
|
workflow.activeChange |
|
workflow.activeChangeCurrent |
|
workflow.afterUpdate |
Called when an existing workflow is updated. |
workflow.open |
|
workflowRun.runError |
|
workflowRun.runWorkflow |
Called when a workflow is executed. |
workflowSettings.dialogVisibleChanged |
|
workflowSettings.saveSettings |
Called when the settings of a workflow are saved. |
Registering hooks#
Hooks can be set by loading the hooks script on the page. One way to do this is by creating a hooks file in the project and adding a script tag in your editor-ui/public/index.html file:
1 | |
Hook files#
Hook files are regular JavaScript files which have the following format:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 | |
Hook functions#
Multiple hook functions can be defined per hook. Each hook function is invoked with the following arguments arguments:
store: The Vuex store object. Can be used to change or get data from the store.metadata: Object that contains any data provided by the hook. To see exactly what's passed, search for the hook in theeditor-uipackage.