Option To Prevent Plaintext Webhook Credentials in Execution


I’d like to suggest adding an option (or making it default) to not forward the credentials received by a webhook trigger in to the execution. This would be good to limit exposure of access keys/etc.

For reference, here’s an example of what appears in the execution history when a webhook client uses header auth to launch an n8n webhook:



"headers": {

"x-forwarded-for": "",

"x-forwarded-proto": "https",

"x-forwarded-port": "443",

"host": "n8n.domainname.com",

"x-amzn-trace-id": "Root=1-654beaf3-2cd9616a3f37939610d9e884",

"user-agent": "curl/7.61.1",

"accept": "*/*",

"key": "<redacted from this forum post>"


"params": {


"query": {





Hi @jzrts, I’ll convert this suggestion into a feature request so you and other users can leave a vote on this.

Until such a feature is considered, perhaps you want to simply avoid storing execution data on your webhook flow, strip anything secret and then call a sub-workflow?

E.g. have one workflow like this on which you don’t store execution data:

Then a second workflow (called by the Execute Workflow node) which only receives redacted data and for which you do store execution data:

Oh ya, that’s a good idea for an alternative way to do it. That works just fine too, thanks!

1 Like

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.