HTTP Request Node - Header Auth - How to securely save Credentials

Describe the problem/error/question


I am looking for a way to securely (encrypted) save the credentials for an HTTP node request that uses header authentication.

I can add credentials to the HTTP node’s headers, but they won’t be encrypted. My goal is to save them securely (similar to how the credentials work).

Please share your workflow

I want the HTTP request to look like this (with encrypted credentials):

Can I do this without creating a custom node using my custom header auth?

I believe the question is similar to: HTTP Request Node - Body Auth - How to save Credentials and Token

Thank you!

Information on your n8n setup

  • **n8n version:1.29.1
  • **Database (default: SQLite): SQLite
  • **n8n EXECUTIONS_PROCESS setting (default: own, main): main
  • **Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • **Operating system: Ubuntu Linux

Hey @CristianG,

In the node if you select Authentication you can set it to Generic > Header and add your API key there this will then keep the header value encrypted like other credentials.


Thanks @Jon,
But in addition to the X-API-KEY I would also need to add the X-Requested-By to the headers. Is there a way to include this in the credential as well?
Right now, I can only add a single value to the credentials.

I am backing up these workflows in GitHub and wouldn’t want any secrets in plain text in there, if possible.

I suppose for that you will have to use the Custom Auth type

Thanks for your reply, @barn4k, but I’m not sure how to set the ‘Custom Auth’ type to be sent as part of the headers.

When making this request, I don’t see any of my ‘Custom Auth’ credentials as part of the request.

When using the ‘Header Auth’ type (shown earlier), I can see the X-API-KEY variable as part of the request (in the header).

You should specify it inside the headers key:

    "X-Requested-By": "yyy",
    "operator": "zzz"


1 Like

Thanks so much, @barn4k, that did it!

1 Like

You only really need to add the API key unless the requested by and operator is also considered secret.