Summary
Currently, the Credentials API (PATCH /credentials/:id) explicitly blocks updates to the oauthTokenData field. This prevents legitimate use cases where access tokens are obtained from external identity providers and need to be set on OAuth2 credentials.
Relevant code (packages/cli/src/credentials/credentials.controller.ts:232-233):
// We never want to allow users to change the oauthTokenData
delete body.data?.oauthTokenData;
Related PR: n8n-io/n8n #13263 "fix(core): Redact credentials" by tomi
Current Situation
We use Google Cloud Workload Identity Federation (WIF) to obtain GCP access tokens without storing long-lived service account keys.
Currently, we call Google APIs using HTTP Request Node with a Bearer Auth credential that is updated via the Credentials API:
- A custom node exchanges a federation token for a GCP access token via WIF
- The access token is set on a Bearer Auth credential via the Credentials API
- HTTP Request Node uses this credential to call Google APIs
This works, but HTTP Request Node requires users to understand Google API endpoints and request formats, which is a high barrier for non-technical users.
What We Want
We want to use standard Google Nodes (Sheets, Drive, etc.) instead of HTTP Request Node because:
- Better UX with schema mapping, pagination, and error handling
- No need to understand raw Google API specifications
- Lower barrier for non-engineers
The Problem
Google Nodes use OAuth2 credentials (e.g., googleSheetsOAuth2Api) which store the access token in oauthTokenData. When we try to update this field via the Credentials API, it is silently stripped from the request.
This means we cannot use WIF-obtained tokens with standard Google Nodes.
Proposal
Remove or make configurable the restriction on updating oauthTokenData.
Rationale:
- The Credentials API already requires authentication (API Key)
- Other credential fields (including secrets) can be updated via API
- Access tokens are short-lived by nature, making them less sensitive than refresh tokens
- The current behavior silently drops the field without error, which is confusing
Suggested options:
- Remove the restriction (access tokens are short-lived anyway)
- Allow only access_token updates while still protecting refresh_token (In our WIF use case, we do not use refresh tokens at all - each execution obtains a fresh access token)
Our Environment
- n8n self-hosted (Enterprise Edition)
- Using Credentials API with API Key authentication
Additional Context
The comment “We never want to allow users to change the oauthTokenData” doesn’t explain the security concern. Since:
- API authentication is already required
- Other sensitive credential data can be updated
- Access tokens expire quickly
It’s unclear why oauthTokenData specifically needs protection that other credential fields don’t have.
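To make the two behaviours concrete, here is a stand-alone TypeScript model of the request-body sanitizer behind PATCH /credentials/:id. It is an added example, not n8n's code: the field names (oauthTokenData, access_token, refresh_token) follow the post, while the shape of body.data, the set of writable token fields, and the helper names are assumptions. It contrasts the current behaviour (the whole object dropped with no error) with the second suggested option (access_token writable, refresh_token protected, rejected fields reported to the caller).

```typescript
// Added example, not n8n's code. Models the sanitizer applied to the body of
// PATCH /credentials/:id. Field names follow the post; the structure of
// body.data, WRITABLE_TOKEN_FIELDS and the function names are assumptions.

type OAuthTokenData = Record<string, unknown>;

interface CredentialPatchBody {
  name?: string;
  data?: Record<string, unknown>;
}

interface SanitizeResult {
  body: CredentialPatchBody;   // the body after sanitising
  rejected: string[];          // dotted paths of fields that were refused
}

function clone<T>(value: T): T {
  return JSON.parse(JSON.stringify(value)) as T;
}

// Current behaviour as described in the post: the entire oauthTokenData
// object is deleted from the request and the caller is not told.
function sanitizeCurrent(body: CredentialPatchBody): SanitizeResult {
  const copy = clone(body);
  const rejected: string[] = [];
  if (copy.data && 'oauthTokenData' in copy.data) {
    delete copy.data.oauthTokenData;
    rejected.push('data.oauthTokenData');
  }
  return { body: copy, rejected };
}

// Second suggested option: the short-lived access token and its non-secret
// metadata may be written through the API; refresh_token and any unknown
// key are refused by name so the caller can be given an explicit error.
const WRITABLE_TOKEN_FIELDS: ReadonlySet<string> = new Set([
  'access_token',
  'token_type',
  'expires_in',
  'scope',
]);

function sanitizeSelective(body: CredentialPatchBody): SanitizeResult {
  const copy = clone(body);
  const rejected: string[] = [];
  const incoming = copy.data?.oauthTokenData;
  if (copy.data && incoming !== undefined) {
    if (typeof incoming !== 'object' || incoming === null || Array.isArray(incoming)) {
      // Not a token object at all: refuse the whole field.
      delete copy.data.oauthTokenData;
      rejected.push('data.oauthTokenData');
    } else {
      const filtered: OAuthTokenData = {};
      for (const [key, value] of Object.entries(incoming as OAuthTokenData)) {
        const allowed =
          WRITABLE_TOKEN_FIELDS.has(key) &&
          (key !== 'access_token' || typeof value === 'string');
        if (allowed) {
          filtered[key] = value;
        } else {
          rejected.push(`data.oauthTokenData.${key}`);
        }
      }
      copy.data.oauthTokenData = filtered;
    }
  }
  return { body: copy, rejected };
}

// Merge the sanitised token fields over what is already stored, so a
// refresh_token held by the credential survives an access_token update.
function mergeTokenData(stored: OAuthTokenData, patch: OAuthTokenData): OAuthTokenData {
  return { ...stored, ...patch };
}

// Surface refused fields as an error (a 400 in a real controller) instead of
// the silent drop the post complains about.
function assertNothingRejected(result: SanitizeResult): CredentialPatchBody {
  if (result.rejected.length > 0) {
    throw new Error(`Fields not updatable via the Credentials API: ${result.rejected.join(', ')}`);
  }
  return result.body;
}

// Constructed sample request, shaped like what a WIF custom node might send
// after exchanging a federation token for a short-lived GCP access token.
const sampleBody: CredentialPatchBody = {
  data: {
    oauthTokenData: {
      access_token: 'ya29.constructed-sample-token',
      token_type: 'Bearer',
      expires_in: 3599,
      refresh_token: 'should-not-be-settable',
    },
  },
};

// Constructed stand-in for the token blob already stored on the credential.
const storedTokenData: OAuthTokenData = {
  access_token: 'ya29.old',
  refresh_token: '1//stored-refresh-token',
};
```

Under the selective variant the WIF flow in the post works (access_token and expires_in land on the credential) while refresh_token stays exactly as stored, and any attempt to write it is named in the rejected list rather than vanishing.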
