Hi, I have an issue with connecting an API

I’m trying to connect a service with an API and HTTP node and I can’t point the API key to the credential I’m creating in my account.

In their API docs they say that I need to pass the credentials in this way:

curl -X 'POST' \
  'https://api.sumit.co.il/accounting/customers/create/' \
  -H 'accept: text/plain' \
  -H 'Content-Type: application/json-patch+json' \
  -d '{
  "Details": {
    "ExternalIdentifier": null,
    "NoVAT": null,
    "SearchMode": null,
    "Name": "Danny Dean",
    "Phone": "050-1234567",
    "EmailAddress": "[email protected]",
    "City": null,
    "Address": null,
    "ZipCode": null,
    "CompanyNumber": "514000123",
    "ID": null,
    "Folder": null,
    "Properties": null
  },
  "Credentials": {
    "CompanyID": 12345678,
    "APIKey": "R576Z62qzuans7dXGOkks8jEalaTisyFrUhraKth9Eksz1GBYQ"
  },
  "ResponseLanguage": null
}'

Please share your workflow

When I try to run the HTTP node with the API key in the body it works, but I prefer not to have the key exposed in the body, so I tried adding it in the credential section in my account, but I can't point to it in the body using {{$credential['SUMIT TEST'].value}} .. it simply doesn't work..

This is their API docs: Full REST API documentation for the SUMIT business management system

What am I doing wrong here?

Because I think it's not secure to pass the key like that in the body of the HTTP request, no?

Will really appreciate some help here :folded_hands:

Information on your n8n setup

  • n8n version: 1.112.5
  • Database (default: SQLite): SQLite
  • n8n EXECUTIONS_PROCESS setting (default: own, main): own
  • Running n8n via (Docker, npm, n8n cloud, desktop app): xCloud (Docker managed)
  • Operating system: xCloud managed environment

Great question. Does the API allow having credentials specified anywhere else except the HTTP request’s body?

Anybody?! :folded_hands:

@Adeative_Media this is the problem with the API design: it treats credentials as part of the request body (which is against security best practices). If you’re designing this API, then you need to change it to follow some recommendations out there (Best practices for REST API security: Authentication and authorization - Stack Overflow).

This is a problem with the API provider, not n8n!

Yes, definitely! I didn’t think it's an n8n issue.. so if I do want to use it as they provide.. what can I do to make sure it's fully secured? Any idea? @trungtlt

@Adeative_Media, an additional proxy layer should help, but the tradeoff is latency & cost.

You can try Cloudflare Worker or something similar.
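
The proxy layer suggested above, as an added example (not part of the original thread and not code from n8n or SUMIT): a Cloudflare Workers-style handler that attaches the Credentials object server-side, so the workflow only holds a token for the proxy. The names PROXY_TOKEN, isAuthorized and buildUpstreamBody are assumptions; SUMIT_COMPANY_ID and SUMIT_API_KEY are the variable names used later in the thread.

```javascript
// Added example: Workers-style proxy that attaches the SUMIT credentials server-side.
// Assumed names (not from the thread): PROXY_TOKEN, isAuthorized, buildUpstreamBody.
const UPSTREAM_ORIGIN = "https://api.sumit.co.il"; // pinned host from the curl example
const ALLOWED_PATHS = new Set(["/accounting/customers/create/"]); // only the call shown

// Compare the caller's bearer token without an early exit on the first mismatch.
function isAuthorized(header, expectedToken) {
  const given = String(header || "").replace(/^Bearer /, "");
  if (!expectedToken || given.length !== expectedToken.length) return false;
  let diff = 0;
  for (let i = 0; i < given.length; i++) diff |= given.charCodeAt(i) ^ expectedToken.charCodeAt(i);
  return diff === 0;
}

// Parse the caller's JSON, refuse caller-supplied credentials, attach the real ones.
function buildUpstreamBody(bodyText, env) {
  let body;
  try { body = JSON.parse(bodyText); } catch { return { error: "invalid JSON" }; }
  if (body === null || typeof body !== "object" || Array.isArray(body))
    return { error: "body must be a JSON object" };
  // Case-insensitive check: assumes the upstream might bind property names loosely.
  if (Object.keys(body).some((k) => k.toLowerCase() === "credentials"))
    return { error: "Credentials must not be sent by the caller" };
  const companyId = Number(env.SUMIT_COMPANY_ID);
  if (!(Number.isInteger(companyId) && companyId > 0) || !env.SUMIT_API_KEY)
    return { error: "proxy secrets not configured" };
  const Credentials = { CompanyID: companyId, APIKey: env.SUMIT_API_KEY };
  return { body: JSON.stringify({ ...body, Credentials }) };
}

const worker = {
  async fetch(request, env) {
    const { pathname } = new URL(request.url);
    if (request.method !== "POST" || !ALLOWED_PATHS.has(pathname))
      return new Response("not found", { status: 404 });
    if (!isAuthorized(request.headers.get("Authorization"), env.PROXY_TOKEN))
      return new Response("unauthorized", { status: 401 });
    const built = buildUpstreamBody(await request.text(), env);
    if (built.error) return new Response(built.error, { status: 400 });
    // Only the proxy-to-API request carries the key; n8n holds PROXY_TOKEN instead.
    return fetch(UPSTREAM_ORIGIN + pathname, {
      method: "POST",
      headers: { accept: "text/plain", "Content-Type": "application/json-patch+json" },
      body: built.body,
    });
  },
};
// Deployed as a Worker module, this object is the default export: export default worker;
```

On the n8n side the HTTP Request node then posts the body without the Credentials block and sends the proxy token through a Header Auth credential, which n8n does store encrypted.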

I think I got it!
I’ve added the details as variables in the environment of n8n

Now I send the request in the body like this:

{
  "Details": {
    "ExternalIdentifier": null,
    "NoVAT": null,
    "SearchMode": null,
    "Name": "רזי בדיקה",
    "Phone": "050-1234567",
    "EmailAddress": "[email protected]",
    "City": null,
    "Address": null,
    "ZipCode": null,
    "CompanyNumber": "514000123",
    "ID": null,
    "Folder": null,
    "Properties": null
  },
  "Credentials": {
    "CompanyID": {{ $env.SUMIT_COMPANY_ID }},
    "APIKey": "{{ $env.SUMIT_API_KEY }}"
  },
  "ResponseLanguage": null
}

Works great.. the question now is.. if this is secure, because the only place to see these details is on the server.

I’ve asked ChatGPT and it recommended adding N8N_ENCRYPTION_KEY to the environment, but when I do that the site goes down and I get a bad gateway.. I think it's something related to the encryption..

Do you think it's good enough? @trungtlt

@Adeative_Media it depends on your expected level of security, but at least the above option allows you to avoid hard-coding the company ID & API key in the n8n workflow JSON!
There is still room for improvement (with trade-offs too); keep reviewing your system/needs and improve it!

You’re right that keeping the API key in the body isn’t ideal. In n8n, credentials don’t automatically inject into the body — they work for headers, auth, etc. If the API requires it inside the body, the usual approach is:

  • Store your API key in a credential (or environment variable).

  • Then in the HTTP node body, reference it using expression mode like:

"APIKey": {{$credentials.SUMIT_TEST.APIKey}}

(make sure the name matches your credential property).

If the built-in credentials system doesn’t map directly, another safe option is to use environment variables and reference them in the body.

Hi, yeah so I was able to reference it as a variable, but not as a credential..

Didn’t find any other option..
