GraphQL Authentication JWT

Hi all,

I am trying to request a JWT Token from an API:

To achieve this, I need to add the credentials in the body of the POST request.
Is there any way to realize this using the credentials offered by n8n?

n8n Version: 1.99.1

Does anything in this post help?

Hi, thanks for the response. The provided solution shows how to add a JWT Token to a request. My issue is requesting the token from the API using credentials provided in the body of the request in a secure way (not just freetext). Since I am using the free version, this seems difficult to solve.

I appreciate the response!

BR
Hans

The closest thing I know of (which, unfortunately, won’t work with a JSON request containing username and password) is if the API server also supported the Generic OAuth2 credential’s semantics for Grant Type: Client Credentials.

For reference, that would be a POST request with Content-Type: application/x-www-form-urlencoded containing request variables named grant_type, scope, client_id, and client_secret which returns the JWT value as application/json like:

{
    "access_token": "eyJhbGciOiJIUzI1N..."
}

I’m not sure how much this comes up, but I’m betting any API service written using NestJS, according to this guide, would require a credential type like this.

It would be useful to have a generic credential type that takes the concept of the Custom auth Credential one step further, and allows you to specify how the auth-request’s response is applied (e.g. Add Request Header Authorization: Bearer {{ $authResponse.json.access_token }}). It would ALSO need to provide a way to specify masked/encrypted values to be included in the JSON element. As it is now, anything you put in a Custom auth credential can be viewed in plain text when you open the credential editor (not very useful).

If you have time, please write a feature request with some more details about what you would like to be able to do.
Update: Found an existing Feature Request that is probably the same thing, so maybe just vote that up.

A short while after I sent that last post, I had an idea about how to make this sorta work…

I tested the idea and got it working, so if you want to try it…

Create an “Oauth2 JWT Adapter” workflow (see below) that:

  1. Accepts the Oauth2 / Grant Type Client Credentials semantics in a Webhook trigger.
  2. Sends (forwards) the client_id and client_secret values to the API JWT endpoint as username and password, respectively.
  3. Returns the JWT value the way the generic Oauth2 credential expects it.
    • Note: The API I tested already had the response in the correct form, but the Respond to Webhook node can reformat the API response, if necessary, to { "access_token": "...the-jwt-value..." }.
    • IMPORTANT: Once it is working, configure this workflow to NOT save executions, so the password and/or JWT values won’t get “logged.”

Use the “Oauth2 JWT Adapter” workflow

On the HTTP Request node, where you call your actual JWT protected API endpoint, use an Oauth2 credential (which hides/separates the secret password) and configure it to call the “Oauth2 JWT Adapter” workflow at its production webhook URL.

  • Note: Don’t forget to activate the “Oauth2 JWT Adapter” workflow first.
  • Note: This assumes the protected API accepts the JWT value in the form of an Authorization: Bearer ...the-jwt-value... header

The Generic Oauth2 Credential is configured like this:
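The translation that the adapter workflow described in this post performs, written out as plain JavaScript. This is an added example, not part of the thread or of n8n's code; the function names, the `token`/`jwt` fallback field names, the lowercase `authorization` header key and the sample values are assumptions.

```javascript
// Hypothetical upstream field names that may carry the JWT.
const TOKEN_FIELDS = ["access_token", "token", "jwt"];
// Constructed sample token request body (values are made up).
const SAMPLE_BODY = "grant_type=client_credentials&client_id=hans&client_secret=s3cr3t%3A1";

// Read client credentials from an OAuth2 client_credentials token request.
// They may arrive in the form body or in an Authorization: Basic header.
function parseTokenRequest(headers, rawBody) {
  const form = new URLSearchParams(rawBody);
  if (form.get("grant_type") !== "client_credentials") {
    return { error: "unsupported_grant_type" };
  }
  let id = form.get("client_id");
  let secret = form.get("client_secret");
  const auth = headers.authorization || "";
  if (auth.startsWith("Basic ")) {
    const decoded = Buffer.from(auth.slice(6), "base64").toString("utf8");
    const sep = decoded.indexOf(":"); // split on the first ':' only
    if (sep > 0) [id, secret] = [decoded.slice(0, sep), decoded.slice(sep + 1)];
  }
  if (!id || !secret) return { error: "invalid_client" };
  return { id, secret };
}

// Build the JSON login request for the API's JWT endpoint (username/password).
function toUpstreamRequest(creds, jwtUrl) {
  return {
    method: "POST",
    url: jwtUrl,
    headers: { "Content-Type": "application/json" },
    json: { username: creds.id, password: creds.secret },
  };
}

// Reshape the API response into what the generic OAuth2 credential expects.
function toOAuth2Response(upstreamJson) {
  const field = TOKEN_FIELDS.find((f) => typeof upstreamJson[f] === "string");
  if (!field) return { status: 502, body: { error: "invalid_token_response" } };
  // token_type is a required member of an OAuth2 token response (RFC 6749, 5.1).
  return { status: 200, body: { access_token: upstreamJson[field], token_type: "Bearer" } };
}

// Deep copy of a request/response object with secret-bearing keys masked for logging.
function redact(obj) {
  return JSON.parse(JSON.stringify(obj, (k, v) =>
    /secret|password|token|authorization/i.test(k) ? "[redacted]" : v));
}
```
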