Skip to content

External secrets#

Feature availability

  • External secrets are available on Enterprise Self-hosted and Enterprise Cloud plans.
  • n8n supports Infisical and HashiCorp Vault.
  • n8n doesn't support HashiCorp Vault Secrets.

You can use an external secrets store to manage credentials for n8n.

n8n stores all credentials encrypted in its database, and restricts access to them by default. With the external secrets feature, you can store sensitive credential information in an external vault, and have n8n load it in when required. This provides an extra layer of security and allows you to manage credentials used across multiple n8n environments in one central place.

Connect n8n to your secrets store#

Secret names

Your secret names can't contain spaces, hyphens, or other special characters. n8n supports secret names containing alphanumeric characters (a-z, A-Z, and 0-9), and underscores.

  1. In n8n, go to Settings > External Secrets.
  2. Select Set Up for your store provider.
  3. Enter the credentials for your provider:

    • HashiCorp Vault: provide the Vault URL for your vault instance, and select your Authentication Method. Enter your authentication details. Optionally provide a namespace.

    • Infisical: provide a Service Token. Refer to Infisical's Service token documentation for information on getting your token. If you self-host Infisical, enter the Site URL.

      Infisical environment

      Make sure you select the correct Infisical environment when creating your token. n8n will load secrets from this environment, and won't have access to secrets in other Infisical environments. n8n only support service tokens that have access to a single environment.

      Infisical folders

      n8n doesn't support Infisical folders.

  4. Save your configuration.

  5. Enable the provider using the Disabled / Enabled toggle.

Use secrets in n8n credentials#

To use a secret from your store in an n8n credential:

  1. Create a new credential, or open an existing one.
  2. On the field where you want to use a secret:
    1. Hover over the field.
    2. Select Expression.
  3. In the field where you want to use a secret, enter an expression referencing the secret name:
    {{ $secrets.<vault-name>.<secret-name> }}
    <vault-name> is either vault (for HashiCorp) or infisical. Replace <secret-name> with the name as it appears in your vault.

Use external secrets with n8n environments#

n8n's Source control and environments feature allows you to create different n8n environments, backed by Git. The feature doesn't support using different credentials in different instances. You can use an external secrets vault to provide different credentials for different environments by connecting each n8n instance to a different vault or project environment.

For example, you have two n8n instances, one for development and one for production. You use Infisical for your vault. In Infisical, create a project with two environments, development and production. Generate a token for each Infisical environment. Use the token for the development environment to connect your development n8n instance, and the token for your production environment to connect your production n8n instance.


Infisical version changes#

Infisical version upgrades can introduce problems connecting to n8n. If your Infisical connection stops working, check if there was a recent version change. If so, report the issue to