Possible to do multi-tenant workflows that can reference credentials dynamically?

Describe the problem/error/question

We have a proof of concept workflow set up from a Startup Weekend event we did this past weekend and it’s using a Gmail oAuth2 credential that’s stored as an n8n credential (hardcoded to one account).
At some point the goal would be to open this up so anyone can do oAuth to their Gmail and use the workflow. Is that possible?

I’ve reviewed this, this and this thread and that last message from @maxT seemed to indicate this was a newly minted capability but the link he shared is 404 for me and I’ve not yet found a way to reference secrets dynamically nor pull these from an external db at runtime.
By chance is this a paid feature that’s not in the publicly-avail n8n cloud version? Is it avail via the community edition?

What is the error message (if any)?

No error but currently constrained to working only with the dummy Gmail oAuth account for the demo.

Please share your workflow

This is for behalf.bot:

Share the output returned by the last node

n/a

Information on your n8n setup

  • n8n version:
  • Database (default: SQLite): n/a
  • n8n EXECUTIONS_PROCESS setting (default: own, main): ?
  • Running n8n via (Docker, npm, n8n cloud, desktop app): n8n cloud
  • Operating system: whatever n8n cloud uses

pasting the debug output from n8n cloud instance:

instance information

Debug info

core

  • n8nVersion: 1.67.1
  • platform: npm
  • nodeJsVersion: 20.18.0
  • database: sqlite
  • executionMode: regular
  • concurrency: 5
  • license: community
  • consumerId: 00000000-0000-0000-0000-000000000000

storage

  • success: all
  • error: all
  • progress: false
  • manual: true
  • binaryMode: filesystem

pruning

  • enabled: true
  • maxAge: 168 hours
  • maxCount: 2500 executions

client

  • userAgent: mozilla/5.0 (macintosh; intel mac os x 10_15_7) applewebkit/537.36 (khtml, like gecko) chrome/131.0.0.0 safari/537.36
  • isTouchDevice: false

Generated at: 2024-11-18T15:57:56.637Z

Hi @scrollinondubs

Yes, what you’re looking for is an enterprise feature - You can read more on it in our docs:

On Cloud you can use the RBAC feature though, which at least allows you to manage user access to workflows and credentials based on user roles and projects. You group workflows into projects, and user access depends on the user’s project role.

Thx for your response @ria.

the RBAC I don’t think gets us anywhere given that we would have one set of workflows serving all users and want to dynamically pass in their Google oAuth tokens so the system works multi-tenant.

I’m reading the external secret docs but this seems more geared towards supporting multiple environments like dev/test/staging/prod. Can you confirm this is indeed intended for the usecase I’m proposing here which would again involve customers oAuthing our app so we can access their Gmail account as them?

More preferable (given that our user db is in Supabase) would be to log the oAuth tokens for each user with their profile in Supabase then dynamically inject them into n8n as environment variables (if that’s possible). Do you know if n8n supports session-based environment vars as credentials? Or maybe this just means we can’t use the native Gmail integration in n8n but can still invoke a custom workflow that serves the same role but injects the user credential at runtime?

Thx for the guidance.
Sean

2 Likes

Hi Sean, we’re trying to do something similar. Did you manage to figure this out?

There’s a community note that a couple of other discussions reference but we haven’t been able to get it working yet: GitHub - bramkn/n8n-nodes-run-node-with-credentials

Would love any guidance if you managed to find another solution.

Thanks!

@Tim_Morris I do not have a working solution for this yet. Will update this thread if I figure something out. The Github repo you referenced looks promising.

1 Like

Yeah it does look promising although definitely tricky to get working. I’ve tried contacting the developer for assistance but he is extremely unhelpful.

Let me know if you figure anything out and I’ll do the same. :+1:

I want to add my 2 cents. I have an enterprise app that is configured with multi tenant oauth. I can manually click on the login button within the stored credentials in n8n and it does work! Now the question here is how can I get this login button on a web front end to allow users to authenticate and get an oauth token for the flow to use?

2 Likes

Hey I’m looking to do the same. Did you guys manage to find a solution?

Bumping for interest

Yes would love to hear if anyone gets this figured out. It almost certainly has to involve storing oauth tokens in a db and injecting those into n8n dynamically at runtime. Perhaps it just can’t be done with the standard issue n8n nodes but could be accomplished via Community Nodes?

This ^^ BTW would make a great future office hours demo @bartv

Out of pure curiosity: for the folks in this thread what is the problem worth to you?

For instance if there were Community Node complements to all the standard issue Google nodes that allowed you to dynamically inject user credentials so you could make your apps multi-tenant enabling your users to oAuth against their own Google accts, how and how much would you expect to pay for that capability (if at all)?

You can do it with my community node referenced above, I am not providing support though.
It is still working however, so you should be able to get it working. Someone in a topic somewhere put some more of a description how to use it, so if you search it on the community you will find it.

Do keep in mind that most of you will need a license for the usecase you need this for. :wink:

I would happily pay for this an enterprise fee.

For me this moves n8n from “good to manage some backoffice tasks” to “I can move my core business logic to n8n so non-developers can see and change it”. That’s major.

Hi @BramKn the link to your NPM package (also shared above) is throwing 404. Where can we find the custom node?

that is not the link to the NPM page. I made the github page private, that is why you cannot see it.

Did you figure it out? I am also looking to do something similar, a little workflow that can check the calendar for every member of the family

Multi-Tenant OAuth Solution for n8n - Production-Ready Implementation

Great discussion everyone! I’ve been tackling this exact challenge in production environments and wanted to share three working solutions that solve multi-tenant OAuth credentials in n8n.

TL;DR - The Working Pattern

The key insight is using an external OAuth service + n8n HTTP requests for dynamic credential fetching:

User Frontend → OAuth Service → Third-party APIs
      ↓              ↓              ↓
   n8n Workflows ← Token API ← Secure Storage

Production Solutions (Choose Based on Your Stack)

:fire: Firebase Auth + Firestore (Recommended for GCP users)

Setup time: 2-3 days | Cost: $5-50/month depending on scale

// n8n HTTP Request node:
GET https://your-region-project.cloudfunctions.net/getUserCredentials/{{ $parameter.user_id }}/google
Authorization: Bearer YOUR_API_KEY

// Response:
{
  "access_token": "ya29.a0...",
  "expires_at": "2025-05-25T15:30:00Z"
}

// Use in subsequent nodes:
Authorization: Bearer {{ $node["Get User Token"].json.access_token }}

Why Firebase:

  • Native GCP integration (perfect if you’re already on Google Cloud)
  • Built-in OAuth handling with Cloud Functions
  • Automatic token refresh via scheduled functions
  • Firestore for secure, encrypted token storage
  • Minimal operational overhead

:office: Auth0 + Custom Backend (Enterprise-grade)

Setup time: 1-2 weeks | Cost: $70-200/month

Why Auth0:

  • Enterprise security (SOC2, HIPAA, GDPR)
  • 30+ OAuth providers out-of-the-box
  • Advanced user management and MFA
  • Professional support and SLAs

// Your custom API endpoint for n8n:
GET https://your-backend.com/api/credentials/{{ $parameter.user_id }}/google
Authorization: Bearer YOUR_N8N_API_KEY

// Auto-refreshes tokens, handles all OAuth complexity

:rocket: Supabase (Fast MVP, Open Source)

Setup time: 1 day | Cost: $0-25/month initially

// Direct Supabase REST API call in n8n:
GET https://your-project.supabase.co/rest/v1/user_credentials
Authorization: Bearer SUPABASE_SERVICE_KEY
user_id: eq.{{ $parameter.user_id }}
provider: eq.google

Key Implementation Details

1. OAuth Flow Architecture

// 1. User initiates OAuth from your frontend
https://your-oauth-service.com/auth/connect/google?user_id=user123

// 2. OAuth service handles provider flow, stores encrypted tokens
// 3. n8n fetches fresh tokens via HTTP Request
// 4. Automatic refresh happens in background

2. Security Best Practices

  • Token encryption at rest (use GCP KMS, AWS KMS, or similar)
  • API authentication between n8n and your OAuth service
  • User isolation - each user only accesses their own tokens
  • Audit logging for compliance

3. n8n Workflow Pattern

// Standard pattern in every multi-user workflow:

1. [Get User Credentials] HTTP Request node
   ↓
2. [Check Token Valid] IF node 
   ↓
3. [Use API with Token] Your actual API calls
   ↓
4. [Handle Results] Continue workflow

4. Error Handling

// In your n8n workflows:
if (!$node["Get User Token"].json.access_token) {
  const oauthUrl = $node["Get User Token"].json.oauth_url;
  throw new Error(`User needs to authorize: ${oauthUrl}`);
}

Real-World Usage Examples

Gmail Automation per User

// 1. Get user's Gmail token
HTTP Request: GET /credentials/user123/google

// 2. Fetch user's emails  
HTTP Request: GET https://gmail.googleapis.com/gmail/v1/users/me/messages
Authorization: Bearer {{ $node["Get Token"].json.access_token }}

// 3. Process emails specific to this user
// 4. Trigger user-specific actions

Multi-Provider Workflows

// Same user, multiple providers:
// Get Google token for Drive access
// Get Microsoft token for Teams notifications  
// Get Slack token for messaging
// All dynamically resolved per user

Why This Approach Works

  1. Scales infinitely - Each user has isolated credentials
  2. Provider agnostic - Works with any OAuth provider
  3. Automatic refresh - No manual token management
  4. n8n native - Uses standard HTTP Request nodes
  5. Security compliant - Enterprise-grade encryption and isolation

Business Impact

This moves n8n from “internal automation tool” to “customer-facing platform.” You can now build:

  • SaaS products where customers automate their own accounts
  • White-label automation platforms
  • Multi-tenant workflow solutions
  • Customer self-service automation

@jaredshelly @JazzyJohn @everyone - This addresses the core multi-tenant credential challenge you’ve been discussing. I’m happy to share more implementation details or help with specific provider integrations.

Has anyone else implemented similar patterns? What challenges did you face?


Update: I’m working on a comprehensive blog post with full code examples for all three solutions. Will share when complete!

4 Likes
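An added example, not part of the post above and not its author's code: a sketch of the token endpoint that the "Get User Credentials" HTTP Request node would call, showing the caller authentication, per-user isolation, expiry check and audit logging the post lists as best practices. The handler name `getUserCredentials`, the in-memory `TOKEN_STORE`, the API key and the status codes are assumptions made for illustration; the response fields (`access_token`, `expires_at`, `oauth_url`) follow the post.

```javascript
const crypto = require("crypto");

// Constructed sample records standing in for the encrypted token store.
const TOKEN_STORE = new Map([
  ["user123:google", { access_token: "sample-access-A",
    refresh_token: "sample-refresh-A", expires_at: "2025-05-25T15:30:00Z" }],
  ["user456:google", { access_token: "sample-access-B",
    refresh_token: "sample-refresh-B", expires_at: "2025-05-25T14:00:00Z" }],
]);
const N8N_API_KEY = "constructed-demo-key"; // placeholder; load from a secret manager
const AUDIT_LOG = [];                       // stands in for an append-only audit sink
const SKEW_MS = 60000; // tokens expiring within 60 s are treated as expired

function keyMatches(presented) {
  // Hash both sides so timingSafeEqual always compares equal-length buffers.
  const a = crypto.createHash("sha256").update(String(presented)).digest();
  const b = crypto.createHash("sha256").update(N8N_API_KEY).digest();
  return crypto.timingSafeEqual(a, b);
}

// Hypothetical handler for GET /credentials/:userId/:provider
function getUserCredentials({ apiKey, userId, provider, now = new Date() }) {
  const audit = (outcome) =>
    AUDIT_LOG.push({ at: now.toISOString(), userId, provider, outcome });
  if (!keyMatches(apiKey)) {
    audit("denied");
    return { status: 401, body: { error: "unauthorized" } };
  }
  // Strict identifier check: the lookup key cannot be forged with ":" or wildcards.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userId) || !/^[a-z]{1,32}$/.test(provider)) {
    audit("bad_request");
    return { status: 400, body: { error: "invalid identifier" } };
  }
  const rec = TOKEN_STORE.get(`${userId}:${provider}`);
  const oauth_url =
    `https://your-oauth-service.com/auth/connect/${provider}?user_id=${userId}`;
  if (!rec) {
    audit("not_connected");
    return { status: 404, body: { oauth_url } };
  }
  if (Date.parse(rec.expires_at) - now.getTime() <= SKEW_MS) {
    audit("expired"); // background refresh did not renew it: user must re-authorize
    return { status: 409, body: { oauth_url } };
  }
  audit("issued");
  // Only the short-lived access token leaves the service; the refresh token never does.
  return { status: 200,
    body: { access_token: rec.access_token, expires_at: rec.expires_at } };
}
```

Because the workflow supplies `user_id`, anyone who can edit a workflow or holds the API key can request any user's token, so the key and the audit log are the real isolation boundary in this pattern.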

Solid work. This would def make a compelling blog post if you can show an end-to-end setup tutorial for one or more of the approaches. I’d be most interested in pursuing the Supabase one and seeing exactly how the dynamic injection of oAuth tokens stored in Supabase works with N8n. This is very promising though - kudos for writing it all up.

Hi everyone, and first of all thanks for the content (especially to @Egreentech ).
I’m in the same situation (need to get tools to work with OAuth credentials for each connected user).

I have a question, hope that it’s not stupid:

  • Would @Egreentech solution with supabase mean that we need to make API calls manually (http nodes) and that we can’t use the native (for example) GMail nodes? I’m in the enterprise edition and can’t think of any other possibility.

I tried to use dynamic credentials (using expressions in a GMail node) this way with no success:

I fix the credentials this way:

I’m feeling quite dumb not being able to make this work in a simple way. Do I really need to transform every native node that uses OAuth into HTTP requests? That could mean A LOT of work in certain setups :dizzy_face:

Thanks in advance for any kind of information or advice.

Yah this means no pre-built nodes, honestly this is pushing me towards Windmill or Activepieces where this is more out of the box

But before I make the jump, has anyone figured this out?