Need Help. Not finding global $credentials

Questions
1

Describe the problem/error/question

Hello im new here and just getting into n8n, and have run into a problem. Any help would be Greatly appreciated. Thanks in advance.

I’m encountering an issue where the global $credentials object appears to be empty or malformed (\n when outputted directly, or resulting in undefined/null when trying to access specific credentials) during workflow execution in my local n8n setup. This prevents me from using any stored credentials in my workflows via expressions.

We’ve confirmed that:

  1. A “Query Auth” credential named “Query Auth account” was created successfully, and the API key was entered into its “Value” field during creation. The credential appears in my credentials list.

  2. The API key itself is valid and works correctly when pasted directly (in “Fixed” mode) into an HTTP Request node’s query parameter (after also correcting a playlistId issue for a YouTube API call).

  3. The issue is that expressions like {{ $credentials }} in a “Set” node output as just a newline character (\n), and expressions like {{ $credentials[“Query Auth account”] }} or {{ $credentials[“Query Auth account”].value }} (or .apiKey) result in undefined or null both in the expression editor’s live preview and in the actual output of a “Set” node.

  4. Restarting n8n has not resolved the issue.

  5. The n8n startup log shows warnings about config file permissions (“too wide”) and a deprecation warning for N8N_RUNNERS_ENABLED, but no explicit errors related to loading credentials, the database, or encryption.

The core problem is that the $credentials object is not being populated correctly for use in expressions.

What is the error message (if any)?

When trying to use a credential in an HTTP Request node (e.g., for the key parameter using {{ $credentials[“Query Auth account”].value }}), the node fails with an error from the target API (e.g., Google/YouTube) indicating a missing or invalid API key, such as:
“Forbidden - perhaps check your credentials?”
Followed by API-specific details like:
“Method doesn’t allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.”

The expression editor’s live preview for {{ $credentials[“Query Auth account”].value }} shows [undefined].
A “Set” node attempting to output {{ $credentials }} shows \n.
A “Set” node attempting to output {{ $credentials[“Query Auth account”] }} shows [null].

Please share your workflow

The primary test workflow involves:

  1. A Manual Trigger node.

  2. A Set node connected to the Manual Trigger, configured with two fields:

  • Mode: Manual Mapping

  • Fields to Set:

    • Field 1:

      • Name: allMyCredentials

      • Value (Expression): {{ $credentials }}

    • Field 2:

      • Name: specificCredentialObject

      • Value (Expression): {{ $credentials[“Query Auth account”] }}

  1. An HTTP Request node (This was the original node where the issue was noticed. For debugging $credentials, the Set node above is more direct).

  • Method: GET

  • URL: https://www.googleapis.com/youtube/v3/playlistItems

  • Authentication: None

  • Query Parameters:

    • part: snippet,contentDetails

    • playlistId: UUIHVTKJWkSdc9N3h0nUWUg

    • key: (Expression) {{ $credentials[“Query Auth account”].value }} ← This is where the problem manifests.

    • maxResults: 5

  • Options → Response Format: JSON

content_copydownload

Use code with caution.Json

Share the output returned by the last node

When the “Set Credentials Test” node is run, the output is (example):

[
  {
    "allMyCredentials": "\n",
    "specificCredentialObject": null
  }
]

content_copydownload

Use code with caution.Json

(Note: In the expression editor’s live preview, both expressions show [undefined].)

When the “HTTP Request YouTube” node is run with the expression {{ $credentials[“Query Auth account”].value }} for the key parameter, it fails. If the raw API key is pasted directly into the key parameter (Fixed mode), the node succeeds and returns valid YouTube data.

Information on your n8n setup

  • n8n version: 1.91.3

  • Database (default: SQLite): Default (SQLite)

  • n8n EXECUTIONS_PROCESS setting (default: own, main): Default (not explicitly set, so likely main or own depending on how n8n start behaves without task runners enabled). The startup log mentioned deprecation for running without task runners and N8N_RUNNERS_ENABLED not being set.

  • Running n8n via (Docker, npm, n8n cloud, desktop app): npm (globally installed, run with n8n start)

  • Operating system: macOS (MacBook Air)

2

I’m curious where you found a reference for $credentials as an available expression variable. I searched the docs but found no reference for an expression variable named $credentials. Just to be sure I searched correctly, I also tried $binary and found that as expected.

The places where $credentials is used in the n8n source appear to all be nodejs variable/object references in the implementation of a node, but I think that refers only to the credentials item configured for a specific instance of a node (not a global reference to all credentials), and isn’t exposed for use in the expression context of a workflow.

If n8n were to provide expression variable access to the details of a credentials item, especially the “secret” parts like a key value or password, it would completely defeat the purpose of separating credentials from workflows. It doesn’t seem reasonable for it to be possible to do what you have described.

3

I guess the root cause of this confusion is that for some reason ChatGPT confidently recommends to use $credentials expressions in the workflow. :man_shrugging:

Nobody reads doc source now :grimacing::grin:

4

The docs and examples floating around for n8n have changed and evolved so much over the past few years that most of what I see from ChatGPT, based on mostly obsolete information at the moment, is wildly inaccurate. It is best to reference the actual current documentation and/or source code before believing anything that AI hallucinates for you.

I thought you might be amused that the reason I looked back at this thread was that I was looking for a way to reference the non-secret part of a credential item. That would be useful for things like getting the base URL (when auth and other API features are colocated like WooCommerce/Wordpress). I can still understand why implementing something like that would be sorta risky though. If ALL the credential fields aren’t VERY CAREFULLY marked as “secret” or “not-secret,” the potential for leaking the protected stuff would probably be too high.

5

This is just fascinating… :grin:

Screenshot 2025-06-14 at 11.51.51 PM
Screenshot 2025-06-14 at 11.51.51 PM1744×1030 123 KB

6

AI: “Yes, I assure you that it would be a simple, beginner task to hack right through n8n’s security and access all of the private, sensitive information that was intentionally separated as “secret” in a Credentials item. Anyone could just look at the news and see that any half-smart monkey could breach the security measures in place at the largest financial institutions on the planet, so simply accessing the credential information in a popular orchestration / workflow tool would certainly be child’s-play!!”

AI must be assumed “high” and “delusional” at all times!!!

This post from 2022 says nope.

This post from 2023 says nope.

This post from 2024 discusses the API approach (which still doesn’t let you read anything, just write/create).

The operations on the n8n node are ALSO conspicuously missing any way to READ credentials information (the only GET isn’t for credential data, but the type/schema OF various types of credentials, presumably for the purpose of creating and writing credential data).

Absolutely NONE of these things provide any sort of access to credentials via the expression variable mechanism.

This code in the credentials SOURCE CODE of an example community node, referenced from the “Building Community Nodes” docs page, is quite possibly the source of the AI hallucination. I guess if you consider that AI has toddler-confidence in what it “knows,” you could (maybe) see why it thinks that community-node development is not, strictly speaking, the same as “for internal n8n coding or development.”

There is, however, one serious heads-up on security in n8n. Credentials information CAN be retrieved in decrypted form using the n8n CLI command. By default, n8n allows executing commands from a workflow, so If you want to close that hole, you must configure the NODES_EXCLUDE environment variable in n8n such that workflows cannot run the n8n command (or any other command) via the Execute Command node.